.\" Man page generated from reStructuredText.
.
.TH "KNOT.CONF" "5" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
.SH NAME
knot.conf \- Knot DNS configuration file
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.SH DESCRIPTION
.sp
The configuration file for Knot DNS uses a simplified YAML format. Simplified means
that not all features are supported.
.sp
For the configuration items description, there are some symbols with the
following meaning:
.INDENT 0.0
.IP \(bu 2
\fIINT\fP \- Integer
.IP \(bu 2
\fISTR\fP \- Textual string
.IP \(bu 2
\fIHEXSTR\fP \- Hexadecimal string (with \fB0x\fP prefix)
.IP \(bu 2
\fIBOOL\fP \- Boolean value (\fBon\fP, \fBoff\fP, \fBtrue\fP or \fBfalse\fP)
.IP \(bu 2
\fITIME\fP \- Number of seconds, integer with possible time multiplier suffix
(\fBs\fP ~ 1, \fBm\fP ~ 60, \fBh\fP ~ 3600 or \fBd\fP ~ 24 * 3600)
.IP \(bu 2
\fISIZE\fP \- Number of bytes, integer with possible size multiplier suffix
(\fBB\fP ~ 1, \fBK\fP ~ 1024, \fBM\fP ~ 1024^2 or \fBG\fP ~ 1024^3)
.IP \(bu 2
\fIBASE64\fP \- Base64 encoded string
.IP \(bu 2
\fIADDR\fP \- IPv4 or IPv6 address
.IP \(bu 2
\fIDNAME\fP \- Domain name
.IP \(bu 2
\&... \- Multi\-valued item, order of the values is preserved
.IP \(bu 2
[ ] \- Optional value
.IP \(bu 2
| \- Choice
.UNINDENT
.sp
There are 8 main sections (\fBserver\fP, \fBkey\fP, \fBacl\fP, \fBcontrol\fP,
\fBremote\fP, \fBtemplate\fP, \fBzone\fP and \fBlog\fP) and module sections with
\fBmod\-\fP prefix. Most of the sections (excluding \fBserver\fP and
\fBcontrol\fP) are sequences of settings blocks. Each settings block
begins with a unique identifier, which can be used as a reference from other
sections (such identifier must be defined in advance).
.sp
A multi\-valued item can be specified either as a YAML sequence [val1, val2, ...]
or as several single\-valued items, each on its own line.
.sp
If an item value contains spaces or other special characters, it is necessary
to double quote such value with \fB"\fP \fB"\fP\&.
.SH COMMENTS
.sp
A comment begins with a \fB#\fP character and is ignored during the processing.
Also, each configuration section or sequence block allows a permanent
comment to be specified using the \fBcomment\fP item, which is stored in the server beside the
configuration.
.SH INCLUDES
.sp
Another configuration file or all configuration files in a directory can be
included at the top level in the current file. If the file or directory path
is not absolute, then it is relative to the current file directory.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
include: STR
.ft P
.fi
.UNINDENT
.UNINDENT
.SH SERVER SECTION
.sp
General options related to the server.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
server:
    identity: [STR]
    version: [STR]
    nsid: [STR|HEXSTR]
    rundir: STR
    user: STR[:STR]
    pidfile: STR
    workers: INT
    background\-workers: INT
    asynchronous\-start: BOOL
    max\-conn\-idle: TIME
    max\-conn\-handshake: TIME
    max\-conn\-reply: TIME
    max\-tcp\-clients: INT
    max\-udp\-payload: SIZE
    transfers: INT
    rate\-limit: INT
    rate\-limit\-slip: INT
    rate\-limit\-size: INT
    listen: ADDR[@INT] ...
.ft P
.fi
.UNINDENT
.UNINDENT
.SS identity
.sp
An identity of the server returned in the response for the query for TXT
record \fBid.server.\fP or \fBhostname.bind.\fP in the CHAOS class (see RFC 4892).
Set empty value to disable.
.sp
Default: FQDN hostname
.SS version
.sp
A version of the server software returned in the response for the query
for TXT record \fBversion.server.\fP or \fBversion.bind.\fP in the CHAOS
class (see RFC 4892). Set empty value to disable.
.sp
Default: server version
.SS nsid
.sp
A DNS name server identifier (see RFC 5001). Set empty value to disable.
.sp
Default: FQDN hostname
.SS rundir
.sp
A path for storing run\-time data (PID file, unix sockets, etc.).
.sp
Default: \fB${localstatedir}/run/knot\fP (configured with \fB\-\-with\-rundir=path\fP)
.SS user
.sp
A system user with an optional system group (\fIuser\fP:\fIgroup\fP) under which the
server is run after starting and binding to interfaces. Linux capabilities
are employed if supported.
.sp
Default: root:root
.SS pidfile
.sp
A PID file location.
.sp
Default: \fI\%rundir\fP/knot.pid
.SS workers
.sp
A number of querying workers (threads) per server interface.
.sp
Default: auto\-estimated optimal value based on the number of online CPUs
.SS background\-workers
.sp
A number of workers (threads) used to execute background operations (zone
loading, zone updates, etc.).
.sp
Default: auto\-estimated optimal value based on the number of online CPUs
.SS asynchronous\-start
.sp
If enabled, the server doesn\(aqt wait for the zones to be loaded and starts
responding immediately with SERVFAIL answers until the zone loads.
.sp
Default: off
.SS max\-conn\-idle
.sp
Maximum idle time between requests on a TCP connection. This also limits
receiving of a single query: each query must be received within this time limit.
.sp
Default: 20
.SS max\-conn\-handshake
.sp
Maximum time between newly accepted TCP connection and the first query.
This is useful to disconnect inactive connections faster than connections
that already made at least 1 meaningful query.
.sp
Default: 5
.SS max\-conn\-reply
.sp
Maximum time to wait for a reply to an issued SOA query.
.sp
Default: 10
.SS max\-tcp\-clients
.sp
A maximum number of TCP clients connected in parallel. Set this below the file
descriptor limit to avoid resource exhaustion.
.sp
Default: 100
.SS transfers
.sp
A maximum number of parallel transfers, including pending SOA queries. The
minimum value is determined by the number of CPUs.
.sp
Default: 10
.SS rate\-limit
.sp
Rate limiting is based on the token bucket scheme. The rate
represents the number of tokens available each second. Each response is
processed and classified (based on several discriminators, e.g.
source netblock, qtype, name, rcode, etc.). Classified responses are
then hashed and assigned to a bucket containing the number of available
tokens, a timestamp and metadata. When the available tokens are exhausted,
the response is rejected or enters \fI\%SLIP\fP
(the server responds with a truncated response). The number of available tokens
is recalculated each second.
.sp
Default: 0 (disabled)
.SS rate\-limit\-size
.sp
Size of the hashtable in number of buckets. The larger the hashtable, the lower the probability
of a hash collision, but at the expense of additional memory costs. Each bucket
is estimated at roughly 32 bytes. The size should be selected as a reasonably large
prime due to the better hash function distribution properties. The hash table is
internally chained and works well up to a fill rate of 90 %; a general
rule of thumb is to select a prime near 1.2 * maximum_qps.
.sp
Default: 393241
.SS rate\-limit\-slip
.sp
As attacks using DNS/UDP are usually based on a forged source address,
an attacker could deny services to the victim netblock if all
responses would be completely blocked. The idea behind the SLIP mechanism
is to send each Nth response as truncated, thus allowing the client to
reconnect via TCP for at least some degree of service. It is worth
noting that some responses can\(aqt be truncated (e.g. SERVFAIL).
.sp
It is advisable not to set the slip interval to a value larger than 2,
as too large a slip value means more denial of service for legitimate
requestors, and introduces excessive timeouts during resolution.
On the other hand, slipping a truncated answer gives the legitimate
requestors a chance to reconnect over TCP.
.sp
Default: 1
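.sp
The model below is an added example, not Knot DNS code: it replays a one\-second burst of identical responses to a single forged source through a simplified token bucket and counts how many are answered in full, truncated (SLIP) or dropped for different \fBrate\-limit\-slip\fP values. The /24 netblock, the CRC32 hash, the refill rule and all names and sample values are assumptions of the model.
.sp
.nf
.ft C
```python
import zlib
from collections import Counter
from ipaddress import ip_network

PASS, SLIP, DROP = "pass", "slip", "drop"


class RateLimitModel:
    """Simplified model of rate-limit / rate-limit-slip (not Knot's code)."""

    def __init__(self, rate, slip=1, size=393241):
        if slip < 1:
            raise ValueError("this model only covers slip >= 1")
        self.rate, self.slip, self.size = rate, slip, size
        self.buckets = {}  # bucket index -> [tokens, second, limited_count]

    def _bucket(self, src, qtype, name, rcode, second):
        # Classify by source netblock, qtype, name and rcode, then hash.
        # The /24 netblock and CRC32 are assumptions made for this model.
        net = ip_network(src + "/24", strict=False).network_address
        key = "|".join((str(net), qtype, name.lower(), rcode)).encode()
        index = zlib.crc32(key) % self.size
        return self.buckets.setdefault(index, [self.rate, second, 0])

    def decide(self, now, src, qtype, name, rcode="NOERROR"):
        if self.rate == 0:                  # default 0 means disabled
            return PASS
        second = int(now)
        bucket = self._bucket(src, qtype, name, rcode, second)
        if second > bucket[1]:              # tokens recalculated each second
            bucket[0], bucket[1] = self.rate, second
        if bucket[0] > 0:
            bucket[0] -= 1
            return PASS
        bucket[2] += 1                      # tokens exhausted
        return SLIP if bucket[2] % self.slip == 0 else DROP


def flood(rate, slip, responses=100):
    """Outcome of `responses` identical answers to one forged source in 1 s."""
    model = RateLimitModel(rate, slip)
    return Counter(
        # Constructed sample query: documentation address and name.
        model.decide(0.0, "192.0.2.55", "ANY", "example.com.")
        for _ in range(responses)
    )


if __name__ == "__main__":
    for slip in (1, 2, 10):
        print("slip", slip, dict(flood(rate=5, slip=slip)))
```
.ft P
.fi
.sp
With a slip of 10 the model drops most limited responses outright, which is the extra denial of service for the legitimate owner of the forged address that the advice above warns about.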
.SS max\-udp\-payload
.sp
Maximum EDNS0 UDP payload size.
.sp
Default: 4096
.SS listen
.sp
One or more IP addresses where the server listens for incoming queries.
Optional port specification (default is 53) can be appended to each address
using \fB@\fP separator. Use \fB0.0.0.0\fP for all configured IPv4 addresses or
\fB::\fP for all configured IPv6 addresses.
.sp
Default: empty
.SH KEY SECTION
.sp
Shared TSIG keys used to authenticate communication with the server.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
key:
  \- id: DNAME
    algorithm: hmac\-md5 | hmac\-sha1 | hmac\-sha224 | hmac\-sha256 | hmac\-sha384 | hmac\-sha512
    secret: BASE64
.ft P
.fi
.UNINDENT
.UNINDENT
.SS id
.sp
A key name identifier.
.SS algorithm
.sp
A key algorithm.
.sp
Default: empty
.SS secret
.sp
Shared key secret.
.sp
Default: empty
.SH ACL SECTION
.sp
Access control list rules definition.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
acl:
  \- id: STR
    address: ADDR[/INT]
    key: key_id
    action: deny | xfer | notify | update | control ...
.ft P
.fi
.UNINDENT
.UNINDENT
.SS id
.sp
An ACL rule identifier.
.SS address
.sp
A single IP address or network subnet with the given prefix the query
must match.
.sp
Default: empty
.SS key
.sp
A \fI\%reference\fP to the TSIG key the query must match.
.sp
Default: empty
.SS action
.sp
An ordered list of allowed actions.
.sp
Possible values:
.INDENT 0.0
.IP \(bu 2
\fBdeny\fP \- Block the matching query
.IP \(bu 2
\fBxfer\fP \- Allow zone transfer
.IP \(bu 2
\fBnotify\fP \- Allow incoming notify
.IP \(bu 2
\fBupdate\fP \- Allow zone updates
.IP \(bu 2
\fBcontrol\fP \- Allow remote control
.UNINDENT
.sp
Default: deny
.SH CONTROL SECTION
.sp
Configuration of the server remote control.
.sp
Caution: The control protocol is not encrypted and is susceptible to replay
attacks within a short timeframe, until the message digest expires. For that reason,
it is recommended to use the default UNIX socket.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
control:
    listen: ADDR[@INT]
    acl: acl_id ...
.ft P
.fi
.UNINDENT
.UNINDENT
.SS listen
.sp
A UNIX socket path or IP address where the server listens for remote control
commands. Optional port specification (default is 5533) can be appended to the
address using \fB@\fP separator.
.sp
Default: \fI\%rundir\fP/knot.sock
.SS acl
.sp
An ordered list of \fI\%references\fP to ACL rules allowing the remote
control.
.sp
Caution: This option has no effect with UNIX socket.
.sp
Default: empty
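.sp
The check below is an added example, not part of Knot DNS: it reads a small subset of the configuration format and reports items documented on this page that are left at a risky value, namely remote control bound to an IP address, \fBrate\-limit\fP disabled and \fBdisable\-any\fP off in the \fIdefault\fP template. Both sample configurations are constructed, the reader ignores quoting rules and zone\-level overrides, and treating a root \fBuser\fP as a finding is the example\(aqs own least\-privilege assumption.
.sp
.nf
.ft C
```python
import ipaddress

# Constructed sample configurations; every value is made up for the example.
SAMPLE = """
server:
    listen: 0.0.0.0@53
control:
    listen: 192.0.2.1@5533   # remote control over TCP
template:
  - id: default
    storage: /var/lib/knot
"""

HARDENED = """
server:
    user: knot:knot
    rate-limit: 200
    listen: 0.0.0.0@53
control:
    listen: /run/knot/knot.sock
template:
  - id: default
    disable-any: on
"""


def parse(text):
    """Tiny reader for the subset used here: {section: [settings block]}."""
    sections, blocks = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # '#' starts a comment
        if not line.strip():
            continue
        if not line[0].isspace():                 # top-level "section:"
            blocks = sections.setdefault(line.strip().rstrip(":"), [])
            continue
        item = line.strip()
        if item.startswith("- "):                 # new block in a sequence
            blocks.append({})
            item = item[2:].strip()
        elif not blocks:                          # server/control: one block
            blocks.append({})
        key, _, value = item.partition(":")
        blocks[-1][key.strip()] = value.strip().strip('"')
    return sections


def first(cfg, section):
    """First settings block of a section, or an empty block if absent."""
    return (cfg.get(section) or [{}])[0]


def audit(text):
    """Return the names of the items this example treats as findings."""
    cfg, findings = parse(text), []
    address = first(cfg, "control").get("listen", "").split("@")[0]
    try:
        ipaddress.ip_address(address)             # IP => unencrypted control
        findings.append("control.listen")
    except ValueError:
        pass                                      # path or unset => UNIX socket
    server = first(cfg, "server")
    if server.get("user", "root:root").split(":")[0] == "root":
        findings.append("server.user")            # page default is root:root
    if int(server.get("rate-limit", "0")) == 0:   # page default 0 = disabled
        findings.append("server.rate-limit")
    default = [t for t in cfg.get("template", []) if t.get("id") == "default"]
    if not any(t.get("disable-any") in ("on", "true") for t in default):
        findings.append("template.disable-any")
    return findings
```
.ft P
.fi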
.SH REMOTE SECTION
.sp
Definition of remote servers for zone transfers or notifications.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
remote:
  \- id: STR
    address: ADDR[@INT]
    via: ADDR[@INT]
    key: key_id
.ft P
.fi
.UNINDENT
.UNINDENT
.SS id
.sp
A remote identifier.
.SS address
.sp
A destination IP address of the remote server. Optional destination port
specification (default is 53) can be appended to the address using \fB@\fP
separator.
.sp
Default: empty
.SS via
.sp
A source IP address which is used to communicate with the remote server.
Optional source port specification can be appended to the address using
\fB@\fP separator.
.sp
Default: empty
.SS key
.sp
A \fI\%reference\fP to the TSIG key which is used to authenticate
the communication with the remote server.
.sp
Default: empty
.SH TEMPLATE SECTION
.sp
A template is a shareable set of zone settings which can be used for the configuration of
many zones in one place. A special default template (with the \fIdefault\fP identifier)
can be used for general querying configuration or as an implicit default
configuration if a zone doesn\(aqt have a template specified.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
template:
  \- id: STR
    storage: STR
    master: remote_id ...
    notify: remote_id ...
    acl: acl_id ...
    semantic\-checks: BOOL
    disable\-any: BOOL
    notify\-timeout: TIME
    notify\-retries: INT
    zonefile\-sync: TIME
    ixfr\-from\-differences: BOOL
    ixfr\-fslimit: SIZE
    dnssec\-enable: BOOL
    dnssec\-keydir: STR
    signature\-lifetime: TIME
    serial\-policy: increment | unixtime
    module: STR/STR ...
.ft P
.fi
.UNINDENT
.UNINDENT
.SS id
.sp
A template identifier.
.SS storage
.sp
A data directory for storing zone files, journal files and timers database.
.sp
Default: \fB${localstatedir}/lib/knot\fP (configured with \fB\-\-with\-storage=path\fP)
.SS master
.sp
An ordered list of \fI\%references\fP to zone master servers.
.sp
Default: empty
.SS notify
.sp
An ordered list of \fI\%references\fP to remotes to which notify
message is sent if the zone changes.
.sp
Default: empty
.SS acl
.sp
An ordered list of \fI\%references\fP to ACL rules which can allow
or disallow zone transfers, updates or incoming notifies.
.sp
Default: empty
.SS semantic\-checks
.sp
If enabled, extra zone file semantic checks are turned on.
.sp
Several checks are enabled by default and cannot be turned off. An error in
mandatory checks causes zone not to be loaded. An error in extra checks is
logged only.
.sp
Mandatory checks:
.INDENT 0.0
.IP \(bu 2
An extra record together with CNAME record (except for RRSIG and DS)
.IP \(bu 2
CNAME link chain length greater than 10 (including infinite cycles)
.IP \(bu 2
DNAME and CNAME records under the same owner (RFC 2672)
.IP \(bu 2
CNAME and DNAME wildcards pointing to themselves
.IP \(bu 2
SOA record missing in the zone (RFC 1034)
.IP \(bu 2
DNAME records having records under it (DNAME children) (RFC 2672)
.UNINDENT
.sp
Extra checks:
.INDENT 0.0
.IP \(bu 2
Missing NS record at the zone apex
.IP \(bu 2
Missing glue A or AAAA records
.IP \(bu 2
Broken or non\-cyclic NSEC(3) chain
.IP \(bu 2
Wrong NSEC(3) type bitmap
.IP \(bu 2
Multiple NSEC records at the same node
.IP \(bu 2
Missing NSEC records at authoritative nodes
.IP \(bu 2
Extra record types under same name as NSEC3 record (this is RFC\-valid, but
Knot will not serve such a zone correctly)
.IP \(bu 2
NSEC3\-unsecured delegation that is not part of Opt\-out span
.IP \(bu 2
Wrong original TTL value in NSEC3 records
.IP \(bu 2
Wrong RDATA TTL value in RRSIG record
.IP \(bu 2
Signer name in RRSIG RR not the same as in DNSKEY
.IP \(bu 2
Signed RRSIG
.IP \(bu 2
Not all RRs in node are signed
.IP \(bu 2
Wrong key flags or wrong key in RRSIG record (not the same as ZSK)
.UNINDENT
.sp
Default: off
.SS disable\-any
.sp
If enabled, all authoritative ANY queries sent over UDP will be answered
with an empty response and with the TC bit set. Use this option to minimize
the risk of a DNS reflection attack.
.sp
Default: off
.SS notify\-timeout
.sp
How long the server will wait for a notify response.
.sp
Default: 60
.SS notify\-retries
.sp
The number of times the server retries sending a notify message.
.sp
Default: 5
.SS zonefile\-sync
.sp
The time after which the current zone in memory will be synced to the zone file
on the disk (see \fI\%file\fP). The server will serve the latest
zone even after a restart using the zone journal, but the zone file on the disk will
only be synced after the \fBzonefile\-sync\fP time has expired (or after a manual zone
flush). This is applicable when the zone is updated via IXFR, DDNS or automatic
DNSSEC signing.
.sp
\fICaution:\fP If you are serving large zones with frequent updates where
the immediate sync to zone file is not desirable, increase the default value.
.sp
Default: 0 (immediate)
.SS ixfr\-from\-differences
.sp
If enabled, the server creates zone differences from changes you made to the
zone file upon server reload. This option is only relevant if the server
is a master server for the zone.
.sp
Default: off
.SS ixfr\-fslimit
.sp
Maximum size of the zone journal file.
.sp
Default: unlimited
.SS dnssec\-enable
.sp
If enabled, automatic DNSSEC signing for the zone is turned on.
.sp
Default: off
.SS dnssec\-keydir
.sp
A data directory for storing DNSSEC signing keys. A non\-absolute path is
relative to \fI\%storage\fP\&.
.sp
Default: \fI\%storage\fP/keys
.SS signature\-lifetime
.sp
How long the automatically generated DNSSEC signatures should be valid.
The expiration will thus be set to the current time (at the moment of signing)
+ \fBsignature\-lifetime\fP\&. The signatures are refreshed one tenth of the
signature lifetime before the signature expiration (i.e. 3 days before the
expiration with the default value). Minimum possible value is 10801.
.sp
Default: 30 * 24 * 3600
.SS serial\-policy
.sp
Specifies how the zone serial is updated after a dynamic update or
automatic DNSSEC signing. If the serial is changed by the dynamic update,
no change is made.
.sp
Possible values:
.INDENT 0.0
.IP \(bu 2
\fBincrement\fP \- The serial is incremented according to serial number arithmetic
.IP \(bu 2
\fBunixtime\fP \- The serial is set to the current unix time
.UNINDENT
.sp
\fICaution:\fP If your serial was in other than unix time format, be careful
with the transition to unix time.  It may happen that the new serial will
be \(aqlower\(aq than the old one. If this is the case, the transition should be
done by hand (see RFC 1982).
.sp
Default: increment
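.sp
The transition described in the caution above, as an added example that is not Knot DNS code: it compares serials with RFC 1982 arithmetic and, when the unix time serial compares lower than the current one, lists the serials to publish in order so that every step is an increase. The function names and the two sample serials (a date\-style serial and a unix time) are constructed for the example.
.sp
.nf
.ft C
```python
MOD = 2 ** 32    # serial numbers are 32-bit
HALF = 2 ** 31   # a single step may add at most HALF - 1


def serial_gt(a, b):
    """True if serial a is greater than b under RFC 1982 arithmetic."""
    return a != b and 0 < (a - b) % MOD < HALF


def transition_path(current, target):
    """Serials to publish, in order, so every step is an RFC 1982 increase.

    A target that compares lower than the current serial cannot be
    reached in one step and needs an intermediate serial.
    """
    path = []
    while current != target:
        step = min((target - current) % MOD, HALF - 1)
        current = (current + step) % MOD
        path.append(current)
    return path


if __name__ == "__main__":
    old = 2015060100   # constructed date-style serial
    new = 1433116800   # constructed unix time serial
    print("new serial is greater:", serial_gt(new, old))
    print("publish in order:", transition_path(old, new))
```
.ft P
.fi
.sp
Each intermediate serial has to be picked up by every secondary before the next one is published.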
.SS module
.sp
An ordered list of references to query modules in the form
\fImodule_name/module_id\fP\&.
.sp
Default: empty
.SH ZONE SECTION
.sp
Definitions of zones served by the server.
.sp
Zone configuration is a superset of \fI\%template configuration\fP,
so each zone configuration can contain all template configuration options which
may override possible template configuration.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
zone:
  \- domain: DNAME
    file: STR
    template: template_id
    # All template options
.ft P
.fi
.UNINDENT
.UNINDENT
.SS domain
.sp
A zone name identifier.
.SS file
.sp
A path to the zone file. A non\-absolute path is relative to
\fI\%storage\fP\&.
.sp
Default: \fI\%storage\fP/\fBdomain\fP\&.zone
.SS template
.sp
A \fI\%reference\fP to a configuration template. If not specified
and the \fIdefault\fP template exists, then the default template is used.
.sp
Default: empty
.SH LOGGING SECTION
.sp
The server can be configured to log to the standard output, standard error
output, syslog (or systemd journal if systemd is enabled) or into an arbitrary
file.
.sp
There are 6 logging severities:
.INDENT 0.0
.IP \(bu 2
\fBcritical\fP \- Non\-recoverable error resulting in server shutdown
.IP \(bu 2
\fBerror\fP \- Recoverable error, action should be taken
.IP \(bu 2
\fBwarning\fP \- Warning that might require user action
.IP \(bu 2
\fBnotice\fP \- Server notice or hint
.IP \(bu 2
\fBinfo\fP \- Informational message
.IP \(bu 2
\fBdebug\fP \- Debug messages (must be turned on at compile time)
.UNINDENT
.sp
If the log section is missing, \fBwarning\fP or more serious messages
will be logged to both standard error output and syslog. The \fBinfo\fP and
\fBnotice\fP messages will be logged to standard output.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
log:
  \- to: stdout | stderr | syslog | STR
    server: critical | error | warning | notice | info | debug
    zone: critical | error | warning | notice | info | debug
    any: critical | error | warning | notice | info | debug
.ft P
.fi
.UNINDENT
.UNINDENT
.SS to
.sp
A logging output.
.sp
Possible values:
.INDENT 0.0
.IP \(bu 2
\fBstdout\fP \- Standard output
.IP \(bu 2
\fBstderr\fP \- Standard error output
.IP \(bu 2
\fBsyslog\fP \- Syslog
.IP \(bu 2
\fIfile_name\fP \- File
.UNINDENT
.SS server
.sp
Minimum severity level for messages related to general operation of the server
that are logged.
.sp
Default: empty
.SS zone
.sp
Minimum severity level for messages related to zones that are logged.
.sp
Default: empty
.SS any
.sp
Minimum severity level for all message types that are logged.
.sp
Default: empty
.SH MODULE DNSTAP
.sp
Module dnstap allows query and response logging.
.sp
To log all queries, use this module in the \fIdefault\fP template. For
zone\-specific logging, use this module in the proper zone configuration.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
mod\-dnstap:
  \- id: STR
    sink: STR
.ft P
.fi
.UNINDENT
.UNINDENT
.SS id
.sp
A module identifier.
.SS sink
.sp
A sink path, which can either be a file or a UNIX socket prefixed with
\fBunix:\fP\&.
.sp
Default: empty
.SH MODULE SYNTH-RECORD
.sp
This module is able to synthesize either forward or reverse records for the
given prefix and subnet.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
mod\-synth\-record:
  \- id: STR
    type: forward | reverse
    prefix: STR
    zone: DNAME
    ttl: INT
    address: ADDR[/INT]
.ft P
.fi
.UNINDENT
.UNINDENT
.SS id
.sp
A module identifier.
.SS type
.sp
The type of generated records.
.sp
Possible values:
.INDENT 0.0
.IP \(bu 2
\fBforward\fP \- Forward records
.IP \(bu 2
\fBreverse\fP \- Reverse records
.UNINDENT
.sp
Default: empty
.SS prefix
.sp
A record owner prefix.
.sp
Caution: \fIprefix\fP doesn\(aqt allow dots; address parts in the synthetic names are
separated with a dash.
.sp
Default: empty
.SS zone
.sp
A zone name suffix (only valid for \fI\%reverse type\fP).
.sp
Default: empty
.SS ttl
.sp
Time to live of the generated records.
.sp
Default: 3600
.SS address
.sp
A network subnet in the form of \fIaddress/prefix\fP\&.
.sp
Default: empty
.SH MODULE DNSPROXY
.sp
The module catches all unsatisfied queries and forwards them to the configured
server for resolution.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
mod\-dnsproxy:
  \- id: STR
    remote: ADDR[@INT]
.ft P
.fi
.UNINDENT
.UNINDENT
.SS id
.sp
A module identifier.
.SS remote
.sp
An IP address of the destination server. Optional port specification
(default is 53) can be appended to the address using \fB@\fP separator.
.sp
Default: empty
.SH MODULE ROSEDB
.sp
The module provides a means to override responses for certain queries before
the record is searched in the available zones.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
mod\-rosedb:
  \- id: STR
    dbdir: STR
.ft P
.fi
.UNINDENT
.UNINDENT
.SS id
.sp
A module identifier.
.SS dbdir
.sp
A path to the directory where the database is stored.
.sp
Default: empty
.SH AUTHOR
CZ.NIC Labs <http://www.knot-dns.cz>
.SH COPYRIGHT
Copyright 2010-2015, CZ.NIC, z.s.p.o.
.\" Generated by docutils manpage writer.
.