KNOT.CONF(5)                        Knot DNS                        KNOT.CONF(5)

NAME
knot.conf - Knot DNS configuration file

DESCRIPTION
Configuration files for Knot DNS use a simplified YAML format. Simplified means that not all YAML features are supported.

For the description of configuration items, we have to declare a meaning of the following symbols:

• INT – Integer
• STR – Textual string
• HEXSTR – Hexadecimal string (with 0x prefix)
• BOOL – Boolean value (on/off or true/false)
• TIME – Number of seconds, an integer with possible time multiplier suffix (s ~ 1, m ~ 60, h ~ 3600 or d ~ 24 * 3600)
• SIZE – Number of bytes, an integer with possible size multiplier suffix (B ~ 1, K ~ 1024, M ~ 1024^2 or G ~ 1024^3)
• BASE64 – Base64 encoded string
• ADDR – IPv4 or IPv6 address
• DNAME – Domain name
• ... – Multi-valued item, order of the values is preserved
• [ ] – Optional value
• | – Choice

The configuration consists of several fixed sections and optional module sections. There are 16 fixed sections (module, server, xdp, control, log, statistics, database, keystore, key, remote, remotes, acl, submission, policy, template, zone). Module sections are prefixed with the mod- prefix (e.g. mod-stats).

Most of the sections (e.g. zone) are sequences of settings blocks. Each settings block begins with a unique identifier, which can be used as a reference from other sections (such an identifier must be defined in advance).

A multi-valued item can be specified either as a YAML sequence:

    address: [10.0.0.1, 10.0.0.2]

or as more single-valued items, each on an extra line:

    address: 10.0.0.1
    address: 10.0.0.2

If an item value contains spaces or other special characters, it is necessary to enclose such a value within double quotes " ".
COMMENTS
A comment begins with a # character and is ignored during processing. Also, each configuration section or sequence block allows a permanent comment using the comment item, which is stored in the server beside the configuration.

INCLUDES
Another configuration file or files, matching a pattern, can be included at the top level in the current file. If the path is not absolute, then it is considered to be relative to the current file. The pattern can be an arbitrary string meeting POSIX glob requirements, e.g. dir/*.conf. Matching files are processed in sorted order.

    include: STR
MODULE SECTION
Dynamic modules loading configuration.

NOTE:
    If configured with a non-empty --with-moduledir=path parameter, all shared modules in this directory will be automatically loaded.

    module:
      - id: STR
        file: STR

id
A module identifier in the form of the mod- prefix and module name suffix.

file
A path to a shared library file with the module implementation.

WARNING:
    If the path is not absolute, the library is searched for in the set of system directories. See man dlopen for more details.

Default: ${libdir}/knot/modules-${version}/module_name.so (or ${path}/module_name.so if configured with --with-moduledir=path)
SERVER SECTION
General options related to the server.

    server:
        identity: [STR]
        version: [STR]
        nsid: [STR|HEXSTR]
        rundir: STR
        user: STR[:STR]
        pidfile: STR
        udp-workers: INT
        tcp-workers: INT
        background-workers: INT
        async-start: BOOL
        tcp-idle-timeout: TIME
        tcp-io-timeout: INT
        tcp-remote-io-timeout: INT
        tcp-max-clients: INT
        tcp-reuseport: BOOL
        tcp-fastopen: BOOL
        quic-max-clients: INT
        quic-outbuf-max-size: SIZE
        quic-idle-close-timeout: TIME
        remote-pool-limit: INT
        remote-pool-timeout: TIME
        remote-retry-delay: TIME
        socket-affinity: BOOL
        udp-max-payload: SIZE
        udp-max-payload-ipv4: SIZE
        udp-max-payload-ipv6: SIZE
        key-file: STR
        cert-file: STR
        edns-client-subnet: BOOL
        answer-rotation: BOOL
        automatic-acl: BOOL
        proxy-allowlist: ADDR[/INT] | ADDR-ADDR ...
        dbus-event: none | running | zone-updated | ksk-submission | dnssec-invalid ...
        dbus-init-delay: TIME
        listen: ADDR[@INT] ...

CAUTION:
    When you change configuration parameters dynamically or via configuration file reload, some parameters in the Server section require restarting the Knot server so that the changes take effect. See below for the details.
identity
An identity of the server returned in the response to the query for the TXT record id.server. or hostname.bind. in the CHAOS class (RFC 4892). Set to an empty value to disable.

Default: FQDN hostname

version
A version of the server software returned in the response to the query for the TXT record version.server. or version.bind. in the CHAOS class (RFC 4892). Set to an empty value to disable.

Default: server version

nsid
A DNS name server identifier (RFC 5001). Set to an empty value to disable.

Default: FQDN hostname at the moment of the daemon start

rundir
A path for storing run-time data (PID file, unix sockets, etc.).

Depending on the usage of this parameter, its change may require restart of the Knot server to take effect.

Default: ${localstatedir}/run/knot (configured with --with-rundir=path)

user
A system user with an optional system group (user:group) under which the server is run after starting and binding to interfaces. Linux capabilities are employed if supported.

Change of this parameter requires restart of the Knot server to take effect.

Default: root:root

pidfile
A PID file location.

Change of this parameter requires restart of the Knot server to take effect.

Default: rundir/knot.pid

udp-workers
A number of UDP workers (threads) used to process incoming queries over UDP.

Change of this parameter requires restart of the Knot server to take effect.

Default: equal to the number of online CPUs

tcp-workers
A number of TCP workers (threads) used to process incoming queries over TCP.

Change of this parameter requires restart of the Knot server to take effect.

Default: equal to the number of online CPUs, but at least 10

background-workers
A number of workers (threads) used to execute background operations (zone loading, zone updates, etc.).

Change of this parameter requires restart of the Knot server to take effect.

Default: equal to the number of online CPUs, but at most 10

async-start
If enabled, the server doesn't wait for the zones to be loaded and starts responding immediately with SERVFAIL answers until the zone loads.

Default: off

tcp-idle-timeout
Maximum idle time (in seconds) between requests on an inbound TCP connection. If there is no activity on an inbound TCP connection during this limit, the connection is closed by the server.

Minimum: 1

Default: 10

tcp-io-timeout
Maximum time (in milliseconds) to receive or send one DNS message over an inbound TCP connection. This limit applies to normal DNS queries and replies, incoming DDNS, and outgoing zone transfers. The timeout is measured from the moment some data is already available for processing. Set to 0 for infinity.

Default: 500 (milliseconds)

CAUTION:
    In order to reduce the risk of Slow Loris attacks, it is recommended to set this limit as low as possible on public servers.

tcp-remote-io-timeout
Maximum time (in milliseconds) to receive or send one DNS message over an outbound TCP connection which has already been established to a configured remote server. This limit applies to incoming zone transfers, sending NOTIFY, DDNS forwarding, and DS check or push. This timeout includes the time needed for a network round-trip and for query processing by the remote. Set to 0 for infinity.

Default: 5000 (milliseconds)

tcp-reuseport
If enabled, each TCP worker listens on its own socket and the OS kernel socket load balancing is employed using SO_REUSEPORT (or SO_REUSEPORT_LB on FreeBSD). Due to the lack of one shared socket, the server can offer a higher response rate over TCP. However, in the case of time-consuming requests (e.g. zone transfers of a TLD zone), enabled reuseport may result in client requests being delayed or left unanswered. So it is advisable to use this option on secondary servers.

Change of this parameter requires restart of the Knot server to take effect.

Default: off

tcp-fastopen
If enabled, use TCP Fast Open for outbound TCP communication (client side): incoming zone transfers, sending NOTIFY, and DDNS forwarding. This mode simplifies the TCP handshake and can result in better networking performance. TCP Fast Open for inbound TCP communication (server side) isn't affected by this configuration as it's enabled automatically if supported by the OS.

NOTE:
    The TCP Fast Open support must also be enabled on the OS level:

    • Linux/macOS: ensure kernel parameter net.ipv4.tcp_fastopen is 2 or 3 for server side, and 1 or 3 for client side.
    • FreeBSD: ensure kernel parameter net.inet.tcp.fastopen.server_enable is 1 for server side, and net.inet.tcp.fastopen.client_enable is 1 for client side.

Default: off

quic-max-clients
A maximum number of QUIC clients connected in parallel.

See also quic.

Change of this parameter requires restart of the Knot server to take effect.

Minimum: 128

Default: 10000 (ten thousand)

quic-outbuf-max-size
Maximum cumulative size of memory used for buffers of unACKed sent messages.

NOTE:
    Set low if little memory is available (together with quic-max-clients, since QUIC connections are memory-heavy). Set to a high value if outgoing zone transfers of a big zone over QUIC are expected.

Change of this parameter requires restart of the Knot server to take effect.

Minimum: 1M (1 MiB)

Default: 100M (100 MiB)

quic-idle-close-timeout
Time in seconds, after which any idle QUIC connection is gracefully closed.

Change of this parameter requires restart of the Knot server to take effect.

Minimum: 1

Default: 4

remote-pool-limit
If nonzero, the server will keep up to this number of outgoing TCP connections open for later use. This is an optimization to avoid frequent opening of TCP connections to the same remote.

Change of this parameter requires restart of the Knot server to take effect.

Default: 0

remote-pool-timeout
The timeout in seconds after which the unused kept-open outgoing TCP connections to remote servers are closed.

Default: 5

remote-retry-delay
When a connection attempt to some remote address times out, this information will be kept for the specified time (in milliseconds) and other connections to the same address won't be attempted. This prevents repetitive waiting for timeout on an unreachable remote.

Default: 0

socket-affinity
If enabled and if SO_REUSEPORT is available on Linux, all configured network sockets are bound to UDP and TCP workers in order to increase the networking performance. This mode isn't recommended for setups where the number of network card queues is lower than the number of UDP or TCP workers.

Change of this parameter requires restart of the Knot server to take effect.

Default: off

tcp-max-clients
A maximum number of TCP clients connected in parallel. Set this below the file descriptor limit to avoid resource exhaustion.

NOTE:
    It is advisable to adjust the maximum number of open files per process in your operating system configuration.

Default: one half of the file descriptor limit for the server process

udp-max-payload
Maximum EDNS0 UDP payload size default for both IPv4 and IPv6.

Default: 1232

udp-max-payload-ipv4
Maximum EDNS0 UDP payload size for IPv4.

Default: 1232

udp-max-payload-ipv6
Maximum EDNS0 UDP payload size for IPv6.

Default: 1232

key-file
Path to a server key PEM file which is used for DNS over QUIC communication.

Change of this parameter requires restart of the Knot server to take effect.

Default: one-time in-memory key

cert-file
Path to a server certificate PEM file which is used for DNS over QUIC communication.

Change of this parameter requires restart of the Knot server to take effect.

Default: one-time in-memory certificate

edns-client-subnet
Enable or disable EDNS Client Subnet support. If enabled, responses to queries containing the EDNS Client Subnet option always contain a valid EDNS Client Subnet option according to RFC 7871.

Default: off

answer-rotation
Enable or disable sorted-rrset rotation in the answer section of normal replies. The rotation shift is simply determined by the query ID.

Default: off

automatic-acl
If enabled, the automatic ACL setting of configured remotes is considered when evaluating authorized operations.

Default: off

proxy-allowlist
An ordered list of IP addresses, network subnets, or network ranges which are allowed as a source address of proxied DNS traffic over UDP. The supported proxy protocol is haproxy PROXY v2.

NOTE:
    TCP is not supported.

Default: not set

dbus-event
Specification of server or zone states which emit a D-Bus signal on the system bus. The bus name is cz.nic.knotd, the object path is /cz/nic/knotd, and the interface name is cz.nic.knotd.events.

Possible values:

• none – No signal is emitted.
• running – The signal started is emitted when the server is fully operational and the signal stopped is emitted at the beginning of the server shutdown.
• zone-updated – The signal zone_updated is emitted when a zone has been updated; the signal parameters are zone name and zone SOA serial.
• ksk-submission – The signal zone_ksk_submission is emitted if there is a ready KSK present when the zone is signed; the signal parameters are zone name, KSK keytag, and KSK KASP id.
• dnssec-invalid – The signal zone_dnssec_invalid is emitted when DNSSEC validation fails; the signal parameter is zone name.

NOTE:
    This function requires systemd version at least 221.

Change of this parameter requires restart of the Knot server to take effect.

Default: none

dbus-init-delay
Time in seconds which the server waits upon D-Bus initialization to ensure the D-Bus client is ready to receive signals.

Change of this parameter requires restart of the Knot server to take effect.

Minimum: 0

Default: 1

listen
One or more IP addresses where the server listens for incoming queries. Optional port specification (default is 53) can be appended to each address using the @ separator. Use 0.0.0.0 for all configured IPv4 addresses or :: for all configured IPv6 addresses. A filesystem path can be specified for listening on a local unix SOCK_STREAM socket. Non-local address binding is automatically enabled if supported by the operating system.

Change of this parameter requires restart of the Knot server to take effect.

Default: not set
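The server options above combined into a hardened configuration for a public authoritative server, as an added example that is not part of the knot.conf manual. The listen addresses, the NSID string and the proxy range are constructed placeholders (RFC 5737/3849 documentation prefixes).

```yaml
# Added example, not from the knot.conf manual. All addresses and names
# are constructed placeholders.
server:
    # Hide the software identity and version from CHAOS-class queries
    # (id.server./hostname.bind. and version.server./version.bind.);
    # an empty value disables the answer.
    identity: ""
    version: ""
    # Keep NSID (RFC 5001) so the operator can tell instances apart when
    # debugging; "ns1.example.net" is a constructed value.
    nsid: "ns1.example.net"
    # Drop root privileges after binding to port 53 (user:group form).
    user: knot:knot
    # Bind only to the service addresses, not to 0.0.0.0 / ::.
    listen: [ 192.0.2.53@53, 2001:db8::53@53 ]
    # Per-message TCP I/O timeout in milliseconds (default 500) and idle
    # timeout in seconds (default 10), lowered to reduce the window a slow
    # client can hold a connection open.
    tcp-io-timeout: 200
    tcp-idle-timeout: 5
    # Explicit cap instead of the default "half of the fd limit"; keep it
    # below the open-files limit of the knot process.
    tcp-max-clients: 2000
    # Conservative EDNS0 UDP payload size (the documented default).
    udp-max-payload: 1232
    # Accept haproxy PROXY v2 headers over UDP only from the load-balancer
    # range; any other source is treated as an ordinary client.
    proxy-allowlist: [ 192.0.2.0/28 ]
```

Changing user, listen or tcp-io-timeout does not take effect on reload; identity, version and the timeouts documented above without a restart note are applied on reload.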

XDP SECTION
Various options related to XDP listening, especially TCP.

    xdp:
        listen: STR[@INT] | ADDR[@INT] ...
        udp: BOOL
        tcp: BOOL
        quic: BOOL
        quic-port: INT
        quic-log: BOOL
        tcp-max-clients: INT
        tcp-inbuf-max-size: SIZE
        tcp-outbuf-max-size: SIZE
        tcp-idle-close-timeout: TIME
        tcp-idle-reset-timeout: TIME
        tcp-resend-timeout: TIME
        route-check: BOOL

CAUTION:
    When you change configuration parameters dynamically or via configuration file reload, some parameters in the XDP section require restarting the Knot server so that the changes take effect.

listen
One or more network device names (e.g. ens786f0) on which XDP mode is enabled. Alternatively, an IP address can be used instead of a device name, but the server will still listen on all addresses belonging to the same interface! Optional port specification (default is 53) can be appended to each device name or address using the @ separator.

Change of this parameter requires restart of the Knot server to take effect.

CAUTION:
    If XDP workers only process regular DNS traffic over UDP, it is strongly recommended to also listen on the addresses which are intended to offer the DNS service, at least to fulfil the DNS requirement for working TCP.

Default: not set

udp
If enabled, DNS over UDP is processed with XDP workers.

Change of this parameter requires restart of the Knot server to take effect.

Default: on

tcp
If enabled, DNS over TCP traffic is processed with XDP workers.

The TCP stack limitations:

• Congestion control is not implemented.
• Lost packets that do not contain TCP payload may not be resent.
• Not optimized for transfers of non-trivial zones.

Change of this parameter requires restart of the Knot server to take effect.

Default: off

quic
If enabled, DNS over QUIC is processed with XDP workers.

Change of this parameter requires restart of the Knot server to take effect.

Default: off

quic-port
DNS over QUIC will listen on the interfaces configured by listen, but on a different port, configured by this option.

Change of this parameter requires restart of the Knot server to take effect.

Default: 853

quic-log
Triggers extensive logging of all QUIC protocol internals for every connection.

Change of this parameter requires restart of the Knot server to take effect.

Default: off

tcp-max-clients
A maximum number of TCP clients connected in parallel.

Minimum: 1024

Default: 1000000 (one million)

tcp-inbuf-max-size
Maximum cumulative size of memory used for buffers of incompletely received messages.

Minimum: 1M (1 MiB)

Default: 100M (100 MiB)

tcp-outbuf-max-size
Maximum cumulative size of memory used for buffers of unACKed sent messages.

Minimum: 1M (1 MiB)

Default: 100M (100 MiB)

tcp-idle-close-timeout
Time in seconds, after which any idle connection is gracefully closed.

Minimum: 1

Default: 10

tcp-idle-reset-timeout
Time in seconds, after which any idle connection is forcibly closed.

Minimum: 1

Default: 20

tcp-resend-timeout
Resend outgoing data packets (with DNS response payload) if not ACKed before this timeout.

Minimum: 1

Default: 5

route-check
If enabled, routing information from the operating system is considered when processing every incoming DNS packet received over the XDP interface:

• If the outgoing interface of the corresponding DNS response differs from the incoming one, the packet is processed normally by UDP/TCP workers (XDP isn't used).
• If the destination address is blackholed, unreachable, or prohibited, the DNS packet is dropped without any response.
• The destination MAC address and possible VLAN tag for the response are taken from the routing system.

If disabled, symmetrical routing is applied. It means that the query source MAC address is used as the response destination MAC address. A possible VLAN tag is preserved.

Change of this parameter requires restart of the Knot server to take effect.

NOTE:
    This mode requires forwarding enabled on the loopback interface (sysctl -w net.ipv4.conf.lo.forwarding=1 and sysctl -w net.ipv6.conf.lo.forwarding=1). If forwarding is disabled, all incoming DNS packets are dropped!

    Only VLAN 802.1Q is supported.

Default: off
CONTROL SECTION
Configuration of the server control interface.

    control:
        listen: STR
        timeout: TIME

listen
A UNIX socket path where the server listens for control commands.

Default: rundir/knot.sock

timeout
Maximum time (in seconds) the control socket operations can take. Set to 0 for infinity.

Default: 5
LOG SECTION
The server can be configured to log to the standard output, standard error output, syslog (or systemd journal if systemd is enabled) or into an arbitrary file.

There are 6 logging severity levels:

• critical – Non-recoverable error resulting in server shutdown.
• error – Recoverable error, action should be taken.
• warning – Warning that might require user action.
• notice – Server notice or hint.
• info – Informational message.
• debug – Debug or detailed message.

In the case of a missing log section, warning or more serious messages will be logged to both standard error output and syslog. The info and notice messages will be logged to standard output.

    log:
      - target: stdout | stderr | syslog | STR
        server: critical | error | warning | notice | info | debug
        control: critical | error | warning | notice | info | debug
        zone: critical | error | warning | notice | info | debug
        any: critical | error | warning | notice | info | debug

target
A logging output.

Possible values:

• stdout – Standard output.
• stderr – Standard error output.
• syslog – Syslog or systemd journal.
• file_name – A specific file.

With the syslog target, the syslog service is used. However, if Knot DNS has been compiled with systemd support and the operating system has been booted with systemd, the systemd journal is used for logging instead of syslog.

server
Minimum severity level for messages related to general operation of the server to be logged.

Default: not set

control
Minimum severity level for messages related to server control to be logged.

Default: not set

zone
Minimum severity level for messages related to zones to be logged.

Default: not set

any
Minimum severity level for all message types to be logged.

Default: not set
STATISTICS SECTION
Periodic server statistics dumping.

    statistics:
        timer: TIME
        file: STR
        append: BOOL

timer
A period after which all available statistics metrics will be written to the file.

Default: not set

file
A file path of the statistics output in the YAML format.

Default: rundir/stats.yaml

append
If enabled, the output will be appended to the file instead of replacing the file.

Default: off
DATABASE SECTION
Configuration of databases for zone contents, DNSSEC metadata, or event timers.

    database:
        storage: STR
        journal-db: STR
        journal-db-mode: robust | asynchronous
        journal-db-max-size: SIZE
        kasp-db: STR
        kasp-db-max-size: SIZE
        timer-db: STR
        timer-db-max-size: SIZE
        catalog-db: STR
        catalog-db-max-size: SIZE

storage
A data directory for storing journal, KASP, and timer databases.

Default: ${localstatedir}/lib/knot (configured with --with-storage=path)

journal-db
An explicit specification of the persistent journal database directory. A non-absolute path (i.e. not starting with /) is relative to storage.

Default: storage/journal

journal-db-mode
Specifies the journal LMDB backend configuration, which influences performance and durability.

Possible values:

• robust – The journal database disk synchronization ensures database durability but is generally slower.
• asynchronous – The journal database disk synchronization is optimized for better performance at the expense of lower database durability in the case of a crash. This mode is recommended on secondary servers with many zones.

Default: robust

journal-db-max-size
The hard limit for the journal database maximum size. There is no cleanup logic in the journal to recover from reaching this limit. The journal simply starts refusing changes across all zones. Decreasing this value has no effect if it is lower than the actual database file size.

It is recommended to limit journal-max-usage per zone instead of journal-db-max-size in most cases. Please keep this value larger than the sum of all zones' journal usage limits. See more details regarding journal behaviour.

NOTE:
    This value also influences the server's usage of virtual memory.

Default: 20G (20 GiB), or 512M (512 MiB) for 32-bit

kasp-db
An explicit specification of the KASP database directory. A non-absolute path (i.e. not starting with /) is relative to storage.

Default: storage/keys

kasp-db-max-size
The hard limit for the KASP database maximum size.

NOTE:
    This value also influences the server's usage of virtual memory.

Default: 500M (500 MiB)

timer-db
An explicit specification of the persistent timer database directory. A non-absolute path (i.e. not starting with /) is relative to storage.

Default: storage/timers

timer-db-max-size
The hard limit for the timer database maximum size.

NOTE:
    This value also influences the server's usage of virtual memory.

Default: 100M (100 MiB)

catalog-db
An explicit specification of the zone catalog database directory. Only useful if catalog zones are enabled. A non-absolute path (i.e. not starting with /) is relative to storage.

Default: storage/catalog

catalog-db-max-size
The hard limit for the catalog database maximum size.

NOTE:
    This value also influences the server's usage of virtual memory.

Default: 20G (20 GiB), or 512M (512 MiB) for 32-bit
KEYSTORE SECTION
DNSSEC keystore configuration.

    keystore:
      - id: STR
        backend: pem | pkcs11
        config: STR
        key-label: BOOL

id
A keystore identifier.

backend
A key storage backend type.

Possible values:

• pem – PEM files.
• pkcs11 – PKCS #11 storage.

Default: pem

config
A backend-specific configuration. A directory with PEM files (the path can be specified as a relative path to kasp-db) or a configuration string for PKCS #11 storage (<pkcs11-url> <module-path>).

NOTE:
    Example configuration string for PKCS #11:

        "pkcs11:token=knot;pin-value=1234 /usr/lib64/pkcs11/libsofthsm2.so"

Default: kasp-db/keys

key-label
If enabled in combination with the PKCS #11 backend, generated keys are labeled in the form <zone_name> KSK|ZSK.

Default: off
KEY SECTION
Shared TSIG keys used to authenticate communication with the server.

    key:
      - id: DNAME
        algorithm: hmac-md5 | hmac-sha1 | hmac-sha224 | hmac-sha256 | hmac-sha384 | hmac-sha512
        secret: BASE64

id
A key name identifier.

NOTE:
    This value MUST be exactly the same as the name of the TSIG key on the opposite primary/secondary server(s).

algorithm
A TSIG key algorithm. See TSIG Algorithm Numbers.

Possible values:

• hmac-md5
• hmac-sha1
• hmac-sha224
• hmac-sha256
• hmac-sha384
• hmac-sha512

Default: not set

secret
Shared key secret.

Default: not set
REMOTE SECTION
Definitions of remote servers for outgoing connections (source of a zone transfer, target for a notification, etc.).

    remote:
      - id: STR
        address: ADDR[@INT] ...
        via: ADDR[@INT] ...
        key: key_id
        block-notify-after-transfer: BOOL
        no-edns: BOOL
        automatic-acl: BOOL

id
A remote identifier.

address
An ordered list of destination IP addresses which are used for communication with the remote server. The addresses are tried in sequence until the remote is reached. Optional destination port (default is 53) can be appended to the address using the @ separator.

Default: not set

NOTE:
    If the remote is contacted and it refuses to perform the requested action, no more addresses will be tried for this remote.

via
An ordered list of source IP addresses. The first address with the same family as the destination address is used as the source address for communication with the remote. This option can help if the server listens on more addresses. Optional source port (default is random) can be appended to the address using the @ separator.

Default: not set

key
A reference to the TSIG key which is used to authenticate the communication with the remote server.

Default: not set

block-notify-after-transfer
Upon an incoming AXFR/IXFR from this remote (as a primary server), suppress sending NOTIFY messages to all configured secondary servers.

Default: off

no-edns
If enabled, no OPT record (EDNS) is inserted into outgoing requests to this remote server. This mode is necessary for communication with some broken implementations (e.g. Windows Server 2016).

Default: off

automatic-acl
If enabled, some authorized operations for the remote are automatically allowed based on the context:

• Incoming NOTIFY is allowed from the remote if it's configured as a primary server for the zone.
• Outgoing zone transfer is allowed to the remote if it's configured as a NOTIFY target for the zone.

Automatic ACL rules are evaluated before the explicit zone ACL configuration.

NOTE:
    This functionality requires global activation via automatic-acl in the server section.

Default: on
REMOTES SECTION
Definitions of groups of remote servers. Remote grouping can simplify the configuration.

    remotes:
      - id: STR
        remote: remote_id ...

id
A remote group identifier.

remote
An ordered list of references to remote server definitions.

Default: not set
1056 Access control list rule definitions. An ACL rule is a description of
1057 one or more authorized operations (zone transfer request, zone change
1058 notification, and dynamic DNS update) which are allowed to be processed
1059 or denied.
1060
1061 acl:
1062 - id: STR
1063 address: ADDR[/INT] | ADDR-ADDR ...
1064 key: key_id ...
1065 remote: remote_id | remotes_id ...
1066 action: query | notify | transfer | update ...
1067 deny: BOOL
1068 update-type: STR ...
1069 update-owner: key | zone | name
1070 update-owner-match: sub-or-equal | equal | sub
1071 update-owner-name: STR ...
1072
1073 id
1074 An ACL rule identifier.
1075
1076 address
1077 An ordered list of IP addresses, network subnets, or network ranges.
1078 The query's source address must match one of them. If this item is not
1079 set, address match is not required.
1080
1081 Default: not set
1082
1083 key
1084 An ordered list of references to TSIG keys. The query must match one of
1085 them. If this item is not set, transaction authentication is not used.
1086
1087 Default: not set
1088
1089 remote
1090 An ordered list of references to remote and remotes definitions. The query
1091 must match one of the remotes. Specifically, one of the remote's addresses
1092 and the remote's TSIG key (if configured) must match.
1093
1094 NOTE:
1095 This option cannot be specified along with the address or key option
1096 at one ACL item.
1097
1098 Default: not set
1099
1100 action
1101 An ordered list of allowed (or denied) actions.
1102
1103 Possible values:
1104
1105 • query – Allow regular DNS query. As normal queries are always al‐
1106 lowed, this action is only useful in combination with TSIG key.
1107
1108 • notify – Allow incoming notify (NOTIFY).
1109
1110 • transfer – Allow zone transfer (AXFR, IXFR).
1111
1112 • update – Allow zone updates (DDNS).
1113
1114 Default: query
1115
1116 deny
1117 If enabled, instead of allowing, deny the specified action, address,
1118 key, or combination of these items. If no action is specified, deny all
1119 actions.
1120
1121 Default: off
1122
1123 update-type
1124 A list of allowed types of Resource Records in a zone update. Every
1125 record in an update must match one of the specified types.
1126
1127 Default: not set
1128
1129 update-owner
1130 This option restricts possible owners of Resource Records in a zone up‐
1131 date by comparing them to either the TSIG key identity, the current
1132 zone name, or to a list of domain names given by the update-owner-name
1133 option. The comparison method is given by the update-owner-match op‐
1134 tion.
1135
1136 Possible values:
1137
1138 • key — The owner of each updated RR must match the identity of the
1139 TSIG key if used.
1140
1141 • name — The owner of each updated RR must match at least one name in
1142 the update-owner-name list.
1143
1144 • zone — The owner of each updated RR must match the current zone name.
1145
1146 Default: not set
1147
1148 update-owner-match
1149 This option defines how the owners of Resource Records in an update are
1150 matched to the domain name(s) set by the update-owner option.
1151
1152 Possible values:
1153
1154 • sub-or-equal — The owner of each RR in an update must either be equal
1155 to or be a subdomain of at least one domain name set by update-owner.
1156
1157 • equal — The owner of each updated RR must be equal to at least one
1158 domain name set by update-owner.
1159
1160 • sub — The owner of each updated RR must be a subdomain of, but MUST
1161 NOT be equal to at least one domain name set by update-owner.
1162
1163 Default: sub-or-equal
1164
1165 update-owner-name
1166 A list of allowed owners of RRs in a zone update used with update-owner
1167 set to name. Every listed owner name which is not FQDN (i.e. it doesn't
1168 end in a dot) is considered as if it was appended with the target zone
1169 name. Such a relative owner name specification allows better ACL rule
1170 reusability across multiple zones.
1171
1172 Default: not set
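
As an added illustration of how the address, key, action, deny and update-owner* items combine (example code written for this page, not part of Knot DNS), the following Python models an ACL list and evaluates a request against it. It assumes first-match evaluation in list order and that regular queries pass without a matching rule, as the action item states; the rule ids, addresses and key names are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ALL_ACTIONS = {"query", "notify", "transfer", "update"}


@dataclass
class AclRule:
    """One 'acl' block from knot.conf, modelled as a Python object (example only)."""
    id: str
    address: list = field(default_factory=list)      # "ADDR", "ADDR/INT" or "ADDR-ADDR"
    key: list = field(default_factory=list)          # TSIG key identifiers
    action: Optional[list] = None                    # None = item not set
    deny: bool = False
    update_type: list = field(default_factory=list)
    update_owner: Optional[str] = None               # "key" | "zone" | "name"
    update_owner_match: str = "sub-or-equal"
    update_owner_name: list = field(default_factory=list)


def address_matches(spec: str, src_ip: str) -> bool:
    """Match a source IP against a host, a CIDR subnet, or an ADDR-ADDR range."""
    ip = ipaddress.ip_address(src_ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-", 1))
        return lo.version == ip.version and lo <= ip <= hi
    net = ipaddress.ip_network(spec, strict=False)
    return net.version == ip.version and ip in net


def effective_actions(rule: AclRule) -> set:
    """Page semantics: action defaults to 'query'; a deny rule with no action denies all."""
    if rule.action is not None:
        return set(rule.action)
    return ALL_ACTIONS if rule.deny else {"query"}


def authorize(rules, src_ip: str, tsig_key: Optional[str], action: str):
    """Evaluate the zone's ACL list in order; the first rule whose address, key and
    action all match decides (allow or deny). Assumption of this example: first match
    wins. Regular queries are always allowed, so they pass even with no matching rule."""
    for rule in rules:
        if rule.address and not any(address_matches(a, src_ip) for a in rule.address):
            continue
        if rule.key and tsig_key not in rule.key:
            continue
        if action not in effective_actions(rule):
            continue
        return (not rule.deny, rule.id)
    return (action == "query", None)


def _fqdn(name: str) -> str:
    name = name.lower()
    return name if name.endswith(".") else name + "."


def owner_allowed(rule: AclRule, owner: str, zone: str, tsig_key: Optional[str]) -> bool:
    """Apply update-owner / update-owner-match / update-owner-name to one RR owner."""
    if rule.update_owner is None:
        return True
    zone = _fqdn(zone)
    if rule.update_owner == "key":
        targets = [tsig_key] if tsig_key else []
    elif rule.update_owner == "zone":
        targets = [zone]
    else:  # "name": names without a trailing dot are completed with the zone name
        targets = [n if n.endswith(".") else n + "." + zone for n in rule.update_owner_name]
    owner = _fqdn(owner)
    for target in map(_fqdn, targets):
        equal = owner == target
        sub = owner != target and owner.endswith(target if target == "." else "." + target)
        if (rule.update_owner_match == "equal" and equal
                or rule.update_owner_match == "sub" and sub
                or rule.update_owner_match == "sub-or-equal" and (equal or sub)):
            return True
    return False


def update_allowed(rule: AclRule, zone: str, tsig_key, records) -> bool:
    """records: iterable of (owner, rtype) from a DDNS update; every record must pass
    both the update-type and the update-owner restriction."""
    return all(
        (not rule.update_type or rtype in rule.update_type)
        and owner_allowed(rule, owner, zone, tsig_key)
        for owner, rtype in records
    )


# Constructed sample ACL list (example data, not from any real deployment).
RULES = [
    AclRule("deny_scanner_net", address=["198.51.100.0/24"], deny=True),
    AclRule("xfr_secondaries", address=["192.0.2.10-192.0.2.20"],
            key=["secondary-key"], action=["transfer", "notify"]),
    AclRule("ddns_dyn_hosts", key=["host-key"], action=["update"],
            update_type=["A", "AAAA"], update_owner="name",
            update_owner_match="sub-or-equal", update_owner_name=["dyn"]),
]
```

The third rule shows the least-privilege pattern for dynamic updates: a TSIG key that may only add A/AAAA records at or below dyn.<zone>, so a leaked key cannot rewrite the apex or arbitrary names.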
1173
1174 SUBMISSION SECTION
1175 Parameters of KSK submission checks.
1176
1177 submission:
1178 - id: STR
1179 parent: remote_id | remotes_id ...
1180 check-interval: TIME
1181 timeout: TIME
1182 parent-delay: TIME
1183
1184 id
1185 A submission identifier.
1186
1187 parent
1188 A list of references to remote and remotes definitions of the parent's DNS
1189 servers, which are checked for the presence of the corresponding DS records
1190 during KSK submission. All of them must have a corresponding DS for the
1191 rollover to continue. If none is specified, the rollover must be pushed
1192 forward manually.
1193
1194 Default: not set
1195
1196 TIP:
1197 A DNSSEC-validating resolver can be set as a parent.
1198
1199 check-interval
1200 Interval for periodic checks of DS presence on parent's DNS servers, in
1201 the case of the KSK submission.
1202
1203 Default: 1h (1 hour)
1204
1205 timeout
1206 After this time period (in seconds) the KSK submission is automatically
1207 considered successful, even if all the checks were negative or no par‐
1208 ents are configured. Set to 0 for infinity.
1209
1210 Default: 0
1211
1212 parent-delay
1213 After a successful parent DS check, wait for this period before continuing
1214 with the next key rollover step. This delay should cover the propagation
1215 delay of the update in the parent zone.
1216
1217 Default: 0
1218
1219 POLICY SECTION
1220 DNSSEC policy configuration.
1221
1222 policy:
1223 - id: STR
1224 keystore: keystore_id
1225 manual: BOOL
1226 single-type-signing: BOOL
1227 algorithm: rsasha1 | rsasha1-nsec3-sha1 | rsasha256 | rsasha512 | ecdsap256sha256 | ecdsap384sha384 | ed25519 | ed448
1228 ksk-size: SIZE
1229 zsk-size: SIZE
1230 ksk-shared: BOOL
1231 dnskey-ttl: TIME
1232 zone-max-ttl: TIME
1233 ksk-lifetime: TIME
1234 zsk-lifetime: TIME
1235 delete-delay: TIME
1236 propagation-delay: TIME
1237 rrsig-lifetime: TIME
1238 rrsig-refresh: TIME
1239 rrsig-pre-refresh: TIME
1240 reproducible-signing: BOOL
1241 nsec3: BOOL
1242 nsec3-iterations: INT
1243 nsec3-opt-out: BOOL
1244 nsec3-salt-length: INT
1245 nsec3-salt-lifetime: TIME
1246 signing-threads: INT
1247 ksk-submission: submission_id
1248 ds-push: remote_id | remotes_id ...
1249 cds-cdnskey-publish: none | delete-dnssec | rollover | always | double-ds
1250 cds-digest-type: sha256 | sha384
1251 dnskey-management: full | incremental
1252 offline-ksk: BOOL
1253 unsafe-operation: none | no-check-keyset | no-update-dnskey | no-update-nsec | no-update-expired ...
1254
1255 id
1256 A policy identifier.
1257
1258 keystore
1259 A reference to a keystore holding private key material for zones.
1260
1261 Default: an imaginary keystore with all default values
1262
1263 NOTE:
1264 A configured keystore called "default" won't be used unless explic‐
1265 itly referenced.
1266
1267 manual
1268 If enabled, automatic key management is not used.
1269
1270 Default: off
1271
1272 single-type-signing
1273 If enabled, Single-Type Signing Scheme is used in the automatic key
1274 management mode.
1275
1276 Default: off (module onlinesign has default on)
1277
1278 algorithm
1279 An algorithm of signing keys and issued signatures. See DNSSEC Algo‐
1280 rithm Numbers.
1281
1282 Possible values:
1283
1284 • rsasha1
1285
1286 • rsasha1-nsec3-sha1
1287
1288 • rsasha256
1289
1290 • rsasha512
1291
1292 • ecdsap256sha256
1293
1294 • ecdsap384sha384
1295
1296 • ed25519
1297
1298 • ed448
1299
1300 NOTE:
1301 Ed25519 algorithm is only available if compiled with GnuTLS 3.6.0+.
1302
1303 Ed448 algorithm is only available if compiled with GnuTLS 3.6.12+
1304 and Nettle 3.6+.
1305
1306 Default: ecdsap256sha256
1307
1308 ksk-size
1309 A length of newly generated KSK or CSK keys.
1310
1311 Default: 2048 (rsa*), 256 (ecdsap256), 384 (ecdsap384), 256 (ed25519),
1312 456 (ed448)
1313
1314 zsk-size
1315 A length of newly generated ZSK keys.
1316
1317 Default: see default for ksk-size
1318
1319 ksk-shared
1320 If enabled, all zones with this policy assigned will share one or more
1321 KSKs. More KSKs can be shared during a KSK rollover.
1322
1323 WARNING:
1324 As the shared KSK set is bound to the policy id, renaming the policy
1325 breaks this connection and new shared KSK set is initiated when a
1326 new KSK is needed.
1327
1328 Default: off
1329
1330 dnskey-ttl
1331 A TTL value for DNSKEY records added into zone apex.
1332
1333 NOTE:
1334 Has influence over ZSK key lifetime.
1335
1336 WARNING:
1337 Ensure all DNSKEYs with updated TTL are propagated before any subse‐
1338 quent DNSKEY rollover starts.
1339
1340 Default: zone SOA TTL
1341
1342 zone-max-ttl
1343 Declare (override) maximal TTL value among all the records in zone.
1344
1345 NOTE:
1346 It's generally recommended to override the maximal TTL computation
1347 by setting this explicitly whenever possible. It's required for
1348 DNSSEC Offline KSK and really reasonable when records are generated
1349 dynamically (e.g. by a module).
1350
1351 Default: computed after zone is loaded
1352
1353 ksk-lifetime
1354 A period between KSK activation and the next rollover initiation.
1355
1356 NOTE:
1357 KSK key lifetime is also influenced by propagation-delay,
1358 dnskey-ttl, and KSK submission delay.
1359
1360 Zero (aka infinity) value causes no KSK rollover as a result.
1361
1362 This applies for CSK lifetime if single-type-signing is enabled.
1363
1364 Default: 0
1365
1366 zsk-lifetime
1367 A period between ZSK activation and the next rollover initiation.
1368
1369 NOTE:
1370 More exactly, this period is measured from the moment a ZSK is activated;
1371 when it elapses, a new ZSK is generated to replace it in the following
1372 rollover.
1373
1374 ZSK key lifetime is also influenced by propagation-delay and
1375 dnskey-ttl.
1376
1377 Zero (aka infinity) value causes no ZSK rollover as a result.
1378
1379 Default: 30d (30 days)
1380
1381 delete-delay
1382 Once a key (KSK or ZSK) is rolled-over and removed from the zone, keep
1383 it in the KASP database for at least this period before deleting it
1384 completely. This might be useful in some troubleshooting cases when
1385 resurrection is needed.
1386
1387 Default: 0
1388
1389 propagation-delay
1390 An extra delay added for each key rollover step. This value should be
1391 high enough to cover propagation of data from the primary server to all
1392 secondary servers, as well as the duration of signing routine itself
1393 and possible outages in signing and propagation infrastructure. In
1394 other words, this delay should ensure that within this period of time
1395 after planned change of the key set, all public-facing secondaries will
1396 already serve new DNSKEY RRSet for sure.
1397
1398 NOTE:
1399 Has influence over ZSK key lifetime.
1400
1401 Default: 1h (1 hour)
1402
1403 rrsig-lifetime
1404 A validity period of newly issued signatures.
1405
1406 NOTE:
1407 The RRSIG's signature inception time is set to 90 minutes in the
1408 past. This time period is not counted to the signature lifetime.
1409
1410 Default: 14d (14 days)
1411
1412 rrsig-refresh
1413 The minimum period before a signature's expiration at which the signature
1414 is refreshed, in order to prevent expired RRSIGs on secondary servers or
1415 in resolvers' caches.
1416
1417 Default: propagation-delay + zone-max-ttl
1418
1419 rrsig-pre-refresh
1420 The maximum period before a signature's refresh time at which the signature
1421 may already be refreshed, so that RRSIGs in a frequently updated zone are
1422 refreshed in bigger batches (avoiding too frequent re-sign events).
1423
1424 Default: 1h (1 hour)
1425
1426 reproducible-signing
1427 For ECDSA algorithms, generate RRSIG signatures deterministically (RFC
1428 6979). Besides better theoretical cryptographic security, this mode
1429 allows significant speed-up of loading signed (by the same method)
1430 zones. However, the zone signing is a bit slower.
1431
1432 Default: off
1433
1434 nsec3
1435 Specifies if NSEC3 will be used instead of NSEC.
1436
1437 Default: off
1438
1439 nsec3-iterations
1440 A number of additional times the hashing is performed.
1441
1442 Default: 0
1443
1444 nsec3-opt-out
1445 If set, NSEC3 records won't be created for insecure delegations. This
1446 speeds up the zone signing and reduces overall zone size.
1447
1448 WARNING:
1449 NSEC3 with the Opt-Out bit set no longer works as a proof of non-ex‐
1450 istence in this zone.
1451
1452 Default: off
1453
1454 nsec3-salt-length
1455 A length of a salt field in octets, which is appended to the original
1456 owner name before hashing.
1457
1458 Default: 8
1459
1460 nsec3-salt-lifetime
1461 A validity period of newly issued salt field.
1462
1463 Zero value means infinity.
1464
1465 Special value -1 triggers re-salt every time the active ZSK changes.
1466 This optimizes the number of big changes to the zone.
1467
1468 Default: 30d (30 days)
1469
1470 signing-threads
1471 When signing zone or update, use this number of threads for parallel
1472 signing.
1473
1474 Those are extra threads independent of Background workers.
1475
1476 NOTE:
1477 Some steps of the DNSSEC signing operation are not parallelized.
1478
1479 Default: 1 (no extra threads)
1480
1481 ksk-submission
1482 A reference to submission section holding parameters of KSK submission
1483 checks.
1484
1485 Default: not set
1486
1487 ds-push
1488 Optional references to remote and remotes definitions of the authoritative
1489 DNS server of the parent zone. The remote server must be configured to
1490 accept DS record updates via DDNS. Whenever a CDS record in the local zone
1491 is changed, the corresponding DS record is sent as a dynamic update (DDNS)
1492 to the parent DNS server. All previous DS records are deleted within
1493 the DDNS message. It's possible to manage both child and parent zones
1494 by the same Knot DNS server.
1495
1496 NOTE:
1497 This feature requires cds-cdnskey-publish not to be set to none.
1498
1499 NOTE:
1500 The mentioned change to CDS record usually means that a KSK
1501 roll-over is running and the new key being rolled-in is in "ready"
1502 state already for the period of propagation-delay.
1503
1504 NOTE:
1505 Module Onlinesign doesn't support DS push.
1506
1507 Default: not set
1508
1509 cds-cdnskey-publish
1510 Controls if and how the CDS and CDNSKEY records are published in the zone.
1511
1512 Possible values:
1513
1514 • none – Never publish any CDS or CDNSKEY records in the zone.
1515
1516 • delete-dnssec – Publish special CDS and CDNSKEY records indicating
1517 turning off DNSSEC.
1518
1519 • rollover – Publish CDS and CDNSKEY records for ready and not yet ac‐
1520 tive KSK (submission phase of KSK rollover).
1521
1522 • always – Always publish one CDS and one CDNSKEY record for the cur‐
1523 rent KSK.
1524
1525 • double-ds – Always publish up to two CDS and two CDNSKEY records for
1526 ready and/or active KSKs.
1527
1528 NOTE:
1529 If the zone keys are managed manually, the CDS and CDNSKEY rrsets
1530 may contain more records depending on the keys available.
1531
1532 WARNING:
1533 The double-ds value does not trigger the double-DS rollover method.
1534 That method is only supported by Knot when performed manually, with
1535 unset ksk-submission.
1536
1537 Default: rollover
1538
1539 cds-digest-type
1540 Specify digest type for published CDS records.
1541
1542 Default: sha256
1543
1544 dnskey-management
1545 Specify how the DNSKEY, CDNSKEY, and CDS RRSets at the zone apex are
1546 handled when (re-)signing the zone.
1547
1548 Possible values:
1549
1550 • full – Upon every zone (re-)sign, delete all unknown DNSKEY, CDNSKEY,
1551 and CDS records and keep just those that are related to the zone keys
1552 stored in the KASP database.
1553
1554 • incremental – Keep unknown DNSKEY, CDNSKEY, and CDS records in the
1555 zone, and modify server-managed records incrementally by employing
1556 changes in the KASP database.
1557
1558 NOTE:
1559 Prerequisites for incremental:
1560
1561 • The Offline KSK isn't supported.
1562
1563 • The delete-delay is long enough to cover possible daemon shutdown
1564 (e.g. due to server maintenance).
1565
1566 • Keys are not deleted manually with keymgr.
1567
1568 Otherwise some DNSKEY records belonging to deleted keys might remain in
1569 the zone.
1570
1571 Default: full
1572
1573 offline-ksk
1574 Specifies if Offline KSK feature is enabled.
1575
1576 Default: off
1577
1578 unsafe-operation
1579 Turn off some DNSSEC safety features.
1580
1581 Possible values:
1582
1583 • none – Nothing disabled.
1584
1585 • no-check-keyset – Don't check active keys in present algorithms. This
1586 may lead to violation of RFC 4035#section-2.2.
1587
1588 • no-update-dnskey – Don't maintain/update DNSKEY, CDNSKEY, and CDS
1589 records in the zone apex according to the KASP database. Just leave them
1590 as they are in the zone.
1591
1592 • no-update-nsec – Don't maintain/update NSEC/NSEC3 chain. Leave all
1593 the records as they are in the zone.
1594
1595 • no-update-expired – Don't update expired RRSIGs.
1596
1597 Multiple values may be specified.
1598
1599 WARNING:
1600 This mode is intended for DNSSEC experts who understand the corre‐
1601 sponding consequences.
1602
1603 Default: none
1604
1605 TEMPLATE SECTION
1606 A template is shareable zone settings, which can simplify configuration
1607 by reducing duplicates. A special default template (with the default
1608 identifier) can be used for global zone configuration or as an implicit
1609 configuration if a zone doesn't have another template specified.
1610
1611 template:
1612 - id: STR
1613 global-module: STR/STR ...
1614 # All zone options (excluding 'template' item)
1615
1616 id
1617 A template identifier.
1618
1619 global-module
1620 An ordered list of references to query modules in the form of module_name
1621 or module_name/module_id. These modules apply to all queries.
1622
1623 NOTE:
1624 This option is only available in the default template.
1625
1626 Default: not set
1627
1628 ZONE SECTION
1629 Definition of zones served by the server.
1630
1631 zone:
1632 - domain: DNAME
1633 template: template_id
1634 storage: STR
1635 file: STR
1636 master: remote_id | remotes_id ...
1637 ddns-master: remote_id
1638 notify: remote_id | remotes_id ...
1639 acl: acl_id ...
1640 semantic-checks: BOOL | soft
1641 zonefile-sync: TIME
1642 zonefile-load: none | difference | difference-no-serial | whole
1643 journal-content: none | changes | all
1644 journal-max-usage: SIZE
1645 journal-max-depth: INT
1646 zone-max-size : SIZE
1647 adjust-threads: INT
1648 dnssec-signing: BOOL
1649 dnssec-validation: BOOL
1650 dnssec-policy: policy_id
1651 ds-push: remote_id | remotes_id ...
1652 zonemd-verify: BOOL
1653 zonemd-generate: none | zonemd-sha384 | zonemd-sha512 | remove
1654 serial-policy: increment | unixtime | dateserial
1655 refresh-min-interval: TIME
1656 refresh-max-interval: TIME
1657 retry-min-interval: TIME
1658 retry-max-interval: TIME
1659 expire-min-interval: TIME
1660 expire-max-interval: TIME
1661 catalog-role: none | interpret | generate | member
1662 catalog-template: template_id ...
1663 catalog-zone: DNAME
1664 catalog-group: STR
1665 module: STR/STR ...
1666
1667 domain
1668 A zone name identifier.
1669
1670 template
1671 A reference to a configuration template.
1672
1673 Default: not set or default (if the template exists)
1674
1675 storage
1676 A data directory for storing zone files.
1677
1678 Default: ${localstatedir}/lib/knot (configured with --with-storage=path)
1680
1681 file
1682 A path to the zone file. Non-absolute path (i.e. not starting with /)
1683 is relative to storage. It is also possible to use the following for‐
1684 matters:
1685
1686 • %c[N] or %c[N-M] – Means the Nth character or a sequence of charac‐
1687 ters beginning from the Nth and ending with the Mth character of the
1688 textual zone name (see %s). The indexes are counted from 0 from the
1689 left. All dots (including the terminal one) are considered. If the
1690 character is not available, the formatter has no effect.
1691
1692 • %l[N] – Means the Nth label of the textual zone name (see %s). The
1693 index is counted from 0 from the right (0 ~ TLD). If the label is
1694 not available, the formatter has no effect.
1695
1696 • %s – Means the current zone name in the textual representation. The
1697 zone name doesn't include the terminating dot (the result for the
1698 root zone is the empty string!).
1699
1700 • %% – Means the % character.
1701
1702 WARNING:
1703 Beware of special characters which are escaped or encoded in the
1704 \DDD form where DDD is corresponding decimal ASCII code.
1705
1706 Default: storage/%s.zone
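
The following Python, added as an example for this page and not the server's own code, implements the %c, %l, %s and %% formatters with the indexing rules given above and resolves the result against storage. It assumes that an unavailable index expands to nothing ("the formatter has no effect") and does not model the \DDD escaping the warning mentions; the storage path and zone names are constructed sample values.

```python
import os
import re

# %c[N], %c[N-M], %l[N], %s and %% as documented for the 'file' item
_FORMATTER = re.compile(r"%(?:c\[(\d+)(?:-(\d+))?\]|l\[(\d+)\]|s|%)")


def expand_zone_file(pattern: str, zone: str) -> str:
    """Expand the file-name formatters for one zone name.

    textual - the %s form: the zone name without the terminating dot ('' for root)
    chars   - what %c indexes: all characters, including the terminal dot
    labels  - what %l indexes: label 0 is the TLD (counted from the right)
    Assumption of this example: an index that is not available expands to nothing.
    Characters the server would write in \\DDD form are not modelled here."""
    textual = zone.rstrip(".").lower()
    chars = textual + "."
    labels = textual.split(".") if textual else []

    def expand(match):
        token = match.group(0)
        if token == "%%":
            return "%"
        if token == "%s":
            return textual
        if match.group(3) is not None:                      # %l[N]
            i = int(match.group(3))
            return labels[len(labels) - 1 - i] if i < len(labels) else ""
        n = int(match.group(1))                             # %c[N] or %c[N-M]
        if n >= len(chars):
            return ""
        if match.group(2) is None:
            return chars[n]
        return chars[n:int(match.group(2)) + 1]             # Mth character is included

    return _FORMATTER.sub(expand, pattern)


def resolve_zone_file(storage: str, file_pattern: str, zone: str) -> str:
    """Non-absolute results are relative to 'storage', as the page states."""
    path = expand_zone_file(file_pattern, zone)
    return path if os.path.isabs(path) else os.path.join(storage, path)


if __name__ == "__main__":
    # Constructed sample: spread zone files over per-TLD subdirectories.
    for zone in ("example.com.", "example.net.", "www.example.org"):
        print(resolve_zone_file("/var/lib/knot", "%l[0]/%s.zone", zone))
```

A pattern such as %l[0]/%s.zone keeps large deployments tidy (one directory per TLD); note that the root zone expands %s to the empty string, so the default storage/%s.zone yields the file name .zone for it.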
1707
1708 master
1709 An ordered list of references to remote and remotes definitions of the
1710 zone's primary servers (formerly known as master servers).
1711
1712 Default: not set
1713
1714 ddns-master
1715 A reference to the zone's primary master server. If not specified, the
1716 first master server is used.
1717
1718 Default: not set
1719
1720 notify
1721 An ordered list of references to remote and remotes definitions of the
1722 secondary servers to which a notify message is sent if the zone changes.
1723
1724 Default: not set
1725
1726 acl
1727 An ordered list of references to ACL rules which can allow or disallow
1728 zone transfers, updates or incoming notifies.
1729
1730 Default: not set
1731
1732 semantic-checks
1733 Selects whether extra zone semantic checks are used, or how strictly the
1734 mandatory checks are enforced.
1735
1736 There are several mandatory checks which are always enabled and cannot
1737 be turned off. An error in a mandatory check causes the zone not to be
1738 loaded. Some of the mandatory checks can be weakened by setting soft,
1739 when the zone isn't prevented from loading.
1740
1741 If enabled, extra checks are used. These checks don't prevent the zone
1742 from loading.
1743
1744 The mandatory checks are applied to zone files, zone transfers, and up‐
1745 dates via control interface. The extra checks are applied to zone files
1746 only!
1747
1748 Mandatory checks:
1749
1750 • Missing SOA record at the zone apex (RFC 1034)
1751
1752 Mandatory checks affected by the soft mode:
1753
1754 • An extra record exists together with a CNAME record except for RRSIG
1755 and NSEC (RFC 1034)
1756
1757 • Multiple CNAME records with the same owner exist (RFC 1034)
1758
1759 • DNAME record having a record under it (RFC 6672)
1760
1761 • Multiple DNAME records with the same owner exist (RFC 6672)
1762
1763 • NS record exists together with a DNAME record (RFC 6672)
1764
1765 Extra checks:
1766
1767 • Missing NS record at the zone apex
1768
1769 • Missing glue A or AAAA record
1770
1771 • Invalid DS or NSEC3PARAM record
1772
1773 • CDS or CDNSKEY inconsistency
1774
1775 • All other DNSSEC checks executed during dnssec-validation
1776
1777 NOTE:
1778 The soft mode allows the refresh event to ignore a CNAME response to
1779 a SOA query (malformed message) and triggers a zone bootstrap in‐
1780 stead.
1781
1782 Default: off
1783
1784 zonefile-sync
1785 The time after which the current zone in memory will be synced with a
1786 zone file on the disk (see file). The server will serve the latest zone
1787 even after a restart using zone journal, but the zone file on the disk
1788 will only be synced after zonefile-sync time has expired (or after man‐
1789 ual zone flush). This is applicable when the zone is updated via IXFR,
1790 DDNS or automatic DNSSEC signing. In order to completely disable auto‐
1791 matic zone file synchronization, set the value to -1. In that case, it
1792 is still possible to force a manual zone flush using the -f option.
1793
1794 NOTE:
1795 If you are serving large zones with frequent updates where the imme‐
1796 diate sync with a zone file is not desirable, increase the value.
1797
1798 Default: 0 (immediate)
1799
1800 zonefile-load
1801 Selects how the zone file contents are applied during zone load.
1802
1803 Possible values:
1804
1805 • none – The zone file is not used at all.
1806
1807 • difference – If the zone contents are already available during server
1808 start or reload, the difference is computed between them and the con‐
1809 tents of the zone file. This difference is then checked for semantic
1810 errors and applied to the current zone contents.
1811
1812 • difference-no-serial – Same as difference, but the SOA serial in the
1813 zone file is ignored, the server takes care of incrementing the se‐
1814 rial automatically.
1815
1816 • whole – Zone contents are loaded from the zone file.
1817
1818 When difference is configured and there are no zone contents yet (cold
1819 start and no zone contents in the journal), it behaves the same way as
1820 whole.
1821
1822 Default: whole
1823
1824 journal-content
1825 Selects how the journal shall be used to store zone and its changes.
1826
1827 Possible values:
1828
1829 • none – The journal is not used at all.
1830
1831 • changes – Zone changes history is stored in journal.
1832
1833 • all – Zone contents and history are stored in the journal.
1834
1835 Default: changes
1836
1837 journal-max-usage
1838 The maximum space in the journal DB that the zone's journal may occupy.
1839
1840 NOTE:
1841 Journal DB may grow far above the sum of journal-max-usage across
1842 all zones, because of DB free space fragmentation.
1843
1844 Default: 100M (100 MiB)
1845
1846 journal-max-depth
1847 Maximum history length of the journal.
1848
1849 NOTE:
1850 Zone-in-journal changeset isn't counted to the limit.
1851
1852 Minimum: 2
1853
1854 Default: 20
1855
1856 zone-max-size
1857 Maximum size of the zone. The size is measured as size of the zone
1858 records in wire format without compression. The limit is enforced for
1859 incoming zone transfers and dynamic updates.
1860
1861 For incremental transfers (IXFR), the effective limit for the total
1862 size of the records in the transfer is twice the configured value. How‐
1863 ever the final size of the zone must satisfy the configured value.
1864
1865 Default: unlimited
1866
1867 adjust-threads
1868 Parallelize internal zone adjusting procedures by using specified num‐
1869 ber of threads. This is useful with huge zones with NSEC3. Speedup ob‐
1870 servable at server startup and while processing NSEC3 re-salt.
1871
1872 Default: 1 (no extra threads)
1873
1874 dnssec-signing
1875 If enabled, automatic DNSSEC signing for the zone is turned on.
1876
1877 Default: off
1878
1879 dnssec-validation
1880 If enabled, the zone contents are validated for being correctly signed
1881 (including NSEC/NSEC3 chain) with DNSSEC signatures every time the zone
1882 is loaded or changed (including AXFR/IXFR).
1883
1884 When the validation fails, the zone being loaded or update being ap‐
1885 plied is cancelled with an error, and either none or previous zone
1886 state is published.
1887
1888 List of DNSSEC checks:
1889
1890 • Every zone RRSet is correctly signed by at least one present DNSKEY.
1891
1892 • DNSKEY RRSet is signed by KSK.
1893
1894 • NSEC(3) RR exists for each name (unless opt-out) with correct bitmap.
1895
1896 • Every NSEC(3) RR is linked to the lexicographically next one.
1897
1898 The validation is not affected by dnssec-policy configuration, except
1899 for signing-threads option, which specifies the number of threads for
1900 parallel validation.
1901
1902 Default: not set
1903
1904 NOTE:
1905 Redundant or garbage NSEC3 records are ignored.
1906
1907 This mode is not compatible with dnssec-signing.
1908
1909 dnssec-policy
1910 A reference to DNSSEC signing policy.
1911
1912 Default: an imaginary policy with all default values
1913
1914 NOTE:
1915 A configured policy called "default" won't be used unless explicitly
1916 referenced.
1917
1918 ds-push
1919 Per zone configuration of ds-push. This option overrides possible per
1920 policy option.
1921
1922 Default: not set
1923
1924 zonemd-verify
1925 On each zone load/update, verify that ZONEMD is present in the zone and
1926 valid.
1927
1928 NOTE:
1929 Zone digest calculation may take much time and CPU on large zones.
1930
1931 Default: off
1932
1933 zonemd-generate
1934 On each zone update, calculate ZONEMD and put it into the zone.
1935
1936 Possible values:
1937
1938 • none – No action regarding ZONEMD.
1939
1940 • zonemd-sha384 – Generate ZONEMD using SHA384 algorithm.
1941
1942 • zonemd-sha512 – Generate ZONEMD using SHA512 algorithm.
1943
1944 • remove – Remove any ZONEMD from the zone apex.
1945
1946 Default: none
1947
1948 serial-policy
1949 Specifies how the zone serial is updated after a dynamic update or au‐
1950 tomatic DNSSEC signing. If the serial is changed by the dynamic update,
1951 no change is made.
1952
1953 Possible values:
1954
1955 • increment – The serial is incremented according to serial number
1956 arithmetic.
1957
1958 • unixtime – The serial is set to the current unix time.
1959
1960 • dateserial – The 10-digit serial (YYYYMMDDnn) is incremented, the
1961 first 8 digits match the current iso-date.
1962
1963 NOTE:
1964 If the resulting serial for unixtime or dateserial is lower than or
1965 equal to the current serial (this happens e.g. when migrating from
1966 other policy or frequent updates), the serial is incremented in‐
1967 stead.
1968
1969 To avoid user confusion, use dateserial only if you expect at most
1970 100 updates per day per zone and unixtime only if you expect at most
1971 one update per second per zone.
1972
1973 Generated catalog zones use unixtime only.
1974
1975 Default: increment (unixtime for generated catalog zones)
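
As an added example (not Knot DNS code), the following Python computes the next serial under each serial-policy value, including the fallback to plain incrementing when the computed serial would not be greater than the current one, using RFC 1982 serial number arithmetic for the comparison. The timestamps and serials used are constructed sample values.

```python
from datetime import datetime, timezone

SERIAL_MOD = 2**32


def serial_compare(a: int, b: int) -> int:
    """RFC 1982 serial number arithmetic: 1 if a is newer than b, -1 if older, 0 if equal.
    A difference of exactly 2**31 is undefined by the RFC; it is treated as 'older' here."""
    if a == b:
        return 0
    return 1 if 0 < (a - b) % SERIAL_MOD < 2**31 else -1


def next_serial(policy: str, current: int, now: datetime) -> int:
    """Serial chosen after an automatic change (DDNS that left the serial untouched,
    automatic DNSSEC re-signing) under the given serial-policy. 'now' is an aware
    datetime; the date for dateserial is taken in its time zone.
    If the dynamic update itself changed the serial, the page says no change is made,
    so callers should not invoke this in that case."""
    if policy == "increment":
        return (current + 1) % SERIAL_MOD
    if policy == "unixtime":
        candidate = int(now.timestamp())
    elif policy == "dateserial":
        candidate = int(now.strftime("%Y%m%d")) * 100      # YYYYMMDD00
    else:
        raise ValueError(f"unknown serial-policy: {policy}")
    # Page: if the computed serial is not greater than the current one (e.g. migration
    # from another policy, or more updates than the policy can encode), increment instead.
    if serial_compare(candidate, current) <= 0:
        return (current + 1) % SERIAL_MOD
    return candidate


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for policy in ("increment", "unixtime", "dateserial"):
        # Constructed sample: a zone migrating from dateserial to the other policies
        print(policy, next_serial(policy, 2024010501, now))
```

The migration case the note warns about is visible in the output: a zone whose serial is already a date-style value keeps incrementing under unixtime, because the unix time is numerically smaller, until the two ranges cross.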
1976
1977 refresh-min-interval
1978 Forced minimum zone refresh interval (in seconds) to avoid flooding
1979 primary server.
1980
1981 Minimum: 2
1982
1983 Default: 2
1984
1985 refresh-max-interval
1986 Forced maximum zone refresh interval (in seconds).
1987
1988 Default: not set
1989
1990 retry-min-interval
1991 Forced minimum zone retry interval (in seconds) to avoid flooding pri‐
1992 mary server.
1993
1994 Minimum: 1
1995
1996 Default: 1
1997
1998 retry-max-interval
1999 Forced maximum zone retry interval (in seconds).
2000
2001 Default: not set
2002
2003 expire-min-interval
2004 Forced minimum zone expire interval (in seconds) to avoid flooding pri‐
2005 mary server.
2006
2007 Minimum: 3
2008
2009 Default: 3
2010
2011 expire-max-interval
2012 Forced maximum zone expire interval (in seconds).
2013
2014 Default: not set
2015
2016 catalog-role
2017 Selects the zone's role in the zone catalog feature. Possible values:
2018
2019 • none – Not a catalog zone.
2020
2021 • interpret – A catalog zone which is loaded from a zone file or XFR,
2022 and member zones shall be configured based on its contents.
2023
2024 • generate – A catalog zone whose contents are generated according to
2025 assigned member zones.
2026
2027 • member – A member zone that is assigned to one generated catalog
2028 zone.
2029
2030 Default: none
2031
2032 catalog-template
2033 For the catalog member zones, the specified configuration template will
2034 be applied.
2035
2036 Multiple catalog templates may be defined. The first one is used unless
2037 the member zone has the group property defined, matching another cata‐
2038 log template.
2039
2040 NOTE:
2041 This option must be set if and only if catalog-role is interpret.
2042
2043 Nested catalog zones aren't supported. Therefore catalog templates
2044 can't use catalog-template, catalog-role, catalog-zone, and
2045 catalog-group options.
2046
2047 Default: not set
2048
2049 catalog-zone
2050 Assign this member zone to the specified generated catalog zone.
2051
2052 NOTE:
2053 This option must be set if and only if catalog-role is member.
2054
2055 The referenced catalog zone must exist and have catalog-role set to
2056 generate.
2057
2058 Default: not set
2059
2060 catalog-group
2061 Assign this member zone to the specified catalog group (configuration
2062 template).
2063
2064 NOTE:
2065 This option has effect if and only if catalog-role is member.
2066
2067 Default: not set
2068
2069 module
2070 An ordered list of references to query modules in the form of module_name
2071 or module_name/module_id. These modules apply only to the current zone
2072 queries.
2073
2074 Default: not set
2075
2076 AUTHOR
2077 CZ.NIC Labs <https://www.knot-dns.cz>
2078
2079 COPYRIGHT
2080 Copyright 2010–2022, CZ.NIC, z.s.p.o.
2081
2082
2083
2084
2085 3.2.4 2022-12-12 KNOT.CONF(5)