knot.conf (5) Linux Manual Page
knot.conf – Configuration file manual for Knot DNS server.
Synopsis
knot.conf
Description
knot.conf is an overview of all config options for knotc and knotd.
Example
#
#There are 8 main sections of this config file:
#system, interfaces, keys, remotes, groups, zones, control and log
#
#This is a comment.
#Section 'system' contains general options for the server
system
{
#Identity of the server(see RFC 4892).
#Used for answer to CH TXT 'id.server' or 'hostname.bind'
#Use string format "text"
#Or on | off.When 'on', FQDN hostname will be used as default.
identity off;
#Version of the server(see RFC 4892).
#Used for answer to CH TXT 'version.server' or 'version.bind'
#Use string format "text"
#Or on | off.When 'on', current server version will be used as default.
version off;
#Server identifier
#Use string format "text"
#Or hexstring 0x01ab00
#Or on | off.When 'on', FQDN hostname will be used as default.
nsid off;
#Directory for storing run - time data
#e.g.PID file and control sockets
#default : ${localstatedir } / run / knot, configured with-- with - rundir
rundir "/var/run/knot";
#Number of workers per interface
#This option is used to force number of threads used per interface
#Default : unset(auto - estimates optimal value from the number of online CPUs)
#workers 3;
#Number of background workers
#This option is used to set number of threads used to execute background
#operations(e.g., zone loading, zone signing, XFR zone updates, ...)
#Default : unset(auto - estimates optimal value from the number of online CPUs)
#background - workers 4;
#Start server asynchronously
#When asynchronous startup is enabled, server doesn't wait for the zones to be loaded, and
#starts responding immediately lame answers until the zone loads.This may be useful in
#some scenarios, but it is disabled by default.
#Default : disabled(wait for zones to be loaded before answering)
asynchronous - start off;
#User for running server
#May also specify user.group(e.g.knot.users)
#user knot.users;
#Maximum idle time between requests on a TCP connection
#It is also possible to suffix with unit size[s / m / h / d]
#f.e.1s = 1 second, 1m = 1 minute, 1h = 1 hour, 1d = 1 day
#Default : 20s
max - conn - idle 20s;
#Maximum time between newly accepted TCP connection and first query
#This is useful to disconnect inactive connections faster
#It is also possible to suffix with unit size[s / m / h / d]
#f.e.1s = 1 second, 1m = 1 minute, 1h = 1 hour, 1d = 1 day
#Default : 5s
max - conn - handshake 5s;
#Maximum time to wait for a reply to SOA query
#It is also possible to suffix with unit size[s / m / h / d]
#f.e.1s = 1 second, 1m = 1 minute, 1h = 1 hour, 1d = 1 day
#Default : 10s
max - conn - reply 10s;
#Number of parallel TCP clients
#Set this below the descriptor limit to avoid resource exhaustion
#Default : 100
max - tcp - clients 100;
#Number of parallel transfers
#This number also includes pending SOA queries
#Minimal value is number of CPUs
#Default : 10
transfers 10;
#Rate limit
#in queries / second
#Default : off(= 0)
rate - limit 0;
#Rate limit bucket size
#Number of hashtable buckets, set to reasonable value as default.
#We chose a reasonably large prime number as it's used for hashtable size,
#it is recommended to do so as well due to better distribution.
#Rule of thumb is to set it to about 1.2 * (maximum_qps)
#Memory cost is approx.32B per bucket
#Default : 393241
rate - limit - size 393241;
#Rate limit SLIP
#Each Nth blocked response will be sent as truncated, this is a way to allow
#legitimate requests to get a chance to reconnect using TCP
#Default : 1
rate - limit - slip 1;
#Maximum EDNS0 UDP payload size
#Default value : 4096
max - udp - payload 4096;
}
#Includes can be placed anywhere at any level in the configuration file.The
#file name can be relative to current file or absolute.
#
#This include includes keys which are commented out in next section.
include "knot.keys.conf";
#Section 'keys' contains list of TSIG keys
#keys {
#
# #TSIG key
# #
# #format : name key - type "<key>";
# #where key - type may be one of the following:
# #hmac - md5
# #hmac - sha1
# #hmac - sha224
# #hmac - sha256
# #hmac - sha384
# #hmac - sha512
# #and <key> is the private key
#key0.server0 hmac - md5 "Wg==";
#
# #TSIG key for zone
#key0.example.com hmac - md5 "==gW";
#}
#Section 'interfaces' contains definitions of listening interfaces.
interfaces
{
#Interface entry
#
#Format 1 : < name> { address < address>;[port < port>;] }
ipv4
{
# <name> is an arbitrary symbolic name address 127.0.0.1;
# <address> may be ither IPv4 or IPv6 address port 53531;
#port is required for XFR / IN and NOTIFY / OUT
}
#Format 2 : < name> { address < address> @ < port>; }
#shortipv4 {
#address 127.0.0.1 [at] 53532;
#}
#Format 1(IPv6 interface)
#ipv6 {
#address ::1 @53533;
#}
#Format 2(IPv6 interface)
#ipv6b {
#address[::1] @53534;
#}
}
#Section 'remotes' contains symbolic names for remote servers.
#Syntax for 'remotes' is the same as for 'interfaces'.
remotes
{
#Remote entry
#
#Format 1 : < name> { address < address>;[port < port>;] }
server0
{
# <name> is an arbitrary symbolic name address 127.0.0.1;
# <address> may be ither IPv4 or IPv6 address port 53531;
#port is optional(default : 53)
key key0.server0;
#(optional) specification of TSIG key associated for this remote via ipv4;
#(optional) source interface for queries via 82.35.64.59;
#(optional) source interface for queries, direct IPv4 via[::cafe];
#(optional) source interface for queries, direct IPv6
}
#Format 2 : < name> { address < address> @ < port>; }
server1
{
address 127.0.0.1 [at] 53001;
}
admin - alice
{
address 192.168.100.1;
}
admin - bob
{
address 192.168.100.2;
}
}
groups
{
admins
{
admin - alice, admin - bob
}
}
#Section 'control' specifies on which interface to listen for RC commands
control
{
#Default : $(run_dir) / knot.sock
listen - on "knot.sock";
#As an alternative, you can use an IPv4 / v6 address and port
#Same syntax as for 'interfaces' items
#listen - on { address 127.0.0.1 [at] 5533; }
#Specifies ACL list for remote control
#Same syntax as for ACLs in zones
#List of remotes or groups delimited by comma
#Notice : keep in mind that ACLs bear no effect with UNIX sockets
#allow server0, admins;
}
#Section 'zones' contains information about zones to be served.
zones
{
#Shared options for all listed zones
#
#This is a default directory to place slave zone files, journals etc.
#default : ${localstatedir } / lib / knot, configured with-- with - storage
storage "/var/lib/knot";
#Location of persistent zone timers.The path can be specified as
#a relative path to the global storage directory.
timer - db "timers";
#Build differences from zone file changes.EXPERIMENTAL feature.
#Possible values : on | off
#Default value : off
ixfr - from - differences off;
#Enable semantic checks for all zones(if 'on')
#Possible values : on | off
#Default value : off
semantic - checks off;
#Disable ANY type queries for authoritative answers(if 'on')
#Possible values : on | off
#Default value : off
disable - any off;
#NOTIFY response timeout
#Possible values : < 1, ...>(seconds)
#Default value : 60
notify - timeout 60;
#Number of retries for NOTIFY
#Possible values : < 1, ...>
#Default value : 5
notify - retries 5;
#Timeout for syncing changes from zone database to zonefile
#Possible values : < 1..INT_MAX>(seconds)
#Default value : 0s - immediate sync
#It is also possible to suffix with unit size[s / m / h / d]
#f.e.1s = 1 day, 1m = 1 minute, 1h = 1 hour, 1d = 1 day
#Warning : If serving a large zone, set this to a larger value
#to keep disk load down.
zonefile - sync 1h;
#File size limit for IXFR journal
#Possible values : < 1..INT_MAX>
#Default value : N / A(infinite)
#It is also possible to suffix with unit size[k / M / G]
#f.e.1k, 100M, 2G
ixfr - fslimit 1G;
#Enable DNSSEC online signing(EXPERIMENTAL)
#Possible values : on | off;
#Default value : off
#dnssec - enable off;
#Location of DNSSEC signing keys(relative to storage dir).
#Default value : not set
#dnssec - keydir "keys";
#Validity period for DNSSEC signatures
#Possible values : < 10801..INT_MAX>(seconds)
#Default value : 30d(30 days or 2592000 seconds)
#It is also possible to suffix with unit size[s / m / h / d]
#f.e.1s = 1 day, 1m = 1 minute, 1h = 1 hour, 1d = 1 day
#The signatures are refreshed one tenth of the signature lifetime before
#the signature expiration(i.e., 3 days before by default)
#signature - lifetime 30d;
#Serial policy after DDNS and automatic DNSSEC signing.
#Possible values : increment | unixtime
#Default value : increment
#serial - policy increment;
#Query modules are dynamically loaded modules that can alter query plan processing
#Configuration is always module - specific, but passed as a simple string here
#Query modules listed here are effective for all queries(even those without assigned zone)
query_module
{
module_name "configuration string";
}
#Zone entry
#
#Format : < zone - name> { file "<path-to-zone-file>"; }
example.com
{
# <zone - name> is the DNS name of the zone(zone root)
#Zone specific storage directory(relative to storage in zones section).
#default : inherited from zones section
storage "example.com";
# <path - to - zone - file> may be either absolute or relative, in which case
#it is considered relative to the current directory from which the server
#was started.
file "samples/example.com.zone";
#Build differences from zone file changes
#Possible values : on | off
#Default value : off
ixfr - from - differences off;
#Disable ANY type queries for authoritative answers(if 'on')
#Possible values : on | off
#Default value : off
disable - any off;
#Enable zone semantic checks
#Possible values : on | off
#Default value : off
semantic - checks on;
#NOTIFY response timeout(specific for current zone)
#Possible values : < 1, ...>(seconds)
#Default value : 60
notify - timeout 60;
#Number of retries for NOTIFY(specific for current zone)
#Possible values : < 1, ...>
#Default value : 5
notify - retries 5;
#Timeout for syncing changes from zone database to zonefile
#Possible values : < 1..INT_MAX>(seconds)
#Default value : inherited from zones.zonefile - sync
#It is also possible to suffix with unit size[s / m / h / d]
#f.e.1s = 1 second, 1m = 1 minute, 1h = 1 hour, 1d = 1 day
zonefile - sync 1h;
#File size limit for IXFR journal
#Possible values : < 1..INT_MAX>
#Default value : N / A(infinite)
#It is also possible to suffix with unit size[k / M / G]
#f.e.1k, 100M, 2G
ixfr - fslimit 1G;
#Location of DNSSEC signing keys(relative to storage directory in zone).
#Default value : inherited from zones section
dnssec - keydir "keys";
#Enable DNSSEC online signing(EXPERIMENTAL)
#Possible values : on | off;
#Default value : inherited from zones section
dnssec - enable off;
#Validity period for DNSSEC signatures
#Possible values : < 10801..INT_MAX>(seconds)
#Default value : 30d(30 days or 2592000 seconds)
#It is also possible to suffix with unit size[s / m / h / d]
#f.e.1s = 1 day, 1m = 1 minute, 1h = 1 hour, 1d = 1 day
#The lower limit is because the server will trigger resign when any of the
#signatures expires in 7200 seconds or less and it was chosen as a
#reasonable value with regard to signing overhead.
#signature - lifetime 30d;
#Serial policy after DDNS and automatic DNSSEC signing.
#Possible values : increment | unixtime
#Default value : increment
#serial - policy increment;
#XFR master server
xfr - in server0;
#ACL list of XFR slaves
xfr - out server0, server1;
#ACL list of servers allowed to send NOTIFY queries
notify - in server0;
#List of servers to send NOTIFY to
notify - out server0, server1;
#List of servers to allow UPDATE queries
update - in server0, admins;
#Query modules are dynamically loaded modules that can alter query plan processing
#Configuration is always module - specific, but passed as a simple string here
query_module
{
module_one "configuration string";
module_two "specific configuration string";
}
}
}
#Section 'log' configures logging of server messages.
#
#Logging recognizes 3 symbolic names of log devices:
#stdout - Standard output
#stderr - Standard error output
#syslog - Syslog
#
#In addition, arbitrary number of log files may be specified(see below).
#
#Log messages are characterized by severity and category.
#Supported severities:
#debug - Debug messages and below.Must be turned on at compile time.
#info - Informational messages and below.
#notice - Notices and hints and below.
#warning - Warnings and below. An action from the operator may be required.
#error - Recoverable error and below. Some action should be taken.
#critical - Non - recoverable errors resulting in server shutdown.
#(Not supported yet.)
#
#Categories designate the source of the log message and roughly correspond
#to server modules
#Supported categories:
#server - Messages related to general operation of the server.
#zone - Messages related to zones, zone parsing and loading.
#any - All categories
#
#Default settings(in case there are no entries in 'log' section or the section
#is missing at all):
#
#stderr{any error; }
#syslog{any error; }
log
{
#Format 1:
# <log> {
# <category1> <severity1>;
# <category2> <severity2>;
#...
#}
syslog
{
#Log any error or critical to syslog
any error;
#Log all(excluding debug) from server to syslog
server info;
}
#Log any warning, error or critical to stderr
stderr
{
any warning;
}
#Format 2:
#file < path> { # < path> is absolute or relative path to log file
# <category1> <severity1>;
# <category2> <severity2>;
#}
file "/tmp/knot-sample/knotd.debug"
{
server debug;
}
}