Configuration file manual for the Knot DNS server.
knot.conf
knot.conf is an overview of all config options for knotc and knotd.
#
# There are 8 main sections of this config file:
# system, interfaces, keys, remotes, groups, zones, control and log
#
# This is a comment.

# Section 'system' contains general options for the server
system {
  # Identity of the server (see RFC 4892).
  # Used to answer CH TXT 'id.server' or 'hostname.bind'
  # Use string format "text"
  # Or on|off. When 'on', FQDN hostname will be used as default.
  # Keeping this 'off' avoids disclosing the host name to CH-class probes.
  identity off;

  # Version of the server (see RFC 4892).
  # Used to answer CH TXT 'version.server' or 'version.bind'
  # Use string format "text"
  # Or on|off. When 'on', current server version will be used as default.
  # Keeping this 'off' avoids advertising the exact software version.
  version off;

  # Server identifier
  # Use string format "text"
  # Or hexstring 0x01ab00
  # Or on|off. When 'on', FQDN hostname will be used as default.
  nsid off;

  # Directory for storing run-time data
  # e.g. PID file and control sockets
  # default: ${localstatedir}/run/knot, configured with --with-rundir
  # The control socket is created here (see section 'control'), so this
  # directory should be writable only by the server user.
  rundir "/var/run/knot";

  # Number of workers per interface
  # This option is used to force the number of threads used per interface
  # Default: unset (auto-estimates optimal value from the number of online CPUs)
  # workers 3;

  # Number of background workers
  # This option is used to set the number of threads used to execute background
  # operations (e.g., zone loading, zone signing, XFR zone updates, ...)
  # Default: unset (auto-estimates optimal value from the number of online CPUs)
  # background-workers 4;

  # Start server asynchronously
  # When asynchronous startup is enabled, the server doesn't wait for the zones
  # to be loaded and starts responding immediately with lame answers until the
  # zone loads. This may be useful in some scenarios, but it is disabled by
  # default.
  # Default: disabled (wait for zones to be loaded before answering)
  asynchronous-start off;

  # User for running server
  # May also specify user.group (e.g. knot.users)
  # Left commented out in this sample; in a deployment set it so that the
  # daemon does not keep the privileges it was started with.
  # user knot.users;

  # Maximum idle time between requests on a TCP connection
  # It is also possible to suffix with unit size [s/m/h/d]
  # f.e. 1s = 1 second, 1m = 1 minute, 1h = 1 hour, 1d = 1 day
  # Default: 60s
  max-conn-idle 60s;

  # Maximum time between newly accepted TCP connection and first query
  # This is useful to disconnect inactive connections faster
  # It is also possible to suffix with unit size [s/m/h/d]
  # f.e. 1s = 1 second, 1m = 1 minute, 1h = 1 hour, 1d = 1 day
  # Default: 10s
  max-conn-handshake 10s;

  # Maximum time to wait for a reply to SOA query
  # It is also possible to suffix with unit size [s/m/h/d]
  # f.e. 1s = 1 second, 1m = 1 minute, 1h = 1 hour, 1d = 1 day
  # Default: 10s
  max-conn-reply 10s;

  # Number of parallel transfers
  # This number also includes pending SOA queries
  # Minimal value is number of CPUs
  # Default: 10
  transfers 10;

  # Rate limit
  # in queries / second
  # Default: off (=0)
  # 0 leaves response rate limiting disabled; the rate-limit-size and
  # rate-limit-slip options below only matter once a non-zero limit is set.
  rate-limit 0;

  # Rate limit bucket size
  # Number of hashtable buckets, set to a reasonable value as default.
  # We chose a reasonably large prime number as it's used for hashtable size;
  # it is recommended to do so as well due to better distribution.
  # Rule of thumb is to set it to about 1.2 * (maximum_qps)
  # Memory cost is approx. 32B per bucket
  # Default: 393241
  rate-limit-size 393241;

  # Rate limit SLIP
  # Each Nth blocked response will be sent as truncated; this is a way to allow
  # legitimate requests to get a chance to reconnect using TCP
  # Default: 1
  rate-limit-slip 1;

  # Maximum EDNS0 UDP payload size
  # Default value: 4096
  max-udp-payload 4096;
}

# Includes can be placed anywhere at any level in the configuration file. The
# file name can be relative to the current file or absolute.
#
# This include includes keys which are commented out in the next section.
include "knot.keys.conf";

# Section 'keys' contains list of TSIG keys
# TSIG keys are shared secrets. Keeping them in the included file above lets
# the main configuration be shared without them; restrict read access to that
# file to the server user.
#keys {
#  # TSIG key
#  #
#  # format: name key-type "<key>";
#  # where key-type may be one of the following:
#  #   hmac-md5
#  #   hmac-sha1
#  #   hmac-sha224
#  #   hmac-sha256
#  #   hmac-sha384
#  #   hmac-sha512
#  # and <key> is the private key
#  # Prefer hmac-sha256 or stronger for new keys. The values below are
#  # placeholders for illustration only, not usable keys.
#  key0.server0 hmac-md5 "Wg==";
#
#  # TSIG key for zone
#  key0.example.com hmac-md5 "==gW";
#}

# Section 'interfaces' contains definitions of listening interfaces.
interfaces {
  # Interface entry
  #
  # Format 1: <name> { address <address>; [port <port>;] }
  #
  # <name> is an arbitrary symbolic name
  # <address> may be either an IPv4 or an IPv6 address
  # port is required for XFR/IN and NOTIFY/OUT
  ipv4 {
    address 127.0.0.1;
    port 53531;
  }

  # Format 2: <name> { address <address>@<port>; }
  # shortipv4 {
  #   address 127.0.0.1@53532;
  # }

  # Format 1 (IPv6 interface)
  # ipv6 {
  #   address ::1@53533;
  # }

  # Format 2 (IPv6 interface)
  # ipv6b {
  #   address [::1]@53534;
  # }
}

# Section 'remotes' contains symbolic names for remote servers.
# Syntax for 'remotes' is the same as for 'interfaces'.
remotes {
  # Remote entry
  #
  # Format 1: <name> { address <address>; [port <port>;] }
  #
  # <name> is an arbitrary symbolic name
  # <address> may be either an IPv4 or an IPv6 address
  # port is optional (default: 53)
  # key (optional) names the TSIG key associated with this remote; a remote
  # without a key is identified by its source address alone wherever it is
  # listed in an ACL
  # via (optional) selects the source interface for queries, given as a named
  # interface, a direct IPv4 address or a direct IPv6 address
  server0 {
    address 127.0.0.1;
    port 53531;
    key key0.server0;
    via ipv4;
    via 82.35.64.59;
    via [::cafe];
  }

  # Format 2: <name> { address <address>@<port>; }
  # server1 and the admin-* remotes below carry no key, so the zone ACLs that
  # list them match on address only.
  server1 {
    address 127.0.0.1@53001;
  }

  admin-alice {
    address 192.168.100.1;
  }
  admin-bob {
    address 192.168.100.2;
  }
}

# Section 'groups' defines named sets of remotes; a group name can be used in
# the ACL lists below in place of listing each remote.
groups {
  admins { admin-alice, admin-bob }
}

# Section 'control' specifies on which interface to listen for RC commands
control {
  # Default: $(run_dir)/knot.sock
  listen-on "knot.sock";

  # As an alternative, you can use an IPv4/v6 address and port
  # Same syntax as for 'interfaces' items
  # With the address form the control channel is reachable over the network;
  # pair it with a restrictive 'allow' list below.
  # listen-on { address 127.0.0.1@5533; }

  # Specifies ACL list for remote control
  # Same syntax as for ACLs in zones
  # List of remotes or groups delimited by comma
  # Notice: keep in mind that ACLs bear no effect with UNIX sockets
  # allow server0, admins;
}

# Section 'zones' contains information about zones to be served.
zones {
  # Shared options for all listed zones
  #
  # This is a default directory to place slave zone files, journals etc.
  # default: ${localstatedir}/lib/knot, configured with --with-storage
  storage "/var/lib/knot";

  # Build differences from zone file changes. EXPERIMENTAL feature.
  # Possible values: on|off
  # Default value: off
  ixfr-from-differences off;

  # Enable semantic checks for all zones (if 'on')
  # Possible values: on|off
  # Default value: off
  semantic-checks off;

  # Disable ANY type queries for authoritative answers (if 'on')
  # Possible values: on|off
  # Default value: off
  # ANY answers tend to be large; 'on' is the conservative choice for a server
  # reachable from untrusted networks.
  disable-any off;

  # NOTIFY response timeout
  # Possible values: <1,...> (seconds)
  # Default value: 60
  notify-timeout 60;

  # Number of retries for NOTIFY
  # Possible values: <1,...>
  # Default value: 5
  notify-retries 5;

  # Timeout for syncing changes from zone database to zonefile
  # Possible values: <1..INT_MAX> (seconds)
  # Default value: 0s - immediate sync
  # It is also possible to suffix with unit size [s/m/h/d]
  # f.e. 1s = 1 second, 1m = 1 minute, 1h = 1 hour, 1d = 1 day
  # Warning: If serving a large zone, set this to a larger value
  # to keep disk load down.
  zonefile-sync 1h;

  # File size limit for IXFR journal
  # Possible values: <1..INT_MAX>
  # Default value: N/A (infinite)
  # It is also possible to suffix with unit size [k/M/G]
  # f.e. 1k, 100M, 2G
  ixfr-fslimit 1G;

  # Enable DNSSEC online signing (EXPERIMENTAL)
  # Possible values: on|off
  # Default value: off
  # dnssec-enable off;

  # Location of DNSSEC signing keys (relative to storage dir).
  # Default value: not set
  # This directory holds private signing keys; it should be readable only by
  # the server user.
  # dnssec-keydir "keys";

  # Validity period for DNSSEC signatures
  # Possible values: <10801..INT_MAX> (seconds)
  # Default value: 30d (30 days or 2592000 seconds)
  # It is also possible to suffix with unit size [s/m/h/d]
  # f.e. 1s = 1 second, 1m = 1 minute, 1h = 1 hour, 1d = 1 day
  # The signatures are refreshed one tenth of the signature lifetime before
  # the signature expiration (i.e., 3 days before by default)
  # signature-lifetime 30d;

  # Serial policy after DDNS and automatic DNSSEC signing.
  # Possible values: increment | unixtime
  # Default value: increment
  # serial-policy increment;

  # Query modules are dynamically loaded modules that can alter query plan
  # processing. Configuration is always module-specific, but passed as a
  # simple string here. Query modules listed here are effective for all
  # queries (even those without an assigned zone).
  query_module {
    module_name "configuration string";
  }

  # Zone entry
  #
  # Format: <zone-name> { file "<path-to-zone-file>"; }
  #
  # <zone-name> is the DNS name of the zone (zone root)
  example.com {
    # Zone specific storage directory (relative to storage in zones section).
    # default: inherited from zones section
    storage "example.com";

    # <path-to-zone-file> may be either absolute or relative, in which case
    # it is considered relative to the current directory from which the server
    # was started.
    file "samples/example.com.zone";

    # Build differences from zone file changes
    # Possible values: on|off
    # Default value: off
    ixfr-from-differences off;

    # Disable ANY type queries for authoritative answers (if 'on')
    # Possible values: on|off
    # Default value: off
    disable-any off;

    # Enable zone semantic checks
    # Possible values: on|off
    # Default value: off
    semantic-checks on;

    # NOTIFY response timeout (specific for current zone)
    # Possible values: <1,...> (seconds)
    # Default value: 60
    notify-timeout 60;

    # Number of retries for NOTIFY (specific for current zone)
    # Possible values: <1,...>
    # Default value: 5
    notify-retries 5;

    # Timeout for syncing changes from zone database to zonefile
    # Possible values: <1..INT_MAX> (seconds)
    # Default value: inherited from zones.zonefile-sync
    # It is also possible to suffix with unit size [s/m/h/d]
    # f.e. 1s = 1 second, 1m = 1 minute, 1h = 1 hour, 1d = 1 day
    zonefile-sync 1h;

    # File size limit for IXFR journal
    # Possible values: <1..INT_MAX>
    # Default value: N/A (infinite)
    # It is also possible to suffix with unit size [k/M/G]
    # f.e. 1k, 100M, 2G
    ixfr-fslimit 1G;

    # Location of DNSSEC signing keys (relative to storage directory in zone).
    # Default value: inherited from zones section
    # Holds private signing keys; keep it readable only by the server user.
    dnssec-keydir "keys";

    # Enable DNSSEC online signing (EXPERIMENTAL)
    # Possible values: on|off
    # Default value: inherited from zones section
    dnssec-enable off;

    # Validity period for DNSSEC signatures
    # Possible values: <10801..INT_MAX> (seconds)
    # Default value: 30d (30 days or 2592000 seconds)
    # It is also possible to suffix with unit size [s/m/h/d]
    # f.e. 1s = 1 second, 1m = 1 minute, 1h = 1 hour, 1d = 1 day
    # The lower limit is because the server will trigger resign when any of the
    # signatures expires in 7200 seconds or less and it was chosen as a
    # reasonable value with regard to signing overhead.
    # signature-lifetime 30d;

    # Serial policy after DDNS and automatic DNSSEC signing.
    # Possible values: increment | unixtime
    # Default value: increment
    # serial-policy increment;

    # XFR master server
    xfr-in server0;

    # ACL list of XFR slaves
    # server1 has no TSIG key in 'remotes', so transfers to it are authorised
    # by source address only.
    xfr-out server0, server1;

    # ACL list of servers allowed to send NOTIFY queries
    notify-in server0;

    # List of servers to send NOTIFY to
    notify-out server0, server1;

    # List of servers to allow UPDATE queries
    # The 'admins' members carry no key, so their updates are authorised by
    # source address only; giving those remotes a TSIG key makes the check
    # independent of the address.
    update-in server0, admins;

    # Query modules are dynamically loaded modules that can alter query plan
    # processing. Configuration is always module-specific, but passed as a
    # simple string here.
    query_module {
      module_one "configuration string";
      module_two "specific configuration string";
    }
  }
}

# Section 'log' configures logging of server messages.
#
# Logging recognizes 3 symbolic names of log devices:
#   stdout   - Standard output
#   stderr   - Standard error output
#   syslog   - Syslog
#
# In addition, an arbitrary number of log files may be specified (see below).
#
# Log messages are characterized by severity and category.
# Supported severities:
#   debug    - Debug messages and below. Must be turned on at compile time.
#   info     - Informational messages and below.
#   notice   - Notices and hints and below.
#   warning  - Warnings and below. An action from the operator may be required.
#   error    - Recoverable error and below. Some action should be taken.
#   critical - Non-recoverable errors resulting in server shutdown.
#              (Not supported yet.)
#
# Categories designate the source of the log message and roughly correspond
# to server modules
# Supported categories:
#   server   - Messages related to general operation of the server.
#   zone     - Messages related to zones, zone parsing and loading.
#   any      - All categories
#
# Default settings (in case there are no entries in 'log' section or the section
# is missing at all):
#
# stderr { any error; }
# syslog { any error; }
log {
  # Format 1:
  # <log> {
  #   <category1> <severity1>;
  #   <category2> <severity2>;
  #   ...
  # }
  syslog {
    # Log any error or critical to syslog
    any error;
    # Log all (excluding debug) from server to syslog
    server info;
  }

  # Log any warning, error or critical to stderr
  stderr {
    any warning;
  }

  # Format 2:
  # file <path> {
  #   <category1> <severity1>;
  #   <category2> <severity2>;
  # }
  # <path> is absolute or relative path to log file
  #
  # The path below is a sample only: /tmp is shared and world-writable, so in
  # a deployment point the log at a directory owned by the server user.
  # 'debug' output is only available when enabled at compile time (see above).
  file "/tmp/knot-sample/knotd.debug" {
    server debug;
  }
}