#
# nsd.conf -- the NSD(8) configuration file, nsd.conf(5).
#
# Copyright (c) 2001-2011, NLnet Labs. All rights reserved.
#
# See LICENSE for the license.
#
# This is a comment.
# Sample configuration file
# include: "file" # include that file's text over here.  Globbed, "*.conf"
# options for the nsd server
server:
	# Values written as @name@ below are placeholders left over from the
	# upstream sample template; they appear only in commented-out examples.

	# How many NSD server processes to fork; use the number of CPUs.
	# server-count: 1

	# Addresses to bind.  With none listed, NSD binds the wildcard
	# interfaces 0.0.0.0 and ::0, so it answers on every address of the host.
	# On a host with several IP addresses list each one explicitly,
	# or the source address of replies could be wrong.
	# Use ip-transparent to be able to list addresses that turn on later.
	# ip-address: 1.2.3.4
	# ip-address: 1.2.3.4@5678
	# ip-address: 12fe::8ef0

	# Permit binding to addresses that are not local. Default no.
	# ip-transparent: no

	# Use the reuseport socket option for performance. Default no.
	# reuseport: no

	# Debug mode: the daemon is not forked into the background.
	# debug-mode: no

	# Listen for IPv4 connections.
	# do-ip4: yes

	# Listen for IPv6 connections.
	# do-ip6: yes

	# Port on which queries are answered. Default is 53.
	# port: 53

	# Verbosity level.
	# verbosity: 0

	# Drop user privileges once the sockets are bound, so the running
	# daemon no longer holds the rights it needed to bind.
	# Accepts a username, id or id.gid.
	# username: @user@

	# Run NSD in a chroot-jail.
	# The pidfile and database must be reachable from inside the jail.
	# No chroot-jail is used by default.
	# chroot: "@configdir@"

	# Directory holding the zonefile: files.  The daemon chdirs here.
	# zonesdir: "@zonesdir@"

	# The list of dynamically added zones.
	# zonelistfile: "@zonelistfile@"

	# The database to use.
	# Set to "" to run without a disk database (less memory usage).
	# database: "@dbfile@"

	# Log messages to a file. Default is stderr and syslog (with
	# facility LOG_DAEMON).  stderr disappears when daemon goes to bg.
	# logfile: "@logfile@"

	# File in which the nsd pid is stored.
	# pidfile: "@pidfile@"

	# File holding the refresh and expire timeouts of secondary zones.
	# If you delete this file, all secondary zones are forced to be
	# 'refreshing' (as if nsd got a notify).  Set to "" to disable.
	# xfrdfile: "@xfrdfile@"

	# Directory under which zone transfers are stored, in a subdir of it.
	# xfrdir: "@xfrdir@"

	# Do not answer VERSION.BIND and VERSION.SERVER CHAOS class queries.
	# With the default 'no', any client can ask for the version string
	# described under 'version' below.
	# hide-version: no

	# Version string returned for chaos queries.
	# Default is 'NSD x.y.z' with the server's version number.
	# version: "NSD"

	# Identify the server (CH TXT ID.SERVER entry).
	# identity: "unidentified server"

	# NSID identity (hex string, or "ascii_somestring"). Default disabled.
	# nsid: "aabbccdd"

	# Maximum number of concurrent TCP connections per server.
	# tcp-count: 100

	# Maximum number of queries served on a single TCP connection.
	# The default, 0, means no maximum.
	# tcp-query-count: 0

	# Override the default (120 seconds) TCP timeout.
	# tcp-timeout: 120

	# Preferred EDNS buffer size for IPv4.
	# ipv4-edns-size: 4096

	# Preferred EDNS buffer size for IPv6.
	# ipv6-edns-size: 4096

	# Interval in seconds at which statistics are printed to the log.
	# Default is 0, meaning no statistics are produced.
	# statistics: 3600

	# Number of seconds between reloads triggered by xfrd.
	# xfrd-reload-timeout: 1

	# Log timestamp in ascii (y-m-d h:m:s.msec), yes is default.
	# log-time-ascii: yes

	# Round robin rotation of records in the answer.
	# round-robin: no

	# Check mtime of all zone files on start and sighup.
	# zonefiles-check: yes

	# Write changed zonefiles to disk, every N seconds.
	# Default is 0 (disabled) or 3600 (if database is "").
	# zonefiles-write: 3600

	# RRLconfig
	# Response Rate Limiting (RRL) caps the responses sent per query
	# source, which limits how much traffic the server will send toward
	# an address that may be spoofed.
	# Response Rate Limiting, size of the hashtable. Default 1000000.
	# rrl-size: 1000000

	# Response Rate Limiting, maximum QPS allowed (from one query source).
	# If set to 0, ratelimiting is disabled. Also set
	# rrl-whitelist-ratelimit to 0 to disable ratelimit processing.
	# Default is @ratelimit_default@.
	# rrl-ratelimit: 200

	# Response Rate Limiting, number of packets to discard before
	# sending a SLIP response (a truncated one, allowing an honest
	# resolver to retry with TCP). Default is 2 (one half of the
	# queries will receive a SLIP response), 0 disables SLIP (all
	# packets are discarded), 1 means every request will get a
	# SLIP response.  When the ratelimit is hit the traffic is
	# divided by the rrl-slip value.
	# rrl-slip: 2

	# Response Rate Limiting, IPv4 prefix length. Addresses are
	# grouped by netblock.
	# rrl-ipv4-prefix-length: 24

	# Response Rate Limiting, IPv6 prefix length. Addresses are
	# grouped by netblock.
	# rrl-ipv6-prefix-length: 64

	# Response Rate Limiting, maximum QPS allowed (from one query source)
	# for whitelisted types. Default is @ratelimit_default@.
	# rrl-whitelist-ratelimit: 2000
	# RRLend

	# The only option set in this clause: the path of the database file.
	# It is documented above as a server option and is indented here so
	# that it reads as part of server: rather than as a clause of its own.
	database: /var/lib/nsd/nsd.db
remote-control:
	# Turn on the control channel used by nsd-control(8).
	control-enable: yes

	# The channel listens on the loopback address only, so it is not
	# reachable from other hosts.  Widening this exposes the management
	# interface to the network; keep it on 127.0.0.1 unless remote
	# administration is really required.
	control-interface: 127.0.0.1
	control-port: 8952

	# Key and certificate pairs for the two ends of the control channel:
	# server-* for the daemon, control-* for the nsd-control client.
	# The .key files are private keys; they should be readable only by
	# root and the account NSD runs as.
	server-key-file: "/etc/nsd/nsd_server.key"
	server-cert-file: "/etc/nsd/nsd_server.pem"
	control-key-file: "/etc/nsd/nsd_control.key"
	control-cert-file: "/etc/nsd/nsd_control.pem"
# Pull in every file matching the glob as if its text were written here.
# Anything dropped into conf.d with a .conf name becomes part of the
# server configuration, so the directory should be writable only by root.
include: /etc/nsd/conf.d/*.conf