KNOT.CONF(5)                       Knot DNS                       KNOT.CONF(5)


NAME

       knot.conf - Knot DNS configuration file


DESCRIPTION

       Configuration files for Knot DNS use a simplified YAML  format.  Simpli‐
       fied means that not all YAML features are supported.

       The description of the configuration items uses the following symbols:

       • INT – Integer

       • STR – Textual string

       • HEXSTR – Hexadecimal string (with 0x prefix)

       • BOOL – Boolean value (on/off or true/false)

       • TIME  –  Number  of seconds, an integer with possible time multiplier
         suffix (s ~ 1, m ~ 60, h ~ 3600 or d ~ 24 * 3600)

       • SIZE – Number of bytes, an integer with possible size multiplier suf‐
         fix (B ~ 1, K ~ 1024, M ~ 1024^2 or G ~ 1024^3)

       • BASE64 – Base64 encoded string

       • ADDR – IPv4 or IPv6 address

       • DNAME – Domain name

       • ... – Multi-valued item, order of the values is preserved

       • [ ] – Optional value

       • | – Choice

       The  configuration consists of several fixed sections and optional mod‐
       ule sections. There are 16 fixed sections (module,  server,  xdp,  con‐
       trol,  log,  statistics, database, keystore, key, remote, remotes, acl,
       submission, policy, template, zone).  Module sections are prefixed with
       the mod- prefix (e.g. mod-stats).

       Most of the sections (e.g. zone) are sequences of settings blocks. Each
       settings block begins with a unique identifier, which can be used as  a
       reference  from  other  sections (such an identifier must be defined in
       advance).

       A multi-valued item can be specified either as a YAML sequence:

          address: [10.0.0.1, 10.0.0.2]

       or as several single-valued items, each on its own line:

          address: 10.0.0.1
          address: 10.0.0.2

       If an item value contains spaces or other  special  characters,  it  is
       necessary to enclose such a value within double quotes " ".


COMMENTS

       A  comment  begins with a # character and is ignored during processing.
       Each configuration section or sequence block also allows  a  permanent
       comment using the comment item, which is stored in the server beside
       the configuration.


INCLUDES

       Another configuration file, or several files matching a pattern, can be
       included at the top level of the current file. If the path is not abso‐
       lute, it is considered to be relative to the current file. The  pattern
       can  be  an  arbitrary  string  meeting  POSIX  glob  requirements, e.g.
       dir/*.conf.  Matching files are processed in sorted order.

          include: STR


MODULE SECTION

       Dynamic module loading configuration.

       NOTE:
          If configured with a non-empty `--with-moduledir=path` parameter, all
          shared modules in this directory are loaded automatically.

          module:
            - id: STR
              file: STR

   id
       A module identifier in the form of the mod- prefix and module name suf‐
       fix.

   file
       A path to a shared library file with the module implementation.

       WARNING:
          If the path is not absolute, the library is searched for in the  set
          of system directories. See man dlopen for more details.

       Default:      ${libdir}/knot/modules-${version}/module_name.so      (or
       ${path}/module_name.so if configured with --with-moduledir=path)


SERVER SECTION

       General options related to the server.

          server:
              identity: [STR]
              version: [STR]
              nsid: [STR|HEXSTR]
              rundir: STR
              user: STR[:STR]
              pidfile: STR
              udp-workers: INT
              tcp-workers: INT
              background-workers: INT
              async-start: BOOL
              tcp-idle-timeout: TIME
              tcp-io-timeout: INT
              tcp-remote-io-timeout: INT
              tcp-max-clients: INT
              tcp-reuseport: BOOL
              tcp-fastopen: BOOL
              quic-max-clients: INT
              quic-outbuf-max-size: SIZE
              quic-idle-close-timeout: TIME
              remote-pool-limit: INT
              remote-pool-timeout: TIME
              remote-retry-delay: TIME
              socket-affinity: BOOL
              udp-max-payload: SIZE
              udp-max-payload-ipv4: SIZE
              udp-max-payload-ipv6: SIZE
              key-file: STR
              cert-file: STR
              edns-client-subnet: BOOL
              answer-rotation: BOOL
              automatic-acl: BOOL
              proxy-allowlist: ADDR[/INT] | ADDR-ADDR ...
              dbus-event: none | running | zone-updated | ksk-submission | dnssec-invalid ...
              dbus-init-delay: TIME
              listen: ADDR[@INT] ...

       CAUTION:
          When you change configuration parameters dynamically or via configu‐
          ration  file  reload,  some parameters in the Server section require
          restarting the Knot server so that the changes take effect. See  be‐
          low for the details.

   identity
       An identity of the server returned in the response to the query for TXT
       record id.server. or hostname.bind. in the CHAOS class (RFC 4892).  Set
       to an empty value to disable.

       Default: FQDN hostname

   version
       A  version of the server software returned in the response to the query
       for TXT record version.server. or version.bind. in the CHAOS class (RFC
       4892). Set to an empty value to disable.

       Default: server version

   nsid
       A  DNS name server identifier (RFC 5001). Set to an empty value to dis‐
       able.

       Default: FQDN hostname at the moment of the daemon start

   rundir
       A path for storing run-time data (PID file, unix sockets, etc.).

       Depending on the usage  of  this  parameter,  its  change  may  require
       restart of the Knot server to take effect.

       Default: ${localstatedir}/run/knot (configured with --with-rundir=path)

   user
       A  system  user  with an optional system group (user:group) under which
       the server is run after starting and binding to interfaces. Linux capa‐
       bilities are employed if supported.

       Change  of  this  parameter requires restart of the Knot server to take
       effect.

       Default: root:root

   pidfile
       A PID file location.

       Change of this parameter requires restart of the Knot  server  to  take
       effect.

       Default: rundir/knot.pid

   udp-workers
       A number of UDP workers (threads) used to process incoming queries over
       UDP.

       Change of this parameter requires restart of the Knot  server  to  take
       effect.

       Default: equal to the number of online CPUs

   tcp-workers
       A number of TCP workers (threads) used to process incoming queries over
       TCP.

       Change of this parameter requires restart of the Knot  server  to  take
       effect.

       Default:  equal to the number of online CPUs, default value is at least
       10

   background-workers
       A number of workers (threads) used  to  execute  background  operations
       (zone loading, zone updates, etc.).

       Change  of  this  parameter requires restart of the Knot server to take
       effect.

       Default: equal to the number of online CPUs, default value is  at  most
       10

   async-start
       If enabled, the server doesn't wait for the zones to be loaded; it starts
       responding immediately with SERVFAIL answers until the zones are loaded.

       Default: off

   tcp-idle-timeout
       Maximum idle time (in seconds) between requests on an inbound TCP  con‐
       nection.  It means if there is no activity on an inbound TCP connection
       during this limit, the connection is closed by the server.

       Minimum: 1

       Default: 10

   tcp-io-timeout
       Maximum time (in milliseconds) to receive or send one DNS message  over
       an  inbound  TCP  connection. It means this limit applies to normal DNS
       queries and replies, incoming DDNS, and outgoing  zone  transfers.  The
       timeout  is  measured from the moment some data is already available for
       processing.  Set to 0 for infinity.

       Default: 500 (milliseconds)

       CAUTION:
          In order to reduce the risk of Slow Loris attacks, it's  recommended
          to set this limit as low as possible on public servers.

   tcp-remote-io-timeout
       Maximum  time (in milliseconds) to receive or send one DNS message over
       an outbound TCP connection which has already been established to a con‐
       figured  remote  server.   It means this limit applies to incoming zone
       transfers, sending NOTIFY, DDNS forwarding, and DS check or push.  This
       timeout  includes  the  time  needed for a network round-trip and for a
       query processing by the remote.  Set to 0 for infinity.

       Default: 5000 (milliseconds)

   tcp-reuseport
       If enabled, each TCP worker listens on its own socket and the OS kernel
       socket  load  balancing  is  employed  using SO_REUSEPORT (or SO_REUSE‐
       PORT_LB on FreeBSD). Due to the lack of one shared socket,  the  server
       can  offer  a  higher response rate over TCP. However, in the case of
       time-consuming requests (e.g. zone transfers of a TLD  zone),  enabled
       reuseport may result in client requests being delayed or left unan‐
       swered. So it is advisable to use this option on secondary servers.

       Change of this parameter requires restart of the Knot  server  to  take
       effect.

       Default: off

   tcp-fastopen
       If  enabled,  use  TCP Fast Open for outbound TCP communication (client
       side): incoming zone transfers, sending NOTIFY,  and  DDNS  forwarding.
       This  mode simplifies the TCP handshake and can result in better network‐
       ing performance. TCP Fast Open for inbound TCP communication (server
       side) isn't affected by this configuration as it's enabled automatically
       if supported by the OS.

       NOTE:
          The TCP Fast Open support must also be enabled on the OS level:

          • Linux/macOS: ensure kernel parameter net.ipv4.tcp_fastopen is 2 or
            3 for server side, and 1 or 3 for client side.

          • FreeBSD:  ensure kernel parameter net.inet.tcp.fastopen.server_en‐
            able is 1 for server side, and net.inet.tcp.fastopen.client_enable
            is 1 for client side.

       Default: off

   quic-max-clients
       A maximum number of QUIC clients connected in parallel.

       See also quic.

       Change  of  this  parameter requires restart of the Knot server to take
       effect.

       Minimum: 128

       Default: 10000 (ten thousand)

   quic-outbuf-max-size
       Maximum cumulative size of memory used for buffers of unACKed sent mes‐
       sages.

       NOTE:
          Set   low   if   little   memory   is   available   (together   with
          quic-max-clients since QUIC connections are  memory-heavy).  Set  to
          a high value if outgoing zone transfers of a big zone over QUIC are
          expected.

       Change of this parameter requires restart of the Knot  server  to  take
       effect.

       Minimum: 1M (1 MiB)

       Default: 100M (100 MiB)

   quic-idle-close-timeout
       Time  in  seconds,  after  which any idle QUIC connection is gracefully
       closed.

       Change of this parameter requires restart of the Knot  server  to  take
       effect.

       Minimum: 1

       Default: 4

   remote-pool-limit
       If nonzero, the server will keep up to this number of outgoing TCP con‐
       nections open for later use. This is an optimization to avoid  frequent
       opening of TCP connections to the same remote.

       Change  of  this  parameter requires restart of the Knot server to take
       effect.

       Default: 0

   remote-pool-timeout
       The timeout in seconds after which the unused  kept-open  outgoing  TCP
       connections to remote servers are closed.

       Default: 5

   remote-retry-delay
       When a connection attempt to some remote address times out, this infor‐
       mation will be kept for the specified time (in milliseconds) and  other
       connections  to  the  same  address  won't  be attempted. This prevents
       repeatedly waiting for a timeout on an unreachable remote.

       Default: 0

   socket-affinity
       If enabled and if SO_REUSEPORT is available on  Linux,  all  configured
       network  sockets  are bound to UDP and TCP workers in order to increase
       the networking performance.  This mode  isn't  recommended  for  setups
       where the number of network card queues is lower than the number of UDP
       or TCP workers.

       Change of this parameter requires restart of the Knot  server  to  take
       effect.

       Default: off

   tcp-max-clients
       A  maximum  number of TCP clients connected in parallel; set this below
       the file descriptor limit to avoid resource exhaustion.

       NOTE:
          It is advisable to adjust the  maximum  number  of  open  files  per
          process in your operating system configuration.

       Default: one half of the file descriptor limit for the server process

   udp-max-payload
       Maximum EDNS0 UDP payload size default for both IPv4 and IPv6.

       Default: 1232

   udp-max-payload-ipv4
       Maximum EDNS0 UDP payload size for IPv4.

       Default: 1232

   udp-max-payload-ipv6
       Maximum EDNS0 UDP payload size for IPv6.

       Default: 1232

   key-file
       Path  to a server key PEM file which is used for DNS over QUIC communi‐
       cation.

       Change of this parameter requires restart of the Knot  server  to  take
       effect.

       Default: one-time in-memory key

   cert-file
       Path  to  a server certificate PEM file which is used for DNS over QUIC
       communication.

       Change of this parameter requires restart of the Knot  server  to  take
       effect.

       Default: one-time in-memory certificate

   edns-client-subnet
       Enable  or disable EDNS Client Subnet support. If enabled, responses to
       queries containing the EDNS Client Subnet option always contain a valid
       EDNS Client Subnet option according to RFC 7871.

       Default: off

   answer-rotation
       Enable or disable sorted-rrset rotation in the answer section of normal
       replies.  The rotation shift is simply determined by the query ID.

       Default: off

   automatic-acl
       If enabled, the automatic ACL setting of configured remotes is consid‐
       ered when evaluating authorized operations.

       Default: off

   proxy-allowlist
       An  ordered  list  of  IP addresses, network subnets, or network ranges
       which are allowed as a source address of proxied DNS traffic over  UDP.
       The supported proxy protocol is haproxy PROXY v2.

       NOTE:
          TCP is not supported.

       Default: not set

   dbus-event
       Specification of server or zone states which emit a D-Bus signal on the
       system  bus.  The  bus  name  is  cz.nic.knotd,  the  object  path   is
       /cz/nic/knotd, and the interface name is cz.nic.knotd.events.

       Possible values:

       • none – No signal is emitted.

       • running  – The signal started is emitted when the server is fully op‐
         erational and the signal stopped is emitted at the beginning  of  the
         server shutdown.

       • zone-updated  –  The  signal  zone_updated is emitted when a zone has
         been updated; the signal parameters are zone name and  zone  SOA  se‐
         rial.

       • ksk-submission  –  The signal zone_ksk_submission is emitted if there
         is a ready KSK present when the zone is signed; the signal parameters
         are zone name, KSK keytag, and KSK KASP id.

       • dnssec-invalid  –  The  signal  zone_dnssec_invalid  is  emitted when
         DNSSEC validation fails; the signal parameter is zone name.

       NOTE:
          This function requires systemd version at least 221.

       Change of this parameter requires restart of the Knot  server  to  take
       effect.

       Default: none

   dbus-init-delay
       Time in seconds which the server waits upon D-Bus initialization to en‐
       sure the D-Bus client is ready to receive signals.

       Change of this parameter requires restart of the Knot  server  to  take
       effect.

       Minimum: 0

       Default: 1

   listen
       One or more IP addresses where the server listens for incoming queries.
       Optional port specification (default is 53) can be appended to each ad‐
       dress  using @ separator. Use 0.0.0.0 for all configured IPv4 addresses
       or :: for all configured IPv6 addresses. A filesystem path can be spec‐
       ified for listening on a local unix SOCK_STREAM socket. Non-local ad‐
       dress binding is automatically enabled if supported by the operating
       system.

       Change of this parameter requires restart of the Knot  server  to  take
       effect.

       Default: not set

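       The value types from DESCRIPTION and the restart and hardening notes of
       this section, worked through as an added Python example (not part of
       this page or of Knot DNS itself): it parses the simplified YAML subset
       shown above, including repeated-key multi-valued items, then reviews a
       constructed server block. The sample configs, the RESTART_ITEMS list and
       the finding texts are the example's own; the top-level include item and
       tab indentation are not handled.

```python
import re

# Multipliers for the TIME and SIZE value types defined in the DESCRIPTION section.
TIME_MULT = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 24 * 3600}
SIZE_MULT = {"": 1, "B": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

# Server items the page marks as taking effect only after a server restart
# (rundir is left out: the page says its change only "may" require one).
RESTART_ITEMS = {
    "user", "pidfile", "udp-workers", "tcp-workers", "background-workers",
    "tcp-reuseport", "quic-max-clients", "quic-outbuf-max-size",
    "quic-idle-close-timeout", "remote-pool-limit", "socket-affinity",
    "key-file", "cert-file", "dbus-event", "dbus-init-delay", "listen",
}

def _scaled(text, mult, what):
    m = re.fullmatch(r"(\d+)([A-Za-z]?)", text.strip())
    if not m or m.group(2) not in mult:
        raise ValueError(f"invalid {what} value: {text!r}")
    return int(m.group(1)) * mult[m.group(2)]

def parse_time(text):
    """TIME: seconds with an optional s/m/h/d suffix, e.g. '10m' -> 600."""
    return _scaled(text, TIME_MULT, "TIME")

def parse_size(text):
    """SIZE: bytes with an optional B/K/M/G suffix, e.g. '100M' -> 104857600."""
    return _scaled(text, SIZE_MULT, "SIZE")

def _strip_comment(line):
    """Drop a '# ...' comment unless the '#' sits inside double quotes."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == "#" and not quoted:
            return line[:i]
    return line

def _values(raw):
    """Split an item value into a list: a YAML flow sequence or one scalar."""
    raw = raw.strip()
    parts = [p.strip() for p in raw[1:-1].split(",")] if raw[:1] == "[" else [raw]
    return [p[1:-1] if len(p) > 1 and p[0] == p[-1] == '"' else p for p in parts if p]

def parse_conf(text):
    """Return {section: [block, ...]}, each block mapping an item to its value list.
    A multi-valued item may be a flow sequence or repeated keys; both are merged in
    order (a strict YAML loader would keep only the last repeated key)."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = _strip_comment(raw).rstrip()
        if not line.strip():
            continue
        body = line.strip()
        if line[0] != " ":                     # unindented: "server:" / "remote:"
            section, block = body.rstrip(":"), None
            conf[section] = []
            continue
        if body.startswith("- "):              # new block of a sequence section
            block = {}
            conf[section].append(block)
            body = body[2:]
        elif block is None:                    # first item of a map section
            block = {}
            conf[section].append(block)
        key, _, value = body.partition(":")
        block.setdefault(key.strip(), []).extend(_values(value))
    return conf

def restart_needed(old_text, new_text):
    """Changed server items that only take effect after restarting the server."""
    old = parse_conf(old_text).get("server", [{}])[0]
    new = parse_conf(new_text).get("server", [{}])[0]
    return sorted(k for k in RESTART_ITEMS if old.get(k) != new.get(k))

def server_findings(text):
    """Hardening review of the server section, following the page's own advice."""
    srv = parse_conf(text).get("server", [{}])[0]
    findings = []
    if srv.get("user", ["root:root"])[0].split(":")[0] == "root":   # page default
        findings.append("user: server keeps running as root after start")
    io_ms = int(srv.get("tcp-io-timeout", ["500"])[0])             # INT, milliseconds
    if io_ms == 0 or io_ms > 500:
        findings.append(f"tcp-io-timeout: {io_ms} ms widens the Slow Loris window")
    return findings

# Constructed sample configs (not from the page): one server before and after tuning.
OLD_CONF = """\
server:
    listen: [10.0.0.1@53, "::@53"]
    tcp-io-timeout: 0             # 0 means infinity (see the CAUTION on this item)
    tcp-idle-timeout: 1m
"""
NEW_CONF = """\
server:
    user: knot:knot               # drop privileges after binding to port 53
    listen: 10.0.0.1@53
    listen: ::@53                 # repeated key, equivalent to the flow sequence
    tcp-io-timeout: 500
    tcp-idle-timeout: 10s
    quic-outbuf-max-size: 100M
"""
```

       Both listen spellings parse to the same list, so only user and
       quic-outbuf-max-size show up as changes that need a restart.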

XDP SECTION

       Various options related to XDP listening, especially TCP.

          xdp:
              listen: STR[@INT] | ADDR[@INT] ...
              udp: BOOL
              tcp: BOOL
              quic: BOOL
              quic-port: INT
              quic-log: BOOL
              tcp-max-clients: INT
              tcp-inbuf-max-size: SIZE
              tcp-outbuf-max-size: SIZE
              tcp-idle-close-timeout: TIME
              tcp-idle-reset-timeout: TIME
              tcp-resend-timeout: TIME
              route-check: BOOL

       CAUTION:
          When you change configuration parameters dynamically or via configu‐
          ration file reload, some  parameters  in  the  XDP  section  require
          restarting the Knot server so that the changes take effect.

   listen
       One  or more network device names (e.g. ens786f0) on which XDP mode is
       enabled. Alternatively, an IP address can be used instead of  a  device
       name,  but the server will still listen on all addresses belonging to
       the same interface!  Optional port specification (default is 53) can be
       appended to each device name or address using @ separator.

       Change  of  this  parameter requires restart of the Knot server to take
       effect.

       CAUTION:
          If XDP workers only process regular DNS  traffic  over  UDP,  it  is
          strongly  recommended  to also listen on the addresses which are in‐
          tended to offer the DNS service, at least to fulfil the DNS require‐
          ment for working TCP.

       Default: not set

   udp
       If enabled, DNS over UDP is processed with XDP workers.

       Change  of  this  parameter requires restart of the Knot server to take
       effect.

       Default: on

   tcp
       If enabled, DNS over TCP traffic is processed with XDP workers.

       The TCP stack limitations:

          • Congestion control is not implemented.

          • Lost packets that do not contain TCP payload may not be resent.

          • Not optimized for transfers of non-trivial zones.

       Change of this parameter requires restart of the Knot  server  to  take
       effect.

       Default: off

   quic
       If enabled, DNS over QUIC is processed with XDP workers.

       Change  of  this  parameter requires restart of the Knot server to take
       effect.

       Default: off

   quic-port
       DNS over QUIC will listen on the interfaces configured by  listen,  but
       on a different port, configured by this option.

       Change  of  this  parameter requires restart of the Knot server to take
       effect.

       Default: 853

   quic-log
       Triggers extensive logging of all QUIC  protocol  internals  for  every
       connection.

       Change  of  this  parameter requires restart of the Knot server to take
       effect.

       Default: off

   tcp-max-clients
       A maximum number of TCP clients connected in parallel.

       Minimum: 1024

       Default: 1000000 (one million)

   tcp-inbuf-max-size
       Maximum cumulative size of memory used for buffers of incompletely  re‐
       ceived messages.

       Minimum: 1M (1 MiB)

       Default: 100M (100 MiB)

   tcp-outbuf-max-size
       Maximum cumulative size of memory used for buffers of unACKed sent mes‐
       sages.

       Minimum: 1M (1 MiB)

       Default: 100M (100 MiB)

   tcp-idle-close-timeout
       Time in seconds, after which any idle connection is gracefully closed.

       Minimum: 1

       Default: 10

   tcp-idle-reset-timeout
       Time in seconds, after which any idle connection is forcibly closed.

       Minimum: 1

       Default: 20

   tcp-resend-timeout
       Resend outgoing data packets (with DNS response payload) if  not  ACKed
       before this timeout.

       Minimum: 1

       Default: 5

   route-check
       If enabled, routing information from the operating system is considered
       when processing every incoming DNS packet received over the XDP  inter‐
       face:

       • If  the  outgoing interface of the corresponding DNS response differs
         from the incoming one, the packet is processed  normally  by  UDP/TCP
         workers (XDP isn't used).

       • If the destination address is blackholed, unreachable, or prohibited,
         the DNS packet is dropped without any response.

       • The destination MAC address and possible VLAN tag  for  the  response
         are taken from the routing system.

       If  disabled,  symmetrical  routing is applied. It means that the query
       source MAC address is used as the response destination MAC address. A
       possible VLAN tag is preserved.

       Change  of  this  parameter requires restart of the Knot server to take
       effect.

       NOTE:
          This mode requires forwarding  enabled  on  the  loopback  interface
          (sysctl    -w    net.ipv4.conf.lo.forwarding=1    and    sysctl   -w
          net.ipv6.conf.lo.forwarding=1).  If forwarding is disabled, all  in‐
          coming DNS packets are dropped!

          Only VLAN 802.1Q is supported.

       Default: off


CONTROL SECTION

       Configuration of the server control interface.

          control:
              listen: STR
              timeout: TIME

   listen
       A UNIX socket path where the server listens for control commands.

       Default: rundir/knot.sock

   timeout
       Maximum  time (in seconds) the control socket operations can take.  Set
       to 0 for infinity.

       Default: 5


LOGGING SECTION

       The server can be configured to log to the standard output, standard
       error output, syslog (or the systemd journal if systemd is enabled) or
       into an arbitrary file.

       There are 6 logging severity levels:

       • critical – Non-recoverable error resulting in server shutdown.

       • error – Recoverable error, action should be taken.

       • warning – Warning that might require user action.

       • notice – Server notice or hint.

       • info – Informational message.

       • debug – Debug or detailed message.

       In the case of a missing log section, warning or more serious  messages
       will  be  logged to both standard error output and syslog. The info and
       notice messages will be logged to standard output.

          log:
            - target: stdout | stderr | syslog | STR
              server: critical | error | warning | notice | info | debug
              control: critical | error | warning | notice | info | debug
              zone: critical | error | warning | notice | info | debug
              any: critical | error | warning | notice | info | debug

   target
       A logging output.

       Possible values:

       • stdout – Standard output.

       • stderr – Standard error output.

       • syslog – Syslog or systemd journal.

       • file_name – A specific file.

       With the syslog target, the syslog service is used. However, if Knot DNS
       has been compiled with systemd support and the operating system has been
       booted with systemd, the systemd journal is used for logging instead of
       syslog.

   server
       Minimum severity level for messages related to general operation of the
       server to be logged.

       Default: not set

   control
       Minimum  severity  level  for  messages related to server control to be
       logged.

       Default: not set

   zone
       Minimum severity level for messages related to zones to be logged.

       Default: not set

   any
       Minimum severity level for all message types to be logged.

       Default: not set


STATISTICS SECTION

       Periodic server statistics dumping.

          statistics:
              timer: TIME
              file: STR
              append: BOOL

   timer
       A period after which all available statistics metrics will  be  written
       to the file.

       Default: not set

   file
       A file path of statistics output in the YAML format.

       Default: rundir/stats.yaml

   append
       If enabled, the output will be appended to the file instead of replac‐
       ing the file.

       Default: off


DATABASE SECTION

       Configuration of databases for zone contents, DNSSEC metadata, or event
       timers.

          database:
              storage: STR
              journal-db: STR
              journal-db-mode: robust | asynchronous
              journal-db-max-size: SIZE
              kasp-db: STR
              kasp-db-max-size: SIZE
              timer-db: STR
              timer-db-max-size: SIZE
              catalog-db: STR
              catalog-db-max-size: SIZE

   storage
       A data directory for storing journal, KASP, and timer databases.

       Default:   ${localstatedir}/lib/knot   (configured   with  --with-stor‐
       age=path)

   journal-db
       An explicit specification of the persistent journal database directory.
       A non-absolute path (i.e. not starting with /) is relative to storage.

       Default: storage/journal

   journal-db-mode
       Specifies  the journal LMDB backend configuration, which influences per‐
       formance and durability.

       Possible values:

       • robust – The journal database disk synchronization  ensures  database
         durability but is generally slower.

       • asynchronous – The journal database disk synchronization is optimized
         for better performance at the expense of lower database durability in
         the  case  of  a crash. This mode is recommended on secondary servers
         with many zones.

       Default: robust

   journal-db-max-size
       The hard limit for the journal  database  maximum  size.  There  is  no
       cleanup  logic  in the journal to recover from reaching this limit; the
       journal simply starts refusing changes across all zones. Decreasing this
       value has no effect if it is lower than the actual database file size.

       It  is  recommended  to  limit  journal-max-usage  per-zone  instead of
       journal-db-max-size in most cases. Please keep this value  larger  than
       the  sum of all zones' journal usage limits. See more details regarding
       journal behaviour.

       NOTE:
          This value also influences the server's usage of virtual memory.

       Default: 20G (20 GiB), or 512M (512 MiB) for 32-bit

   kasp-db
       An explicit specification of the KASP database directory. A non-absolute
       path (i.e. not starting with /) is relative to storage.

       Default: storage/keys

   kasp-db-max-size
       The hard limit for the KASP database maximum size.

       NOTE:
          This value also influences the server's usage of virtual memory.

       Default: 500M (500 MiB)

   timer-db
       An  explicit  specification of the persistent timer database directory.
       A non-absolute path (i.e. not starting with /) is relative to storage.

       Default: storage/timers

   timer-db-max-size
       The hard limit for the timer database maximum size.

       NOTE:
          This value also influences the server's usage of virtual memory.

       Default: 100M (100 MiB)

   catalog-db
       An explicit specification of the zone catalog database directory.  Only
       useful  if  catalog-zones  are  enabled.   A non-absolute path (i.e. not
       starting with /) is relative to storage.

       Default: storage/catalog

   catalog-db-max-size
       The hard limit for the catalog database maximum size.

       NOTE:
          This value also influences the server's usage of virtual memory.

       Default: 20G (20 GiB), or 512M (512 MiB) for 32-bit


KEYSTORE SECTION

       DNSSEC keystore configuration.

          keystore:
            - id: STR
              backend: pem | pkcs11
              config: STR
              key-label: BOOL

   id
       A keystore identifier.

   backend
       A key storage backend type.

       Possible values:

       • pem – PEM files.

       • pkcs11 – PKCS #11 storage.

       Default: pem

   config
       A backend specific configuration. A directory with PEM files (the  path
       can  be  specified  as  a  relative path to kasp-db) or a configuration
       string for PKCS #11 storage (<pkcs11-url> <module-path>).

       NOTE:
          Example configuration string for PKCS #11:

              "pkcs11:token=knot;pin-value=1234 /usr/lib64/pkcs11/libsofthsm2.so"

       Default: kasp-db/keys

   key-label
       If enabled in combination with the PKCS #11 backend, generated keys are
       labeled in the form <zone_name> KSK|ZSK.

       Default: off


KEY SECTION

926       Shared TSIG keys used to authenticate communication with the server.
927
928          key:
929            - id: DNAME
930              algorithm: hmac-md5 | hmac-sha1 | hmac-sha224 | hmac-sha256 | hmac-sha384 | hmac-sha512
931              secret: BASE64
932
933   id
934       A key name identifier.
935
936       NOTE:
937          This  value  MUST be exactly the same as the name of the TSIG key on
938          the opposite primary/secondary server(s).
939
940   algorithm
941       A TSIG key algorithm. See TSIG Algorithm Numbers.
942
943       Possible values:
944
945       • hmac-md5
946
947       • hmac-sha1
948
949       • hmac-sha224
950
951       • hmac-sha256
952
953       • hmac-sha384
954
955       • hmac-sha512
956
957       Default: not set
958
959   secret
960       Shared key secret.
961
962       Default: not set
963

REMOTE SECTION

965       Definitions of remote servers for outgoing  connections  (source  of  a
966       zone transfer, target for a notification, etc.).
967
968          remote:
969            - id: STR
970              address: ADDR[@INT] ...
971              via: ADDR[@INT] ...
972              key: key_id
973              block-notify-after-transfer: BOOL
974              no-edns: BOOL
975              automatic-acl: BOOL
976
977   id
978       A remote identifier.
979
980   address
981       An ordered list of destination IP addresses which are used for
982       communication with the remote server. The addresses are tried in
983       sequence until the remote is reached. An optional destination port
984       (default is 53) can be appended to the address using the @ separator.
985
986       Default: not set
987
988       NOTE:
989          If the remote is contacted and it refuses to perform the requested
990          action, no more addresses will be tried for this remote.
991
992   via
993       An ordered list of source IP addresses. The first address with the same
994       family as the destination address is used as the source address for
995       communication with the remote. This option can help if the server listens
996       on multiple addresses. An optional source port (default is random) can be
997       appended to the address using the @ separator.
998
999       Default: not set
1000
1001   key
1002       A  reference to the TSIG key which is used to authenticate the communi‐
1003       cation with the remote server.
1004
1005       Default: not set
1006
1007   block-notify-after-transfer
1008       When an AXFR/IXFR is received from this remote (as a primary server),
1009       suppress sending NOTIFY messages to all configured secondary servers.
1010
1011       Default: off
1012
1013   no-edns
1014       If enabled, no OPT record (EDNS) is inserted into outgoing requests to
1015       this remote server. This mode is necessary for communication with some
1016       broken implementations (e.g. Windows Server 2016).
1017
1018       Default: off
1019
1020   automatic-acl
1021       If enabled, some authorized operations for the remote are automatically
1022       allowed based on the context:
1023
1024       • Incoming NOTIFY is allowed from the remote if it's  configured  as  a
1025         primary server for the zone.
1026
1027       • Outgoing zone transfer is allowed to the remote if it's configured as
1028         a NOTIFY target for the zone.
1029
1030       Automatic ACL rules are evaluated before explicit zone  ACL  configura‐
1031       tion.
1032
1033       NOTE:
1034          This  functionality  requires global activation via automatic-acl in
1035          the server section.
1036
1037       Default: on
1038

REMOTES SECTION

1040       Definitions of groups of remote servers. Remote grouping  can  simplify
1041       the configuration.
1042
1043          remotes:
1044            - id: STR
1045              remote: remote_id ...
1046
1047   id
1048       A remote group identifier.
1049
1050   remote
1051       An ordered list of references to remote server definitions.
1052
1053       Default: not set
1054

ACL SECTION

1056       Access  control  list rule definitions. An ACL rule is a description of
1057       one or more authorized operations (zone transfer request,  zone  change
1058       notification, and dynamic DNS update) which are allowed to be processed
1059       or denied.
1060
1061          acl:
1062            - id: STR
1063              address: ADDR[/INT] | ADDR-ADDR ...
1064              key: key_id ...
1065              remote: remote_id | remotes_id ...
1066              action: query | notify | transfer | update ...
1067              deny: BOOL
1068              update-type: STR ...
1069              update-owner: key | zone | name
1070              update-owner-match: sub-or-equal | equal | sub
1071              update-owner-name: STR ...
1072
1073   id
1074       An ACL rule identifier.
1075
1076   address
1077       An ordered list of IP addresses, network subnets,  or  network  ranges.
1078       The  query's source address must match one of them. If this item is not
1079       set, address match is not required.
1080
1081       Default: not set
1082
1083   key
1084       An ordered list of references to TSIG keys. The query must match one of
1085       them. If this item is not set, transaction authentication is not used.
1086
1087       Default: not set
1088
1089   remote
1090       An ordered list of references to remote and remotes. The query must
1091       match one of the remotes. Specifically, one of the remote's addresses
1092       and the remote's TSIG key (if configured) must match.
1093
1094       NOTE:
1095          This option cannot be specified along with the address or key option
1096          at one ACL item.
1097
1098       Default: not set
1099
1100   action
1101       An ordered list of allowed (or denied) actions.
1102
1103       Possible values:
1104
1105       • query – Allow regular DNS query. As normal queries are always
1106         allowed, this action is only useful in combination with a TSIG key.
1107
1108       • notify – Allow incoming notify (NOTIFY).
1109
1110       • transfer – Allow zone transfer (AXFR, IXFR).
1111
1112       • update – Allow zone updates (DDNS).
1113
1114       Default: query
1115
1116   deny
1117       If enabled, instead of allowing, deny the specified action, address,
1118       key, or combination of these items. If no action is specified, deny all
1119       actions.
1120
1121       Default: off
1122
1123   update-type
1124       A  list  of  allowed  types of Resource Records in a zone update. Every
1125       record in an update must match one of the specified types.
1126
1127       Default: not set
1128
1129   update-owner
1130       This option restricts possible owners of Resource Records in a zone up‐
1131       date  by  comparing  them  to either the TSIG key identity, the current
1132       zone name, or to a list of domain names given by the  update-owner-name
1133       option.   The  comparison method is given by the update-owner-match op‐
1134       tion.
1135
1136       Possible values:
1137
1138       • key – The owner of each updated RR must match the identity of the
1139         TSIG key if used.
1140
1141       • name – The owner of each updated RR must match at least one name in
1142         the update-owner-name list.
1143
1144       • zone – The owner of each updated RR must match the current zone name.
1145
1146       Default: not set
1147
1148   update-owner-match
1149       This option defines how the owners of Resource Records in an update are
1150       matched to the domain name(s) set by the update-owner option.
1151
1152       Possible values:
1153
1154       • sub-or-equal – The owner of each RR in an update must either be equal
1155         to or be a subdomain of at least one domain name set by update-owner.
1156
1157       • equal – The owner of each updated RR must be equal to at least one
1158         domain name set by update-owner.
1159
1160       • sub – The owner of each updated RR must be a subdomain of, but MUST
1161         NOT be equal to at least one domain name set by update-owner.
1162
1163       Default: sub-or-equal
1164
1165   update-owner-name
1166       A list of allowed owners of RRs in a zone update used with update-owner
1167       set to name. Every listed owner name which is not an FQDN (i.e. it
1168       doesn't end in a dot) is considered as if it was appended with the
1169       target zone name. Such a relative owner name specification allows
1170       better ACL rule reusability across multiple zones.
1171
1172       Default: not set
1173
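       The following added example (not Knot DNS code) models the ACL matching
       described in this section: address, key and action matching, deny, and
       the update-type and update-owner restrictions on dynamic updates, applied
       to a constructed rule set and constructed requests. That the rules of a
       zone's acl list are evaluated in order and the first matching rule
       decides is an assumption made here.

```python
"""Model of the ACL rule matching documented in the ACL SECTION.

Added example, not Knot DNS code. Assumption: a zone's acl list is walked in
order and the first matching rule decides. All addresses, key ids and names
are constructed sample values."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Acl:
    id: str
    address: list = field(default_factory=list)   # ADDR, ADDR/INT or ADDR-ADDR
    key: list = field(default_factory=list)       # ids of TSIG keys (key section)
    action: Optional[list] = None                 # unset: query (allow) / all (deny)
    deny: bool = False
    update_type: list = field(default_factory=list)
    update_owner: Optional[str] = None            # key | zone | name
    update_owner_match: str = "sub-or-equal"      # default
    update_owner_name: list = field(default_factory=list)


@dataclass
class Request:
    action: str                       # query | notify | transfer | update
    src: str                          # source IP address of the query
    key: Optional[str] = None         # id of the TSIG key the query is signed with
    zone: str = "example.com."        # target zone
    update_rrs: list = field(default_factory=list)   # (owner, rrtype) pairs


def _addr_matches(spec: str, src: str) -> bool:
    """ADDR, ADDR/INT (subnet) or ADDR-ADDR (inclusive range)."""
    ip = ipaddress.ip_address(src)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(a) for a in spec.split("-", 1))
        return lo.version == ip.version and lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)   # False across families


def _fqdn(name: str, zone: str) -> str:
    """A name without a terminating dot is relative to the target zone."""
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{zone.lower()}"


def _owner_ok(owner: str, bases: list, match: str) -> bool:
    """update-owner-match semantics: sub-or-equal | equal | sub."""
    for base in bases:
        equal = owner == base
        sub = owner.endswith("." + base) and not equal
        if {"equal": equal, "sub": sub, "sub-or-equal": equal or sub}[match]:
            return True
    return False


def _update_ok(rule: Acl, req: Request) -> bool:
    """update-type and update-owner checks; every RR in the update must pass."""
    if rule.update_type and any(t not in rule.update_type for _, t in req.update_rrs):
        return False
    if rule.update_owner is None:
        return True
    if rule.update_owner == "key":          # key ids are domain names (DNAME)
        bases = [_fqdn(req.key, req.zone)] if req.key else []
    elif rule.update_owner == "zone":
        bases = [req.zone.lower()]
    else:  # "name": relative names are completed with the target zone name
        bases = [_fqdn(n, req.zone) for n in rule.update_owner_name]
    return all(_owner_ok(_fqdn(o, req.zone), bases, rule.update_owner_match)
               for o, _ in req.update_rrs)


def _rule_matches(rule: Acl, req: Request) -> bool:
    if rule.action is not None:
        actions = rule.action
    else:   # "If no action is specified, deny all actions"; allow defaults to query
        actions = ("query", "notify", "transfer", "update") if rule.deny else ("query",)
    if req.action not in actions:
        return False
    if rule.address and not any(_addr_matches(a, req.src) for a in rule.address):
        return False
    if rule.key and req.key not in rule.key:
        return False
    return req.action != "update" or _update_ok(rule, req)


def acl_decision(rules: list, req: Request):
    """Return (allowed, id of the deciding rule or None)."""
    for rule in rules:
        if _rule_matches(rule, req):
            return (not rule.deny, rule.id)
    return (req.action == "query", None)   # only normal queries need no rule


# Constructed rule set: TSIG-authenticated transfers from a secondary range,
# NOTIFY from one primary, DDNS for A/AAAA under dyn.<zone> with one key, and
# one subnet blocked for every action.
ZONE_ACLS = [
    Acl("deny_net", address=["192.0.2.0/24"], deny=True),
    Acl("allow_xfr", address=["198.51.100.10-198.51.100.20"], key=["xfr-key"],
        action=["transfer"]),
    Acl("allow_notify", address=["203.0.113.5"], action=["notify"]),
    Acl("allow_ddns", key=["ddns-key"], action=["update"], update_type=["A", "AAAA"],
        update_owner="name", update_owner_name=["dyn"]),
]
```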

SUBMISSION SECTION

1175       Parameters of KSK submission checks.
1176
1177          submission:
1178            - id: STR
1179              parent: remote_id | remotes_id ...
1180              check-interval: TIME
1181              timeout: TIME
1182              parent-delay: TIME
1183
1184   id
1185       A submission identifier.
1186
1187   parent
1188       A list of references to remote and remotes to the parent's DNS servers
1189       to be checked for the presence of corresponding DS records in the case
1190       of KSK submission. All of them must have a corresponding DS for the
1191       rollover to continue. If none is specified, the rollover must be pushed
1192       forward manually.
1193
1194       Default: not set
1195
1196       TIP:
1197          A DNSSEC-validating resolver can be set as a parent.
1198
1199   check-interval
1200       Interval for periodic checks of DS presence on the parent's DNS servers,
1201       in the case of the KSK submission.
1202
1203       Default: 1h (1 hour)
1204
1205   timeout
1206       After this time period (in seconds) the KSK submission is automatically
1207       considered successful, even if all the checks were negative or no  par‐
1208       ents are configured.  Set to 0 for infinity.
1209
1210       Default: 0
1211
1212   parent-delay
1213       After a successful parent DS check, wait for this period before
1214       continuing with the next key rollover step. This delay should cover the
1215       propagation delay of the update in the parent zone.
1216
1217       Default: 0
1218

POLICY SECTION

1220       DNSSEC policy configuration.
1221
1222          policy:
1223            - id: STR
1224              keystore: keystore_id
1225              manual: BOOL
1226              single-type-signing: BOOL
1227              algorithm: rsasha1 | rsasha1-nsec3-sha1 | rsasha256 | rsasha512 | ecdsap256sha256 | ecdsap384sha384 | ed25519 | ed448
1228              ksk-size: SIZE
1229              zsk-size: SIZE
1230              ksk-shared: BOOL
1231              dnskey-ttl: TIME
1232              zone-max-ttl: TIME
1233              ksk-lifetime: TIME
1234              zsk-lifetime: TIME
1235              delete-delay: TIME
1236              propagation-delay: TIME
1237              rrsig-lifetime: TIME
1238              rrsig-refresh: TIME
1239              rrsig-pre-refresh: TIME
1240              reproducible-signing: BOOL
1241              nsec3: BOOL
1242              nsec3-iterations: INT
1243              nsec3-opt-out: BOOL
1244              nsec3-salt-length: INT
1245              nsec3-salt-lifetime: TIME
1246              signing-threads: INT
1247              ksk-submission: submission_id
1248              ds-push: remote_id | remotes_id ...
1249              cds-cdnskey-publish: none | delete-dnssec | rollover | always | double-ds
1250              cds-digest-type: sha256 | sha384
1251              dnskey-management: full | incremental
1252              offline-ksk: BOOL
1253              unsafe-operation: none | no-check-keyset | no-update-dnskey | no-update-nsec | no-update-expired ...
1254
1255   id
1256       A policy identifier.
1257
1258   keystore
1259       A reference to a keystore holding private key material for zones.
1260
1261       Default: an imaginary keystore with all default values
1262
1263       NOTE:
1264          A  configured keystore called "default" won't be used unless explic‐
1265          itly referenced.
1266
1267   manual
1268       If enabled, automatic key management is not used.
1269
1270       Default: off
1271
1272   single-type-signing
1273       If enabled, Single-Type Signing Scheme is used  in  the  automatic  key
1274       management mode.
1275
1276       Default: off (module onlinesign has default on)
1277
1278   algorithm
1279       The algorithm of signing keys and issued signatures. See DNSSEC
1280       Algorithm Numbers.
1281
1282       Possible values:
1283
1284       • rsasha1
1285
1286       • rsasha1-nsec3-sha1
1287
1288       • rsasha256
1289
1290       • rsasha512
1291
1292       • ecdsap256sha256
1293
1294       • ecdsap384sha384
1295
1296       • ed25519
1297
1298       • ed448
1299
1300       NOTE:
1301          Ed25519 algorithm is only available if compiled with GnuTLS 3.6.0+.
1302
1303          Ed448 algorithm is only available if compiled  with  GnuTLS  3.6.12+
1304          and Nettle 3.6+.
1305
1306       Default: ecdsap256sha256
1307
1308   ksk-size
1309       The length of newly generated KSK or CSK keys.
1310
1311       Default:  2048 (rsa*), 256 (ecdsap256), 384 (ecdsap384), 256 (ed25519),
1312       456 (ed448)
1313
1314   zsk-size
1315       The length of newly generated ZSK keys.
1316
1317       Default: see default for ksk-size
1318
1319   ksk-shared
1320       If enabled, all zones with this policy assigned will share one or  more
1321       KSKs.  More KSKs can be shared during a KSK rollover.
1322
1323       WARNING:
1324          As the shared KSK set is bound to the policy id, renaming the policy
1325          breaks this connection and a new shared KSK set is initiated when a
1326          new KSK is needed.
1327
1328       Default: off
1329
1330   dnskey-ttl
1331       A TTL value for DNSKEY records added into the zone apex.
1332
1333       NOTE:
1334          Has influence over ZSK key lifetime.
1335
1336       WARNING:
1337          Ensure all DNSKEYs with updated TTL are propagated before any subse‐
1338          quent DNSKEY rollover starts.
1339
1340       Default: zone SOA TTL
1341
1342   zone-max-ttl
1343       Declare (override) the maximal TTL value among all the records in the zone.
1344
1345       NOTE:
1346          It's generally recommended to override the maximal TTL computation
1347          by setting this explicitly whenever possible. It's required for
1348          DNSSEC Offline KSK and strongly advisable when records are generated
1349          dynamically (e.g. by a module).
1350
1351       Default: computed after zone is loaded
1352
1353   ksk-lifetime
1354       A period between KSK activation and the next rollover initiation.
1355
1356       NOTE:
1357          KSK   key   lifetime   is   also  influenced  by  propagation-delay,
1358          dnskey-ttl, and KSK submission delay.
1359
1360          Zero (aka infinity) value causes no KSK rollover as a result.
1361
1362          This applies for CSK lifetime if single-type-signing is enabled.
1363
1364       Default: 0
1365
1366   zsk-lifetime
1367       A period between ZSK activation and the next rollover initiation.
1368
1369       NOTE:
1370          More exactly, this period is measured from when a ZSK is activated;
1371          after it elapses, a new ZSK is generated to replace it in the
1372          following rollover.
1373
1374          ZSK key lifetime is also influenced by propagation-delay and
1375          dnskey-ttl.
1376
1377          Zero (aka infinity) value causes no ZSK rollover as a result.
1378
1379       Default: 30d (30 days)
1380
1381   delete-delay
1382       Once a key (KSK or ZSK) is rolled over and removed from the zone, keep
1383       it in the KASP database for at least this period before deleting it
1384       completely. This might be useful in some troubleshooting cases when
1385       resurrection is needed.
1386
1387       Default: 0
1388
1389   propagation-delay
1390       An extra delay added for each key rollover step. This value should be
1391       high enough to cover propagation of data from the primary server to all
1392       secondary servers, as well as the duration of the signing routine itself
1393       and possible outages in the signing and propagation infrastructure. In
1394       other words, this delay should ensure that within this period of time
1395       after a planned change of the key set, all public-facing secondaries
1396       will already be serving the new DNSKEY RRSet.
1397
1398       NOTE:
1399          Has influence over ZSK key lifetime.
1400
1401       Default: 1h (1 hour)
1402
1403   rrsig-lifetime
1404       A validity period of newly issued signatures.
1405
1406       NOTE:
1407          The RRSIG's signature inception time is set to 90 minutes in the
1408          past. This time period is not counted toward the signature lifetime.
1409
1410       Default: 14d (14 days)
1411
1412   rrsig-refresh
1413       The minimum period before a signature's expiration at which the
1414       signature will be refreshed, in order to prevent expired RRSIGs on
1415       secondary servers or in resolvers' caches.
1416
1417       Default: propagation-delay + zone-max-ttl
1418
1419   rrsig-pre-refresh
1420       The maximum period before a signature's refresh time at which the
1421       signature may be refreshed, in order to refresh RRSIGs in bigger batches
1422       on a frequently updated zone (avoiding too frequent re-sign events).
1423
1424       Default: 1h (1 hour)
1425
1426   reproducible-signing
1427       For ECDSA algorithms, generate RRSIG signatures deterministically (RFC
1428       6979). Besides better theoretical cryptographic security, this mode
1429       allows a significant speed-up when loading zones signed by the same
1430       method. However, the zone signing is a bit slower.
1431
1432       Default: off
1433
1434   nsec3
1435       Specifies if NSEC3 will be used instead of NSEC.
1436
1437       Default: off
1438
1439   nsec3-iterations
1440       The number of additional times the hashing is performed.
1441
1442       Default: 0
1443
1444   nsec3-opt-out
1445       If set, NSEC3 records won't be created for insecure delegations.   This
1446       speeds up the zone signing and reduces overall zone size.
1447
1448       WARNING:
1449          NSEC3 with the Opt-Out bit set no longer works as a proof of non-ex‐
1450          istence in this zone.
1451
1452       Default: off
1453
1454   nsec3-salt-length
1455       The length of the salt field in octets, which is appended to the
1456       original owner name before hashing.
1457
1458       Default: 8
1459
1460   nsec3-salt-lifetime
1461       The validity period of a newly issued salt field.
1462
1463       Zero value means infinity.
1464
1465       The special value -1 triggers a re-salt every time the active ZSK
1466       changes. This optimizes the number of big changes to the zone.
1467
1468       Default: 30d (30 days)
1469
1470   signing-threads
1471       When signing a zone or an update, use this number of threads for
1472       parallel signing.
1473
1474       These are extra threads, independent of the background workers.
1475
1476       NOTE:
1477          Some steps of the DNSSEC signing operation are not parallelized.
1478
1479       Default: 1 (no extra threads)
1480
1481   ksk-submission
1482       A reference to a submission section holding parameters of KSK
1483       submission checks.
1484
1485       Default: not set
1486
1487   ds-push
1488       Optional references to remote and remotes to the authoritative DNS
1489       server of the parent zone. The remote server must be configured to
1490       accept DS record updates via DDNS. Whenever a CDS record in the local
1491       zone is changed, the corresponding DS record is sent as a dynamic update
1492       (DDNS) to the parent DNS server. All previous DS records are deleted
1493       within the DDNS message. It's possible to manage both child and parent
1494       zones by the same Knot DNS server.
1495
1496       NOTE:
1497          This feature requires cds-cdnskey-publish not to be set to none.
1498
1499       NOTE:
1500          The mentioned change to the CDS record usually means that a KSK
1501          rollover is running and the new key being rolled in has already been
1502          in the "ready" state for the period of propagation-delay.
1503
1504       NOTE:
1505          Module Onlinesign doesn't support DS push.
1506
1507       Default: not set
1508
1509   cds-cdnskey-publish
1510       Controls whether and how CDS and CDNSKEY records are published in the zone.
1511
1512       Possible values:
1513
1514       • none – Never publish any CDS or CDNSKEY records in the zone.
1515
1516       • delete-dnssec – Publish special CDS and CDNSKEY records indicating
1517         turning off DNSSEC.
1518
1519       • rollover – Publish CDS and CDNSKEY records for a ready and not yet
1520         active KSK (submission phase of KSK rollover).
1521
1522       • always – Always publish one CDS and one CDNSKEY record for the
1523         current KSK.
1524
1525       • double-ds – Always publish up to two CDS and two CDNSKEY records for
1526         ready and/or active KSKs.
1527
1528       NOTE:
1529          If the zone keys are managed manually, the CDS and CDNSKEY RRSets
1530          may contain more records depending on the keys available.
1531
1532       WARNING:
1533          The double-ds value does not trigger the double-DS rollover method.
1534          That method is only supported by Knot when performed manually, with
1535          unset ksk-submission.
1536
1537       Default: rollover
1538
1539   cds-digest-type
1540       Specifies the digest type for published CDS records.
1541
1542       Default: sha256
1543
1544   dnskey-management
1545       Specify  how  the  DNSKEY, CDNSKEY, and CDS RRSets at the zone apex are
1546       handled when (re-)signing the zone.
1547
1548       Possible values:
1549
1550       • full – Upon every zone (re-)sign, delete all unknown DNSKEY, CDNSKEY,
1551         and CDS records and keep just those that are related to the zone keys
1552         stored in the KASP database.
1553
1554       • incremental – Keep unknown DNSKEY, CDNSKEY, and CDS records in the
1555         zone, and modify server-managed records incrementally by employing
1556         changes in the KASP database.
1557
1558       NOTE:
1559          Prerequisites for incremental:
1560
1561          • The Offline KSK isn't supported.
1562
1563          • The delete-delay is long enough to cover possible daemon  shutdown
1564            (e.g. due to server maintenance).
1565
1566          • Manual deletion of keys with keymgr is avoided.
1567
1568          Otherwise some DNSKEY records belonging to deleted keys might remain
1569          in the zone.
1570
1571       Default: full
1572
1573   offline-ksk
1574       Specifies if the Offline KSK feature is enabled.
1575
1576       Default: off
1577
1578   unsafe-operation
1579       Turn off some DNSSEC safety features.
1580
1581       Possible values:
1582
1583       • none – Nothing disabled.
1584
1585       • no-check-keyset – Don't check active keys in present algorithms. This
1586         may lead to violation of RFC 4035#section-2.2.
1587
1588       • no-update-dnskey – Don't maintain/update DNSKEY, CDNSKEY, and CDS
1589         records in the zone apex according to the KASP database. Just leave
1590         them as they are in the zone.
1591
1592       • no-update-nsec – Don't maintain/update the NSEC/NSEC3 chain. Leave
1593         all the records as they are in the zone.
1594
1595       • no-update-expired – Don't update expired RRSIGs.
1596
1597       Multiple values may be specified.
1598
1599       WARNING:
1600          This mode is intended for DNSSEC experts who understand  the  corre‐
1601          sponding consequences.
1602
1603       Default: none
1604

TEMPLATE SECTION

1606       A template is shareable zone settings, which can simplify configuration
1607       by reducing duplicates. A special default template  (with  the  default
1608       identifier) can be used for global zone configuration or as an implicit
1609       configuration if a zone doesn't have another template specified.
1610
1611          template:
1612            - id: STR
1613              global-module: STR/STR ...
1614              # All zone options (excluding 'template' item)
1615
1616   id
1617       A template identifier.
1618
1619   global-module
1620       An ordered list of references to query modules  in  the  form  of  mod‐
1621       ule_name or module_name/module_id. These modules apply to all queries.
1622
1623       NOTE:
1624          This option is only available in the default template.
1625
1626       Default: not set
1627

ZONE SECTION

1629       Definition of zones served by the server.
1630
1631          zone:
1632            - domain: DNAME
1633              template: template_id
1634              storage: STR
1635              file: STR
1636              master: remote_id | remotes_id ...
1637              ddns-master: remote_id
1638              notify: remote_id | remotes_id ...
1639              acl: acl_id ...
1640              semantic-checks: BOOL | soft
1641              zonefile-sync: TIME
1642              zonefile-load: none | difference | difference-no-serial | whole
1643              journal-content: none | changes | all
1644              journal-max-usage: SIZE
1645              journal-max-depth: INT
1646              zone-max-size : SIZE
1647              adjust-threads: INT
1648              dnssec-signing: BOOL
1649              dnssec-validation: BOOL
1650              dnssec-policy: policy_id
1651              ds-push: remote_id | remotes_id ...
1652              zonemd-verify: BOOL
1653              zonemd-generate: none | zonemd-sha384 | zonemd-sha512 | remove
1654              serial-policy: increment | unixtime | dateserial
1655              refresh-min-interval: TIME
1656              refresh-max-interval: TIME
1657              retry-min-interval: TIME
1658              retry-max-interval: TIME
1659              expire-min-interval: TIME
1660              expire-max-interval: TIME
1661              catalog-role: none | interpret | generate | member
1662              catalog-template: template_id ...
1663              catalog-zone: DNAME
1664              catalog-group: STR
1665              module: STR/STR ...
1666
1667   domain
1668       A zone name identifier.
1669
1670   template
1671       A reference to a configuration template.
1672
1673       Default: not set or default (if the template exists)
1674
1675   storage
1676       A data directory for storing zone files.
1677
1678       Default: ${localstatedir}/lib/knot (configured with --with-storage=path)
1679
1680
1681   file
1682       A path to the zone file. A non-absolute path (i.e. not starting with /)
1683       is relative to storage. It is also possible to use the following
1684       formatters:
1685
1686       • %c[N] or %c[N-M] – Means the Nth character or a sequence of
1687         characters beginning from the Nth and ending with the Mth character of
1688         the textual zone name (see %s). The indexes are counted from 0 from
1689         the left. All dots (including the terminal one) are considered. If
1690         the character is not available, the formatter has no effect.
1691
1692       • %l[N] – Means the Nth label of the textual zone name (see %s). The
1693         index is counted from 0 from the right (0 ~ TLD). If the label is
1694         not available, the formatter has no effect.
1695
1696       • %s – Means the current zone name in the textual representation. The
1697         zone name doesn't include the terminating dot (the result for the
1698         root zone is the empty string!).
1699
1700       • %% – Means the % character.
1701
1702       WARNING:
1703          Beware of special characters which are escaped or encoded in the
1704          \DDD form where DDD is the corresponding decimal ASCII code.
1705
1706       Default: storage/%s.zone
1707
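       The file formatters above, as an added example (not Knot DNS code)
       implementing their documented semantics so that a file pattern can be
       checked against a zone name before it is deployed. Handling of \DDD
       escapes is omitted, and treating an N-M range that runs past the end of
       the name as "character not available" is an assumption.

```python
"""Expansion of the zone `file` formatters %s, %%, %c[N], %c[N-M] and %l[N].

Added example, not Knot DNS code. Special characters escaped in the \\DDD
form are not decoded here."""
import os
import re

# %%  %s  %c[N]  %c[N-M]  %l[N]; any other % sequence is left untouched
_FMT = re.compile(r"%(?:(%)|(s)|c\[(\d+)(?:-(\d+))?\]|l\[(\d+)\])")


def zone_file_path(pattern: str, zone: str) -> str:
    """Expand the formatters in `pattern` for the textual zone name `zone`."""
    # %c indexes count every dot including the terminal one, so work on the
    # name with its terminal dot ("." for the root zone); %s drops that dot.
    chars = zone if zone.endswith(".") else zone + "."
    name = chars[:-1]
    labels = [lbl for lbl in name.split(".") if lbl]   # labels[0] is leftmost

    def expand(m: re.Match) -> str:
        pct, s, c_from, c_to, lbl = m.groups()
        if pct:
            return "%"
        if s:
            return name
        if c_from is not None:
            start = int(c_from)
            end = int(c_to) if c_to is not None else start
            if start > end or end >= len(chars):
                return m.group(0)      # character not available: no effect
            return chars[start:end + 1]
        idx = int(lbl)                  # counted from the right, 0 ~ TLD
        if idx >= len(labels):
            return m.group(0)          # label not available: no effect
        return labels[len(labels) - 1 - idx]

    return _FMT.sub(expand, pattern)


def resolve_zone_file(storage: str, pattern: str, zone: str) -> str:
    """A non-absolute expanded path is relative to the storage directory."""
    path = zone_file_path(pattern, zone)
    return path if path.startswith("/") else os.path.join(storage, path)
```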
1708   master
1709       An ordered list of references to remote and remotes to zone primary
1710       servers (formerly known as master servers).
1711
1712       Default: not set
1713
1714   ddns-master
1715       A reference to the zone's primary master. If not specified, the first
1716       master server is used.
1717
1718       Default: not set
1719
1720   notify
1721       An ordered list of references to remote and remotes to secondary servers
1722       to which a notify message is sent if the zone changes.
1723
1724       Default: not set
1725
1726   acl
1727       An ordered list of references to ACL rules which can allow or  disallow
1728       zone transfers, updates or incoming notifies.
1729
1730       Default: not set
1731
1732   semantic-checks
1733       Selects whether extra zone semantic checks are used, or how severe the
1734       impact of the mandatory checks is.
1735
1736       There are several mandatory checks which are always enabled and cannot
1737       be turned off. An error in a mandatory check causes the zone not to be
1738       loaded. Some of the mandatory checks can be weakened by setting soft,
1739       in which case the zone isn't prevented from loading.
1740
1741       If  enabled, extra checks are used. These checks don't prevent the zone
1742       from loading.
1743
1744       The mandatory checks are applied to zone files, zone transfers, and up‐
1745       dates via control interface. The extra checks are applied to zone files
1746       only!
1747
1748       Mandatory checks:
1749
1750       • Missing SOA record at the zone apex (RFC 1034)
1751
1752       Mandatory checks affected by the soft mode:
1753
1754       • An extra record exists together with a CNAME record except for  RRSIG
1755         and NSEC (RFC 1034)
1756
1757       • Multiple CNAME records with the same owner exist (RFC 1034)
1758
1759       • DNAME record having a record under it (RFC 6672)
1760
1761       • Multiple DNAME records with the same owner exist (RFC 6672)
1762
1763       • NS record exists together with a DNAME record (RFC 6672)
1764
1765       Extra checks:
1766
1767       • Missing NS record at the zone apex
1768
1769       • Missing glue A or AAAA record
1770
1771       • Invalid DS or NSEC3PARAM record
1772
1773       • CDS or CDNSKEY inconsistency
1774
1775       • All other DNSSEC checks executed during dnssec-validation
1776
1777       NOTE:
1778          The soft mode allows the refresh event to ignore a CNAME response to
1779          a SOA query (malformed message) and triggers a  zone  bootstrap  in‐
1780          stead.
1781
1782       Default: off
1783
1784   zonefile-sync
1785       The time after which the current zone in memory will be synced with a
1786       zone file on the disk (see file). The server will serve the latest zone
1787       even after a restart using the zone journal, but the zone file on the
1788       disk will only be synced after the zonefile-sync time has expired (or
1789       after a manual zone flush). This is applicable when the zone is updated
1790       via IXFR, DDNS or automatic DNSSEC signing. To completely disable
1791       automatic zone file synchronization, set the value to -1. In that case,
1792       it is still possible to force a manual zone flush using the -f option.
1793
1794       NOTE:
1795          If you are serving large zones with frequent updates where the imme‐
1796          diate sync with a zone file is not desirable, increase the value.
1797
1798       Default: 0 (immediate)
1799
1800   zonefile-load
1801       Selects how the zone file contents are applied during zone load.
1802
1803       Possible values:
1804
1805       • none – The zone file is not used at all.
1806
1807       • difference – If the zone contents are already available during server
1808         start or reload, the difference is computed between them and the
1809         contents of the zone file. This difference is then checked for
1810         semantic errors and applied to the current zone contents.
1811
1812       • difference-no-serial – Same as difference, but the SOA serial in the
1813         zone file is ignored; the server takes care of incrementing the
1814         serial automatically.
1815
1816       • whole – Zone contents are loaded from the zone file.
1817
1818       When difference is configured and there are no zone contents yet  (cold
1819       start  and no zone contents in the journal), it behaves the same way as
1820       whole.
1821
1822       Default: whole
1823
   journal-content
       Selects how the journal shall be used to store the zone and its
       changes.

       Possible values:

       • none – The journal is not used at all.

       • changes – The zone change history is stored in the journal.

       • all – Both the zone contents and the change history are stored in
         the journal.

       Default: changes

   journal-max-usage
       Policy for how much space in the journal DB the zone's journal may
       occupy.

       NOTE:
          The journal DB may grow far above the sum of journal-max-usage
          across all zones, because of DB free space fragmentation.

       Default: 100M (100 MiB)

   journal-max-depth
       Maximum history length of the journal.

       NOTE:
          The zone-in-journal changeset isn't counted towards the limit.

       Minimum: 2

       Default: 20

   zone-max-size
       Maximum size of the zone. The size is measured as the size of the
       zone records in wire format without compression. The limit is
       enforced for incoming zone transfers and dynamic updates.

       For incremental transfers (IXFR), the effective limit for the total
       size of the records in the transfer is twice the configured value.
       However, the final size of the zone must satisfy the configured
       value.

       Default: unlimited

   adjust-threads
       Parallelize internal zone adjusting procedures by using the specified
       number of threads. This is useful with huge zones with NSEC3. The
       speedup is observable at server startup and while processing an
       NSEC3 re-salt.

       Default: 1 (no extra threads)

   dnssec-signing
       If enabled, automatic DNSSEC signing for the zone is turned on.

       Default: off

   dnssec-validation
       If enabled, the zone contents are validated for being correctly
       signed (including the NSEC/NSEC3 chain) with DNSSEC signatures every
       time the zone is loaded or changed (including AXFR/IXFR).

       When the validation fails, the zone load or the update being applied
       is cancelled with an error, and either no zone or the previous zone
       state is published.

       List of DNSSEC checks:

       • Every zone RRSet is correctly signed by at least one present DNSKEY.

       • The DNSKEY RRSet is signed by a KSK.

       • An NSEC(3) RR exists for each name (unless opt-out) with the correct
         bitmap.

       • Every NSEC(3) RR is linked to the lexicographically next one.

       The validation is not affected by the dnssec-policy configuration,
       except for the signing-threads option, which specifies the number of
       threads for parallel validation.

       Default: not set

       NOTE:
          Redundant or garbage NSEC3 records are ignored.

          This mode is not compatible with dnssec-signing.

   dnssec-policy
       A reference to a DNSSEC signing policy.

       Default: an imaginary policy with all default values

       NOTE:
          A configured policy called "default" won't be used unless
          explicitly referenced.

   ds-push
       Per-zone configuration of ds-push. This option overrides the
       per-policy option, if any.

       Default: not set

   zonemd-verify
       On each zone load/update, verify that a ZONEMD is present in the zone
       and valid.

       NOTE:
          Zone digest calculation may take much time and CPU on large zones.

       Default: off

   zonemd-generate
       On each zone update, calculate the ZONEMD and put it into the zone.

       Possible values:

       • none – No action regarding ZONEMD.

       • zonemd-sha384 – Generate ZONEMD using the SHA384 algorithm.

       • zonemd-sha512 – Generate ZONEMD using the SHA512 algorithm.

       • remove – Remove any ZONEMD from the zone apex.

       Default: none

   serial-policy
       Specifies how the zone serial is updated after a dynamic update or
       automatic DNSSEC signing. If the serial is changed by the dynamic
       update, no change is made.

       Possible values:

       • increment – The serial is incremented according to serial number
         arithmetic.

       • unixtime – The serial is set to the current unix time.

       • dateserial – The 10-digit serial (YYYYMMDDnn) is incremented so
         that the first 8 digits match the current ISO date.

       NOTE:
          If the resulting serial for unixtime or dateserial is lower than
          or equal to the current serial (this happens e.g. when migrating
          from another policy or with frequent updates), the serial is
          incremented instead.

          To avoid user confusion, use dateserial only if you expect at most
          100 updates per day per zone and unixtime only if you expect at
          most one update per second per zone.

          Generated catalog zones use unixtime only.

       Default: increment (unixtime for generated catalog zones)

   refresh-min-interval
       Forced minimum zone refresh interval (in seconds) to avoid flooding
       the primary server.

       Minimum: 2

       Default: 2

   refresh-max-interval
       Forced maximum zone refresh interval (in seconds).

       Default: not set

   retry-min-interval
       Forced minimum zone retry interval (in seconds) to avoid flooding
       the primary server.

       Minimum: 1

       Default: 1

   retry-max-interval
       Forced maximum zone retry interval (in seconds).

       Default: not set

   expire-min-interval
       Forced minimum zone expire interval (in seconds) to avoid flooding
       the primary server.

       Minimum: 3

       Default: 3

   expire-max-interval
       Forced maximum zone expire interval (in seconds).

       Default: not set

   catalog-role
       Enables the zone catalog feature. Possible values:

       • none – Not a catalog zone.

       • interpret – A catalog zone which is loaded from a zone file or XFR,
         and whose member zones shall be configured based on its contents.

       • generate – A catalog zone whose contents are generated according to
         the assigned member zones.

       • member – A member zone that is assigned to one generated catalog
         zone.

       Default: none

   catalog-template
       For the catalog member zones, the specified configuration template
       will be applied.

       Multiple catalog templates may be defined. The first one is used
       unless the member zone has the group property defined, matching
       another catalog template.

       NOTE:
          This option must be set if and only if catalog-role is interpret.

          Nested catalog zones aren't supported. Therefore catalog templates
          can't use the catalog-template, catalog-role, catalog-zone, and
          catalog-group options.

       Default: not set

   catalog-zone
       Assign this member zone to the specified generated catalog zone.

       NOTE:
          This option must be set if and only if catalog-role is member.

          The referenced catalog zone must exist and have catalog-role set
          to generate.

       Default: not set

   catalog-group
       Assign this member zone to the specified catalog group (configuration
       template).

       NOTE:
          This option has effect if and only if catalog-role is member.

       Default: not set

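       The following configuration fragment ties the zone-load, journal,
       serial-policy, DNSSEC and catalog options above together. It is an
       added illustration, not a fragment from the Knot DNS documentation:
       all zone, template and remote names are made up, the address 192.0.2.1
       is a constructed placeholder, and the two YAML documents stand for two
       separate knot.conf files (the provider generating a catalog, and a
       consumer interpreting it).

```yaml
# Added example, hypothetical names. First file: the catalog provider.
template:
  - id: signed-default
    # Zone data lives in the journal; the zone file only seeds it and is
    # never written back. The server owns the serial (dateserial).
    zonefile-load: difference-no-serial
    journal-content: all
    zonefile-sync: -1
    dnssec-signing: on
    serial-policy: dateserial

zone:
  # A catalog whose contents are generated from its assigned members.
  # Generated catalog zones always use the unixtime serial policy.
  - domain: catalog.example.
    catalog-role: generate

  # Member zones: catalog-zone is mandatory for catalog-role member.
  - domain: member1.example.
    template: signed-default
    catalog-role: member
    catalog-zone: catalog.example.

  # catalog-group names the template a consumer should apply to this member.
  - domain: member2.example.
    catalog-role: member
    catalog-zone: catalog.example.
    catalog-group: unsigned-check
---
# Second file: a consumer that receives the catalog via XFR.
remote:
  - id: provider
    address: 192.0.2.1   # constructed placeholder

template:
  - id: signed-default
    zonefile-load: whole
    journal-content: changes
  - id: unsigned-check
    # Check signatures that arrive with the zone instead of signing it;
    # dnssec-validation is not compatible with dnssec-signing.
    dnssec-validation: on
    zonemd-verify: on

zone:
  # catalog-template is mandatory for interpret: the first template is the
  # default, later ones are selected by a member's group property.
  - domain: catalog.example.
    master: provider
    catalog-role: interpret
    catalog-template: [ signed-default, unsigned-check ]
```

       Templates used as catalog templates must not themselves carry any
       catalog-* option, as nested catalogs are not supported.
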
   module
       An ordered list of references to query modules in the form of
       module_name or module_name/module_id. These modules apply only to the
       current zone queries.

       Default: not set


AUTHOR
       CZ.NIC Labs <https://www.knot-dns.cz>

COPYRIGHT
       Copyright 2010–2022, CZ.NIC, z.s.p.o.



3.2.4                             2022-12-12                      KNOT.CONF(5)