KNOT.CONF(5) | Knot DNS | KNOT.CONF(5) |
knot.conf - Knot DNS configuration file
Configuration files for Knot DNS use simplified YAML format. Simplified means that not all of the features are supported.
For the description of configuration items, we have to declare a meaning of the following symbols:
There are 12 main sections (module, server, control, log, statistics, keystore, policy, key, acl, remote, template, and zone) and module sections with the mod- prefix. Most of the sections (excluding server, control, and statistics) are sequences of settings blocks. Each settings block begins with a unique identifier, which can be used as a reference from other sections (such identifier must be defined in advance).
A multi-valued item can be specified either as a YAML sequence:
address: [10.0.0.1, 10.0.0.2]
or as more single-valued items each on an extra line:
address: 10.0.0.1 address: 10.0.0.2
If an item value contains spaces or other special characters, it is necessary to enclose such value within double quotes " ".
A comment begins with a # character and is ignored during processing. Also each configuration section or sequence block allows a permanent comment using the comment item which is stored in the server beside the configuration.
Another configuration file or files, matching a pattern, can be included at the top level in the current file. If the path is not absolute, then it is considered to be relative to the current file. The pattern can be an arbitrary string meeting POSIX glob requirements, e.g. dir/*.conf. Matching files are processed in sorted order.
include: STR
Dynamic modules loading configuration.
NOTE:
module:
- id: STR
file: STR
A module identifier in the form of the mod- prefix and module name suffix.
A path to a shared library file with the module implementation.
Default: ${libdir}/knot/modules-${version}/module_name.so (or ${path}/module_name.so if configured with --with-moduledir=path)
WARNING:
General options related to the server.
server:
identity: [STR]
version: [STR]
nsid: [STR|HEXSTR]
rundir: STR
user: STR[:STR]
pidfile: STR
udp-workers: INT
tcp-workers: INT
background-workers: INT
async-start: BOOL
tcp-handshake-timeout: TIME
tcp-idle-timeout: TIME
tcp-reply-timeout: TIME
max-tcp-clients: INT
max-udp-payload: SIZE
max-ipv4-udp-payload: SIZE
max-ipv6-udp-payload: SIZE
edns-client-subnet: BOOL
answer-rotation: BOOL
listen: ADDR[@INT] ...
An identity of the server returned in the response to the query for TXT record id.server. or hostname.bind. in the CHAOS class (RFC 4892). Set empty value to disable.
Default: FQDN hostname
A version of the server software returned in the response to the query for TXT record version.server. or version.bind. in the CHAOS class (RFC 4892). Set empty value to disable.
Default: server version
A DNS name server identifier (RFC 5001). Set empty value to disable.
Default: FQDN hostname
A path for storing run-time data (PID file, unix sockets, etc.).
Default: ${localstatedir}/run/knot (configured with --with-rundir=path)
A system user with an optional system group (user:group) under which the server is run after starting and binding to interfaces. Linux capabilities are employed if supported.
Default: root:root
A PID file location.
Default: rundir/knot.pid
A number of UDP workers (threads) used to process incoming queries over UDP.
Default: auto-estimated optimal value based on the number of online CPUs
A number of TCP workers (threads) used to process incoming queries over TCP.
Default: auto-estimated optimal value based on the number of online CPUs
A number of workers (threads) used to execute background operations (zone loading, zone updates, etc.).
Default: auto-estimated optimal value based on the number of online CPUs
If enabled, server doesn't wait for the zones to be loaded and starts responding immediately with SERVFAIL answers until the zone loads.
Default: off
Maximum time between newly accepted TCP connection and the first query. This is useful to disconnect inactive connections faster than connections that already made at least 1 meaningful query.
Default: 5
Maximum idle time between requests on a TCP connection. This also limits receiving of a single query, each query must be received in this time limit.
Default: 20
Maximum time to wait for an outgoing connection or for a reply to an issued request (SOA, NOTIFY, AXFR...).
Default: 10
A maximum number of TCP clients connected in parallel, set this below the file descriptor limit to avoid resource exhaustion.
Default: 100
Maximum EDNS0 UDP payload size default for both IPv4 and IPv6.
Default: 4096
Maximum EDNS0 UDP payload size for IPv4.
Default: 4096
Maximum EDNS0 UDP payload size for IPv6.
Default: 4096
Enable or disable EDNS Client Subnet support. If enabled, responses to queries containing the EDNS Client Subnet option always contain a valid EDNS Client Subnet option according to RFC 7871.
Default: off
Enable or disable sorted-rrset rotation in the answer section of normal replies. The rotation shift is simply determined by a query ID.
Default: off
One or more IP addresses where the server listens for incoming queries. Optional port specification (default is 53) can be appended to each address using @ separator. Use 0.0.0.0 for all configured IPv4 addresses or :: for all configured IPv6 addresses.
Default: not set
Shared TSIG keys used to authenticate communication with the server.
key:
- id: DNAME
algorithm: hmac-md5 | hmac-sha1 | hmac-sha224 | hmac-sha256 | hmac-sha384 | hmac-sha512
secret: BASE64
A key name identifier.
NOTE:
A TSIG key algorithm. See TSIG Algorithm Numbers.
Possible values:
Default: not set
Shared key secret.
Default: not set
Access control list rule definitions. The ACLs are used to match incoming connections to allow or deny requested operation (zone transfer request, DDNS update, etc.).
acl:
- id: STR
address: ADDR[/INT] | ADDR-ADDR ...
key: key_id ...
action: notify | transfer | update ...
deny: BOOL
An ACL rule identifier.
An ordered list of IP addresses, network subnets, or network ranges. The query must match one of them. Empty value means that address match is not required.
Default: not set
An ordered list of references to TSIG keys. The query must match one of them. Empty value means that transaction authentication is not used.
Default: not set
An ordered list of allowed (or denied) actions.
Possible values:
Default: not set
If enabled, instead of allowing, deny the specified action, address, key, or combination if these items. If no action is specified, deny all actions.
Default: off
Configuration of the server control interface.
control:
listen: STR
timeout: TIME
A UNIX socket path where the server listens for control commands.
Default: rundir/knot.sock
Maximum time the control socket operations can take. Set 0 for infinity.
Default: 5
Periodic server statistics dumping.
statistics:
timer: TIME
file: STR
append: BOOL
A period after which all available statistics metrics will by written to the file.
Default: not set
A file path of statistics output in the YAML format.
Default: rundir/stats.yaml
If enabled, the output will be appended to the file instead of file replacement.
Default: off
DNSSEC keystore configuration.
keystore:
- id: STR
backend: pem | pkcs11
config: STR
A keystore identifier.
A key storage backend type.
Possible values:
Default: pem
A backend specific configuration. A directory with PEM files (the path can be specified as a relative path to kasp-db) or a configuration string for PKCS #11 storage (<pkcs11-url> <module-path>).
NOTE:
"pkcs11:token=knot;pin-value=1234 /usr/lib64/pkcs11/libsofthsm2.so"
Default: kasp-db/keys
Parameters of KSK submission checks.
submission:
- id: STR
parent: remote_id ...
check-interval: TIME
timeout: TIME
A submission identifier.
A list of references to parent's DNS servers to be checked for presence of corresponding DS records in the case of KSK submission. All of them must have a corresponding DS for the rollover to continue. If none is specified, the rollover must be pushed forward manually.
Default: not set
TIP:
Interval for periodic checks of DS presence on parent's DNS servers, in the case of the KSK submission.
Default: 1 hour
After this period, the KSK submission is automatically considered successful, even if all the checks were negative or no parents are configured. Set 0 for infinity.
Default: 0
DNSSEC policy configuration.
policy:
- id: STR
keystore: STR
manual: BOOL
single-type-signing: BOOL
algorithm: rsasha1 | rsasha1-nsec3-sha1 | rsasha256 | rsasha512 | ecdsap256sha256 | ecdsap384sha384 | ed25519
ksk-size: SIZE
zsk-size: SIZE
ksk-shared: BOOL
dnskey-ttl: TIME
zsk-lifetime: TIME
ksk-lifetime: TIME
propagation-delay: TIME
rrsig-lifetime: TIME
rrsig-refresh: TIME
nsec3: BOOL
nsec3-iterations: INT
nsec3-opt-out: BOOL
nsec3-salt-length: INT
nsec3-salt-lifetime: TIME
ksk-submission: submission_id
cds-cdnskey-publish: none | delete-dnssec | rollover | always
A policy identifier.
A reference to a keystore holding private key material for zones. A special default value can be used for the default keystore settings.
Default: default
If enabled, automatic key management is not used.
Default: off
If enabled, Single-Type Signing Scheme is used in the automatic key management mode.
Default: off
An algorithm of signing keys and issued signatures. See DNSSEC Algorithm Numbers.
Possible values:
Default: ecdsap256sha256
NOTE:
A length of newly generated KSK or CSK keys.
Default: 2048 (rsa*), 256 (ecdsap256), 384 (ecdsap384), 256 (ed25519)
A length of newly generated ZSK keys.
Default: see default for ksk-size
If enabled, all zones with this policy assigned will share one KSK.
Default: off
A TTL value for DNSKEY records added into zone apex.
Default: zone SOA TTL
NOTE:
A period between ZSK publication and the next rollover initiation.
Default: 30 days
NOTE:
Zero (aka infinity) value causes no ZSK rollover as a result.
A period between KSK publication and the next rollover initiation.
Default: 0
NOTE:
Zero (aka infinity) value causes no KSK rollover as a result.
This applies for CSK lifetime if single-type-signing is enabled.
An extra delay added for each key rollover step. This value should be high enough to cover propagation of data from the master server to all slaves.
Default: 1 hour
NOTE:
A validity period of newly issued signatures.
Default: 14 days
A period how long before a signature expiration the signature will be refreshed.
Default: 7 days
Specifies if NSEC3 will be used instead of NSEC.
Default: off
A number of additional times the hashing is performed.
Default: 5
If set, NSEC3 records won't be created for insecure delegations. This speeds up the zone signing and reduces overall zone size.
WARNING:
Default: off
A length of a salt field in octets, which is appended to the original owner name before hashing.
Default: 8
A validity period of newly issued salt field.
Default: 30 days
A reference to submission section holding parameters of KSK submittion checks.
Default: not set
Controls if and how shall the CDS and CDNSKEY be published in the zone.
NOTE:
Possible values:
Default: always
Definitions of remote servers for outgoing connections (source of a zone transfer, target for a notification, etc.).
remote:
- id: STR
address: ADDR[@INT] ...
via: ADDR[@INT] ...
key: key_id
A remote identifier.
An ordered list of destination IP addresses which are used for communication with the remote server. The addresses are tried in sequence unless the operation is successful. Optional destination port (default is 53) can be appended to the address using @ separator.
Default: not set
An ordered list of source IP addresses. The first address with the same family as the destination address is used. Optional source port (default is random) can be appended to the address using @ separator.
Default: not set
A reference to the TSIG key which is used to authenticate the communication with the remote server.
Default: not set
A template is a shareable zone setting which can be used for configuration of many zones in one place. A special default template (with the default identifier) can be used for global querying configuration or as an implicit configuration if a zone doesn't have another template specified.
template:
- id: STR
timer-db: STR
max-timer-db-size: SIZE
journal-db: STR
journal-db-mode: robust | asynchronous
max-journal-db-size: SIZE
kasp-db: STR
max-kasp-db-size: SIZE
global-module: STR/STR ...
# All zone options (excluding 'template' item)
A template identifier.
Specifies a path of the persistent timer database. The path can be specified as a relative path to the default template storage.
NOTE:
Default: storage/timers
Hard limit for the timer database maximum size.
NOTE:
Default: 100 MiB
Specifies a path of the persistent journal database. The path can be specified as a relative path to the default template storage.
NOTE:
Default: storage/journal
Specifies journal LMDB backend configuration, which influences performance and durability.
Possible values:
NOTE:
Default: robust
Hard limit for the common journal DB. There is no cleanup logic in journal to recover from reaching this limit: journal simply starts refusing changes across all zones. Decreasing this value has no effect if lower than actual DB file size.
It is recommended to limit max-journal-usage per-zone instead of max-journal-size in most cases. Please keep this value larger than the sum of all zones' journal usage limits. See more details regarding journal behaviour.
This value also influences server's usage of virtual memory.
NOTE:
Default: 20 GiB (1 GiB for 32-bit)
A KASP database path. Non-absolute path is relative to storage.
Default: storage/keys
NOTE:
Hard limit for the KASP database maximum size.
NOTE:
Default: 500 MiB
An ordered list of references to query modules in the form of module_name or module_name/module_id. These modules apply to all queries.
NOTE:
Default: not set
Definition of zones served by the server.
zone:
- domain: DNAME
template: template_id
storage: STR
file: STR
master: remote_id ...
ddns-master: remote_id
notify: remote_id ...
acl: acl_id ...
semantic-checks: BOOL
disable-any: BOOL
zonefile-sync: TIME
zonefile-load: none | difference | difference-no-serial | whole
journal-content: none | changes | all
max-journal-usage: SIZE
max-journal-depth: INT
max-zone-size : SIZE
dnssec-signing: BOOL
dnssec-policy: STR
request-edns-option: INT:[HEXSTR]
serial-policy: increment | unixtime | dateserial
min-refresh-interval: TIME
max-refresh-interval: TIME
module: STR/STR ...
A zone name identifier.
A reference to a configuration template.
Default: not set or default (if the template exists)
A data directory for storing zone files, journal database, and timers database.
Default: ${localstatedir}/lib/knot (configured with --with-storage=path)
A path to the zone file. Non-absolute path is relative to storage. It is also possible to use the following formatters:
WARNING:
Default: storage/%s.zone
An ordered list of references to zone master servers.
Default: not set
A reference to zone primary master server. If not specified, the first master server is used.
Default: not set
An ordered list of references to remotes to which notify message is sent if the zone changes.
Default: not set
An ordered list of references to ACL rules which can allow or disallow zone transfers, updates or incoming notifies.
Default: not set
If enabled, extra zone semantic checks are turned on.
Several checks are enabled by default and cannot be turned off. An error in mandatory checks causes zone not to be loaded. An error in extra checks is logged only.
Mandatory checks:
Extra checks:
Default: off
If enabled, all authoritative ANY queries sent over UDP will be answered with an empty response and with the TC bit set. Use this option to minimize the risk of DNS reflection attack.
Default: off
The time after which the current zone in memory will be synced with a zone file on the disk (see file). The server will serve the latest zone even after a restart using zone journal, but the zone file on the disk will only be synced after zonefile-sync time has expired (or after manual zone flush). This is applicable when the zone is updated via IXFR, DDNS or automatic DNSSEC signing. In order to completely disable automatic zone file synchronization, set the value to -1. In that case, it is still possible to force a manual zone flush using the -f option.
NOTE:
Default: 0 (immediate)
Selects how the zone file contents are applied during zone load.
Possible values:
When difference is configured and there are no zone contents yet (cold start of Knot and no zone contents in journal), it behaves the same way like whole.
Default: whole
Selects how the journal shall be used to store zone and its changes.
Possible values:
Default: changes
Policy how much space in journal DB will the zone's journal occupy.
Default: 100 MiB
NOTE:
Maximum history length of journal.
Minimum: 2
Default: 2^64
Maximum size of the zone. The size is measured as size of the zone records in wire format without compression. The limit is enforced for incoming zone transfers and dynamic updates.
For incremental transfers (IXFR), the effective limit for the total size of the records in the transfer is twice the configured value. However the final size of the zone must satisfy the configured value.
Default: 2^64
If enabled, automatic DNSSEC signing for the zone is turned on.
Default: off
A reference to DNSSEC signing policy. A special default value can be used for the default policy settings.
Required
An arbitrary EDNS0 option which is included into a server request (AXFR, IXFR, SOA, or NOTIFY). The value is in the option_code:option_data format.
Default: not set
Specifies how the zone serial is updated after a dynamic update or automatic DNSSEC signing. If the serial is changed by the dynamic update, no change is made.
Possible values:
NOTE:
Use dateserial only if you expect less than 100 updates per day per zone.
Default: increment
Forced minimum zone refresh interval to avoid flooding master.
Default: 2
Forced maximum zone refresh interval.
Default: not set
An ordered list of references to query modules in the form of module_name or module_name/module_id. These modules apply only to the current zone queries.
Default: not set
Server can be configured to log to the standard output, standard error output, syslog (or systemd journal if systemd is enabled) or into an arbitrary file.
There are 6 logging severity levels:
In the case of missing log section, warning or more serious messages will be logged to both standard error output and syslog. The info and notice messages will be logged to standard output.
log:
- target: stdout | stderr | syslog | STR
server: critical | error | warning | notice | info | debug
control: critical | error | warning | notice | info | debug
zone: critical | error | warning | notice | info | debug
any: critical | error | warning | notice | info | debug
A logging output.
Possible values:
Minimum severity level for messages related to general operation of the server that are logged.
Default: not set
Minimum severity level for messages related to server control that are logged.
Default: not set
Minimum severity level for messages related to zones that are logged.
Default: not set
Minimum severity level for all message types that are logged.
Default: not set
CZ.NIC Labs <https://www.knot-dns.cz>
Copyright 2010–2019, CZ.NIC, z.s.p.o.
2019-01-23 | 2.7.6 |