KNOT.CONF(5) Knot DNS KNOT.CONF(5)


NAME
knot.conf - Knot DNS configuration file

DESCRIPTION
Configuration files for Knot DNS use simplified YAML format. Simplified means that not all of the features are supported.

For the description of configuration items, we have to declare a meaning of the following symbols:

• INT – Integer

• STR – Textual string

• HEXSTR – Hexadecimal string (with 0x prefix)

• BOOL – Boolean value (on/off or true/false)

• TIME – Number of seconds, an integer with possible time multiplier suffix (s ~ 1, m ~ 60, h ~ 3600 or d ~ 24 * 3600)

• SIZE – Number of bytes, an integer with possible size multiplier suffix (B ~ 1, K ~ 1024, M ~ 1024^2 or G ~ 1024^3)

• BASE64 – Base64 encoded string

• ADDR – IPv4 or IPv6 address

• DNAME – Domain name

• ... – Multi-valued item, order of the values is preserved

• [ ] – Optional value

• | – Choice

The configuration consists of several fixed sections and optional module sections. There are 15 fixed sections (module, server, xdp, control, log, statistics, database, keystore, key, remote, acl, submission, policy, template, zone). Module sections are prefixed with the mod- prefix (e.g. mod-stats).

Most of the sections (e.g. zone) are sequences of settings blocks. Each settings block begins with a unique identifier, which can be used as a reference from other sections (such an identifier must be defined in advance).

A multi-valued item can be specified either as a YAML sequence:

    address: [10.0.0.1, 10.0.0.2]

or as more single-valued items each on an extra line:

    address: 10.0.0.1
    address: 10.0.0.2

If an item value contains spaces or other special characters, it is necessary to enclose such a value within double quotes " ".
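As an added illustration (not code from the Knot DNS project), the following Python parsers implement the value notation declared above: TIME and SIZE multiplier suffixes, BOOL, HEXSTR, ADDR[@INT] as used by listen and remote address items, and both spellings of a multi-valued item. The function names and sample values are this example's own.

```python
"""Parsers for the scalar value types that knot.conf(5) declares (TIME, SIZE,
BOOL, HEXSTR, ADDR[@INT]) and for multi-valued items. Added example for this
page, not Knot's own configuration parser; names are illustrative."""
import ipaddress

TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 24 * 3600}
SIZE_UNITS = {"": 1, "B": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def _scaled(text: str, units: dict) -> int:
    """Integer with an optional single-letter multiplier suffix."""
    text = text.strip()
    num = text.rstrip("".join(units))      # split off a trailing unit letter
    unit = text[len(num):]
    if not num.isdigit() or unit not in units:
        raise ValueError(f"invalid value: {text!r}")
    return int(num) * units[unit]


def parse_time(text: str) -> int:
    """TIME: seconds, suffix s ~ 1, m ~ 60, h ~ 3600, d ~ 24 * 3600."""
    return _scaled(text, TIME_UNITS)


def parse_size(text: str) -> int:
    """SIZE: bytes, suffix B ~ 1, K ~ 1024, M ~ 1024^2, G ~ 1024^3."""
    return _scaled(text, SIZE_UNITS)


def parse_bool(text: str) -> bool:
    """BOOL: on/off or true/false."""
    value = text.strip().lower()
    if value in ("on", "true"):
        return True
    if value in ("off", "false"):
        return False
    raise ValueError(f"invalid boolean: {text!r}")


def parse_hexstr(text: str) -> bytes:
    """HEXSTR: hexadecimal string with the 0x prefix (e.g. an nsid value)."""
    text = text.strip()
    if not text.startswith("0x") or len(text) % 2:
        raise ValueError(f"invalid hex string: {text!r}")
    return bytes.fromhex(text[2:])


def parse_addr_port(text: str, default_port: int = 53) -> tuple[str, int]:
    """ADDR[@INT]: IPv4/IPv6 address with optional @port, as in listen or
    remote address items. Splitting on the last '@' keeps IPv6 colons intact."""
    addr, sep, port = text.strip().rpartition("@")
    if not sep:                            # no '@' given: whole string is the address
        addr, port = text.strip(), str(default_port)
    ip = ipaddress.ip_address(addr)        # raises ValueError for a bad address
    port_num = int(port)
    if not 0 < port_num <= 65535:
        raise ValueError(f"invalid port: {port!r}")
    return str(ip), port_num


def parse_multi(lines: list[str], item: str) -> list[str]:
    """Collect a multi-valued item written either as one YAML sequence
    ('item: [a, b]') or as repeated 'item: a' lines; order is preserved and
    a trailing '# comment' is ignored. Values in double quotes are unquoted."""
    values = []
    for line in lines:
        name, sep, rest = line.partition(":")
        if not sep or name.strip() != item:
            continue
        rest = rest.split("#", 1)[0].strip()
        if rest.startswith("[") and rest.endswith("]"):
            parts = rest[1:-1].split(",")
        else:
            parts = [rest]
        values += [p.strip().strip('"') for p in parts if p.strip()]
    return values
```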

Comments
A comment begins with a # character and is ignored during processing. Also each configuration section or sequence block allows a permanent comment using the comment item which is stored in the server beside the configuration.

Include
Another configuration file or files, matching a pattern, can be included at the top level in the current file. If the path is not absolute, then it is considered to be relative to the current file. The pattern can be an arbitrary string meeting POSIX glob requirements, e.g. dir/*.conf. Matching files are processed in sorted order.

    include: STR

Module section
Dynamic modules loading configuration.

NOTE:
If configured with non-empty `--with-moduledir=path` parameter, all shared modules in this directory will be automatically loaded.

    module:
      - id: STR
        file: STR

id
A module identifier in the form of the mod- prefix and module name suffix.

file
A path to a shared library file with the module implementation.

WARNING:
If the path is not absolute, the library is searched in the set of system directories. See man dlopen for more details.

Default: ${libdir}/knot/modules-${version}/module_name.so (or ${path}/module_name.so if configured with --with-moduledir=path)

Server section
General options related to the server.

    server:
        identity: [STR]
        version: [STR]
        nsid: [STR|HEXSTR]
        rundir: STR
        user: STR[:STR]
        pidfile: STR
        udp-workers: INT
        tcp-workers: INT
        background-workers: INT
        async-start: BOOL
        tcp-idle-timeout: TIME
        tcp-io-timeout: INT
        tcp-remote-io-timeout: INT
        tcp-max-clients: INT
        tcp-reuseport: BOOL
        tcp-fastopen: BOOL
        remote-pool-limit: INT
        remote-pool-timeout: TIME
        remote-retry-delay: TIME
        socket-affinity: BOOL
        udp-max-payload: SIZE
        udp-max-payload-ipv4: SIZE
        udp-max-payload-ipv6: SIZE
        edns-client-subnet: BOOL
        answer-rotation: BOOL
        automatic-acl: BOOL
        dbus-event: none | running | zone-updated | ksk-submission | dnssec-invalid ...
        listen: ADDR[@INT] ...

CAUTION:
When you change configuration parameters dynamically or via configuration file reload, some parameters in the Server section require restarting the Knot server so that the changes take effect. See below for the details.

identity
An identity of the server returned in the response to the query for TXT record id.server. or hostname.bind. in the CHAOS class (RFC 4892). Set to an empty value to disable.

Default: FQDN hostname

version
A version of the server software returned in the response to the query for TXT record version.server. or version.bind. in the CHAOS class (RFC 4892). Set to an empty value to disable.

Default: server version

nsid
A DNS name server identifier (RFC 5001). Set to an empty value to disable.

Default: FQDN hostname at the moment of the daemon start

rundir
A path for storing run-time data (PID file, unix sockets, etc.).

Depending on the usage of this parameter, its change may require restart of the Knot server to take effect.

Default: ${localstatedir}/run/knot (configured with --with-rundir=path)

user
A system user with an optional system group (user:group) under which the server is run after starting and binding to interfaces. Linux capabilities are employed if supported.

Change of this parameter requires restart of the Knot server to take effect.

Default: root:root

pidfile
A PID file location.

Change of this parameter requires restart of the Knot server to take effect.

Default: rundir/knot.pid

udp-workers
A number of UDP workers (threads) used to process incoming queries over UDP.

Change of this parameter requires restart of the Knot server to take effect.

Default: equal to the number of online CPUs

tcp-workers
A number of TCP workers (threads) used to process incoming queries over TCP.

Change of this parameter requires restart of the Knot server to take effect.

Default: equal to the number of online CPUs, default value is at least 10

background-workers
A number of workers (threads) used to execute background operations (zone loading, zone updates, etc.).

Change of this parameter requires restart of the Knot server to take effect.

Default: equal to the number of online CPUs, default value is at most 10

async-start
If enabled, the server doesn't wait for the zones to be loaded and starts responding immediately with SERVFAIL answers until the zone loads.

Default: off

tcp-idle-timeout
Maximum idle time (in seconds) between requests on an inbound TCP connection. It means if there is no activity on an inbound TCP connection during this limit, the connection is closed by the server.

Minimum: 1 s

Default: 10 s

tcp-io-timeout
Maximum time (in milliseconds) to receive or send one DNS message over an inbound TCP connection. It means this limit applies to normal DNS queries and replies, incoming DDNS, and outgoing zone transfers. The timeout is measured since some data is already available for processing. Set to 0 for infinity.

Default: 500 ms

CAUTION:
In order to reduce the risk of Slow Loris attacks, it's recommended to set this limit as low as possible on public servers.

tcp-remote-io-timeout
Maximum time (in milliseconds) to receive or send one DNS message over an outbound TCP connection which has already been established to a configured remote server. It means this limit applies to incoming zone transfers, sending NOTIFY, DDNS forwarding, and DS check or push. This timeout includes the time needed for a network round-trip and for a query processing by the remote. Set to 0 for infinity.

Default: 5000 ms

tcp-reuseport
If enabled, each TCP worker listens on its own socket and the OS kernel socket load balancing is employed using SO_REUSEPORT (or SO_REUSEPORT_LB on FreeBSD). Due to the lack of one shared socket, the server can offer higher response rate processing over TCP. However, in the case of time-consuming requests (e.g. zone transfers of a TLD zone), enabled reuseport may result in client requests being delayed or left unanswered. So it is advisable to use this option on secondary servers.

Change of this parameter requires restart of the Knot server to take effect.

Default: off

tcp-fastopen
If enabled, use TCP Fast Open for outbound TCP communication (client side): incoming zone transfers, sending NOTIFY, and DDNS forwarding. This mode simplifies TCP handshake and can result in better networking performance. TCP Fast Open for inbound TCP communication (server side) isn't affected by this configuration as it's enabled automatically if supported by OS.

NOTE:
The TCP Fast Open support must also be enabled on the OS level:

• Linux/macOS: ensure kernel parameter net.ipv4.tcp_fastopen is 2 or 3 for server side, and 1 or 3 for client side.

• FreeBSD: ensure kernel parameter net.inet.tcp.fastopen.server_enable is 1 for server side, and net.inet.tcp.fastopen.client_enable is 1 for client side.

Default: off

remote-pool-limit
If nonzero, the server will keep up to this number of outgoing TCP connections open for later use. This is an optimization to avoid frequent opening of TCP connections to the same remote.

Change of this parameter requires restart of the Knot server to take effect.

Default: 0

remote-pool-timeout
The timeout in seconds after which the unused kept-open outgoing TCP connections to remote servers are closed.

Default: 5

remote-retry-delay
When a connection attempt times out to some remote address, this information will be kept for this specified time (in milliseconds) and other connections to the same address won't be attempted. This prevents repetitive waiting for timeout on an unreachable remote.

Default: 0

socket-affinity
If enabled and if SO_REUSEPORT is available on Linux, all configured network sockets are bound to UDP and TCP workers in order to increase the networking performance. This mode isn't recommended for setups where the number of network card queues is lower than the number of UDP or TCP workers.

Change of this parameter requires restart of the Knot server to take effect.

Default: off

tcp-max-clients
A maximum number of TCP clients connected in parallel. Set this below the file descriptor limit to avoid resource exhaustion.

NOTE:
It is advisable to adjust the maximum number of open files per process in your operating system configuration.

Default: one half of the file descriptor limit for the server process

udp-max-payload
Maximum EDNS0 UDP payload size default for both IPv4 and IPv6.

Default: 1232

udp-max-payload-ipv4
Maximum EDNS0 UDP payload size for IPv4.

Default: 1232

udp-max-payload-ipv6
Maximum EDNS0 UDP payload size for IPv6.

Default: 1232

edns-client-subnet
Enable or disable EDNS Client Subnet support. If enabled, responses to queries containing the EDNS Client Subnet option always contain a valid EDNS Client Subnet option according to RFC 7871.

Default: off

answer-rotation
Enable or disable sorted-rrset rotation in the answer section of normal replies. The rotation shift is simply determined by a query ID.

Default: off

automatic-acl
If enabled, automatic ACL setting of configured remotes is considered when evaluating authorized operations.

Default: off

dbus-event
Specification of server or zone states which emit a D-Bus signal on the system bus. The bus name is cz.nic.knotd, the object path is /cz/nic/knotd, and the interface name is cz.nic.knotd.events.

Possible values:

• none – No signal is emitted.

• running – The signal started is emitted when the server is fully operational and the signal stopped is emitted at the beginning of the server shutdown.

• zone-updated – The signal zone_updated is emitted when a zone has been updated; the signal parameters are zone name and zone SOA serial.

• ksk-submission – The signal zone_ksk_submission is emitted if there is a ready KSK present when the zone is signed; the signal parameters are zone name, KSK keytag, and KSK KASP id.

• dnssec-invalid – The signal zone_dnssec_invalid is emitted when DNSSEC validation fails; the signal parameter is zone name.

NOTE:
This function requires systemd version at least 221.

Default: none

listen
One or more IP addresses where the server listens for incoming queries. Optional port specification (default is 53) can be appended to each address using @ separator. Use 0.0.0.0 for all configured IPv4 addresses or :: for all configured IPv6 addresses. Filesystem path can be specified for listening on local unix SOCK_STREAM socket. Non-local address binding is automatically enabled if supported by the operating system.

Change of this parameter requires restart of the Knot server to take effect.

Default: not set

XDP section
Various options related to XDP listening, especially TCP.

    xdp:
        listen: STR[@INT] | ADDR[@INT] ...
        tcp: BOOL
        tcp-max-clients: INT
        tcp-inbuf-max-size: SIZE
        tcp-idle-close-timeout: TIME
        tcp-idle-reset-timeout: TIME
        route-check: BOOL

CAUTION:
When you change configuration parameters dynamically or via configuration file reload, some parameters in the XDP section require restarting the Knot server so that the changes take effect.

listen
One or more network device names (e.g. ens786f0) on which the Mode XDP is enabled. Alternatively, an IP address can be used instead of a device name, but the server will still listen on all addresses belonging to the same interface! Optional port specification (default is 53) can be appended to each device name or address using @ separator.

Change of this parameter requires restart of the Knot server to take effect.

CAUTION:
If XDP workers only process regular DNS traffic over UDP, it is strongly recommended to also listen on the addresses which are intended to offer the DNS service, at least to fulfil the DNS requirement for working TCP.

Default: not set

tcp
If enabled, DNS over TCP traffic is also processed with XDP workers.

The TCP stack features:

• Basic connection handling, sending/receiving data

• Close inactive connections

• Reset inactive connections which aren't able to close

• Reset invalid connections

• Ignore invalid resets and ACKs

• Receive fragmented data – one DNS message in multiple packets

• Limit total size of incoming buffers, reset most inactive connections with buffered data

• Send fragmented data – DNS message larger than allowed by MSS

• Send MSS option calculated from configured MSS and device MTU

• Receive and honor MSS option, limit the size of outgoing packet

• Send window size option (set to infinity)

Missing features:

• Receive and honor window size option, send only such amount of data at once, cache outgoing data

• Allow multi-message DNS responses (depends on above)

• Resend lost outgoing packets (not ACKed in time), including data

Change of this parameter requires restart of the Knot server to take effect.

WARNING:
This feature is experimental and it may eat your hamster as well as any other hamsters connected to the network.

Default: off

tcp-max-clients
A maximum number of TCP clients connected in parallel.

Default: 1000000 (one million)

tcp-inbuf-max-size
Maximum cumulative size of memory used for buffers of incompletely received messages.

Minimum: 1 MiB

Default: 100 MiB

tcp-idle-close-timeout
Time in seconds, after which any idle connection is gracefully closed.

Minimum: 1 s

Default: 10 s

tcp-idle-reset-timeout
Time in seconds, after which any idle connection is forcibly closed.

Minimum: 1 s

Default: 20 s

route-check
If enabled, routing information from the operating system is considered when processing every incoming DNS packet received over the XDP interface:

• If the outgoing interface of the corresponding DNS response differs from the incoming one, the packet is processed normally by UDP/TCP workers (XDP isn't used).

• If the destination address is blackholed, unreachable, or prohibited, the DNS packet is dropped without any response.

• The destination MAC address for the response is taken from the routing system.

If disabled, symmetrical routing is applied. It means that the query source MAC address is used as a response destination MAC address.

Change of this parameter requires restart of the Knot server to take effect.

NOTE:
This mode requires forwarding enabled on the loopback interface (sysctl -w net.ipv4.conf.lo.forwarding=1 and sysctl -w net.ipv6.conf.lo.forwarding=1). If forwarding is disabled, all incoming DNS packets are dropped!

Default: off

Control section
Configuration of the server control interface.

    control:
        listen: STR
        timeout: TIME

listen
A UNIX socket path where the server listens for control commands.

Default: rundir/knot.sock

timeout
Maximum time (in seconds) the control socket operations can take. Set to 0 for infinity.

Default: 5

Logging section
Server can be configured to log to the standard output, standard error output, syslog (or systemd journal if systemd is enabled) or into an arbitrary file.

There are 6 logging severity levels:

• critical – Non-recoverable error resulting in server shutdown.

• error – Recoverable error, action should be taken.

• warning – Warning that might require user action.

• notice – Server notice or hint.

• info – Informational message.

• debug – Debug or detailed message.

In the case of a missing log section, warning or more serious messages will be logged to both standard error output and syslog. The info and notice messages will be logged to standard output.

    log:
      - target: stdout | stderr | syslog | STR
        server: critical | error | warning | notice | info | debug
        control: critical | error | warning | notice | info | debug
        zone: critical | error | warning | notice | info | debug
        any: critical | error | warning | notice | info | debug

target
A logging output.

Possible values:

• stdout – Standard output.

• stderr – Standard error output.

• syslog – Syslog or systemd journal.

• file_name – A specific file.

With syslog target, syslog service is used. However, if Knot DNS has been compiled with systemd support and operating system has been booted with systemd, systemd journal is used for logging instead of syslog.

server
Minimum severity level for messages related to general operation of the server to be logged.

Default: not set

control
Minimum severity level for messages related to server control to be logged.

Default: not set

zone
Minimum severity level for messages related to zones to be logged.

Default: not set

any
Minimum severity level for all message types to be logged.

Default: not set

Statistics section
Periodic server statistics dumping.

    statistics:
        timer: TIME
        file: STR
        append: BOOL

timer
A period after which all available statistics metrics will be written to the file.

Default: not set

file
A file path of statistics output in the YAML format.

Default: rundir/stats.yaml

append
If enabled, the output will be appended to the file instead of file replacement.

Default: off

Database section
Configuration of databases for zone contents, DNSSEC metadata, or event timers.

    database:
        storage: STR
        journal-db: STR
        journal-db-mode: robust | asynchronous
        journal-db-max-size: SIZE
        kasp-db: STR
        kasp-db-max-size: SIZE
        timer-db: STR
        timer-db-max-size: SIZE
        catalog-db: STR
        catalog-db-max-size: SIZE

storage
A data directory for storing journal, KASP, and timer databases.

Default: ${localstatedir}/lib/knot (configured with --with-storage=path)

journal-db
An explicit specification of the persistent journal database directory. Non-absolute path (i.e. not starting with /) is relative to storage.

Default: storage/journal

journal-db-mode
Specifies journal LMDB backend configuration, which influences performance and durability.

Possible values:

• robust – The journal database disk synchronization ensures database durability but is generally slower.

• asynchronous – The journal database disk synchronization is optimized for better performance at the expense of lower database durability in the case of a crash. This mode is recommended on secondary servers with many zones.

Default: robust

journal-db-max-size
The hard limit for the journal database maximum size. There is no cleanup logic in journal to recover from reaching this limit. Journal simply starts refusing changes across all zones. Decreasing this value has no effect if it is lower than the actual database file size.

It is recommended to limit journal-max-usage per-zone instead of journal-db-max-size in most cases. Please keep this value larger than the sum of all zones' journal usage limits. See more details regarding journal behaviour.

NOTE:
This value also influences server's usage of virtual memory.

Default: 20 GiB (512 MiB for 32-bit)

kasp-db
An explicit specification of the KASP database directory. Non-absolute path (i.e. not starting with /) is relative to storage.

Default: storage/keys

kasp-db-max-size
The hard limit for the KASP database maximum size.

NOTE:
This value also influences server's usage of virtual memory.

Default: 500 MiB

timer-db
An explicit specification of the persistent timer database directory. Non-absolute path (i.e. not starting with /) is relative to storage.

Default: storage/timers

timer-db-max-size
The hard limit for the timer database maximum size.

NOTE:
This value also influences server's usage of virtual memory.

Default: 100 MiB

catalog-db
An explicit specification of the zone catalog database directory. Only useful if catalog-zones are enabled. Non-absolute path (i.e. not starting with /) is relative to storage.

Default: storage/catalog

catalog-db-max-size
The hard limit for the catalog database maximum size.

NOTE:
This value also influences server's usage of virtual memory.

Default: 20 GiB (512 MiB for 32-bit)

Keystore section
DNSSEC keystore configuration.

    keystore:
      - id: STR
        backend: pem | pkcs11
        config: STR

id
A keystore identifier.

backend
A key storage backend type.

Possible values:

• pem – PEM files.

• pkcs11 – PKCS #11 storage.

Default: pem

config
A backend specific configuration. A directory with PEM files (the path can be specified as a relative path to kasp-db) or a configuration string for PKCS #11 storage (<pkcs11-url> <module-path>).

NOTE:
Example configuration string for PKCS #11:

    "pkcs11:token=knot;pin-value=1234 /usr/lib64/pkcs11/libsofthsm2.so"

Default: kasp-db/keys

Key section
Shared TSIG keys used to authenticate communication with the server.

    key:
      - id: DNAME
        algorithm: hmac-md5 | hmac-sha1 | hmac-sha224 | hmac-sha256 | hmac-sha384 | hmac-sha512
        secret: BASE64

id
A key name identifier.

NOTE:
This value MUST be exactly the same as the name of the TSIG key on the opposite primary/secondary server(s).

algorithm
A TSIG key algorithm. See TSIG Algorithm Numbers.

Possible values:

• hmac-md5

• hmac-sha1

• hmac-sha224

• hmac-sha256

• hmac-sha384

• hmac-sha512

Default: not set

secret
Shared key secret.

Default: not set

Remote section
Definitions of remote servers for outgoing connections (source of a zone transfer, target for a notification, etc.).

    remote:
      - id: STR
        address: ADDR[@INT] ...
        via: ADDR[@INT] ...
        key: key_id
        block-notify-after-transfer: BOOL
        no-edns: BOOL
        automatic-acl: BOOL

id
A remote identifier.

address
An ordered list of destination IP addresses which are used for communication with the remote server. The addresses are tried in sequence until the remote is reached. Optional destination port (default is 53) can be appended to the address using @ separator.

Default: not set

NOTE:
If the remote is contacted and it refuses to perform requested action, no more addresses will be tried for this remote.

via
An ordered list of source IP addresses. The first address with the same family as the destination address is used as a source address for communication with the remote. This option can help if the server listens on more addresses. Optional source port (default is random) can be appended to the address using @ separator.

Default: not set

key
A reference to the TSIG key which is used to authenticate the communication with the remote server.

Default: not set

block-notify-after-transfer
When incoming AXFR/IXFR from this remote (as a primary server), suppress sending NOTIFY messages to all configured secondary servers.

Default: off

no-edns
If enabled, no OPT record (EDNS) is inserted to outgoing requests to this remote server. This mode is necessary for communication with some broken implementations (e.g. Windows Server 2016).

Default: off

automatic-acl
If enabled, some authorized operations for the remote are automatically allowed based on the context:

• Incoming NOTIFY is allowed from the remote if it's configured as a primary server for the zone.

• Outgoing zone transfer is allowed to the remote if it's configured as a NOTIFY target for the zone.

Automatic ACL rules are evaluated before explicit zone ACL configuration.

NOTE:
This functionality requires global activation via automatic-acl in the server section.

Default: on

ACL section
Access control list rule definitions. An ACL rule is a description of one or more authorized operations (zone transfer request, zone change notification, and dynamic DNS update) which are allowed to be processed or denied.

    acl:
      - id: STR
        address: ADDR[/INT] | ADDR-ADDR ...
        key: key_id ...
        remote: remote_id ...
        action: notify | transfer | update ...
        deny: BOOL
        update-type: STR ...
        update-owner: key | zone | name
        update-owner-match: sub-or-equal | equal | sub
        update-owner-name: STR ...

id
An ACL rule identifier.

address
An ordered list of IP addresses, network subnets, or network ranges. The query's source address must match one of them. Empty value means that address match is not required.

Default: not set

key
An ordered list of references to TSIG keys. The query must match one of them. Empty value means that transaction authentication is not used.

Default: not set

remote
An ordered list of references to remotes. The query must match one of the remotes. Specifically, one of the remote's addresses and remote's TSIG key if configured must match.

NOTE:
This option cannot be specified along with the address or key option at one ACL item.

Default: not set

action
An ordered list of allowed (or denied) actions.

Possible values:

• notify – Allow incoming notify (NOTIFY).

• transfer – Allow zone transfer (AXFR, IXFR).

• update – Allow zone updates (DDNS).

Default: not set

deny
If enabled, instead of allowing, deny the specified action, address, key, or combination of these items. If no action is specified, deny all actions.

Default: off

update-type
A list of allowed types of Resource Records in a zone update. Every record in an update must match one of the specified types.

Default: not set

update-owner
This option restricts possible owners of Resource Records in a zone update by comparing them to either the TSIG key identity, the current zone name, or to a list of domain names given by the update-owner-name option. The comparison method is given by the update-owner-match option.

Possible values:

• key – The owner of each updated RR must match the identity of the TSIG key if used.

• name – The owner of each updated RR must match at least one name in the update-owner-name list.

• zone – The owner of each updated RR must match the current zone name.

Default: not set

update-owner-match
This option defines how the owners of Resource Records in an update are matched to the domain name(s) set by the update-owner option.

Possible values:

• sub-or-equal – The owner of each Resource Record in an update must either be equal to or be a subdomain of at least one domain set by update-owner.

• equal – The owner of each updated RR must be equal to at least one domain set by update-owner.

• sub – The owner of each updated RR must be a subdomain of, but MUST NOT be equal to at least one domain set by update-owner.

Default: sub-or-equal

update-owner-name
A list of allowed owners of RRs in a zone update used with update-owner set to name. Every listed owner name which is not FQDN (i.e. it doesn't end in a dot) is considered as if it was appended with the target zone name. Such a relative owner name specification allows better ACL rule reusability across multiple zones.

Default: not set
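To make the rule semantics above concrete, here is an added Python model (written for this page, not Knot's own ACL code) that evaluates a constructed acl list against sample queries: address, subnet and range matching, TSIG key and action matching, deny, and the update-type, update-owner, update-owner-match and update-owner-name constraints including relative owner names. Where the page is silent, the model assumes that rules are tried in order and the first rule whose address, key and action all match decides, that a rule without key matches signed and unsigned queries alike, and that an allow rule without action matches nothing.

```python
"""Model of knot.conf ACL evaluation as described in the ACL section. Added
example for this page, not Knot's implementation: rule order, rules without
key and allow rules without action are handled as stated in the lead-in."""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class AclRule:
    id: str
    address: list = field(default_factory=list)   # ADDR, ADDR/INT or ADDR-ADDR
    key: list = field(default_factory=list)       # TSIG key ids (DNAMEs)
    action: list = field(default_factory=list)    # notify | transfer | update
    deny: bool = False
    update_type: list = field(default_factory=list)
    update_owner: str = ""                        # key | zone | name, or unset
    update_owner_match: str = "sub-or-equal"
    update_owner_name: list = field(default_factory=list)

@dataclass
class Query:
    source: str                                   # source IP address
    action: str                                   # notify | transfer | update
    zone: str                                     # target zone name
    key: str = ""                                 # TSIG key name, "" if unsigned
    updates: list = field(default_factory=list)   # [(owner, rtype), ...] for DDNS

def addr_matches(spec: str, source: str) -> bool:
    """One address entry: plain address, ADDR/INT subnet or ADDR-ADDR range."""
    src = ipaddress.ip_address(source)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo.version == src.version and lo <= src <= hi
    net = ipaddress.ip_network(spec, strict=False)
    return net.version == src.version and src in net

def canonical(name: str) -> str:
    """Lower-case FQDN form with a trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def fqdn(name: str, zone: str) -> str:
    """update-owner-name: a name without a trailing dot gets the zone appended."""
    return canonical(name if name.endswith(".") else f"{name}.{zone}")

def owner_matches(owner: str, allowed: str, match: str) -> bool:
    """update-owner-match: sub-or-equal | equal | sub (sub excludes equality)."""
    owner, allowed = canonical(owner), canonical(allowed)
    equal = owner == allowed
    sub = owner.endswith("." + allowed)
    return {"sub-or-equal": equal or sub, "equal": equal, "sub": sub}[match]

def update_allowed(rule: AclRule, query: Query) -> bool:
    """update-type and update-owner constraints checked for every RR."""
    if rule.update_owner == "key":
        allowed = [canonical(query.key)] if query.key else []
    elif rule.update_owner == "zone":
        allowed = [canonical(query.zone)]
    elif rule.update_owner == "name":
        allowed = [fqdn(n, query.zone) for n in rule.update_owner_name]
    else:
        allowed = None                            # no owner restriction
    for owner, rtype in query.updates:
        if rule.update_type and rtype not in rule.update_type:
            return False
        if allowed is not None and not any(
                owner_matches(owner, a, rule.update_owner_match) for a in allowed):
            return False
    return True

def acl_allowed(rules: list, query: Query):
    """(allowed, rule id) from the first rule whose address, key and action
    match; a deny rule without action denies everything (assumed order)."""
    for rule in rules:
        if rule.address and not any(addr_matches(a, query.source) for a in rule.address):
            continue
        if rule.key and query.key not in rule.key:
            continue
        if rule.action and query.action not in rule.action:
            continue
        if not rule.action and not rule.deny:
            continue                              # allow rule with no action: inert
        if rule.deny:
            return False, rule.id
        if query.action == "update" and not update_allowed(rule, query):
            return False, rule.id
        return True, rule.id
    return False, None                            # no rule matched: not authorized

# Constructed sample, equivalent to a knot.conf acl list with three rules:
# deny_rogue (address: 192.0.2.0/24, deny: on), xfr_secondary (address:
# [198.51.100.10, 2001:db8:1::/64], key: xfr-key., action: transfer) and
# ddns_hosts (key: ddns-key.example.com., action: update, update-type: [A, AAAA],
# update-owner: name, update-owner-name: [dyn, static.example.com.]).
SAMPLE_ACL = [
    AclRule("deny_rogue", address=["192.0.2.0/24"], deny=True),
    AclRule("xfr_secondary", address=["198.51.100.10", "2001:db8:1::/64"],
            key=["xfr-key."], action=["transfer"]),
    AclRule("ddns_hosts", key=["ddns-key.example.com."], action=["update"],
            update_type=["A", "AAAA"], update_owner="name",
            update_owner_name=["dyn", "static.example.com."]),
]
```

Note that an unsigned transfer request from the secondary's address is refused by this list, because the only transfer rule requires the key; that is the check a defender wants when exposing AXFR.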
1028
1030 Parameters of KSK submission checks.
1031
1032 submission:
1033 - id: STR
1034 parent: remote_id ...
1035 check-interval: TIME
1036 timeout: TIME
1037 parent-delay: TIME
1038
1039 id
1040 A submission identifier.
1041
1042 parent
1043 A list of references to parent's DNS servers to be checked for presence
1044 of corresponding DS records in the case of KSK submission. All of them
1045 must have a corresponding DS for the rollover to continue. If none is
1046 specified, the rollover must be pushed forward manually.
1047
1048 Default: not set
1049
1050 TIP:
1051 A DNSSEC-validating resolver can be set as a parent.
1052
1053 check-interval
1054 Interval for periodic checks of DS presence on parent's DNS servers, in
1055 the case of the KSK submission.
1056
1057 Default: 1 hour
1058
1059 timeout
1060 After this time period (in seconds) the KSK submission is automatically
1061 considered successful, even if all the checks were negative or no par‐
1062 ents are configured. Set to 0 for infinity.
1063
1064 Default: 0
1065
1066 parent-delay
1067 After a successful parent DS check, wait for this period before
1068 continuing with the next key rollover step. This delay should cover the
1069 propagation delay of the update in the parent zone.
1070
1071 Default: 0
1072
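The submission check described in this section, as an added Python example that is not Knot DNS code: it derives the DS record a parent must publish for a KSK (RFC 4034 key tag and digest over the owner name and DNSKEY RDATA) and applies the rules above, namely that every configured parent must serve the DS, that no parent means a manual step, and that a non-zero timeout accepts the submission regardless of the checks. The key bytes, remote ids and state names are constructed for the example.

```python
import hashlib

# Added example, not Knot DNS code: DS derivation for a KSK plus the
# submission-section decision rules. The key material below is constructed.


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an absolute domain name."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol 3 (1 byte), algorithm (1 byte), key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag, computed over the DNSKEY RDATA."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """DS fields (key tag, algorithm, digest type, hex digest) for a DNSKEY.
    Digest type 2 is SHA-256 and 4 is SHA-384, matching cds-digest-type."""
    hasher = {2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def submission_state(expected_ds: tuple, parents: dict, elapsed: int, timeout: int) -> str:
    """parents maps a parent remote id to the set of DS tuples it currently
    serves; elapsed is the number of seconds since the submission started."""
    if timeout and elapsed >= timeout:       # timeout 0 means wait forever
        return "accepted-by-timeout"
    if not parents:                          # no parent configured
        return "manual-step-required"
    if all(expected_ds in ds_set for ds_set in parents.values()):
        return "accepted"                    # every parent serves the DS
    return "pending"                         # re-check after check-interval


if __name__ == "__main__":
    # Constructed key: KSK flags 257, algorithm 13 (ecdsap256sha256), dummy key bytes.
    rdata = dnskey_rdata(257, 13, b"\x01\x02\x03\x04")
    ds = ds_record("example.com.", rdata)
    print(ds, submission_state(ds, {"parent1": {ds}, "parent2": set()}, 0, 0))
```

A timeout of 0 (the default) keeps a rollover blocked until every parent serves the DS; a non-zero timeout trades that safety for progress, which is why the validating-resolver tip above is the safer way to get an automatic positive check.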
1073 POLICY SECTION
1074 DNSSEC policy configuration.
1075
1076 policy:
1077 - id: STR
1078 keystore: keystore_id
1079 manual: BOOL
1080 single-type-signing: BOOL
1081 algorithm: rsasha1 | rsasha1-nsec3-sha1 | rsasha256 | rsasha512 | ecdsap256sha256 | ecdsap384sha384 | ed25519 | ed448
1082 ksk-size: SIZE
1083 zsk-size: SIZE
1084 ksk-shared: BOOL
1085 dnskey-ttl: TIME
1086 zone-max-ttl: TIME
1087 ksk-lifetime: TIME
1088 zsk-lifetime: TIME
1089 delete-delay: TIME
1090 propagation-delay: TIME
1091 rrsig-lifetime: TIME
1092 rrsig-refresh: TIME
1093 rrsig-pre-refresh: TIME
1094 reproducible-signing: BOOL
1095 nsec3: BOOL
1096 nsec3-iterations: INT
1097 nsec3-opt-out: BOOL
1098 nsec3-salt-length: INT
1099 nsec3-salt-lifetime: TIME
1100 signing-threads: INT
1101 ksk-submission: submission_id
1102 ds-push: remote_id
1103 cds-cdnskey-publish: none | delete-dnssec | rollover | always | double-ds
1104 cds-digest-type: sha256 | sha384
1105 offline-ksk: BOOL
1106 unsafe-operation: none | no-check-keyset | no-update-dnskey | no-update-nsec | no-update-expired ...
1107
1108 id
1109 A policy identifier.
1110
1111 keystore
1112 A reference to a keystore holding private key material for zones.
1113
1114 Default: an imaginary keystore with all default values
1115
1116 NOTE:
1117 A configured keystore called "default" won't be used unless
1118 explicitly referenced.
1119
1120 manual
1121 If enabled, automatic key management is not used.
1122
1123 Default: off
1124
1125 single-type-signing
1126 If enabled, Single-Type Signing Scheme is used in the automatic key
1127 management mode.
1128
1129 Default: off (module onlinesign has default on)
1130
1131 algorithm
1132 The algorithm of the signing keys and the issued signatures. See DNSSEC
1133 Algorithm Numbers.
1134
1135 Possible values:
1136
1137 • rsasha1
1138
1139 • rsasha1-nsec3-sha1
1140
1141 • rsasha256
1142
1143 • rsasha512
1144
1145 • ecdsap256sha256
1146
1147 • ecdsap384sha384
1148
1149 • ed25519
1150
1151 • ed448
1152
1153 NOTE:
1154 Ed25519 algorithm is only available if compiled with GnuTLS 3.6.0+.
1155
1156 Ed448 algorithm is only available if compiled with GnuTLS 3.6.12+
1157 and Nettle 3.6+.
1158
1159 Default: ecdsap256sha256
1160
1161 ksk-size
1162 A length of newly generated KSK or CSK keys.
1163
1164 Default: 2048 (rsa*), 256 (ecdsap256), 384 (ecdsap384), 256 (ed25519),
1165 456 (ed448)
1166
1167 zsk-size
1168 A length of newly generated ZSK keys.
1169
1170 Default: see default for ksk-size
1171
1172 ksk-shared
1173 If enabled, all zones with this policy assigned will share one or more
1174 KSKs. More KSKs can be shared during a KSK rollover.
1175
1176 WARNING:
1177 As the shared KSK set is bound to the policy id, renaming the policy
1178 breaks this connection and a new shared KSK set is initiated when a
1179 new KSK is needed.
1180
1181 Default: off
1182
1183 dnskey-ttl
1184 A TTL value for DNSKEY records added into zone apex.
1185
1186 NOTE:
1187 Has influence over ZSK key lifetime.
1188
1189 WARNING:
1190 Ensure all DNSKEYs with the updated TTL are propagated before any
1191 subsequent DNSKEY rollover starts.
1192
1193 Default: zone SOA TTL
1194
1195 zone-max-ttl
1196 Declares (overrides) the maximal TTL value among all records in the zone.
1197
1198 NOTE:
1199 It is generally recommended to override the maximal TTL computation by
1200 setting this explicitly whenever possible. It is required for the DNSSEC
1201 Offline KSK feature and strongly advisable when records are generated
1202 dynamically (e.g. by a module).
1203
1204 Default: computed after zone is loaded
1205
1206 ksk-lifetime
1207 A period between KSK activation and the next rollover initiation.
1208
1209 NOTE:
1210 KSK key lifetime is also influenced by propagation-delay,
1211 dnskey-ttl, and KSK submission delay.
1212
1213 Zero (aka infinity) value causes no KSK rollover as a result.
1214
1215 This applies for CSK lifetime if single-type-signing is enabled.
1216
1217 Default: 0
1218
1219 zsk-lifetime
1220 A period between ZSK activation and the next rollover initiation.
1221
1222 NOTE:
1223 More exactly, this period is measured from the activation of a ZSK;
1224 once it elapses, a new ZSK is generated to replace it in the following
1225 rollover.
1226
1227 ZSK key lifetime is also influenced by propagation-delay and
1228 dnskey-ttl.
1229
1230 Zero (aka infinity) value causes no ZSK rollover as a result.
1231
1232 Default: 30 days
1233
1234 delete-delay
1235 Once a key (KSK or ZSK) has been rolled over and removed from the zone,
1236 keep it in the KASP database for at least this period before deleting
1237 it completely. This can be useful in troubleshooting cases where the
1238 key needs to be resurrected.
1239
1240 Default: 0
1241
1242 propagation-delay
1243 An extra delay added for each key rollover step. This value should be
1244 high enough to cover propagation of data from the primary server to all
1245 secondary servers.
1246
1247 NOTE:
1248 Has influence over ZSK key lifetime.
1249
1250 Default: 1 hour
1251
1252 rrsig-lifetime
1253 A validity period of newly issued signatures.
1254
1255 NOTE:
1256 The RRSIG's signature inception time is set to 90 minutes in the
1257 past. This time period is not counted to the signature lifetime.
1258
1259 Default: 14 days
1260
1261 rrsig-refresh
1262 The minimum period before a signature's expiration at which the
1263 signature is refreshed, in order to prevent expired RRSIGs on secondary
1264 servers or in resolvers' caches.
1265
1266 Default: 7 days
1267
1268 rrsig-pre-refresh
1269 The maximum period before a signature's refresh time at which it may
1270 already be refreshed, so that RRSIGs of a frequently updated zone are
1271 refreshed in bigger batches (avoiding too frequent re-sign events).
1272
1273 Default: 1 hour
1274
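The signature timeline that rrsig-lifetime, rrsig-refresh and rrsig-pre-refresh define, as an added Python example that is not Knot DNS code. It uses the defaults documented above, plain UNIX timestamps in seconds, and the 90-minute backdated inception stated in the rrsig-lifetime note; the state names and the policy sanity checks at the end are this example's own.

```python
# Added example, not Knot DNS code: where a signature stands over its life
# under the rrsig-* policy items, and which signatures a re-sign event renews.

HOUR = 3600
DAY = 24 * HOUR
INCEPTION_SKEW = 90 * 60          # inception is set this far in the past

RRSIG_LIFETIME = 14 * DAY         # rrsig-lifetime default
RRSIG_REFRESH = 7 * DAY           # rrsig-refresh default
RRSIG_PRE_REFRESH = 1 * HOUR      # rrsig-pre-refresh default


def rrsig_validity(signed_at, lifetime=RRSIG_LIFETIME):
    """(inception, expiration) of a signature issued at signed_at. The skew
    is not counted into the lifetime, so the signature validates for
    lifetime + 90 minutes in total."""
    return signed_at - INCEPTION_SKEW, signed_at + lifetime


def rrsig_state(expiration, now, refresh=RRSIG_REFRESH, pre_refresh=RRSIG_PRE_REFRESH):
    """State of one signature at time `now`:
    expired          - past expiration, the failure rrsig-refresh exists to prevent
    refresh-due      - less than `refresh` remains, the signer must re-sign
    refresh-eligible - within `pre_refresh` of the refresh time; a re-sign event
                       triggered for other RRSets takes this signature along
    valid            - nothing to do"""
    refresh_at = expiration - refresh
    if now >= expiration:
        return "expired"
    if now >= refresh_at:
        return "refresh-due"
    if now >= refresh_at - pre_refresh:
        return "refresh-eligible"
    return "valid"


def resign_batch(expirations, now, refresh=RRSIG_REFRESH, pre_refresh=RRSIG_PRE_REFRESH):
    """Signatures a re-sign event at `now` renews: those due plus those
    already inside the pre-refresh window (the batching the item describes)."""
    return [e for e in expirations if rrsig_state(e, now, refresh, pre_refresh) != "valid"]


def policy_issues(lifetime, refresh, pre_refresh):
    """Sanity checks a policy should pass before it is deployed."""
    issues = []
    if refresh >= lifetime:
        issues.append("rrsig-refresh is not shorter than rrsig-lifetime: "
                      "every new signature is immediately due for refresh")
    if refresh + pre_refresh >= lifetime:
        issues.append("rrsig-refresh + rrsig-pre-refresh is not shorter than "
                      "rrsig-lifetime: every new signature is immediately eligible")
    return issues
```

With the defaults, a signature issued at T is refreshed at T + 7 days, may be refreshed from T + 7 days - 1 hour on if some other RRSet triggers re-signing, and would only expire at T + 14 days, leaving a full week for the refreshed zone to reach secondaries and caches.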
1275 reproducible-signing
1276 For ECDSA algorithms, generate RRSIG signatures deterministically (RFC
1277 6979). Besides better theoretical cryptographic security, this mode
1278 allows a significant speed-up when loading zones signed by the same
1279 method. However, zone signing itself is a bit slower.
1280
1281 Default: off
1282
1283 nsec3
1284 Specifies if NSEC3 will be used instead of NSEC.
1285
1286 Default: off
1287
1288 nsec3-iterations
1289 A number of additional times the hashing is performed.
1290
1291 Default: 10
1292
1293 nsec3-opt-out
1294 If set, NSEC3 records won't be created for insecure delegations. This
1295 speeds up the zone signing and reduces overall zone size.
1296
1297 WARNING:
1298 NSEC3 with the Opt-Out bit set no longer works as a proof of
1299 non-existence in this zone.
1300
1301 Default: off
1302
1303 nsec3-salt-length
1304 A length of a salt field in octets, which is appended to the original
1305 owner name before hashing.
1306
1307 Default: 8
1308
1309 nsec3-salt-lifetime
1310 The validity period of a newly issued salt field.
1311
1312 Zero value means infinity.
1313
1314 Default: 30 days
1315
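The NSEC3 owner-name hash that the nsec3, nsec3-iterations and nsec3-salt-length items parametrize, as an added Python example that is not Knot DNS code. It implements the RFC 5155 hash (SHA-1 over the wire-format name and salt, then the configured number of extra rounds) with base32hex output, and counts the hashing each setting costs; the `hash_cost` helper is this example's own. The expected value in the test is the apex hash from the RFC 5155 Appendix A example zone (salt aabbccdd, 12 iterations).

```python
import hashlib

# Added example, not Knot DNS code: RFC 5155 NSEC3 hashing and its cost.

_BASE32HEX = "0123456789abcdefghijklmnopqrstuv"


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an absolute domain name."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def base32hex(data: bytes) -> str:
    """Base32 with the RFC 4648 'extended hex' alphabet, lowercase, unpadded."""
    nbits = len(data) * 8
    nchars = (nbits + 4) // 5
    value = int.from_bytes(data, "big") << (nchars * 5 - nbits)
    return "".join(_BASE32HEX[(value >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: H0 = SHA-1(wire_name || salt), then `iterations`
    further rounds of SHA-1(previous || salt). The salt is nsec3-salt-length
    octets long and is re-generated every nsec3-salt-lifetime."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def hash_cost(names: int, iterations: int) -> int:
    """SHA-1 invocations needed to hash `names` owner names, i.e. the work
    the signer does per salt change and a validator does per NSEC3 proof."""
    return names * (iterations + 1)
```

Every extra iteration multiplies the work for both the signer and every validating resolver, without making the chain proportionally harder to walk; RFC 9276 therefore recommends 0 iterations and an empty salt, and a long nsec3-salt-lifetime with adjust-threads keeps the periodic re-salt cheap.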
1316 signing-threads
1317 When signing zone or update, use this number of threads for parallel
1318 signing.
1319
1320 Those are extra threads independent of Background workers.
1321
1322 NOTE:
1323 Some steps of the DNSSEC signing operation are not parallelized.
1324
1325 Default: 1 (no extra threads)
1326
1327 ksk-submission
1328 A reference to submission section holding parameters of KSK submission
1329 checks.
1330
1331 Default: not set
1332
1333 ds-push
1334 An optional reference to an authoritative DNS server of the parent
1335 zone. The remote server must be configured to accept DS record updates
1336 via DDNS. Whenever a CDS record in the local zone changes, the
1337 corresponding DS record is sent as a dynamic update (DDNS) to the parent
1338 DNS server. All previous DS records are deleted within the DDNS message.
1339 It is possible to manage both the child and the parent zone on the same
1340 Knot DNS server.
1341
1342 NOTE:
1343 This feature requires cds-cdnskey-publish not to be set to none.
1344
1345 NOTE:
1346 Module Onlinesign doesn't support DS push.
1347
1348 Default: not set
1349
1350 cds-cdnskey-publish
1351 Controls if and how the CDS and CDNSKEY records are published in the zone.
1352
1353 Possible values:
1354
1355 • none – Never publish any CDS or CDNSKEY records in the zone.
1356
1357 • delete-dnssec – Publish special CDS and CDNSKEY records indicating
1358 turning off DNSSEC.
1359
1360 • rollover – Publish CDS and CDNSKEY records for a ready and not yet
1361 active KSK (submission phase of a KSK rollover).
1362
1363 • always – Always publish one CDS and one CDNSKEY record for the
1364 current KSK.
1365
1366 • double-ds – Always publish up to two CDS and two CDNSKEY records for
1367 ready and/or active KSKs.
1368
1369 NOTE:
1370 If the zone keys are managed manually, the CDS and CDNSKEY RRSets
1371 may contain more records depending on the keys available.
1372
1373 Default: rollover
1374
1375 cds-digest-type
1376 Specify digest type for published CDS records.
1377
1378 Default: sha256
1379
1380 offline-ksk
1381 Specifies if Offline KSK feature is enabled.
1382
1383 Default: off
1384
1385 unsafe-operation
1386 Turn off some DNSSEC safety features.
1387
1388 Possible values:
1389
1390 • none – Nothing disabled.
1391
1392 • no-check-keyset – Don't check active keys in present algorithms. This
1393 may lead to a violation of RFC 4035, Section 2.2.
1394
1395 • no-update-dnskey – Don't maintain/update DNSKEY, CDNSKEY, and CDS
1396 records in the zone apex according to the KASP database. Just leave
1397 them as they are in the zone.
1398
1399 • no-update-nsec – Don't maintain/update NSEC/NSEC3 chain. Leave all
1400 the records as they are in the zone.
1401
1402 • no-update-expired – Don't update expired RRSIGs.
1403
1404 Multiple values may be specified.
1405
1406 WARNING:
1407 This mode is intended for DNSSEC experts who understand the
1408 corresponding consequences.
1409
1410 Default: none
1411
1412 TEMPLATE SECTION
1413 A template is a set of shareable zone settings, which can simplify
1414 configuration by reducing duplication. A special default template (with
1415 the identifier default) can be used for global zone configuration or as
1416 the implicit configuration of a zone that has no other template specified.
1417
1418 template:
1419 - id: STR
1420 global-module: STR/STR ...
1421 # All zone options (excluding 'template' item)
1422
1423 id
1424 A template identifier.
1425
1426 global-module
1427 An ordered list of references to query modules in the form of
1428 module_name or module_name/module_id. These modules apply to all queries.
1429
1430 NOTE:
1431 This option is only available in the default template.
1432
1433 Default: not set
1434
1435 ZONE SECTION
1436 Definition of zones served by the server.
1437
1438 zone:
1439 - domain: DNAME
1440 template: template_id
1441 storage: STR
1442 file: STR
1443 master: remote_id ...
1444 ddns-master: remote_id
1445 notify: remote_id ...
1446 acl: acl_id ...
1447 semantic-checks: BOOL | soft
1448 zonefile-sync: TIME
1449 zonefile-load: none | difference | difference-no-serial | whole
1450 journal-content: none | changes | all
1451 journal-max-usage: SIZE
1452 journal-max-depth: INT
1453 zone-max-size: SIZE
1454 adjust-threads: INT
1455 dnssec-signing: BOOL
1456 dnssec-validation: BOOL
1457 dnssec-policy: policy_id
1458 zonemd-verify: BOOL
1459 zonemd-generate: none | zonemd-sha384 | zonemd-sha512 | remove
1460 serial-policy: increment | unixtime | dateserial
1461 refresh-min-interval: TIME
1462 refresh-max-interval: TIME
1463 retry-min-interval: TIME
1464 retry-max-interval: TIME
1465 expire-min-interval: TIME
1466 expire-max-interval: TIME
1467 catalog-role: none | interpret | generate | member
1468 catalog-template: template_id ...
1469 catalog-zone: DNAME
1470 catalog-group: STR
1471 module: STR/STR ...
1472
1473 domain
1474 A zone name identifier.
1475
1476 template
1477 A reference to a configuration template.
1478
1479 Default: not set or default (if the template exists)
1480
1481 storage
1482 A data directory for storing zone files.
1483
1484 Default: ${localstatedir}/lib/knot (configured with
1485 --with-storage=path)
1486
1487 file
1488 A path to the zone file. A non-absolute path (i.e. one not starting
1489 with /) is relative to storage. It is also possible to use the
1490 following formatters:
1491
1492 • %c[N] or %c[N-M] – Means the Nth character, or the sequence of
1493 characters beginning with the Nth and ending with the Mth character,
1494 of the textual zone name (see %s). The indexes are counted from 0
1495 from the left. All dots (including the terminal one) are considered.
1496 If the character is not available, the formatter has no effect.
1497
1498 • %l[N] – Means the Nth label of the textual zone name (see %s). The
1499 index is counted from 0 from the right (0 ~ TLD). If the label is
1500 not available, the formatter has no effect.
1501
1502 • %s – Means the current zone name in the textual representation. The
1503 zone name doesn't include the terminating dot (the result for the
1504 root zone is the empty string!).
1505
1506 • %% – Means the % character.
1507
1508 WARNING:
1509 Beware of special characters, which are escaped or encoded in the
1510 \DDD form, where DDD is the corresponding decimal ASCII code.
1511
1512 Default: storage/%s.zone
1513
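The file item formatters (%s, %c[N], %c[N-M], %l[N], %%) and the resolution of a non-absolute result against storage, as an added Python example that is not Knot DNS code. The %c indexes see the terminal dot while %s omits it, as documented above. The \DDD escaping is assumed here to apply to every byte outside letters, digits, '-', '_' and '.'; the page names the encoding but not the exact character set, so that set is this example's assumption.

```python
import re

# Added example, not Knot DNS code: expands the zone file name formatters
# for an absolute zone name and resolves the result against storage.

_FORMATTER = re.compile(r"%(?:c\[(\d+)(?:-(\d+))?\]|l\[(\d+)\]|s|%)")
_PLAIN = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.")


def escape_name(name: str) -> str:
    """Assumed \\DDD encoding: every byte outside the plain set becomes a
    backslash followed by its 3-digit decimal code, e.g. '/' -> \\047.
    This is what keeps a hostile zone name from producing a path separator."""
    out = []
    for byte in name.encode("utf-8"):
        ch = chr(byte)
        out.append(ch if ch in _PLAIN else "\\%03d" % byte)
    return "".join(out)


def expand_file(pattern: str, zone: str) -> str:
    """Apply the formatters in pattern for the given absolute zone name."""
    dotted = escape_name(zone if zone.endswith(".") else zone + ".")  # %c sees the terminal dot
    textual = dotted[:-1]                                             # %s never includes it
    labels = textual.split(".") if textual else []                    # labels[-1] is the TLD

    def replace(match):
        token = match.group(0)
        if token == "%%":
            return "%"
        if token == "%s":
            return textual
        if token.startswith("%c"):
            start = int(match.group(1))
            end = int(match.group(2)) if match.group(2) is not None else start
            return dotted[start:end + 1]         # empty when the index is out of range
        index = int(match.group(3))              # %l[N], counted from the right, 0 = TLD
        return labels[len(labels) - 1 - index] if index < len(labels) else ""

    return _FORMATTER.sub(replace, pattern)


def zone_file_path(storage: str, file_item: str, zone: str) -> str:
    """Non-absolute results are relative to storage, as documented above."""
    path = expand_file(file_item, zone)
    return path if path.startswith("/") else storage.rstrip("/") + "/" + path
```

A layout such as file: %l[0]/%l[1]/%s.zone spreads zone files over per-TLD directories; for the root zone %s is empty, so the default storage/%s.zone yields a file literally named .zone.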
1514 master
1515 An ordered list of references to zone primary servers (formerly known
1516 as master servers).
1517
1518 Default: not set
1519
1520 ddns-master
1521 A reference to the zone's primary server for dynamic updates. If not
1522 specified, the first master server is used.
1523
1524 Default: not set
1525
1526 notify
1527 An ordered list of references to remotes to which a NOTIFY message is
1528 sent if the zone changes.
1529
1530 Default: not set
1531
1532 acl
1533 An ordered list of references to ACL rules which can allow or disallow
1534 zone transfers, updates or incoming notifies.
1535
1536 Default: not set
1537
1538 semantic-checks
1539 Selects whether extra zone semantic checks are used, or relaxes the
1540 effect of the mandatory checks.
1541
1542 There are several mandatory checks which are always enabled and cannot
1543 be turned off. An error in a mandatory check causes the zone not to be
1544 loaded. Some of the mandatory checks can be weakened by setting soft,
1545 in which case the zone is not prevented from loading.
1546
1547 If enabled, extra checks are used. These checks don't prevent the zone
1548 from loading.
1549
1550 Mandatory checks:
1551
1552 • Missing SOA record at the zone apex (RFC 1034)
1553
1554 Mandatory checks affected by the soft mode:
1555
1556 • An extra record exists together with a CNAME record, except for RRSIG
1557 and DS (RFC 1034)
1558
1559 • Multiple CNAME records with the same owner exist (RFC 1034)
1560
1561 • DNAME record having a record under it (RFC 6672)
1562
1563 • Multiple DNAME records with the same owner exist (RFC 6672)
1564
1565 • NS record exists together with a DNAME record (RFC 6672)
1566
1567 Extra checks:
1568
1569 • Missing NS record at the zone apex
1570
1571 • Missing glue A or AAAA record
1572
1573 • Invalid DNSKEY, DS, or NSEC3PARAM record
1574
1575 • CDS or CDNSKEY inconsistency
1576
1577 • Missing, invalid, or unverifiable RRSIG record
1578
1579 • Invalid NSEC(3) record
1580
1581 • Broken or non-cyclic NSEC(3) chain
1582
1583 NOTE:
1584 The soft mode allows the refresh event to ignore a CNAME response to
1585 a SOA query (a malformed message) and triggers a zone bootstrap
1586 instead.
1587
1588 Default: off
1589
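The mandatory semantic checks listed above, applied to a constructed zone, as an added Python example that is not Knot DNS code. A missing apex SOA always stops the load; the CNAME and DNAME checks are reported and, in soft mode, no longer block loading. The record layout (owner name to type to RDATA list), the sample zone and the CNAME exceptions (RRSIG and DS, as stated on the page) are this example's own.

```python
# Added example, not Knot DNS code: the mandatory zone semantic checks and
# the effect of semantic-checks: soft on them.


def _labels(name):
    n = name.rstrip(".").lower()
    return n.split(".") if n else []


def is_below(name, ancestor):
    """True if name is a strict subdomain of ancestor (DNS label comparison)."""
    a, b = _labels(name), _labels(ancestor)
    return len(a) > len(b) and a[len(a) - len(b):] == b


def semantic_check(apex, rrsets, mode="off"):
    """rrsets: {owner: {rtype: [rdata, ...]}}, owners given as absolute,
    lowercase names. Returns (loadable, hard_errors, soft_errors)."""
    hard, soft = [], []
    if "SOA" not in rrsets.get(apex, {}):
        hard.append(f"{apex}: missing SOA record at the zone apex")
    for owner, types in rrsets.items():
        if "CNAME" in types:
            if len(types["CNAME"]) > 1:
                soft.append(f"{owner}: multiple CNAME records")
            extra = sorted(set(types) - {"CNAME", "RRSIG", "DS"})
            if extra:
                soft.append(f"{owner}: CNAME together with {', '.join(extra)}")
        if "DNAME" in types:
            if len(types["DNAME"]) > 1:
                soft.append(f"{owner}: multiple DNAME records")
            if "NS" in types:
                soft.append(f"{owner}: NS together with DNAME")
            for other in rrsets:
                if is_below(other, owner):
                    soft.append(f"{other}: record under DNAME {owner}")
    loadable = not hard and (not soft or mode == "soft")
    return loadable, hard, soft


# Constructed sample zone with two soft-mode violations.
EXAMPLE_ZONE = {
    "example.com.": {"SOA": ["ns1 hostmaster 1 3600 900 1209600 300"],
                     "NS": ["ns1.example.com."]},
    "ns1.example.com.": {"A": ["192.0.2.1"]},
    "www.example.com.": {"CNAME": ["ns1.example.com."], "TXT": ["v=spf1 -all"]},
    "old.example.com.": {"DNAME": ["new.example.com."]},
    "host.old.example.com.": {"A": ["192.0.2.2"]},
}

if __name__ == "__main__":
    print(semantic_check("example.com.", EXAMPLE_ZONE))
    print(semantic_check("example.com.", EXAMPLE_ZONE, mode="soft"))
```

Running it on the sample zone reports the CNAME/TXT conflict at www and the A record hidden under the DNAME at old; the zone loads only with semantic-checks: soft, and never without an apex SOA.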
1590 zonefile-sync
1591 The time after which the current zone in memory is synced with the
1592 zone file on disk (see file). The server serves the latest zone even
1593 after a restart, using the zone journal, but the zone file on disk is
1594 only synced after the zonefile-sync time has expired (or after a manual
1595 zone flush). This applies when the zone is updated via IXFR, DDNS or
1596 automatic DNSSEC signing. To completely disable automatic zone file
1597 synchronization, set the value to -1. In that case it is still possible
1598 to force a manual zone flush using the -f option.
1599
1600 NOTE:
1601 If you are serving large zones with frequent updates where an
1602 immediate sync with the zone file is not desirable, increase the value.
1603
1604 Default: 0 (immediate)
1605
1606 zonefile-load
1607 Selects how the zone file contents are applied during zone load.
1608
1609 Possible values:
1610
1611 • none – The zone file is not used at all.
1612
1613 • difference – If the zone contents are already available during server
1614 start or reload, the difference is computed between them and the
1615 contents of the zone file. This difference is then checked for semantic
1616 errors and applied to the current zone contents.
1617
1618 • difference-no-serial – Same as difference, but the SOA serial in the
1619 zone file is ignored; the server takes care of incrementing the serial
1620 automatically.
1621
1622 • whole – Zone contents are loaded from the zone file.
1623
1624 When difference is configured and there are no zone contents yet (cold
1625 start and no zone contents in the journal), it behaves the same way as
1626 whole.
1627
1628 Default: whole
1629
1630 journal-content
1631 Selects how the journal is used to store the zone and its changes.
1632
1633 Possible values:
1634
1635 • none – The journal is not used at all.
1636
1637 • changes – Zone change history is stored in the journal.
1638
1639 • all – Zone contents and history are stored in the journal.
1640
1641 Default: changes
1642
1643 journal-max-usage
1644 Limits how much space in the journal DB the zone's journal may occupy.
1645
1646 NOTE:
1647 The journal DB may grow far above the sum of journal-max-usage across
1648 all zones because of DB free-space fragmentation.
1649
1650 Default: 100 MiB
1651
1652 journal-max-depth
1653 Maximum history length of the journal.
1654
1655 NOTE:
1656 The zone-in-journal changeset isn't counted towards the limit.
1657
1658 Minimum: 2
1659
1660 Default: 2^64
1661
1662 zone-max-size
1663 Maximum size of the zone. The size is measured as the size of the zone
1664 records in wire format without compression. The limit is enforced for
1665 incoming zone transfers and dynamic updates.
1666
1667 For incremental transfers (IXFR), the effective limit for the total
1668 size of the records in the transfer is twice the configured value.
1669 However, the final size of the zone must satisfy the configured value.
1670
1671 Default: 2^64
1672
1673 adjust-threads
1674 Parallelizes internal zone adjusting procedures. This is useful with
1675 huge zones with NSEC3. The speedup is observable at server startup and
1676 while processing an NSEC3 re-salt.
1677
1678 Default: 1
1679
1680 dnssec-signing
1681 If enabled, automatic DNSSEC signing for the zone is turned on.
1682
1683 Default: off
1684
1685 dnssec-validation
1686 If enabled, the zone contents are validated for being correctly signed
1687 with DNSSEC signatures (including the NSEC/NSEC3 chain) every time the
1688 zone is loaded or changed (including AXFR/IXFR).
1689
1690 When the validation fails, the zone being loaded or the update being
1691 applied is cancelled with an error, and either no zone or the previous
1692 zone state is published.
1693
1694 List of DNSSEC checks:
1695
1696 • Every zone RRSet is correctly signed by at least one present DNSKEY.
1697
1698 • DNSKEY RRSet is signed by KSK.
1699
1700 • NSEC(3) RR exists for each name (unless opt-out) with correct bitmap.
1701
1702 • Every NSEC(3) RR is linked to the lexicographically next one.
1703
1704 The validation is not affected by the dnssec-policy configuration,
1705 except for the signing-threads option, which specifies the number of
1706 threads for parallel validation.
1707
1708 NOTE:
1709 Redundant or garbage NSEC3 records are ignored.
1710
1711 This mode is not compatible with dnssec-signing.
1712
1713 dnssec-policy
1714 A reference to DNSSEC signing policy.
1715
1716 Default: an imaginary policy with all default values
1717
1718 NOTE:
1719 A configured policy called "default" won't be used unless explicitly
1720 referenced.
1721
1722 zonemd-verify
1723 On each zone load/update, verify that ZONEMD is present in the zone and
1724 valid.
1725
1726 NOTE:
1727 Zone digest calculation may take a lot of time and CPU on large zones.
1728
1729 Default: off
1730
1731 zonemd-generate
1732 On each zone update, calculate ZONEMD and put it into the zone.
1733
1734 Possible values:
1735
1736 • none – No action regarding ZONEMD.
1737
1738 • zonemd-sha384 – Generate ZONEMD using SHA384 algorithm.
1739
1740 • zonemd-sha512 – Generate ZONEMD using SHA512 algorithm.
1741
1742 • remove – Remove any ZONEMD from the zone apex.
1743
1744 Default: none
1745
1746 serial-policy
1747 Specifies how the zone serial is updated after a dynamic update or
1748 automatic DNSSEC signing. If the serial has already been changed by the
1749 dynamic update, no further change is made.
1750
1751 Possible values:
1752
1753 • increment – The serial is incremented according to serial number
1754 arithmetic.
1755
1756 • unixtime – The serial is set to the current unix time.
1757
1758 • dateserial – The 10-digit serial (YYYYMMDDnn) is incremented; the
1759 first 8 digits match the current ISO date.
1760
1761 NOTE:
1762 If the resulting serial for unixtime or dateserial is lower than or
1763 equal to the current serial (e.g. when migrating from another policy
1764 or on frequent updates), the serial is incremented instead.
1765
1766 To avoid user confusion, use dateserial only if you expect at most
1767 100 updates per day per zone and unixtime only if you expect at most
1768 one update per second per zone.
1769
1770 Generated catalog zones use unixtime only.
1771
1772 Default: increment (unixtime for generated catalog zones)
1773
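The three serial-policy modes described above, including the fallback to a plain increment when unixtime or dateserial would not move the serial forward, as an added Python example that is not Knot DNS code. Serials are 32-bit and compared with RFC 1982 serial number arithmetic; `now` is a UNIX timestamp. The function names and the use of UTC for the dateserial date are this example's assumptions.

```python
from datetime import datetime, timezone

# Added example, not Knot DNS code: next SOA serial under each serial-policy.

SERIAL_BITS = 32
SERIAL_MASK = (1 << SERIAL_BITS) - 1


def serial_add(serial: int, n: int = 1) -> int:
    """RFC 1982 addition modulo 2^32."""
    return (serial + n) & SERIAL_MASK


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982: a is 'greater than' b (wraps around correctly)."""
    return a != b and ((a - b) & SERIAL_MASK) < (1 << (SERIAL_BITS - 1))


def next_serial(current: int, policy: str, now: int, changed_by_update: bool = False) -> int:
    """New SOA serial after a dynamic update or automatic DNSSEC signing."""
    if changed_by_update:                    # the update already bumped the serial
        return current
    if policy == "increment":
        return serial_add(current)
    if policy == "unixtime":
        candidate = now
    elif policy == "dateserial":
        today = int(datetime.fromtimestamp(now, tz=timezone.utc).strftime("%Y%m%d"))
        # same date as the current serial: bump nn; otherwise start today at 00
        candidate = current + 1 if current // 100 == today else today * 100
    else:
        raise ValueError(f"unknown serial-policy: {policy}")
    # Candidate not greater than the current serial (migration from another
    # policy, or more updates than the format can express): increment instead.
    return candidate if serial_gt(candidate, current) else serial_add(current)
```

The dateserial case shows the confusion the note warns about: after the hundredth update on one day the serial 2022042899 rolls to 2022042900, which reads as the next day's date, and unixtime behaves the same way once a second sees more than one update.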
1774 refresh-min-interval
1775 Forced minimum zone refresh interval (in seconds) to avoid flooding the
1776 primary server.
1777
1778 Default: 2 (minimum allowed)
1779
1780 refresh-max-interval
1781 Forced maximum zone refresh interval (in seconds).
1782
1783 Default: not set
1784
1785 retry-min-interval
1786 Forced minimum zone retry interval (in seconds) to avoid flooding the
1787 primary server.
1788
1789 Default: 1 (minimum allowed)
1790
1791 retry-max-interval
1792 Forced maximum zone retry interval (in seconds).
1793
1794 Default: not set
1795
1796 expire-min-interval
1797 Forced minimum zone expire interval (in seconds) to avoid flooding the
1798 primary server.
1799
1800 Default: 3 (minimum allowed)
1801
1802 expire-max-interval
1803 Forced maximum zone expire interval (in seconds).
1804
1805 Default: not set
1806
1807 catalog-role
1808 Enables the zone catalog feature. Possible values:
1809
1810 • none – Not a catalog zone.
1811
1812 • interpret – A catalog zone which is loaded from a zone file or XFR,
1813 and member zones shall be configured based on its contents.
1814
1815 • generate – A catalog zone whose contents are generated according to
1816 assigned member zones.
1817
1818 • member – A member zone that is assigned to one generated catalog
1819 zone.
1820
1821 Default: none
1822
1823 catalog-template
1824 The specified configuration template is applied to the catalog member
1825 zones.
1826
1827 Multiple catalog templates may be defined. The first one is used unless
1828 the member zone has the group property defined, matching another
1829 catalog template.
1830
1831 NOTE:
1832 This option must be set if and only if catalog-role is interpret.
1833
1834 Default: not set
1835
1836 catalog-zone
1837 Assigns this member zone to the specified generated catalog zone.
1838
1839 NOTE:
1840 This option must be set if and only if catalog-role is member.
1841
1842 The referenced catalog zone must exist and have catalog-role set to
1843 generate.
1844
1845 Default: not set
1846
1847 catalog-group
1848 Assigns this member zone to the specified catalog group (configuration
1849 template).
1850
1851 NOTE:
1852 This option has effect if and only if catalog-role is member.
1853
1854 Default: not set
1855
1856 module
1857 An ordered list of references to query modules in the form of
1858 module_name or module_name/module_id. These modules apply only to
1859 queries for the current zone.
1860
1861 Default: not set
1862
1863 AUTHOR
1864 CZ.NIC Labs <https://www.knot-dns.cz>
1865
1866 COPYRIGHT
1867 Copyright 2010–2022, CZ.NIC, z.s.p.o.
1868
1872 3.1.8 2022-04-28 KNOT.CONF(5)