KNOT.CONF(5)                       Knot DNS                       KNOT.CONF(5)

NAME

       knot.conf - Knot DNS configuration file

DESCRIPTION

       Configuration files for Knot DNS use a simplified YAML format. Simplified
       means that not all of the features are supported.

       For the description of configuration items, we have to declare the
       meaning of the following symbols:

       • INT – Integer

       • STR – Textual string

       • HEXSTR – Hexadecimal string (with 0x prefix)

       • BOOL – Boolean value (on/off or true/false)

       • TIME – Number of seconds, an integer with possible time multiplier
         suffix (s ~ 1, m ~ 60, h ~ 3600 or d ~ 24 * 3600)

       • SIZE – Number of bytes, an integer with possible size multiplier
         suffix (B ~ 1, K ~ 1024, M ~ 1024^2 or G ~ 1024^3)

       • BASE64 – Base64 encoded string

       • ADDR – IPv4 or IPv6 address

       • DNAME – Domain name

       • ... – Multi-valued item, order of the values is preserved

       • [ ] – Optional value

       • | – Choice

       The configuration consists of several fixed sections and optional
       module sections. There are 15 fixed sections (module, server, xdp,
       control, log, statistics, database, keystore, key, remote, acl,
       submission, policy, template, zone). Module sections are prefixed with
       the mod- prefix (e.g. mod-stats).

       Most of the sections (e.g. zone) are sequences of settings blocks. Each
       settings block begins with a unique identifier, which can be used as a
       reference from other sections (such an identifier must be defined in
       advance).

       A multi-valued item can be specified either as a YAML sequence:

          address: [10.0.0.1, 10.0.0.2]

       or as more single-valued items each on an extra line:

          address: 10.0.0.1
          address: 10.0.0.2

       If an item value contains spaces or other special characters, it is
       necessary to enclose such a value within double quotes " ".

COMMENTS

       A comment begins with a # character and is ignored during processing.
       Also each configuration section or sequence block allows a permanent
       comment using the comment item which is stored in the server beside the
       configuration.

INCLUDES

       Another configuration file or files, matching a pattern, can be
       included at the top level in the current file. If the path is not
       absolute, then it is considered to be relative to the current file. The
       pattern can be an arbitrary string meeting POSIX glob requirements,
       e.g. dir/*.conf. Matching files are processed in sorted order.

          include: STR
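
       The following file is an added example, not taken from the Knot DNS
       manual, showing the constructs described above together: a #
       comment, a permanent comment item, a double-quoted value containing
       spaces, a multi-valued item written both as a YAML sequence and as
       repeated single-valued lines, and a glob include. The addresses, the
       remote name and the conf.d/ path are constructed for illustration;
       the remote section items used here are described further below.

```yaml
# knot.conf (constructed example, not from the manual)
# Lines starting with '#' are ignored when the file is processed.

server:
    # A permanent comment: stored by the server beside the configuration,
    # unlike '#' comments which are discarded. Quoted because of the spaces.
    comment: "public authoritative, managed by the ops team"
    user: knot:knot
    # Multi-valued item as a YAML sequence; the port is appended with '@'.
    listen: [192.0.2.10@53, 2001:db8::10@53]

remote:
  - id: secondary-pool
    comment: "constructed remote, addresses are documentation ranges"
    # The same multi-valued item written as repeated single-valued lines;
    # order is preserved, so 198.51.100.1 is tried first.
    address: 198.51.100.1@53
    address: 198.51.100.2@53

# Files matching the glob are included at top level. The path is relative
# to this file because it is not absolute, and matches are processed in
# sorted order, so a file named 10-keys.conf loads before 20-zones.conf.
include: conf.d/*.conf
```

       Because includes are processed in sorted order, a numeric prefix on
       the file names is the reliable way to make an identifier (a key or a
       remote) defined in one included file available to a later one. The
       knotc conf-check command validates the assembled configuration before
       it is loaded.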

MODULE SECTION

       Dynamic modules loading configuration.

       NOTE:
          If configured with a non-empty --with-moduledir=path parameter, all
          shared modules in this directory will be automatically loaded.

          module:
            - id: STR
              file: STR

   id
       A module identifier in the form of the mod- prefix and module name
       suffix.

   file
       A path to a shared library file with the module implementation.

       WARNING:
          If the path is not absolute, the library is searched in the set of
          system directories. See man dlopen for more details.

       Default: ${libdir}/knot/modules-${version}/module_name.so (or
       ${path}/module_name.so if configured with --with-moduledir=path)

SERVER SECTION

       General options related to the server.

          server:
              identity: [STR]
              version: [STR]
              nsid: [STR|HEXSTR]
              rundir: STR
              user: STR[:STR]
              pidfile: STR
              udp-workers: INT
              tcp-workers: INT
              background-workers: INT
              async-start: BOOL
              tcp-idle-timeout: TIME
              tcp-io-timeout: INT
              tcp-remote-io-timeout: INT
              tcp-max-clients: INT
              tcp-reuseport: BOOL
              tcp-fastopen: BOOL
              remote-pool-limit: INT
              remote-pool-timeout: TIME
              remote-retry-delay: TIME
              socket-affinity: BOOL
              udp-max-payload: SIZE
              udp-max-payload-ipv4: SIZE
              udp-max-payload-ipv6: SIZE
              edns-client-subnet: BOOL
              answer-rotation: BOOL
              automatic-acl: BOOL
              dbus-event: none | running | zone-updated | ksk-submission | dnssec-invalid ...
              listen: ADDR[@INT] ...

       CAUTION:
          When you change configuration parameters dynamically or via
          configuration file reload, some parameters in the Server section
          require restarting the Knot server so that the changes take effect.
          See below for the details.

   identity
       An identity of the server returned in the response to the query for the
       TXT record id.server. or hostname.bind. in the CHAOS class (RFC 4892).
       Set to an empty value to disable.

       Default: FQDN hostname

   version
       A version of the server software returned in the response to the query
       for the TXT record version.server. or version.bind. in the CHAOS class
       (RFC 4892). Set to an empty value to disable.

       Default: server version

   nsid
       A DNS name server identifier (RFC 5001). Set to an empty value to
       disable.

       Default: FQDN hostname at the moment of the daemon start

   rundir
       A path for storing run-time data (PID file, unix sockets, etc.).

       Depending on the usage of this parameter, its change may require a
       restart of the Knot server to take effect.

       Default: ${localstatedir}/run/knot (configured with --with-rundir=path)

   user
       A system user with an optional system group (user:group) under which
       the server is run after starting and binding to interfaces. Linux
       capabilities are employed if supported.

       Change of this parameter requires a restart of the Knot server to take
       effect.

       Default: root:root

   pidfile
       A PID file location.

       Change of this parameter requires a restart of the Knot server to take
       effect.

       Default: rundir/knot.pid

   udp-workers
       A number of UDP workers (threads) used to process incoming queries over
       UDP.

       Change of this parameter requires a restart of the Knot server to take
       effect.

       Default: equal to the number of online CPUs

   tcp-workers
       A number of TCP workers (threads) used to process incoming queries over
       TCP.

       Change of this parameter requires a restart of the Knot server to take
       effect.

       Default: equal to the number of online CPUs, default value is at least
       10

   background-workers
       A number of workers (threads) used to execute background operations
       (zone loading, zone updates, etc.).

       Change of this parameter requires a restart of the Knot server to take
       effect.

       Default: equal to the number of online CPUs, default value is at most
       10

   async-start
       If enabled, the server doesn't wait for the zones to be loaded and
       starts responding immediately with SERVFAIL answers until the zones
       load.

       Default: off

   tcp-idle-timeout
       Maximum idle time (in seconds) between requests on an inbound TCP
       connection. If there is no activity on an inbound TCP connection for
       this long, the connection is closed by the server.

       Minimum: 1 s

       Default: 10 s

   tcp-io-timeout
       Maximum time (in milliseconds) to receive or send one DNS message over
       an inbound TCP connection. This limit applies to normal DNS queries
       and replies, incoming DDNS, and outgoing zone transfers. The timeout
       is measured from the moment some data is already available for
       processing. Set to 0 for infinity.

       Default: 500 ms

       CAUTION:
          In order to reduce the risk of Slow Loris attacks, it's recommended
          to set this limit as low as possible on public servers.

   tcp-remote-io-timeout
       Maximum time (in milliseconds) to receive or send one DNS message over
       an outbound TCP connection which has already been established to a
       configured remote server. This limit applies to incoming zone
       transfers, sending NOTIFY, DDNS forwarding, and DS check or push. This
       timeout includes the time needed for a network round-trip and for
       query processing by the remote. Set to 0 for infinity.

       Default: 5000 ms

   tcp-reuseport
       If enabled, each TCP worker listens on its own socket and the OS kernel
       socket load balancing is employed using SO_REUSEPORT (or
       SO_REUSEPORT_LB on FreeBSD). Because the workers no longer contend for
       one shared socket, the server can achieve a higher response rate over
       TCP. However, with time-consuming requests (e.g. zone transfers of a
       TLD zone), enabled reuseport may leave client requests delayed or
       unanswered. It is therefore advisable to use this option on secondary
       servers.

       Change of this parameter requires a restart of the Knot server to take
       effect.

       Default: off

   tcp-fastopen
       If enabled, use TCP Fast Open for outbound TCP communication (client
       side): incoming zone transfers, sending NOTIFY, and DDNS forwarding.
       This mode simplifies the TCP handshake and can result in better
       networking performance. TCP Fast Open for inbound TCP communication
       (server side) isn't affected by this configuration as it's enabled
       automatically if supported by the OS.

       NOTE:
          The TCP Fast Open support must also be enabled on the OS level:

          • Linux/macOS: ensure kernel parameter net.ipv4.tcp_fastopen is 2 or
            3 for server side, and 1 or 3 for client side.

          • FreeBSD: ensure kernel parameter
            net.inet.tcp.fastopen.server_enable is 1 for server side, and
            net.inet.tcp.fastopen.client_enable is 1 for client side.

       Default: off

   remote-pool-limit
       If nonzero, the server will keep up to this number of outgoing TCP
       connections open for later use. This is an optimization to avoid
       frequent opening of TCP connections to the same remote.

       Change of this parameter requires a restart of the Knot server to take
       effect.

       Default: 0

   remote-pool-timeout
       The timeout in seconds after which the unused kept-open outgoing TCP
       connections to remote servers are closed.

       Default: 5

   remote-retry-delay
       When a connection attempt to some remote address times out, this
       information will be kept for the specified time (in milliseconds) and
       other connections to the same address won't be attempted. This prevents
       repeated waiting for a timeout on an unreachable remote.

       Default: 0

   socket-affinity
       If enabled and if SO_REUSEPORT is available on Linux, all configured
       network sockets are bound to UDP and TCP workers in order to increase
       the networking performance. This mode isn't recommended for setups
       where the number of network card queues is lower than the number of UDP
       or TCP workers.

       Change of this parameter requires a restart of the Knot server to take
       effect.

       Default: off

   tcp-max-clients
       A maximum number of TCP clients connected in parallel; set this below
       the file descriptor limit to avoid resource exhaustion.

       NOTE:
          It is advisable to adjust the maximum number of open files per
          process in your operating system configuration.

       Default: one half of the file descriptor limit for the server process

   udp-max-payload
       Maximum EDNS0 UDP payload size default for both IPv4 and IPv6.

       Default: 1232

   udp-max-payload-ipv4
       Maximum EDNS0 UDP payload size for IPv4.

       Default: 1232

   udp-max-payload-ipv6
       Maximum EDNS0 UDP payload size for IPv6.

       Default: 1232

   edns-client-subnet
       Enable or disable EDNS Client Subnet support. If enabled, responses to
       queries containing the EDNS Client Subnet option always contain a valid
       EDNS Client Subnet option according to RFC 7871.

       Default: off

   answer-rotation
       Enable or disable sorted-rrset rotation in the answer section of normal
       replies. The rotation shift is simply determined by the query ID.

       Default: off

   automatic-acl
       If enabled, the automatic ACL setting of configured remotes is
       considered when evaluating authorized operations.

       Default: off

   dbus-event
       Specification of server or zone states which emit a D-Bus signal on the
       system bus. The bus name is cz.nic.knotd, the object path is
       /cz/nic/knotd, and the interface name is cz.nic.knotd.events.

       Possible values:

       • none – No signal is emitted.

       • running – The signal started is emitted when the server is fully
         operational and the signal stopped is emitted at the beginning of the
         server shutdown.

       • zone-updated – The signal zone_updated is emitted when a zone has
         been updated; the signal parameters are zone name and zone SOA
         serial.

       • ksk-submission – The signal zone_ksk_submission is emitted if there
         is a ready KSK present when the zone is signed; the signal parameters
         are zone name, KSK keytag, and KSK KASP id.

       • dnssec-invalid – The signal zone_dnssec_invalid is emitted when
         DNSSEC validation fails; the signal parameter is zone name.

       NOTE:
          This function requires systemd version at least 221.

       Default: none

   listen
       One or more IP addresses where the server listens for incoming queries.
       Optional port specification (default is 53) can be appended to each
       address using the @ separator. Use 0.0.0.0 for all configured IPv4
       addresses or :: for all configured IPv6 addresses. A filesystem path
       can be specified for listening on a local unix SOCK_STREAM socket.
       Non-local address binding is automatically enabled if supported by the
       operating system.

       Change of this parameter requires a restart of the Knot server to take
       effect.

       Default: not set
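
       The following server block is an added example, not from the Knot DNS
       manual, showing how the items above combine on a public-facing
       authoritative server: software identification disabled, privileges
       dropped, inbound TCP budgets kept tight, and listening restricted to
       the service addresses. The addresses, worker counts, limits and the
       knot:knot account are constructed for illustration; writing an empty
       value as "" is an assumption about the simplified YAML parser.

```yaml
server:
    # Disable the CH TXT answers for id.server./hostname.bind. and
    # version.server./version.bind. (RFC 4892) and the NSID option
    # (RFC 5001): an empty value disables each of them.
    identity: ""
    version: ""
    nsid: ""

    # Drop to an unprivileged account after binding; Linux capabilities
    # are employed where supported. Changing this requires a restart.
    user: knot:knot
    rundir: /run/knot

    # Worker counts default to the number of online CPUs; pinning them
    # leaves headroom for other services on the host (restart required).
    udp-workers: 4
    tcp-workers: 4
    background-workers: 2

    # Inbound TCP: a short per-message I/O timeout (the Slow Loris caution
    # for tcp-io-timeout), an idle timit between requests, and a client cap
    # kept well below the process file descriptor limit.
    tcp-io-timeout: 200          # milliseconds
    tcp-idle-timeout: 10         # seconds
    tcp-max-clients: 8192

    # Outbound TCP to configured remotes gets a larger budget because it
    # includes the round-trip and the remote's own processing time.
    tcp-remote-io-timeout: 5000  # milliseconds

    # Explicit EDNS0 UDP payload limit (this is also the default).
    udp-max-payload: 1232

    # Do not echo EDNS Client Subnet unless a downstream needs it.
    edns-client-subnet: off

    # Listen only on the service addresses (documentation ranges), not on
    # 0.0.0.0 / ::, so management interfaces are never exposed on port 53.
    listen: [192.0.2.10@53, 2001:db8::10@53]
```

       Of the items set here, user, udp-workers, tcp-workers,
       background-workers and listen take effect only after a server
       restart, so a configuration reload alone is not enough for them; the
       timeouts, payload size and identification strings can be changed at
       reload. Running knotc conf-check before reloading catches typos in
       item names and values.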

XDP SECTION

       Various options related to XDP listening, especially TCP.

          xdp:
              listen: STR[@INT] | ADDR[@INT] ...
              tcp: BOOL
              tcp-max-clients: INT
              tcp-inbuf-max-size: SIZE
              tcp-idle-close-timeout: TIME
              tcp-idle-reset-timeout: TIME
              route-check: BOOL

       CAUTION:
          When you change configuration parameters dynamically or via
          configuration file reload, some parameters in the XDP section
          require restarting the Knot server so that the changes take effect.

   listen
       One or more network device names (e.g. ens786f0) on which XDP mode is
       enabled. Alternatively, an IP address can be used instead of a device
       name, but the server will still listen on all addresses belonging to
       the same interface! Optional port specification (default is 53) can be
       appended to each device name or address using the @ separator.

       Change of this parameter requires a restart of the Knot server to take
       effect.

       CAUTION:
          If XDP workers only process regular DNS traffic over UDP, it is
          strongly recommended to also listen on the addresses which are
          intended to offer the DNS service, at least to fulfil the DNS
          requirement for working TCP.

       Default: not set

   tcp
       If enabled, DNS over TCP traffic is also processed with XDP workers.

       The TCP stack features:

       • Basic connection handling, sending/receiving data

       • Close inactive connections

       • Reset inactive connections which aren't able to close

       • Reset invalid connections

       • Ignore invalid resets and ACKs

       • Receive fragmented data – one DNS message in multiple packets

       • Limit total size of incoming buffers, reset most inactive connections
         with buffered data

       • Send fragmented data – DNS message larger than allowed by MSS

       • Send MSS option calculated from configured MSS and device MTU

       • Receive and honor MSS option, limit the size of outgoing packet

       • Send window size option (set to infinity)

       Missing features:

       • Receive and honor window size option, send only such amount of data
         at once, cache outgoing data

       • Allow multi-message DNS responses (depends on above)

       • Resend lost outgoing packets (not ACKed in time), including data

       Change of this parameter requires a restart of the Knot server to take
       effect.

       WARNING:
          This feature is experimental and it may eat your hamster as well as
          any other hamsters connected to the network.

       Default: off

   tcp-max-clients
       A maximum number of TCP clients connected in parallel.

       Default: 1000000 (one million)

   tcp-inbuf-max-size
       Maximum cumulative size of memory used for buffers of incompletely
       received messages.

       Minimum: 1 MiB

       Default: 100 MiB

   tcp-idle-close-timeout
       Time in seconds, after which any idle connection is gracefully closed.

       Minimum: 1 s

       Default: 10 s

   tcp-idle-reset-timeout
       Time in seconds, after which any idle connection is forcibly closed.

       Minimum: 1 s

       Default: 20 s

   route-check
       If enabled, routing information from the operating system is considered
       when processing every incoming DNS packet received over the XDP
       interface:

       • If the outgoing interface of the corresponding DNS response differs
         from the incoming one, the packet is processed normally by UDP/TCP
         workers (XDP isn't used).

       • If the destination address is blackholed, unreachable, or prohibited,
         the DNS packet is dropped without any response.

       • The destination MAC address for the response is taken from the
         routing system.

       If disabled, symmetrical routing is applied. It means that the query
       source MAC address is used as the response destination MAC address.

       Change of this parameter requires a restart of the Knot server to take
       effect.

       NOTE:
          This mode requires forwarding enabled on the loopback interface
          (sysctl -w net.ipv4.conf.lo.forwarding=1 and sysctl -w
          net.ipv6.conf.lo.forwarding=1). If forwarding is disabled, all
          incoming DNS packets are dropped!

       Default: off
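
       The following is an added example, not from the Knot DNS manual, of
       an XDP section that follows the two cautions above: the regular
       UDP/TCP listeners stay on the service addresses so TCP keeps working
       while XDP handles UDP only, and route-check is paired with the
       loopback forwarding sysctls it depends on. The device name ens786f0
       is the manual's own example; the addresses and limits are
       constructed.

```yaml
server:
    # Keep the ordinary listeners: with tcp: off below, XDP workers handle
    # UDP only, and these sockets satisfy the DNS requirement for TCP.
    listen: [192.0.2.10@53, 2001:db8::10@53]

xdp:
    # Device name (port defaults to 53). Giving an address instead would
    # still bind every address on the same interface.
    listen: ens786f0@53

    # The XDP TCP stack is experimental (see the warning above); leave it
    # off and let tcp-workers serve TCP. Changing it requires a restart.
    tcp: off

    # Ask the OS routing table where responses go, drop packets whose
    # destination is blackholed/unreachable/prohibited, and fall back to
    # the UDP/TCP workers when the reply would leave via another interface.
    # Requires, before start:
    #   sysctl -w net.ipv4.conf.lo.forwarding=1
    #   sysctl -w net.ipv6.conf.lo.forwarding=1
    # otherwise every incoming packet on the XDP path is dropped.
    route-check: on
```

       If the tcp feature is later enabled, tcp-max-clients,
       tcp-inbuf-max-size and the two idle timeouts become the knobs that
       bound memory and connection state held by the XDP TCP stack; at its
       defaults it accepts one million parallel clients with 100 MiB of
       partial-message buffers.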

CONTROL SECTION

       Configuration of the server control interface.

          control:
              listen: STR
              timeout: TIME

   listen
       A UNIX socket path where the server listens for control commands.

       Default: rundir/knot.sock

   timeout
       Maximum time (in seconds) the control socket operations can take. Set
       to 0 for infinity.

       Default: 5

LOGGING SECTION

       The server can be configured to log to the standard output, standard
       error output, syslog (or systemd journal if systemd is enabled) or into
       an arbitrary file.

       There are 6 logging severity levels:

       • critical – Non-recoverable error resulting in server shutdown.

       • error – Recoverable error, action should be taken.

       • warning – Warning that might require user action.

       • notice – Server notice or hint.

       • info – Informational message.

       • debug – Debug or detailed message.

       In the case of a missing log section, warning or more serious messages
       will be logged to both standard error output and syslog. The info and
       notice messages will be logged to standard output.

          log:
            - target: stdout | stderr | syslog | STR
              server: critical | error | warning | notice | info | debug
              control: critical | error | warning | notice | info | debug
              zone: critical | error | warning | notice | info | debug
              any: critical | error | warning | notice | info | debug

   target
       A logging output.

       Possible values:

       • stdout – Standard output.

       • stderr – Standard error output.

       • syslog – Syslog or systemd journal.

       • file_name – A specific file.

       With the syslog target, the syslog service is used. However, if Knot
       DNS has been compiled with systemd support and the operating system
       has been booted with systemd, the systemd journal is used for logging
       instead of syslog.

   server
       Minimum severity level for messages related to general operation of the
       server to be logged.

       Default: not set

   control
       Minimum severity level for messages related to server control to be
       logged.

       Default: not set

   zone
       Minimum severity level for messages related to zones to be logged.

       Default: not set

   any
       Minimum severity level for all message types to be logged.

       Default: not set
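
       The following log section is an added example, not from the Knot DNS
       manual, of splitting output by purpose: operational problems to
       syslog or the journal for alerting, and the zone and control
       categories to a dedicated file at a more verbose level so that
       transfers, dynamic updates and control-socket commands are kept for
       audit. The file path is constructed.

```yaml
log:
  # Alerting stream: anything at warning or above, from every category,
  # goes to syslog (the systemd journal when Knot was built with systemd
  # support and the system booted with systemd).
  - target: syslog
    any: warning

  # Audit stream: zone events (transfers, DDNS, signing) and every control
  # command at info, written to a file. Severity is a minimum per category,
  # so warnings from these categories appear in both targets.
  - target: /var/log/knot/events.log
    zone: info
    control: info

  # Troubleshooting stream: server-category messages at debug to stderr,
  # the most verbose of the six levels; keep this target out of production
  # files because the volume is large.
  - target: stderr
    server: debug
```

       The file target must be writable by the account named in the server
       section's user item, because the server runs under that account after
       start-up; a path owned by root with no write bit for that user silently
       loses the audit stream. Once a log section is present, the fallback
       described above (warnings to stderr and syslog, notices to stdout) no
       longer applies, so each category that matters has to be listed
       explicitly.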

STATISTICS SECTION

       Periodic server statistics dumping.

          statistics:
              timer: TIME
              file: STR
              append: BOOL

   timer
       A period after which all available statistics metrics will be written
       to the file.

       Default: not set

   file
       A file path of statistics output in the YAML format.

       Default: rundir/stats.yaml

   append
       If enabled, the output will be appended to the file instead of
       replacing the file.

       Default: off

DATABASE SECTION

       Configuration of databases for zone contents, DNSSEC metadata, or event
       timers.

          database:
              storage: STR
              journal-db: STR
              journal-db-mode: robust | asynchronous
              journal-db-max-size: SIZE
              kasp-db: STR
              kasp-db-max-size: SIZE
              timer-db: STR
              timer-db-max-size: SIZE
              catalog-db: STR
              catalog-db-max-size: SIZE

   storage
       A data directory for storing journal, KASP, and timer databases.

       Default: ${localstatedir}/lib/knot (configured with
       --with-storage=path)

   journal-db
       An explicit specification of the persistent journal database directory.
       A non-absolute path (i.e. not starting with /) is relative to storage.

       Default: storage/journal

   journal-db-mode
       Specifies the journal LMDB backend configuration, which influences
       performance and durability.

       Possible values:

       • robust – The journal database disk synchronization ensures database
         durability but is generally slower.

       • asynchronous – The journal database disk synchronization is optimized
         for better performance at the expense of lower database durability in
         the case of a crash. This mode is recommended on secondary servers
         with many zones.

       Default: robust

   journal-db-max-size
       The hard limit for the journal database maximum size. There is no
       cleanup logic in the journal to recover from reaching this limit. The
       journal simply starts refusing changes across all zones. Decreasing
       this value has no effect if it is lower than the actual database file
       size.

       It is recommended to limit journal-max-usage per zone instead of
       journal-db-max-size in most cases. Please keep this value larger than
       the sum of all zones' journal usage limits. See the journal behaviour
       documentation for more details.

       NOTE:
          This value also influences the server's usage of virtual memory.

       Default: 20 GiB (512 MiB for 32-bit)

   kasp-db
       An explicit specification of the KASP database directory. A
       non-absolute path (i.e. not starting with /) is relative to storage.

       Default: storage/keys

   kasp-db-max-size
       The hard limit for the KASP database maximum size.

       NOTE:
          This value also influences the server's usage of virtual memory.

       Default: 500 MiB

   timer-db
       An explicit specification of the persistent timer database directory.
       A non-absolute path (i.e. not starting with /) is relative to storage.

       Default: storage/timers

   timer-db-max-size
       The hard limit for the timer database maximum size.

       NOTE:
          This value also influences the server's usage of virtual memory.

       Default: 100 MiB

   catalog-db
       An explicit specification of the zone catalog database directory. Only
       useful if catalog zones are enabled. A non-absolute path (i.e. not
       starting with /) is relative to storage.

       Default: storage/catalog

   catalog-db-max-size
       The hard limit for the catalog database maximum size.

       NOTE:
          This value also influences the server's usage of virtual memory.

       Default: 20 GiB (512 MiB for 32-bit)

KEYSTORE SECTION

       DNSSEC keystore configuration.

          keystore:
            - id: STR
              backend: pem | pkcs11
              config: STR

   id
       A keystore identifier.

   backend
       A key storage backend type.

       Possible values:

       • pem – PEM files.

       • pkcs11 – PKCS #11 storage.

       Default: pem

   config
       A backend specific configuration. A directory with PEM files (the path
       can be specified as a relative path to kasp-db) or a configuration
       string for PKCS #11 storage (<pkcs11-url> <module-path>).

       NOTE:
          Example configuration string for PKCS #11:

              "pkcs11:token=knot;pin-value=1234 /usr/lib64/pkcs11/libsofthsm2.so"

       Default: kasp-db/keys

KEY SECTION

       Shared TSIG keys used to authenticate communication with the server.

          key:
            - id: DNAME
              algorithm: hmac-md5 | hmac-sha1 | hmac-sha224 | hmac-sha256 | hmac-sha384 | hmac-sha512
              secret: BASE64

   id
       A key name identifier.

       NOTE:
          This value MUST be exactly the same as the name of the TSIG key on
          the opposite primary/secondary server(s).

   algorithm
       A TSIG key algorithm. See TSIG Algorithm Numbers.

       Possible values:

       • hmac-md5

       • hmac-sha1

       • hmac-sha224

       • hmac-sha256

       • hmac-sha384

       • hmac-sha512

       Default: not set

   secret
       Shared key secret.

       Default: not set

REMOTE SECTION

       Definitions of remote servers for outgoing connections (source of a
       zone transfer, target for a notification, etc.).

          remote:
            - id: STR
              address: ADDR[@INT] ...
              via: ADDR[@INT] ...
              key: key_id
              block-notify-after-transfer: BOOL
              no-edns: BOOL
              automatic-acl: BOOL

   id
       A remote identifier.

   address
       An ordered list of destination IP addresses which are used for
       communication with the remote server. The addresses are tried in
       sequence until the remote is reached. Optional destination port
       (default is 53) can be appended to the address using the @ separator.

       Default: not set

       NOTE:
          If the remote is contacted and it refuses to perform the requested
          action, no more addresses will be tried for this remote.

   via
       An ordered list of source IP addresses. The first address with the same
       family as the destination address is used as a source address for
       communication with the remote. This option can help if the server
       listens on more addresses. Optional source port (default is random) can
       be appended to the address using the @ separator.

       Default: not set

   key
       A reference to the TSIG key which is used to authenticate the
       communication with the remote server.

       Default: not set

   block-notify-after-transfer
       After an incoming AXFR/IXFR from this remote (acting as a primary
       server), suppress sending NOTIFY messages to all configured secondary
       servers.

       Default: off

   no-edns
       If enabled, no OPT record (EDNS) is inserted into outgoing requests to
       this remote server. This mode is necessary for communication with some
       broken implementations (e.g. Windows Server 2016).

       Default: off

   automatic-acl
       If enabled, some authorized operations for the remote are automatically
       allowed based on the context:

       • Incoming NOTIFY is allowed from the remote if it's configured as a
         primary server for the zone.

       • Outgoing zone transfer is allowed to the remote if it's configured as
         a NOTIFY target for the zone.

       Automatic ACL rules are evaluated before explicit zone ACL
       configuration.

       NOTE:
          This functionality requires global activation via automatic-acl in
          the server section.

       Default: on

ACL SECTION

913       Access control list rule definitions. An ACL rule is a  description  of
914       one  or  more authorized operations (zone transfer request, zone change
915       notification, and dynamic DNS update) which are allowed to be processed
916       or denied.
917
918          acl:
919            - id: STR
920              address: ADDR[/INT] | ADDR-ADDR ...
921              key: key_id ...
922              remote: remote_id ...
923              action: notify | transfer | update ...
924              deny: BOOL
925              update-type: STR ...
926              update-owner: key | zone | name
927              update-owner-match: sub-or-equal | equal | sub
928              update-owner-name: STR ...
929
930   id
931       An ACL rule identifier.
932
933   address
934       An  ordered  list  of IP addresses, network subnets, or network ranges.
935       The query's source address must match one of them.  Empty  value  means
936       that address match is not required.
937
938       Default: not set
939
940   key
941       An ordered list of references to TSIG keys. The query must match one of
942       them. Empty value means that transaction authentication is not used.
943
944       Default: not set
945
946   remote
947       An ordered list of references to remotes. The query must match  one  of
948       the  remotes.  Specifically, one of the remote's addresses and remote's
949       TSIG key if configured must match.
950
951       NOTE:
952          This option cannot be specified along with the address or key option
953          at one ACL item.
954
955       Default: not set
956
957   action
958       An ordered list of allowed (or denied) actions.
959
960       Possible values:
961
962       • notify – Allow incoming notify (NOTIFY).
963
964       • transfer – Allow zone transfer (AXFR, IXFR).
965
966       • update – Allow zone updates (DDNS).
967
968       Default: not set
969
970   deny
971       If enabled, instead of allowing, deny the specified action, address,
972       key, or combination of these items. If no action is specified, deny all
973       actions.
974
975       Default: off
976
977   update-type
978       A  list  of  allowed  types of Resource Records in a zone update. Every
979       record in an update must match one of the specified types.
980
981       Default: not set
982
983   update-owner
984       This option restricts possible owners of Resource Records in a zone up‐
985       date  by  comparing  them  to either the TSIG key identity, the current
986       zone name, or to a list of domain names given by the  update-owner-name
987       option.   The  comparison method is given by the update-owner-match op‐
988       tion.
989
990       Possible values:
991
992       • key – The owner of each updated RR must match the identity of the
993         TSIG key if used.
994
995       • name – The owner of each updated RR must match at least one name in
996         the update-owner-name list.
997
998       • zone – The owner of each updated RR must match the current zone name.
999
1000       Default: not set
1001
1002   update-owner-match
1003       This option defines how the owners of Resource Records in an update are
1004       matched to the domain name(s) set by the update-owner option.
1005
1006       Possible values:
1007
1008       • sub-or-equal – The owner of each Resource Record in an update must
1009         either be equal to or be a subdomain of at least one domain set by
1010         update-owner.
1011
1012       • equal – The owner of each updated RR must be equal to at least one
1013         domain set by update-owner.
1014
1015       • sub – The owner of each updated RR must be a subdomain of, but MUST
1016         NOT be equal to, at least one domain set by update-owner.
1017
1018       Default: sub-or-equal
1019
1020   update-owner-name
1021       A list of allowed owners of RRs in a zone update used with update-owner
1022       set to name. Every listed owner name which is not FQDN (i.e. it doesn't
1023       end  in a dot) is considered as if it was appended with the target zone
1024       name.  Such a relative owner name specification allows better ACL  rule
1025       reusability across multiple zones.
1026
1027       Default: not set
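       The following is an added illustration of how the update-owner, update-owner-match
       and update-owner-name items restrict the owners of records in a dynamic update. It
       is not Knot DNS code; the ACL values, the zone name and the RR owners are
       constructed. One behaviour the text leaves open is assumed here: with
       update-owner set to key and no TSIG key on the update, no owner matches.

```python
"""Added illustration of the update-owner / update-owner-match / update-owner-name
rules. It is not Knot DNS code; the ACL values, zone name and RR owners below
are constructed."""
from typing import List, Optional


def _labels(name: str) -> List[str]:
    """Case-folded labels of a name; the root ('.' or '') has no labels."""
    name = name.lower().rstrip(".")
    return name.split(".") if name else []


def absolutize(name: str, zone: str) -> str:
    """update-owner-name entries without a trailing dot are relative to the
    target zone, so the same ACL rule can be reused across zones."""
    if name.endswith("."):
        return name.lower()
    zone = zone.lower() if zone.endswith(".") else zone.lower() + "."
    return name.lower() + "." + zone


def is_equal(owner: str, base: str) -> bool:
    return _labels(owner) == _labels(base)


def is_subdomain(owner: str, base: str) -> bool:
    """Strict subdomain: more labels than base, and the trailing labels are base's."""
    o, b = _labels(owner), _labels(base)
    return len(o) > len(b) and o[len(o) - len(b):] == b


def owner_matches(owner: str, base: str, match: str) -> bool:
    """Apply one update-owner-match comparison."""
    if match == "equal":
        return is_equal(owner, base)
    if match == "sub":
        return is_subdomain(owner, base)
    if match == "sub-or-equal":
        return is_equal(owner, base) or is_subdomain(owner, base)
    raise ValueError("unknown update-owner-match: " + match)


def allowed_bases(acl: dict, zone: str, tsig_key: Optional[str]) -> List[str]:
    """Domain names the RR owners are compared against, per update-owner."""
    mode = acl["update-owner"]
    if mode == "zone":
        return [zone]
    if mode == "key":
        # Assumption: with update-owner: key and no TSIG key on the update, nothing matches.
        return [tsig_key] if tsig_key else []
    if mode == "name":
        return [absolutize(n, zone) for n in acl.get("update-owner-name", [])]
    raise ValueError("unknown update-owner: " + str(mode))


def update_permitted(acl: dict, zone: str, tsig_key: Optional[str], rr_owners: List[str]) -> bool:
    """True if every RR owner in the update is acceptable under the ACL's owner
    restriction. Without update-owner the restriction does not apply."""
    if "update-owner" not in acl:
        return True
    bases = allowed_bases(acl, zone, tsig_key)
    match = acl.get("update-owner-match", "sub-or-equal")  # documented default
    return all(any(owner_matches(o, b, match) for b in bases) for o in rr_owners)


# Constructed rule: updates may only touch _acme-challenge.<zone> and dyn.example.com.
ACL_NAME = {
    "update-owner": "name",
    "update-owner-name": ["_acme-challenge", "dyn.example.com."],
}

if __name__ == "__main__":
    print(update_permitted(ACL_NAME, "example.com.", None,
                           ["_acme-challenge.example.com.", "host1.dyn.example.com."]))  # True
    print(update_permitted(ACL_NAME, "example.com.", None, ["www.example.com."]))          # False
```

       The relative entry _acme-challenge expands to _acme-challenge.example.com. for the
       zone example.com., while the absolute dyn.example.com. is used as given; with the
       default sub-or-equal both the name itself and names below it are accepted, and
       switching to sub rejects the apex of each base name.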
1028

SUBMISSION SECTION

1030       Parameters of KSK submission checks.
1031
1032          submission:
1033            - id: STR
1034              parent: remote_id ...
1035              check-interval: TIME
1036              timeout: TIME
1037              parent-delay: TIME
1038
1039   id
1040       A submission identifier.
1041
1042   parent
1043       A list of references to parent's DNS servers to be checked for presence
1044       of corresponding DS records in the case of KSK submission. All of  them
1045       must  have  a corresponding DS for the rollover to continue. If none is
1046       specified, the rollover must be pushed forward manually.
1047
1048       Default: not set
1049
1050       TIP:
1051          A DNSSEC-validating resolver can be set as a parent.
1052
1053   check-interval
1054       Interval for periodic checks of DS presence on parent's DNS servers, in
1055       the case of the KSK submission.
1056
1057       Default: 1 hour
1058
1059   timeout
1060       After this time period (in seconds) the KSK submission is automatically
1061       considered successful, even if all the checks were negative or no  par‐
1062       ents are configured.  Set to 0 for infinity.
1063
1064       Default: 0
1065
1066   parent-delay
1067       After a successful parent DS check, wait for this period before continuing
1068       with the next key rollover step. This delay should cover the propagation
1069       delay of the update in the parent zone.
1070
1071       Default: 0
1072

POLICY SECTION

1074       DNSSEC policy configuration.
1075
1076          policy:
1077            - id: STR
1078              keystore: keystore_id
1079              manual: BOOL
1080              single-type-signing: BOOL
1081              algorithm: rsasha1 | rsasha1-nsec3-sha1 | rsasha256 | rsasha512 | ecdsap256sha256 | ecdsap384sha384 | ed25519 | ed448
1082              ksk-size: SIZE
1083              zsk-size: SIZE
1084              ksk-shared: BOOL
1085              dnskey-ttl: TIME
1086              zone-max-ttl: TIME
1087              ksk-lifetime: TIME
1088              zsk-lifetime: TIME
1089              delete-delay: TIME
1090              propagation-delay: TIME
1091              rrsig-lifetime: TIME
1092              rrsig-refresh: TIME
1093              rrsig-pre-refresh: TIME
1094              reproducible-signing: BOOL
1095              nsec3: BOOL
1096              nsec3-iterations: INT
1097              nsec3-opt-out: BOOL
1098              nsec3-salt-length: INT
1099              nsec3-salt-lifetime: TIME
1100              signing-threads: INT
1101              ksk-submission: submission_id
1102              ds-push: remote_id
1103              cds-cdnskey-publish: none | delete-dnssec | rollover | always | double-ds
1104              cds-digest-type: sha256 | sha384
1105              offline-ksk: BOOL
1106              unsafe-operation: none | no-check-keyset | no-update-dnskey | no-update-nsec | no-update-expired ...
1107
1108   id
1109       A policy identifier.
1110
1111   keystore
1112       A reference to a keystore holding private key material for zones.
1113
1114       Default: an imaginary keystore with all default values
1115
1116       NOTE:
1117          A  configured keystore called "default" won't be used unless explic‐
1118          itly referenced.
1119
1120   manual
1121       If enabled, automatic key management is not used.
1122
1123       Default: off
1124
1125   single-type-signing
1126       If enabled, Single-Type Signing Scheme is used  in  the  automatic  key
1127       management mode.
1128
1129       Default: off (module onlinesign has default on)
1130
1131   algorithm
1132       An  algorithm  of  signing keys and issued signatures. See DNSSEC Algo‐
1133       rithm Numbers.
1134
1135       Possible values:
1136
1137       • rsasha1
1138
1139       • rsasha1-nsec3-sha1
1140
1141       • rsasha256
1142
1143       • rsasha512
1144
1145       • ecdsap256sha256
1146
1147       • ecdsap384sha384
1148
1149       • ed25519
1150
1151       • ed448
1152
1153       NOTE:
1154          Ed25519 algorithm is only available if compiled with GnuTLS 3.6.0+.
1155
1156          Ed448 algorithm is only available if compiled  with  GnuTLS  3.6.12+
1157          and Nettle 3.6+.
1158
1159       Default: ecdsap256sha256
1160
1161   ksk-size
1162       A length of newly generated KSK or CSK keys.
1163
1164       Default:  2048 (rsa*), 256 (ecdsap256), 384 (ecdsap384), 256 (ed25519),
1165       456 (ed448)
1166
1167   zsk-size
1168       A length of newly generated ZSK keys.
1169
1170       Default: see default for ksk-size
1171
1172   ksk-shared
1173       If enabled, all zones with this policy assigned will share one or  more
1174       KSKs.  More KSKs can be shared during a KSK rollover.
1175
1176       WARNING:
1177          As the shared KSK set is bound to the policy id, renaming the policy
1178          breaks this connection and new shared KSK set is  initiated  when  a
1179          new KSK is needed.
1180
1181       Default: off
1182
1183   dnskey-ttl
1184       A TTL value for DNSKEY records added into zone apex.
1185
1186       NOTE:
1187          Has influence over ZSK key lifetime.
1188
1189       WARNING:
1190          Ensure all DNSKEYs with updated TTL are propagated before any subse‐
1191          quent DNSKEY rollover starts.
1192
1193       Default: zone SOA TTL
1194
1195   zone-max-ttl
1196       Declare (override) maximal TTL value among all the records in zone.
1197
1198       NOTE:
1199          It's generally recommended to override the maximal  TTL  computation
1200          by  setting  this  explicitly  whenever  possible. It's required for
1201          DNSSEC Offline KSK and really reasonable when records are  generated
1202          dynamically (e.g. by a module).
1203
1204       Default: computed after zone is loaded
1205
1206   ksk-lifetime
1207       A period between KSK activation and the next rollover initiation.
1208
1209       NOTE:
1210          KSK   key   lifetime   is   also  influenced  by  propagation-delay,
1211          dnskey-ttl, and KSK submission delay.
1212
1213          Zero (aka infinity) value causes no KSK rollover as a result.
1214
1215          This applies for CSK lifetime if single-type-signing is enabled.
1216
1217       Default: 0
1218
1219   zsk-lifetime
1220       A period between ZSK activation and the next rollover initiation.
1221
1222       NOTE:
1223          More precisely, this period is measured from the activation of a ZSK;
1224          once it has elapsed, a new ZSK is generated to replace it in the
1225          following rollover.
1226
1227          ZSK  key  lifetime  is  also  influenced  by  propagation-delay  and
1228          dnskey-ttl.
1229
1230          Zero (aka infinity) value causes no ZSK rollover as a result.
1231
1232       Default: 30 days
1233
1234   delete-delay
1235       Once  a key (KSK or ZSK) is rolled-over and removed from the zone, keep
1236       it in the KASP database for at least this  period  before  deleting  it
1237       completely.   This  might  be useful in some troubleshooting cases when
1238       resurrection is needed.
1239
1240       Default: 0
1241
1242   propagation-delay
1243       An extra delay added for each key rollover step. This value  should  be
1244       high enough to cover propagation of data from the primary server to all
1245       secondary servers.
1246
1247       NOTE:
1248          Has influence over ZSK key lifetime.
1249
1250       Default: 1 hour
1251
1252   rrsig-lifetime
1253       A validity period of newly issued signatures.
1254
1255       NOTE:
1256          The RRSIG's signature inception time is set to  90  minutes  in  the
1257          past. This time period is not counted to the signature lifetime.
1258
1259       Default: 14 days
1260
1261   rrsig-refresh
1262       The minimum period before a signature's expiration at which the signature
1263       is refreshed, in order to prevent expired RRSIGs on secondary servers or
1264       in resolvers' caches.
1265
1266       Default: 7 days
1267
1268   rrsig-pre-refresh
1269       The maximum period before a signature's refresh time at which the signature
1270       may already be refreshed, so that RRSIGs of a frequently updated zone are
1271       refreshed in bigger batches (avoiding too frequent re-sign events).
1272
1273       Default: 1 hour
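       The following is an added illustration of how rrsig-lifetime, rrsig-refresh and
       rrsig-pre-refresh (together with the 90-minute inception backdate noted above)
       determine a signature's validity and refresh windows. It is not Knot DNS code; the
       policy values and reference times are constructed, the parser assumes TIME items are
       integers with an optional s, m, h or d multiplier suffix, and refresh_margin_ok is a
       check derived from the definitions here, not a check Knot is documented to perform.

```python
"""Added illustration of how rrsig-lifetime, rrsig-refresh and rrsig-pre-refresh
set a signature's validity and refresh windows. Not Knot DNS code; the policy
values and reference times are constructed. Times are ISO-8601 strings with an
explicit UTC offset."""
from datetime import datetime, timedelta

# Assumption: TIME items are integers with an optional s, m, h or d multiplier suffix.
_TIME_MULT = {"s": 1, "m": 60, "h": 3600, "d": 86400}
INCEPTION_BACKDATE = timedelta(minutes=90)   # documented: inception is set 90 minutes in the past


def parse_time(value) -> int:
    """Seconds denoted by a TIME item, e.g. '14d' -> 1209600, 3600 -> 3600."""
    text = str(value).strip()
    if text and text[-1] in _TIME_MULT:
        return int(text[:-1]) * _TIME_MULT[text[-1]]
    return int(text)


def _policy_times(policy: dict):
    """Effective durations, falling back to the documented defaults (14 days, 7 days, 1 hour)."""
    return (timedelta(seconds=parse_time(policy.get("rrsig-lifetime", "14d"))),
            timedelta(seconds=parse_time(policy.get("rrsig-refresh", "7d"))),
            timedelta(seconds=parse_time(policy.get("rrsig-pre-refresh", "1h"))))


def rrsig_schedule(policy: dict, now_iso: str) -> dict:
    """Timestamps that follow from a policy for a signature issued at now_iso."""
    now = datetime.fromisoformat(now_iso)
    lifetime, refresh, pre_refresh = _policy_times(policy)
    expiration = now + lifetime          # the backdated inception is not counted to the lifetime
    refresh_at = expiration - refresh    # latest moment at which the RRSIG gets re-signed
    return {
        "inception": (now - INCEPTION_BACKDATE).isoformat(),
        "expiration": expiration.isoformat(),
        "refresh_at": refresh_at.isoformat(),
        "earliest_refresh": (refresh_at - pre_refresh).isoformat(),  # allows batching re-signs
    }


def rrsig_state(expiration_iso: str, policy: dict, now_iso: str) -> str:
    """Where an existing signature stands relative to its refresh window."""
    expiration, now = datetime.fromisoformat(expiration_iso), datetime.fromisoformat(now_iso)
    _, refresh, pre_refresh = _policy_times(policy)
    if now >= expiration:
        return "expired"        # validators reject it; rrsig-refresh exists to prevent this
    if now >= expiration - refresh:
        return "refresh-due"
    if now >= expiration - refresh - pre_refresh:
        return "may-refresh"    # eligible for early re-signing together with other RRSIGs
    return "valid"


def refresh_margin_ok(policy: dict) -> bool:
    """Derived sanity check (not a documented Knot check): rrsig-refresh must be shorter
    than rrsig-lifetime, otherwise every fresh signature is immediately due for refresh."""
    lifetime, refresh, _ = _policy_times(policy)
    return refresh < lifetime


if __name__ == "__main__":
    for name, value in rrsig_schedule({}, "2022-04-28T00:00:00+00:00").items():
        print(name, value)
```

       With the documented defaults a signature issued at midnight on 2022-04-28 is valid
       until 2022-05-12, is re-signed no later than 2022-05-05, and becomes eligible for an
       early batched re-sign one hour before that.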
1274
1275   reproducible-signing
1276       For  ECDSA algorithms, generate RRSIG signatures deterministically (RFC
1277       6979).  Besides better theoretical cryptographic  security,  this  mode
1278       allows  significant  speed-up  of  loading  signed (by the same method)
1279       zones. However, the zone signing is a bit slower.
1280
1281       Default: off
1282
1283   nsec3
1284       Specifies if NSEC3 will be used instead of NSEC.
1285
1286       Default: off
1287
1288   nsec3-iterations
1289       A number of additional times the hashing is performed.
1290
1291       Default: 10
1292
1293   nsec3-opt-out
1294       If set, NSEC3 records won't be created for insecure delegations.   This
1295       speeds up the zone signing and reduces overall zone size.
1296
1297       WARNING:
1298          NSEC3 with the Opt-Out bit set no longer works as a proof of non-ex‐
1299          istence in this zone.
1300
1301       Default: off
1302
1303   nsec3-salt-length
1304       A length of a salt field in octets, which is appended to  the  original
1305       owner name before hashing.
1306
1307       Default: 8
1308
1309   nsec3-salt-lifetime
1310       A validity period of newly issued salt field.
1311
1312       Zero value means infinity.
1313
1314       Default: 30 days
1315
1316   signing-threads
1317       When signing a zone or an update, use this number of threads for parallel
1318       signing.
1319
1320       Those are extra threads independent of Background workers.
1321
1322       NOTE:
1323          Some steps of the DNSSEC signing operation are not parallelized.
1324
1325       Default: 1 (no extra threads)
1326
1327   ksk-submission
1328       A reference to submission section holding parameters of KSK  submission
1329       checks.
1330
1331       Default: not set
1332
1333   ds-push
1334       An optional reference to an authoritative DNS server of the parent zone.
1335       The remote server must be configured to accept DS  record  updates  via
1336       DDNS.  Whenever  a  CDS record in the local zone is changed, the corre‐
1337       sponding DS record is sent as a dynamic update (DDNS) to the parent DNS
1338       server.  All  previous  DS records are deleted within the DDNS message.
1339       It's possible to manage both child and parent zones by  the  same  Knot
1340       DNS server.
1341
1342       NOTE:
1343          This feature requires cds-cdnskey-publish not to be set to none.
1344
1345       NOTE:
1346          Module Onlinesign doesn't support DS push.
1347
1348       Default: not set
1349
1350   cds-cdnskey-publish
1351       Controls whether and how CDS and CDNSKEY records are published in the zone.
1352
1353       Possible values:
1354
1355       • none – Never publish any CDS or CDNSKEY records in the zone.
1356
1357       • delete-dnssec – Publish special CDS and CDNSKEY records indicating
1358         turning off DNSSEC.
1359
1360       • rollover – Publish CDS and CDNSKEY records for the ready and not yet
1361         active KSK (submission phase of a KSK rollover).
1362
1363       • always – Always publish one CDS and one CDNSKEY record for the current
1364         KSK.
1365
1366       • double-ds – Always publish up to two CDS and two CDNSKEY records for
1367         ready and/or active KSKs.
1368
1369       NOTE:
1370          If  the  zone  keys are managed manually, the CDS and CDNSKEY rrsets
1371          may contain more records depending on the keys available.
1372
1373       Default: rollover
1374
1375   cds-digest-type
1376       Specify digest type for published CDS records.
1377
1378       Default: sha256
1379
1380   offline-ksk
1381       Specifies if Offline KSK feature is enabled.
1382
1383       Default: off
1384
1385   unsafe-operation
1386       Turn off some DNSSEC safety features.
1387
1388       Possible values:
1389
1390       • none – Nothing disabled.
1391
1392       • no-check-keyset – Don't check active keys in present algorithms. This
1393         may lead to violation of RFC 4035#section-2.2.
1394
1395       • no-update-dnskey – Don't maintain/update DNSKEY, CDNSKEY, and CDS
1396         records in the zone apex according to the KASP database. Just leave
1397         them as they are in the zone.
1398
1399       • no-update-nsec – Don't maintain/update the NSEC/NSEC3 chain. Leave all
1400         the records as they are in the zone.
1401
1402       • no-update-expired – Don't update expired RRSIGs.
1403
1404       Multiple values may be specified.
1405
1406       WARNING:
1407          This mode is intended for DNSSEC experts who understand  the  corre‐
1408          sponding consequences.
1409
1410       Default: none
1411

TEMPLATE SECTION

1413       A template is a set of shareable zone settings, which can simplify
1414       configuration by reducing duplicates. A special default template (with the
1415       default identifier) can be used for global zone configuration or as an
1416       implicit configuration if a zone doesn't have another template specified.
1417
1418          template:
1419            - id: STR
1420              global-module: STR/STR ...
1421              # All zone options (excluding 'template' item)
1422
1423   id
1424       A template identifier.
1425
1426   global-module
1427       An ordered list of references to query modules  in  the  form  of  mod‐
1428       ule_name or module_name/module_id. These modules apply to all queries.
1429
1430       NOTE:
1431          This option is only available in the default template.
1432
1433       Default: not set
1434

ZONE SECTION

1436       Definition of zones served by the server.
1437
1438          zone:
1439            - domain: DNAME
1440              template: template_id
1441              storage: STR
1442              file: STR
1443              master: remote_id ...
1444              ddns-master: remote_id
1445              notify: remote_id ...
1446              acl: acl_id ...
1447              semantic-checks: BOOL | soft
1448              zonefile-sync: TIME
1449              zonefile-load: none | difference | difference-no-serial | whole
1450              journal-content: none | changes | all
1451              journal-max-usage: SIZE
1452              journal-max-depth: INT
1453              zone-max-size : SIZE
1454              adjust-threads: INT
1455              dnssec-signing: BOOL
1456              dnssec-validation: BOOL
1457              dnssec-policy: policy_id
1458              zonemd-verify: BOOL
1459              zonemd-generate: none | zonemd-sha384 | zonemd-sha512 | remove
1460              serial-policy: increment | unixtime | dateserial
1461              refresh-min-interval: TIME
1462              refresh-max-interval: TIME
1463              retry-min-interval: TIME
1464              retry-max-interval: TIME
1465              expire-min-interval: TIME
1466              expire-max-interval: TIME
1467              catalog-role: none | interpret | generate | member
1468              catalog-template: template_id ...
1469              catalog-zone: DNAME
1470              catalog-group: STR
1471              module: STR/STR ...
1472
1473   domain
1474       A zone name identifier.
1475
1476   template
1477       A reference to a configuration template.
1478
1479       Default: not set or default (if the template exists)
1480
1481   storage
1482       A data directory for storing zone files.
1483
1484       Default:   ${localstatedir}/lib/knot   (configured   with  --with-stor‐
1485       age=path)
1486
1487   file
1488       A path to the zone file. Non-absolute path (i.e. not starting  with  /)
1489       is  relative to storage.  It is also possible to use the following for‐
1490       matters:
1491
1492       • %c[N] or %c[N-M] – Means the Nth character or a sequence of characters
1493         beginning from the Nth and ending with the Mth character of the
1494         textual zone name (see %s). The indexes are counted from 0 from the
1495         left. All dots (including the terminal one) are considered. If the
1496         character is not available, the formatter has no effect.
1497
1498       • %l[N] – Means the Nth label of the textual zone name (see %s). The
1499         index is counted from 0 from the right (0 ~ TLD). If the label is
1500         not available, the formatter has no effect.
1501
1502       • %s – Means the current zone name in the textual representation. The
1503         zone name doesn't include the terminating dot (the result for the
1504         root zone is the empty string!).
1505
1506       • %% – Means the % character.
1507
1508       WARNING:
1509          Beware of special characters which are escaped  or  encoded  in  the
1510          \DDD form where DDD is corresponding decimal ASCII code.
1511
1512       Default: storage/%s.zone
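       The following is an added illustration of how the %c[N], %c[N-M], %l[N], %s and %%
       formatters expand for a given zone name. It is not Knot DNS code; the patterns and
       zone names are constructed. Two details the text does not pin down are assumed: a
       %c range that reaches past the end of the name produces nothing, and any other %
       sequence is copied through unchanged.

```python
"""Added illustration of the %c[N], %c[N-M], %l[N], %s and %% formatters in the
'file' item. It is not Knot DNS code; the patterns and zone names are constructed."""
import re

_C_FMT = re.compile(r"%c\[(\d+)(?:-(\d+))?\]")
_L_FMT = re.compile(r"%l\[(\d+)\]")


def zone_file_name(pattern: str, zone: str) -> str:
    """Expand a 'file' pattern for the textual zone name `zone` (with or without a final dot)."""
    # %s: the zone name without the terminating dot (root zone -> empty string).
    s_text = zone[:-1] if zone.endswith(".") else zone
    # %c: indexes count every character from the left, all dots included, the terminal one too.
    c_text = s_text + "."
    # %l: labels are indexed from the right, 0 being the TLD.
    labels = s_text.split(".") if s_text else []

    out = []
    i = 0
    while i < len(pattern):
        if pattern[i] != "%":
            out.append(pattern[i])
            i += 1
            continue
        if pattern.startswith("%%", i):
            out.append("%")
            i += 2
            continue
        if pattern.startswith("%s", i):
            out.append(s_text)
            i += 2
            continue
        m = _C_FMT.match(pattern, i)
        if m:
            n = int(m.group(1))
            last = int(m.group(2)) if m.group(2) is not None else n
            # "If the character is not available, the formatter has no effect";
            # assumption: a range reaching past the end of the name also produces nothing.
            if n <= last < len(c_text):
                out.append(c_text[n:last + 1])
            i = m.end()
            continue
        m = _L_FMT.match(pattern, i)
        if m:
            n = int(m.group(1))
            if n < len(labels):                      # no effect when the label is missing
                out.append(labels[len(labels) - 1 - n])
            i = m.end()
            continue
        # Assumption: any other % sequence is copied through unchanged.
        out.append(pattern[i])
        i += 1
    return "".join(out)


if __name__ == "__main__":
    print(zone_file_name("%l[0]/%c[0]/%c[0-1]/%s.zone", "example.com."))  # com/e/ex/example.com.zone
    print(zone_file_name("%s.zone", "."))                                  # .zone
```

       Note the root zone: because %s expands to the empty string, the default pattern
       storage/%s.zone yields a file named just ".zone", which is the case the text warns
       about.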
1513
1514   master
1515       An  ordered  list of references to zone primary servers (formerly known
1516       as master servers).
1517
1518       Default: not set
1519
1520   ddns-master
1521       A reference to zone primary master. If not specified, the first  master
1522       server is used.
1523
1524       Default: not set
1525
1526   notify
1527       An  ordered  list  of  references to remotes to which notify message is
1528       sent if the zone changes.
1529
1530       Default: not set
1531
1532   acl
1533       An ordered list of references to ACL rules which can allow or  disallow
1534       zone transfers, updates or incoming notifies.
1535
1536       Default: not set
1537
1538   semantic-checks
1539       Selects whether extra zone semantic checks are used, and how failures
1540       of the mandatory checks are handled.
1541
1542       There are several mandatory checks which are always enabled and  cannot
1543       be  turned off. An error in a mandatory check causes the zone not to be
1544       loaded. Some of the mandatory checks can be weakened by  setting  soft,
1545       when the zone isn't prevented from loading.
1546
1547       If  enabled, extra checks are used. These checks don't prevent the zone
1548       from loading.
1549
1550       Mandatory checks:
1551
1552       • Missing SOA record at the zone apex (RFC 1034)
1553
1554       Mandatory checks affected by the soft mode:
1555
1556       • An extra record exists together with a CNAME record except for  RRSIG
1557         and DS (RFC 1034)
1558
1559       • Multiple CNAME records with the same owner exist (RFC 1034)
1560
1561       • DNAME record having a record under it (RFC 6672)
1562
1563       • Multiple DNAME records with the same owner exist (RFC 6672)
1564
1565       • NS record exists together with a DNAME record (RFC 6672)
1566
1567       Extra checks:
1568
1569       • Missing NS record at the zone apex
1570
1571       • Missing glue A or AAAA record
1572
1573       • Invalid DNSKEY, DS, or NSEC3PARAM record
1574
1575       • CDS or CDNSKEY inconsistency
1576
1577       • Missing, invalid, or unverifiable RRSIG record
1578
1579       • Invalid NSEC(3) record
1580
1581       • Broken or non-cyclic NSEC(3) chain
1582
1583       NOTE:
1584          The soft mode allows the refresh event to ignore a CNAME response to
1585          a SOA query (malformed message) and triggers a  zone  bootstrap  in‐
1586          stead.
1587
1588       Default: off
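       The following is an added illustration of how the semantic-checks setting decides
       whether a zone loads: a hard mandatory failure always blocks loading, the
       mandatory checks listed as affected by soft block loading only when the setting is
       not soft, and the extra checks never block loading. It is not Knot DNS code; the
       zone records are constructed (owner, type) pairs, only a subset of the listed checks
       is implemented, and it assumes that only on (not soft) enables the extra checks.

```python
"""Added illustration of how the semantic-checks setting decides whether a zone
loads. It covers only some of the checks listed above and is not Knot DNS code;
the zone records are constructed (owner, type) pairs."""
from collections import defaultdict
from typing import Dict, List, Tuple

Record = Tuple[str, str]   # (owner name, RR type), e.g. ("www.example.com.", "A")


def _index(records: List[Record]) -> Dict[str, List[str]]:
    by_owner: Dict[str, List[str]] = defaultdict(list)
    for owner, rtype in records:
        by_owner[owner.lower()].append(rtype.upper())
    return by_owner


def _is_under(name: str, parent: str) -> bool:
    return name != parent and name.endswith("." + parent)


def mandatory_findings(apex: str, records: List[Record]) -> Tuple[List[str], List[str]]:
    """Returns (hard, softenable): hard failures always block loading, the
    softenable ones block loading unless semantic-checks is soft."""
    by_owner = _index(records)
    hard, soft = [], []
    if "SOA" not in by_owner.get(apex.lower(), []):
        hard.append("missing SOA record at the zone apex (RFC 1034)")
    for owner, types in by_owner.items():
        if "CNAME" in types and any(t not in ("CNAME", "RRSIG", "DS") for t in types):
            soft.append(f"{owner}: extra record together with CNAME (RFC 1034)")
        if types.count("CNAME") > 1:
            soft.append(f"{owner}: multiple CNAME records (RFC 1034)")
        if "DNAME" in types:
            if types.count("DNAME") > 1:
                soft.append(f"{owner}: multiple DNAME records (RFC 6672)")
            if "NS" in types:
                soft.append(f"{owner}: NS record together with DNAME (RFC 6672)")
            if any(_is_under(other, owner) for other in by_owner):
                soft.append(f"{owner}: DNAME has records under it (RFC 6672)")
    return hard, soft


def extra_findings(apex: str, records: List[Record]) -> List[str]:
    """One of the extra checks; these are reported but never prevent loading."""
    by_owner = _index(records)
    found = []
    if "NS" not in by_owner.get(apex.lower(), []):
        found.append("missing NS record at the zone apex")
    return found


def zone_loads(apex: str, records: List[Record], semantic_checks: str = "off") -> Tuple[bool, List[str]]:
    """Apply the documented policy for semantic-checks = off | on | soft.
    Assumption: only 'on' enables the extra checks; 'soft' only softens the mandatory ones."""
    hard, soft = mandatory_findings(apex, records)
    findings = hard + soft
    loads = not hard and (not soft or semantic_checks == "soft")
    if semantic_checks == "on":
        findings += extra_findings(apex, records)
    return loads, findings


# Constructed sample zones.
ZONE_OK = [("example.com.", "SOA"), ("example.com.", "NS"), ("www.example.com.", "A")]
ZONE_CNAME_CLASH = [("example.com.", "SOA"), ("example.com.", "NS"),
                    ("alias.example.com.", "CNAME"), ("alias.example.com.", "A")]
ZONE_DNAME_BELOW = [("example.com.", "SOA"), ("example.com.", "NS"),
                    ("sub.example.com.", "DNAME"), ("x.sub.example.com.", "A")]

if __name__ == "__main__":
    for mode in ("off", "soft", "on"):
        print(mode, zone_loads("example.com.", ZONE_CNAME_CLASH, mode))
```

       The CNAME clash blocks loading with the default setting but is tolerated with
       soft, while a zone with no SOA at the apex is refused in every mode.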
1589
1590   zonefile-sync
1591       The  time  after which the current zone in memory will be synced with a
1592       zone file on the disk (see file). The server will serve the latest zone
1593       even  after a restart using zone journal, but the zone file on the disk
1594       will only be synced after zonefile-sync time has expired (or after man‐
1595       ual  zone flush). This is applicable when the zone is updated via IXFR,
1596       DDNS or automatic DNSSEC signing. In order to completely disable  auto‐
1597       matic  zone file synchronization, set the value to -1. In that case, it
1598       is still possible to force a manual zone flush using the -f option.
1599
1600       NOTE:
1601          If you are serving large zones with frequent updates where the imme‐
1602          diate sync with a zone file is not desirable, increase the value.
1603
1604       Default: 0 (immediate)
1605
1606   zonefile-load
1607       Selects how the zone file contents are applied during zone load.
1608
1609       Possible values:
1610
1611       • none – The zone file is not used at all.
1612
1613       • difference – If the zone contents are already available during server
1614         start or reload, the difference is computed between them and the
1615         contents of the zone file. This difference is then checked for semantic
1616         errors and applied to the current zone contents.
1617
1618       • difference-no-serial – Same as difference, but the SOA serial in the
1619         zone file is ignored; the server takes care of incrementing the serial
1620         automatically.
1621
1622       • whole – Zone contents are loaded from the zone file.
1623
1624       When difference is configured and there are no zone contents yet  (cold
1625       start  and no zone contents in the journal), it behaves the same way as
1626       whole.
1627
1628       Default: whole
1629
1630   journal-content
1631       Selects how the journal is used to store the zone and its changes.
1632
1633       Possible values:
1634
1635       • none – The journal is not used at all.
1636
1637       • changes – The zone change history is stored in the journal.
1638
1639       • all – Both the zone contents and its change history are stored in the journal.
1640
1641       Default: changes
1642
1643   journal-max-usage
1644       Limits how much space in the journal DB the zone's journal may occupy.
1645
1646       NOTE:
1647          Journal DB may grow far above the sum  of  journal-max-usage  across
1648          all zones, because of DB free space fragmentation.
1649
1650       Default: 100 MiB
1651
1652   journal-max-depth
1653       Maximum history length of the journal.
1654
1655       NOTE:
1656          Zone-in-journal changeset isn't counted to the limit.
1657
1658       Minimum: 2
1659
1660       Default: 2^64
1661
1662   zone-max-size
1663       Maximum  size  of  the  zone.  The size is measured as size of the zone
1664       records in wire format without compression. The limit is  enforced  for
1665       incoming zone transfers and dynamic updates.
1666
1667       For  incremental  transfers  (IXFR),  the effective limit for the total
1668       size of the records in the transfer is twice the configured value. How‐
1669       ever the final size of the zone must satisfy the configured value.
1670
1671       Default: 2^64
1672
1673   adjust-threads
1674       Parallelize  internal  zone  adjusting  procedures. This is useful with
1675       huge zones with NSEC3. Speedup observable at server startup  and  while
1676       processing NSEC3 re-salt.
1677
1678       Default: 1
1679
1680   dnssec-signing
1681       If enabled, automatic DNSSEC signing for the zone is turned on.
1682
1683       Default: off
1684
1685   dnssec-validation
1686       If  enabled, the zone contents are validated for being correctly signed
1687       (including NSEC/NSEC3 chain) with DNSSEC signatures every time the zone
1688       is loaded or changed (including AXFR/IXFR).
1689
1690       When the validation fails, the zone load or the update being applied is
1691       cancelled with an error, and either no zone or the previous zone state
1692       is published.
1693
1694       List of DNSSEC checks:
1695
1696       • Every zone RRSet is correctly signed by at least one present DNSKEY.
1697
1698       • DNSKEY RRSet is signed by KSK.
1699
1700       • NSEC(3) RR exists for each name (unless opt-out) with correct bitmap.
1701
1702       • Every NSEC(3) RR is linked to the lexicographically next one.
1703
1704       The  validation  is not affected by dnssec-policy configuration, except
1705       for signing-threads option, which specifies the number of  threads  for
1706       parallel validation.
1707
1708       NOTE:
1709          Redundant or garbage NSEC3 records are ignored.
1710
1711          This mode is not compatible with dnssec-signing.
1712
1713   dnssec-policy
1714       A reference to DNSSEC signing policy.
1715
1716       Default: an imaginary policy with all default values
1717
1718       NOTE:
1719          A configured policy called "default" won't be used unless explicitly
1720          referenced.
1721
1722   zonemd-verify
1723       On each zone load/update, verify that ZONEMD is present in the zone and
1724       valid.
1725
1726       NOTE:
1727          Zone digest calculation may take much time and CPU on large zones.
1728
1729       Default: off
1730
1731   zonemd-generate
1732       On each zone update, calculate ZONEMD and put it into the zone.
1733
1734       Possible values:
1735
1736       • none – No action regarding ZONEMD.
1737
1738       • zonemd-sha384 – Generate ZONEMD using the SHA384 algorithm.
1739
1740       • zonemd-sha512 – Generate ZONEMD using the SHA512 algorithm.
1741
1742       • remove – Remove any ZONEMD from the zone apex.
1743
1744       Default: none
1745
1746   serial-policy
1747       Specifies  how the zone serial is updated after a dynamic update or au‐
1748       tomatic DNSSEC signing. If the serial is changed by the dynamic update,
1749       no change is made.
1750
1751       Possible values:
1752
1753       • increment – The serial is incremented according to serial number
1754         arithmetic.
1755
1756       • unixtime – The serial is set to the current Unix time.
1757
1758       • dateserial – The 10-digit serial (YYYYMMDDnn) is incremented; the
1759         first 8 digits match the current ISO date.
1760
1761       NOTE:
1762          If the resulting serial for unixtime or dateserial is lower than or
1763          equal to the current serial (this happens e.g. when migrating from
1764          another policy or on frequent updates), the serial is incremented instead.
1765
1766          To  avoid  user confusion, use dateserial only if you expect at most
1767          100 updates per day per zone and unixtime only if you expect at most
1768          one update per second per zone.
1769
1770          Generated catalog zones use unixtime only.
1771
1772       Default: increment (unixtime for generated catalog zones)
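       The following is an added illustration of the three serial-policy values, including
       the fallback described in the note: when unixtime or dateserial would not move the
       serial forward, a plain increment is used instead. It is not Knot DNS code; the
       sample serials and the reference time are constructed, "forward" is evaluated with
       RFC 1982 serial number arithmetic, and the date for dateserial is taken in UTC (an
       assumption, since the text only says "current ISO date").

```python
"""Added illustration of the serial-policy values increment, unixtime and
dateserial, including the documented fallback to increment when the computed
serial would not move forward. Not Knot DNS code; the sample serials and the
reference time are constructed."""
from datetime import datetime, timezone

SERIAL_MOD = 1 << 32


def serial_increment(current: int) -> int:
    """Serial number arithmetic (RFC 1982): the serial wraps around at 2^32."""
    return (current + 1) % SERIAL_MOD


def serial_gt(a: int, b: int) -> bool:
    """a > b in serial number arithmetic, i.e. a is 'ahead' of b on the 32-bit circle."""
    half = SERIAL_MOD // 2
    return (a < b and b - a > half) or (a > b and a - b < half)


def next_serial(policy: str, current: int, now: int) -> int:
    """Serial to use after a dynamic update or automatic DNSSEC signing.
    `now` is a Unix timestamp; the date for dateserial is taken in UTC (assumption)."""
    if policy == "increment":
        return serial_increment(current)
    if policy == "unixtime":
        candidate = now % SERIAL_MOD
    elif policy == "dateserial":
        today = int(datetime.fromtimestamp(now, tz=timezone.utc).strftime("%Y%m%d"))
        # YYYYMMDDnn: bump nn if the first 8 digits already match today, else start today at 00.
        candidate = current + 1 if current // 100 == today else today * 100
    else:
        raise ValueError("unknown serial-policy: " + policy)
    # Documented fallback: a result lower than or equal to the current serial
    # (e.g. right after migrating from another policy) is replaced by a plain increment.
    if not serial_gt(candidate, current):
        return serial_increment(current)
    return candidate


if __name__ == "__main__":
    NOW = 1651104000   # constructed reference time: 2022-04-28 00:00:00 UTC
    print(next_serial("dateserial", 2022042805, NOW))  # 2022042806
    print(next_serial("unixtime", 2022042801, NOW))    # 2022042802 (fallback: time is behind)
```

       The unixtime case shows why the note matters: a zone migrated from dateserial
       already carries a serial larger than the current epoch time, so unixtime can only
       catch up by incrementing until real time overtakes it. The dateserial case with
       nn at 99 rolls into the next day's range, which is the reason for the advice to use
       it only with at most 100 updates per day.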
1773
1774   refresh-min-interval
1775       Forced  minimum  zone  refresh  interval (in seconds) to avoid flooding
1776       primary server.
1777
1778       Default: 2 (minimum allowed)
1779
1780   refresh-max-interval
1781       Forced maximum zone refresh interval (in seconds).
1782
1783       Default: not set
1784
1785   retry-min-interval
1786       Forced minimum zone retry interval (in seconds) to avoid flooding  pri‐
1787       mary server.
1788
1789       Default: 1 (minimum allowed)
1790
1791   retry-max-interval
1792       Forced maximum zone retry interval (in seconds).
1793
1794       Default: not set
1795
1796   expire-min-interval
1797       Forced minimum zone expire interval (in seconds) to avoid flooding pri‐
1798       mary server.
1799
1800       Default: 3 (minimum allowed)
1801
1802   expire-max-interval
1803       Forced maximum zone expire interval (in seconds).
1804
1805       Default: not set
1806
1807   catalog-role
1808       Trigger zone catalog feature. Possible values:
1809
1810       • none – Not a catalog zone.
1811
1812       • interpret – A catalog zone which is loaded from a zone file or XFR,
1813         and member zones shall be configured based on its contents.
1814
1815       • generate – A catalog zone whose contents are generated according to
1816         assigned member zones.
1817
1818       • member – A member zone that is assigned to one generated catalog
1819         zone.
1819         zone.
1820
1821       Default: none
1822
1823   catalog-template
1824       For the catalog member zones, the specified configuration template will
1825       be applied.
1826
1827       Multiple catalog templates may be defined. The first one is used unless
1828       the  member zone has the group property defined, matching another cata‐
1829       log template.
1830
1831       NOTE:
1832          This option must be set if and only if catalog-role is interpret.
1833
1834       Default: not set
1835
1836   catalog-zone
1837       Assign this member zone to specified generated catalog zone.
1838
1839       NOTE:
1840          This option must be set if and only if catalog-role is member.
1841
1842          The referenced catalog zone must exist and have catalog-role set  to
1843          generate.
1844
1845       Default: not set
1846
1847   catalog-group
1848       Assign  this member zone to specified catalog group (configuration tem‐
1849       plate).
1850
1851       NOTE:
1852          This option has effect if and only if catalog-role is member.
1853
1854       Default: not set
1855
1856   module
1857       An ordered list of references to query modules  in  the  form  of  mod‐
1858       ule_name or module_name/module_id. These modules apply only to the cur‐
1859       rent zone queries.
1860
1861       Default: not set
1862

AUTHOR

1864       CZ.NIC Labs <https://www.knot-dns.cz>
1865
1867       Copyright 2010–2022, CZ.NIC, z.s.p.o.
1868
1869
1870
1871
18723.1.8                             2022-04-28                      KNOT.CONF(5)