#

# nsd.conf -- the NSD(8) configuration file, nsd.conf(5).

#

# Copyright (c) 2001-2011, NLnet Labs. All rights reserved.

#

# See LICENSE for the license.

#

# This is a comment.

# Sample configuration file

# include: "file" # include that file's text over here.  Globbed, "*.conf"

# options for the nsd server

server:

	# Number of NSD servers to fork.  Put the number of CPUs to use here.

	# server-count: 1

	# uncomment to specify specific interfaces to bind (default are the

	# wildcard interfaces 0.0.0.0 and ::0).

	# For servers with multiple IP addresses, list them one by one,

	# or the source address of replies could be wrong.

	# Use ip-transparent to be able to list addresses that turn on later.

	# ip-address: 1.2.3.4

	# ip-address: 1.2.3.4@5678

	# ip-address: 12fe::8ef0

	# Allow binding to non local addresses. Default no.

	# ip-transparent: no

	# Allow binding to addresses that are down.  Default no.

	# ip-freebind: no

	# use the reuseport socket option for performance. Default no.

	# reuseport: no

	# enable debug mode, does not fork daemon process into the background.

	# debug-mode: no

	# listen on IPv4 connections

	# do-ip4: yes

	# listen on IPv6 connections

	# do-ip6: yes

	# port to answer queries on. default is 53.

	# port: 53

	# Verbosity level.

	# verbosity: 0

	# After binding socket, drop user privileges.

	# can be a username, id or id.gid.

	# username: nsd

	# Run NSD in a chroot-jail.

	# make sure to have pidfile and database reachable from there.

	# by default, no chroot-jail is used.

	# chroot: "/etc/nsd"

	# The directory for zonefile: files.  The daemon chdirs here.

	# zonesdir: "/etc/nsd"

	# the list of dynamically added zones.

	# zonelistfile: "/var/lib/nsd/zone.list"

	# the database to use

	# if set to "" then no disk-database is used, less memory usage.

	# database: ""

	# log messages to file. Default to stderr and syslog (with

	# facility LOG_DAEMON).  stderr disappears when daemon goes to bg.

	# logfile: "/var/log/nsd.log"

	# File to store pid for nsd in.

	# pidfile: "/var/run/nsd/nsd.pid"

	# The file where secondary zone refresh and expire timeouts are kept.

	# If you delete this file, all secondary zones are forced to be

	# 'refreshing' (as if nsd got a notify).  Set to "" to disable.

	# xfrdfile: "/var/lib/nsd/ixfr.state"

	# The directory where zone transfers are stored, in a subdir of it.

	# xfrdir: "/tmp"

	# don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries

	# hide-version: no

	# version string the server responds with for chaos queries.

	# default is 'NSD x.y.z' with the server's version number.

	# version: "NSD"

	# identify the server (CH TXT ID.SERVER entry).

	# identity: "unidentified server"

	# NSID identity (hex string, or "ascii_somestring"). default disabled.

	# nsid: "aabbccdd"

	# Maximum number of concurrent TCP connections per server.

	# tcp-count: 100

	# Maximum number of queries served on a single TCP connection.

	# By default 0, which means no maximum.

	# tcp-query-count: 0

	# Override the default (120 seconds) TCP timeout.

	# tcp-timeout: 120

	# Maximum segment size (MSS) of TCP socket on which the server

	# responds to queries. Default is 0, system default MSS.

	# tcp-mss: 0

	# Maximum segment size (MSS) of TCP socket for outgoing AXFR request.

	# Default is 0, system default MSS.

	# outgoing-tcp-mss: 0

	# Preferred EDNS buffer size for IPv4.

	# ipv4-edns-size: 4096

	# Preferred EDNS buffer size for IPv6.

	# ipv6-edns-size: 4096

	# statistics are produced every number of seconds. Prints to log.

	# Default is 0, meaning no statistics are produced.

	# statistics: 3600

	# Number of seconds between reloads triggered by xfrd.

	# xfrd-reload-timeout: 1

	# log timestamp in ascii (y-m-d h:m:s.msec), yes is default.

	# log-time-ascii: yes

	# round robin rotation of records in the answer.

	# round-robin: no

	# check mtime of all zone files on start and sighup

	# zonefiles-check: yes

	# write changed zonefiles to disk, every N seconds.

	# default is 0(disabled) or 3600(if database is "").

	# zonefiles-write: 3600

	# RRLconfig

	# Response Rate Limiting, size of the hashtable. Default 1000000.

	# rrl-size: 1000000

	# Response Rate Limiting, maximum QPS allowed (from one query source).

	# If set to 0, ratelimiting is disabled. Also set

	# rrl-whitelist-ratelimit to 0 to disable ratelimit processing.

	# Default is on.

	# rrl-ratelimit: 200

	# Response Rate Limiting, number of packets to discard before

	# sending a SLIP response (a truncated one, allowing an honest

	# resolver to retry with TCP). Default is 2 (one half of the

	# queries will receive a SLIP response, 0 disables SLIP (all

	# packets are discarded), 1 means every request will get a

	# SLIP response.  When the ratelimit is hit the traffic is

	# divided by the rrl-slip value.

	# rrl-slip: 2

	# Response Rate Limiting, IPv4 prefix length. Addresses are

	# grouped by netblock.

	# rrl-ipv4-prefix-length: 24

	# Response Rate Limiting, IPv6 prefix length. Addresses are

	# grouped by netblock.

	# rrl-ipv6-prefix-length: 64

	# Response Rate Limiting, maximum QPS allowed (from one query source)

	# for whitelisted types. Default is on.

	# rrl-whitelist-ratelimit: 2000

	# RRLend

	# Optional local server config

	include: "/etc/nsd/server.d/*.conf"

# Include optional local configs.

include: "/etc/nsd/conf.d/*.conf"

# Remote control config section.

remote-control:

	# Enable remote control with nsd-control(8) here.

	# set up the keys and certificates with nsd-control-setup.

	control-enable: yes

	# what interfaces are listened to for control, default is on localhost.

	# control-interface: 127.0.0.1

	# control-interface: ::1

	# port number for remote control operations (uses TLS over TCP).

	# control-port: 8952

	# nsd server key file for remote control.

	# server-key-file: "/etc/nsd/nsd_server.key"

	# nsd server certificate file for remote control.

	# server-cert-file: "/etc/nsd/nsd_server.pem"

	# nsd-control key file.

	# control-key-file: "/etc/nsd/nsd_control.key"

	# nsd-control certificate file.

	# control-cert-file: "/etc/nsd/nsd_control.pem"

# Secret keys for TSIGs that secure zone transfers.

# You could include: "secret.keys" and put the 'key:' statements in there,

# and give that file special access control permissions.

#

# key:

	# The key name is sent to the other party, it must be the same

	#name: "keyname"

	# algorithm hmac-md5, or hmac-sha1, or hmac-sha256 (if compiled in)

	#algorithm: hmac-sha256

	# secret material, must be the same as the other party uses.

	# base64 encoded random number.

	# e.g. from dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64

	#secret: "K2tf3TRjvQkVCmJF3/Z9vA=="

# Patterns have zone configuration and they are shared by one or more zones.

#

# pattern:

	# name by which the pattern is referred to

	#name: "myzones"

	# the zonefile for the zones that use this pattern.

	# if relative then from the zonesdir (inside the chroot).

	# the name is processed: %s - zone name (as appears in zone:name).

	# %1 - first character of zone name, %2 second, %3 third.

	# %z - topleveldomain label of zone, %y, %x next labels in name.

	# if label or character does not exist you get a dot '.'.

	# for example "%s.zone" or "zones/%1/%2/%3/%s" or "secondary/%z/%s"

	#zonefile: "%s.zone"

	# If no master and slave access control elements are provided,

	# this zone will not be served to/from other servers.

	# A master zone needs notify: and provide-xfr: lists.  A slave

	# may also allow zone transfer (for debug or other secondaries).

	# notify these slaves when the master zone changes, address TSIG|NOKEY

	# IP can be ipv4 and ipv6, with @port for a nondefault port number.

	#notify: 192.0.2.1 NOKEY

	# allow these IPs and TSIG to transfer zones, addr TSIG|NOKEY|BLOCKED

	# address range 192.0.2.0/24, 1.2.3.4&255.255.0.0, 3.0.2.20-3.0.2.40

	#provide-xfr: 192.0.2.0/24 my_tsig_key_name

	# set the number of retries for notify.

	#notify-retry: 5

	# uncomment to provide AXFR to all the world

	# provide-xfr: 0.0.0.0/0 NOKEY

	# provide-xfr: ::0/0 NOKEY

	# A slave zone needs allow-notify: and request-xfr: lists.

	#allow-notify: 2001:db8::0/64 my_tsig_key_name

	# By default, a slave will request a zone transfer with IXFR/TCP.

	# If you want to make use of IXFR/UDP use: UDP addr tsigkey

	# for a master that only speaks AXFR (like NSD) use AXFR addr tsigkey

	#request-xfr: 192.0.2.2 the_tsig_key_name

	# Attention: You cannot use UDP and AXFR together. AXFR is always over

	# TCP. If you use UDP, we higly recommend you to deploy TSIG.

	# Allow AXFR fallback if the master does not support IXFR. Default

	# is yes.

	#allow-axfr-fallback: yes

	# set local interface for sending zone transfer requests.

	# default is let the OS choose.

	#outgoing-interface: 10.0.0.10

	# limit the refresh and retry interval in seconds.

	#max-refresh-time: 2419200

	#min-refresh-time: 0

	#max-retry-time: 1209600

	#min-retry-time: 0

	# limit the zone transfer size (in bytes), stops very large transfers

	# 0 is no limits enforced.

	# size-limit-xfr: 0

	# if compiled with --enable-zone-stats, give name of stat block for

	# this zone (or group of zones).  Output from nsd-control stats.

	# zonestats: "%s"

	# if you give another pattern name here, at this point the settings

	# from that pattern are inserted into this one (as if it were a

	# macro).  The statement can be given in between other statements,

	# because the order of access control elements can make a difference

	# (which master to request from first, which slave to notify first).

	#include-pattern: "common-masters"

# Fixed zone entries.  Here you can config zones that cannot be deleted.

# Zones that are dynamically added and deleted are put in the zonelist file.

#

# zone:

	# name: "example.com"

	# you can give a pattern here, all the settings from that pattern

	# are then inserted at this point

	# include-pattern: "master"

	# You can also specify (additional) options directly for this zone.

	# zonefile: "example.com.zone"

	# request-xfr: 192.0.2.1 example.com.key

	# RRLconfig

	# Response Rate Limiting, whitelist types

	# rrl-whitelist: nxdomain

	# rrl-whitelist: error

	# rrl-whitelist: referral

	# rrl-whitelist: any

	# rrl-whitelist: rrsig

	# rrl-whitelist: wildcard

	# rrl-whitelist: nodata

	# rrl-whitelist: dnskey

	# rrl-whitelist: positive

	# rrl-whitelist: all

	# RRLend