|
|
|
|
@ -0,0 +1,327 @@
@@ -0,0 +1,327 @@
|
|
|
|
|
# |
|
|
|
|
# nsd.conf -- the NSD(8) configuration file, nsd.conf(5). |
|
|
|
|
# |
|
|
|
|
# Copyright (c) 2001-2011, NLnet Labs. All rights reserved. |
|
|
|
|
# |
|
|
|
|
# See LICENSE for the license. |
|
|
|
|
# |
|
|
|
|
|
|
|
|
|
# This is a comment. |
|
|
|
|
# Sample configuration file |
|
|
|
|
# include: "file" # include that file's text over here. Globbed, "*.conf" |
|
|
|
|
|
|
|
|
|
# options for the nsd server |
|
|
|
|
server: |
|
|
|
|
# Number of NSD servers to fork. Put the number of CPUs to use here. |
|
|
|
|
# server-count: 1 |
|
|
|
|
|
|
|
|
|
# uncomment to specify specific interfaces to bind (default are the |
|
|
|
|
# wildcard interfaces 0.0.0.0 and ::0). |
|
|
|
|
# For servers with multiple IP addresses, list them one by one, |
|
|
|
|
# or the source address of replies could be wrong. |
|
|
|
|
# Use ip-transparent to be able to list addresses that turn on later. |
|
|
|
|
# ip-address: 1.2.3.4 |
|
|
|
|
# ip-address: 1.2.3.4@5678 |
|
|
|
|
# ip-address: 12fe::8ef0 |
|
|
|
|
|
|
|
|
|
# Allow binding to non local addresses. Default no. |
|
|
|
|
# ip-transparent: no |
|
|
|
|
|
|
|
|
|
# Allow binding to addresses that are down. Default no. |
|
|
|
|
# ip-freebind: no |
|
|
|
|
|
|
|
|
|
# use the reuseport socket option for performance. Default no. |
|
|
|
|
# reuseport: no |
|
|
|
|
|
|
|
|
|
# enable debug mode, does not fork daemon process into the background. |
|
|
|
|
# debug-mode: no |
|
|
|
|
|
|
|
|
|
# use systemd for readiness signalling. |
|
|
|
|
use-systemd: yes |
|
|
|
|
|
|
|
|
|
# listen on IPv4 connections |
|
|
|
|
# do-ip4: yes |
|
|
|
|
|
|
|
|
|
# listen on IPv6 connections |
|
|
|
|
# do-ip6: yes |
|
|
|
|
|
|
|
|
|
# port to answer queries on. default is 53. |
|
|
|
|
# port: 53 |
|
|
|
|
|
|
|
|
|
# Verbosity level. |
|
|
|
|
# verbosity: 0 |
|
|
|
|
|
|
|
|
|
# After binding socket, drop user privileges. |
|
|
|
|
# can be a username, id or id.gid. |
|
|
|
|
# username: nsd |
|
|
|
|
|
|
|
|
|
# Run NSD in a chroot-jail. |
|
|
|
|
# make sure to have pidfile and database reachable from there. |
|
|
|
|
# by default, no chroot-jail is used. |
|
|
|
|
# chroot: "/etc/nsd" |
|
|
|
|
|
|
|
|
|
# The directory for zonefile: files. The daemon chdirs here. |
|
|
|
|
# zonesdir: "/etc/nsd" |
|
|
|
|
|
|
|
|
|
# the list of dynamically added zones. |
|
|
|
|
# zonelistfile: "/var/lib/nsd/zone.list" |
|
|
|
|
|
|
|
|
|
# the database to use |
|
|
|
|
# if set to "" then no disk-database is used, less memory usage. |
|
|
|
|
database: "" |
|
|
|
|
|
|
|
|
|
# log messages to file. Default to stderr and syslog (with |
|
|
|
|
# facility LOG_DAEMON). stderr disappears when daemon goes to bg. |
|
|
|
|
# logfile: "/var/log/nsd.log" |
|
|
|
|
|
|
|
|
|
# File to store pid for nsd in. |
|
|
|
|
# pidfile: "/var/run/nsd/nsd.pid" |
|
|
|
|
|
|
|
|
|
# The file where secondary zone refresh and expire timeouts are kept. |
|
|
|
|
# If you delete this file, all secondary zones are forced to be |
|
|
|
|
# 'refreshing' (as if nsd got a notify). Set to "" to disable. |
|
|
|
|
# xfrdfile: "/var/lib/nsd/ixfr.state" |
|
|
|
|
|
|
|
|
|
# The directory where zone transfers are stored, in a subdir of it. |
|
|
|
|
# xfrdir: "/tmp" |
|
|
|
|
|
|
|
|
|
# don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries |
|
|
|
|
# hide-version: no |
|
|
|
|
|
|
|
|
|
# version string the server responds with for chaos queries. |
|
|
|
|
# default is 'NSD x.y.z' with the server's version number. |
|
|
|
|
# version: "NSD" |
|
|
|
|
|
|
|
|
|
# identify the server (CH TXT ID.SERVER entry). |
|
|
|
|
# identity: "unidentified server" |
|
|
|
|
|
|
|
|
|
# NSID identity (hex string, or "ascii_somestring"). default disabled. |
|
|
|
|
# nsid: "aabbccdd" |
|
|
|
|
|
|
|
|
|
# Maximum number of concurrent TCP connections per server. |
|
|
|
|
# tcp-count: 100 |
|
|
|
|
|
|
|
|
|
# Maximum number of queries served on a single TCP connection. |
|
|
|
|
# By default 0, which means no maximum. |
|
|
|
|
# tcp-query-count: 0 |
|
|
|
|
|
|
|
|
|
# Override the default (120 seconds) TCP timeout. |
|
|
|
|
# tcp-timeout: 120 |
|
|
|
|
|
|
|
|
|
# Maximum segment size (MSS) of TCP socket on which the server |
|
|
|
|
# responds to queries. Default is 0, system default MSS. |
|
|
|
|
# tcp-mss: 0 |
|
|
|
|
|
|
|
|
|
# Maximum segment size (MSS) of TCP socket for outgoing AXFR request. |
|
|
|
|
# Default is 0, system default MSS. |
|
|
|
|
# outgoing-tcp-mss: 0 |
|
|
|
|
|
|
|
|
|
# Preferred EDNS buffer size for IPv4. |
|
|
|
|
# ipv4-edns-size: 4096 |
|
|
|
|
|
|
|
|
|
# Preferred EDNS buffer size for IPv6. |
|
|
|
|
# ipv6-edns-size: 4096 |
|
|
|
|
|
|
|
|
|
# statistics are produced every number of seconds. Prints to log. |
|
|
|
|
# Default is 0, meaning no statistics are produced. |
|
|
|
|
# statistics: 3600 |
|
|
|
|
|
|
|
|
|
# Number of seconds between reloads triggered by xfrd. |
|
|
|
|
# xfrd-reload-timeout: 1 |
|
|
|
|
|
|
|
|
|
# log timestamp in ascii (y-m-d h:m:s.msec), yes is default. |
|
|
|
|
# log-time-ascii: yes |
|
|
|
|
|
|
|
|
|
# round robin rotation of records in the answer. |
|
|
|
|
round-robin: yes |
|
|
|
|
|
|
|
|
|
# minimal-responses only emits extra data for referrals. |
|
|
|
|
minimal-responses: yes |
|
|
|
|
|
|
|
|
|
# refuse queries of type ANY. For stopping floods. |
|
|
|
|
refuse-any: yes |
|
|
|
|
|
|
|
|
|
# check mtime of all zone files on start and sighup |
|
|
|
|
# zonefiles-check: yes |
|
|
|
|
|
|
|
|
|
# write changed zonefiles to disk, every N seconds. |
|
|
|
|
# default is 0(disabled) or 3600(if database is ""). |
|
|
|
|
# zonefiles-write: 3600 |
|
|
|
|
|
|
|
|
|
# RRLconfig |
|
|
|
|
# Response Rate Limiting, size of the hashtable. Default 1000000. |
|
|
|
|
# rrl-size: 1000000 |
|
|
|
|
|
|
|
|
|
# Response Rate Limiting, maximum QPS allowed (from one query source). |
|
|
|
|
# If set to 0, ratelimiting is disabled. Also set |
|
|
|
|
# rrl-whitelist-ratelimit to 0 to disable ratelimit processing. |
|
|
|
|
# Default is on. |
|
|
|
|
# rrl-ratelimit: 200 |
|
|
|
|
|
|
|
|
|
# Response Rate Limiting, number of packets to discard before |
|
|
|
|
# sending a SLIP response (a truncated one, allowing an honest |
|
|
|
|
# resolver to retry with TCP). Default is 2 (one half of the |
|
|
|
|
# queries will receive a SLIP response, 0 disables SLIP (all |
|
|
|
|
# packets are discarded), 1 means every request will get a |
|
|
|
|
# SLIP response. When the ratelimit is hit the traffic is |
|
|
|
|
# divided by the rrl-slip value. |
|
|
|
|
# rrl-slip: 2 |
|
|
|
|
|
|
|
|
|
# Response Rate Limiting, IPv4 prefix length. Addresses are |
|
|
|
|
# grouped by netblock. |
|
|
|
|
# rrl-ipv4-prefix-length: 24 |
|
|
|
|
|
|
|
|
|
# Response Rate Limiting, IPv6 prefix length. Addresses are |
|
|
|
|
# grouped by netblock. |
|
|
|
|
# rrl-ipv6-prefix-length: 64 |
|
|
|
|
|
|
|
|
|
# Response Rate Limiting, maximum QPS allowed (from one query source) |
|
|
|
|
# for whitelisted types. Default is on. |
|
|
|
|
# rrl-whitelist-ratelimit: 2000 |
|
|
|
|
# RRLend |
|
|
|
|
|
|
|
|
|
# Optional local server config |
|
|
|
|
include: "/etc/nsd/server.d/*.conf" |
|
|
|
|
|
|
|
|
|
# Include optional local configs. |
|
|
|
|
include: "/etc/nsd/conf.d/*.conf" |
|
|
|
|
|
|
|
|
|
# Remote control config section. |
|
|
|
|
remote-control: |
|
|
|
|
# Enable remote control with nsd-control(8) here. |
|
|
|
|
# set up the keys and certificates with nsd-control-setup. |
|
|
|
|
control-enable: yes |
|
|
|
|
|
|
|
|
|
# what interfaces are listened to for control, default is on localhost. |
|
|
|
|
# control-interface: 127.0.0.1 |
|
|
|
|
# control-interface: ::1 |
|
|
|
|
control-interface: /run/nsd/nsd.ctl |
|
|
|
|
|
|
|
|
|
# port number for remote control operations (uses TLS over TCP). |
|
|
|
|
# control-port: 8952 |
|
|
|
|
|
|
|
|
|
# nsd server key file for remote control. |
|
|
|
|
# server-key-file: "/etc/nsd/nsd_server.key" |
|
|
|
|
|
|
|
|
|
# nsd server certificate file for remote control. |
|
|
|
|
# server-cert-file: "/etc/nsd/nsd_server.pem" |
|
|
|
|
|
|
|
|
|
# nsd-control key file. |
|
|
|
|
# control-key-file: "/etc/nsd/nsd_control.key" |
|
|
|
|
|
|
|
|
|
# nsd-control certificate file. |
|
|
|
|
# control-cert-file: "/etc/nsd/nsd_control.pem" |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Secret keys for TSIGs that secure zone transfers. |
|
|
|
|
# You could include: "secret.keys" and put the 'key:' statements in there, |
|
|
|
|
# and give that file special access control permissions. |
|
|
|
|
# |
|
|
|
|
# key: |
|
|
|
|
# The key name is sent to the other party, it must be the same |
|
|
|
|
#name: "keyname" |
|
|
|
|
# algorithm hmac-md5, or sha1, sha256, sha224, sha384, sha512 |
|
|
|
|
#algorithm: sha256 |
|
|
|
|
# secret material, must be the same as the other party uses. |
|
|
|
|
# base64 encoded random number. |
|
|
|
|
# e.g. from dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64 |
|
|
|
|
#secret: "K2tf3TRjvQkVCmJF3/Z9vA==" |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Patterns have zone configuration and they are shared by one or more zones. |
|
|
|
|
# |
|
|
|
|
# pattern: |
|
|
|
|
# name by which the pattern is referred to |
|
|
|
|
#name: "myzones" |
|
|
|
|
# the zonefile for the zones that use this pattern. |
|
|
|
|
# if relative then from the zonesdir (inside the chroot). |
|
|
|
|
# the name is processed: %s - zone name (as appears in zone:name). |
|
|
|
|
# %1 - first character of zone name, %2 second, %3 third. |
|
|
|
|
# %z - topleveldomain label of zone, %y, %x next labels in name. |
|
|
|
|
# if label or character does not exist you get a dot '.'. |
|
|
|
|
# for example "%s.zone" or "zones/%1/%2/%3/%s" or "secondary/%z/%s" |
|
|
|
|
#zonefile: "%s.zone" |
|
|
|
|
|
|
|
|
|
# If no master and slave access control elements are provided, |
|
|
|
|
# this zone will not be served to/from other servers. |
|
|
|
|
|
|
|
|
|
# A master zone needs notify: and provide-xfr: lists. A slave |
|
|
|
|
# may also allow zone transfer (for debug or other secondaries). |
|
|
|
|
# notify these slaves when the master zone changes, address TSIG|NOKEY |
|
|
|
|
# IP can be ipv4 and ipv6, with @port for a nondefault port number. |
|
|
|
|
#notify: 192.0.2.1 NOKEY |
|
|
|
|
# allow these IPs and TSIG to transfer zones, addr TSIG|NOKEY|BLOCKED |
|
|
|
|
# address range 192.0.2.0/24, 1.2.3.4&255.255.0.0, 3.0.2.20-3.0.2.40 |
|
|
|
|
#provide-xfr: 192.0.2.0/24 my_tsig_key_name |
|
|
|
|
# set the number of retries for notify. |
|
|
|
|
#notify-retry: 5 |
|
|
|
|
|
|
|
|
|
# uncomment to provide AXFR to all the world |
|
|
|
|
# provide-xfr: 0.0.0.0/0 NOKEY |
|
|
|
|
# provide-xfr: ::0/0 NOKEY |
|
|
|
|
|
|
|
|
|
# A slave zone needs allow-notify: and request-xfr: lists. |
|
|
|
|
#allow-notify: 2001:db8::0/64 my_tsig_key_name |
|
|
|
|
# By default, a slave will request a zone transfer with IXFR/TCP. |
|
|
|
|
# If you want to make use of IXFR/UDP use: UDP addr tsigkey |
|
|
|
|
# for a master that only speaks AXFR (like NSD) use AXFR addr tsigkey |
|
|
|
|
#request-xfr: 192.0.2.2 the_tsig_key_name |
|
|
|
|
# Attention: You cannot use UDP and AXFR together. AXFR is always over |
|
|
|
|
# TCP. If you use UDP, we higly recommend you to deploy TSIG. |
|
|
|
|
# Allow AXFR fallback if the master does not support IXFR. Default |
|
|
|
|
# is yes. |
|
|
|
|
#allow-axfr-fallback: yes |
|
|
|
|
# set local interface for sending zone transfer requests. |
|
|
|
|
# default is let the OS choose. |
|
|
|
|
#outgoing-interface: 10.0.0.10 |
|
|
|
|
# limit the refresh and retry interval in seconds. |
|
|
|
|
#max-refresh-time: 2419200 |
|
|
|
|
#min-refresh-time: 0 |
|
|
|
|
#max-retry-time: 1209600 |
|
|
|
|
#min-retry-time: 0 |
|
|
|
|
|
|
|
|
|
# Slave server tries zone transfer to all masters and picks highest |
|
|
|
|
# zone version available, for when masters have different versions. |
|
|
|
|
#multi-master-check: no |
|
|
|
|
|
|
|
|
|
# limit the zone transfer size (in bytes), stops very large transfers |
|
|
|
|
# 0 is no limits enforced. |
|
|
|
|
# size-limit-xfr: 0 |
|
|
|
|
|
|
|
|
|
# if compiled with --enable-zone-stats, give name of stat block for |
|
|
|
|
# this zone (or group of zones). Output from nsd-control stats. |
|
|
|
|
# zonestats: "%s" |
|
|
|
|
|
|
|
|
|
# if you give another pattern name here, at this point the settings |
|
|
|
|
# from that pattern are inserted into this one (as if it were a |
|
|
|
|
# macro). The statement can be given in between other statements, |
|
|
|
|
# because the order of access control elements can make a difference |
|
|
|
|
# (which master to request from first, which slave to notify first). |
|
|
|
|
#include-pattern: "common-masters" |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Fixed zone entries. Here you can config zones that cannot be deleted. |
|
|
|
|
# Zones that are dynamically added and deleted are put in the zonelist file. |
|
|
|
|
# |
|
|
|
|
# zone: |
|
|
|
|
# name: "example.com" |
|
|
|
|
# you can give a pattern here, all the settings from that pattern |
|
|
|
|
# are then inserted at this point |
|
|
|
|
# include-pattern: "master" |
|
|
|
|
# You can also specify (additional) options directly for this zone. |
|
|
|
|
# zonefile: "example.com.zone" |
|
|
|
|
# request-xfr: 192.0.2.1 example.com.key |
|
|
|
|
|
|
|
|
|
# RRLconfig |
|
|
|
|
# Response Rate Limiting, whitelist types |
|
|
|
|
# rrl-whitelist: nxdomain |
|
|
|
|
# rrl-whitelist: error |
|
|
|
|
# rrl-whitelist: referral |
|
|
|
|
# rrl-whitelist: any |
|
|
|
|
# rrl-whitelist: rrsig |
|
|
|
|
# rrl-whitelist: wildcard |
|
|
|
|
# rrl-whitelist: nodata |
|
|
|
|
# rrl-whitelist: dnskey |
|
|
|
|
# rrl-whitelist: positive |
|
|
|
|
# rrl-whitelist: all |
|
|
|
|
# RRLend |
webbuilder_pel7ppc64bebuilder0
5 years ago