git.ipfire.org Git - thirdparty/pdns.git/blame - docs/settings.rst
Remove disable-tcp option
Commit Line Data
0e2063c3
PL
1Authoritative Server Settings
2=============================
3
4All PowerDNS Authoritative Server settings are listed here, excluding
5those that originate from backends, which are documented in the relevant
6chapters. These settings can be set inside ``pdns.conf`` or on the
7command line when invoking the ``pdns`` binary.
8
9You can use ``+=`` syntax to set some variables incrementally, but this
10requires you to have at least one non-incremental setting for the
11variable to act as the base setting. This is mostly useful for the
12:ref:`setting-include-dir` directive.
13
14For boolean settings, specifying the name of the setting without a value
15means ``yes``.
16
17.. _setting-8bit-dns:
18
19``8bit-dns``
20------------
21
27f39e15 22- Boolean
0e2063c3
PL
23- Default: no
24
25.. versionadded:: 4.0.0
26
27Allow 8 bit DNS queries.
28
29.. _setting-allow-axfr-ips:
30
31``allow-axfr-ips``
32------------------
33
34- IP ranges, separated by commas
35- Default: 127.0.0.0/8,::1
36
37If set, only these IP addresses or netmasks will be able to perform
38AXFR.
39
40.. _setting-allow-dnsupdate-from:
41
42``allow-dnsupdate-from``
43------------------------
44
45- IP ranges, separated by commas
88d771bc 46- Default: 127.0.0.0/8,::1
0e2063c3 47
4991656e 48Allow DNS updates from these IP ranges. Set to an empty string to honour ``ALLOW-DNSUPDATE-FROM`` in :ref:`metadata-allow-dnsupdate-from`.
0e2063c3
PL
49
50.. _setting-allow-notify-from:
51
52``allow-notify-from``
53---------------------
54
55- IP ranges, separated by commas
56- Default: 0.0.0.0/0,::/0
57
58Allow AXFR NOTIFY from these IP ranges. Setting this to an empty string
59will drop all incoming notifies.
60
43f61934
GD
61.. _setting-allow-recursion:
62
63``allow-recursion``
64-------------------
65
66- IP ranges, separated by commas
67- Default: 0.0.0.0/0
68
69.. deprecated:: 4.1.0
70 Recursion has been removed, see :doc:`guides/recursion`
71
72By specifying ``allow-recursion``, recursion can be restricted to
73netmasks specified. The default is to allow recursion from everywhere.
74Example: ``allow-recursion=198.51.100.0/24, 10.0.0.0/8, 192.0.2.4``.
75
0e2063c3
PL
76.. _setting-allow-unsigned-notify:
77
78``allow-unsigned-notify``
79-------------------------
80
81- Boolean
82- Default: yes
83
84.. versionadded:: 4.0.0
85
86Turning this off requires all notifications that are received to be
87signed by a valid TSIG signature for the zone.
88
89.. _setting-allow-unsigned-supermaster:
90
91``allow-unsigned-supermaster``
92------------------------------
93
94- Boolean
95- Default: yes
96
97.. versionadded:: 4.0.0
98
99Turning this off requires all supermaster notifications to be signed by
100a valid TSIG signature. It will accept any existing key on the slave.
101
0e2063c3
PL
102.. _setting-also-notify:
103
104``also-notify``
105---------------
106
107- IP addresses, separated by commas
108
109When notifying a domain, also notify these nameservers. Example:
110``also-notify=192.0.2.1, 203.0.113.167``. The IP addresses listed in
111``also-notify`` always receive a notification, even if they do not match
112the list in :ref:`setting-only-notify`.
113
114.. _setting-any-to-tcp:
115
116``any-to-tcp``
117--------------
118
119- Boolean
120- Default: yes
121
08532264
GD
122.. versionchanged:: 4.0.1
123 was 'no' before.
0e2063c3
PL
124
125Answer ANY queries received over UDP with a truncated packet that refers
126the remote server to TCP. Useful for mitigating reflection attacks.
127
128.. _setting-api:
129
130``api``
131-------
132
133- Boolean
134- Default: no
135
136Enable/disable the :doc:`http-api/index`.
137
138.. _setting-api-key:
139
140``api-key``
141-----------
142
143- String
144
145.. versionadded:: 4.0.0
146
147Static pre-shared authentication key for access to the REST API.
148
149.. _setting-api-readonly:
150
151``api-readonly``
152----------------
153
154- Boolean
155- Default: no
156
157.. versionadded:: 4.0.0
85be413d 158.. versionchanged:: 4.2.0
da7a5d84 159 This setting has been removed in 4.2.0.
0e2063c3
PL
160
161Disallow data modification through the REST API when set.
162
163.. _setting-axfr-lower-serial:
164
165``axfr-lower-serial``
166---------------------
167
168- Boolean
169- Default: no
170
171.. versionadded:: 4.0.4
172
173Also AXFR a zone from a master with a lower serial.
174
175.. _setting-cache-ttl:
176
177``cache-ttl``
178-------------
179
180- Integer
181- Default: 20
182
183Seconds to store packets in the :ref:`packet-cache`.
184
43f61934
GD
185.. _setting-carbon-instance:
186
187``carbon-instance``
188-------------------
189
190- String
191- Default: auth
192
193.. versionadded:: 4.2.0
194
195Set the instance or third string of the metric key. Be careful not to include
196any dots in this setting, unless you know what you are doing.
197See :ref:`metricscarbon`.
198
199.. _setting-carbon-interval:
200
201``carbon-interval``
202-------------------
203
204- Integer
205- Default: 30
206
207If sending carbon updates, this is the interval between them in seconds.
208See :ref:`metricscarbon`.
209
b0d4aa0b
G
210.. _setting-carbon-namespace:
211
212``carbon-namespace``
213--------------------
214
215- String
216- Default: pdns
217
7dd919af
G
218.. versionadded:: 4.2.0
219
b0d4aa0b
G
220Set the namespace or first string of the metric key. Be careful not to include
221any dots in this setting, unless you know what you are doing.
222See :ref:`metricscarbon`.
223
0e2063c3
PL
224.. _setting-carbon-ourname:
225
226``carbon-ourname``
227------------------
228
229- String
230- Default: the hostname of the server
231
232When sending carbon updates, this overrides our hostname if set. Be
233careful not to include any dots in this setting, unless you know what
234you are doing. See :ref:`metricscarbon`.
235
236.. _setting-carbon-server:
237
238``carbon-server``
239-----------------
240
241- IP Address
242
243Send all available metrics to this server via the carbon protocol, which
244is used by graphite and metronome. It has to be an address (no
fd47d762
S
245hostnames). You can specify more than one server using a comma-delimited list, e.g.
246``carbon-server=10.10.10.10,10.10.10.20``.
247You may specify an alternate port by appending :port, e.g.
0e2063c3
PL
248127.0.0.1:2004. See :ref:`metricscarbon`.
249
0e2063c3
PL
250.. _setting-chroot:
251
252``chroot``
253----------
254
255- Path
256
257If set, chroot to this directory for more security. See :doc:`security`.
258
259Make sure that ``/dev/log`` is available from within the chroot. Logging
260will silently fail over time otherwise (on logrotate).
261
262When setting ``chroot``, all other paths in the configuration (except for
263:ref:`setting-config-dir` and :ref:`setting-module-dir`)
264are relative to the new root.
265
266When running on a system where systemd manages services, ``chroot`` does
267not work out of the box, as PowerDNS cannot use the ``NOTIFY_SOCKET``.
268Either don't ``chroot`` on these systems or set the 'Type' of this
269service to 'simple' instead of 'notify' (refer to the systemd
270documentation on how to modify unit files).
271
272.. _setting-config-dir:
273
274``config-dir``
275--------------
276
277- Path
278
279Location of configuration directory (``pdns.conf``). Usually
280``/etc/powerdns``, but this depends on ``SYSCONFDIR`` during
281compile-time.
282
283.. _setting-config-name:
284
285``config-name``
286---------------
287
288- String
289
290Name of this virtual configuration - will rename the binary image. See
291:doc:`guides/virtual-instances`.
292
293.. _setting-control-console:
294
295``control-console``
296-------------------
297
298Debugging switch - don't use.
299
300.. _setting-daemon:
301
302``daemon``
303----------
304
305- Boolean
306- Default: no
307
308Operate as a daemon.
309
b8cd24cc
SH
310.. _setting-default-api-rectify:
311
312``default-api-rectify``
313-----------------------
314- Boolean
315- Default: yes
316
317.. versionadded:: 4.2.0
318
319The value of :ref:`metadata-api-rectify` if it is not set on the zone.
320
321.. note::
322 Before 4.2.0, the default was always no.
323
0e2063c3 324.. _setting-default-ksk-algorithms:
c01b3507 325.. _setting-default-ksk-algorithm:
0e2063c3 326
c01b3507 327``default-ksk-algorithm``
da7a5d84 328-------------------------
0e2063c3
PL
329
330- String
331- Default: ecdsa256
332
c01b3507 333.. versionchanged:: 4.1.0
28080ce6 334 Renamed from ``default-ksk-algorithms``. No longer supports multiple algorithm names.
c01b3507 335
0e2063c3 336The algorithm that should be used for the KSK when running
af28a1c2 337:doc:`pdnsutil secure-zone <manpages/pdnsutil.1>` or using the :doc:`Zone API endpoint <http-api/cryptokey>`
28080ce6
PL
338to enable DNSSEC. Must be one of:
339
28080ce6
PL
340* rsasha1
341* rsasha256
0e2063c3 342* rsasha512
28080ce6
PL
343* ecdsa256 (ECDSA P-256 with SHA256)
344* ecdsa384 (ECDSA P-384 with SHA384)
0e2063c3 345* ed25519
37356d71 346* ed448
0e2063c3 347
28080ce6
PL
348.. note::
349 Actual supported algorithms depend on the crypto-libraries
350 PowerDNS was compiled against. To check the supported DNSSEC algorithms
351 in your build of PowerDNS, run ``pdnsutil list-algorithms``.
352
0e2063c3
PL
353.. _setting-default-ksk-size:
354
355``default-ksk-size``
356--------------------
357
358- Integer
c01b3507 359- Default: whichever is default for `default-ksk-algorithm`_
0e2063c3
PL
360
361The default keysize for the KSK generated with :doc:`pdnsutil secure-zone <dnssec/pdnsutil>`.
28080ce6 362Only relevant for algorithms with non-fixed keysizes (like RSA).
0e2063c3 363
0e2063c3
PL
364.. _setting-default-soa-edit:
365
366``default-soa-edit``
367--------------------
368
369- String
370- Default: empty
371
372Use this soa-edit value for all zones if no
373:ref:`metadata-soa-edit` metadata value is set.
374
375.. _setting-default-soa-edit-signed:
376
377``default-soa-edit-signed``
378---------------------------
379
380- String
381- Default: empty
382
383Use this soa-edit value for all signed zones if no
384:ref:`metadata-soa-edit` metadata value is set.
385Overrides :ref:`setting-default-soa-edit`.
386
387.. _setting-default-soa-mail:
388
389``default-soa-mail``
390--------------------
391
392- String
393
394Mail address to insert in the SOA record if none set in the backend.
395
43f61934
GD
396.. _setting-default-soa-name:
397
398``default-soa-name``
399--------------------
400
401- String
402- Default: a.misconfigured.powerdns.server
403
404Name to insert in the SOA record if none set in the backend.
405
0e2063c3
PL
406.. _setting-default-ttl:
407
408``default-ttl``
409---------------
410
411- Integer
412- Default: 3600
413
414TTL to use when none is provided.
415
416.. _setting-default-zsk-algorithms:
c01b3507 417.. _setting-default-zsk-algorithm:
0e2063c3 418
c01b3507 419``default-zsk-algorithm``
0e2063c3
PL
420--------------------------
421
422- String
423- Default: (empty)
424
c01b3507
PL
425.. versionchanged:: 4.1.0
426 Renamed from ``default-zsk-algorithms``. No longer supports multiple algorithm names.
427
0e2063c3 428The algorithm that should be used for the ZSK when running
af28a1c2 429:doc:`pdnsutil secure-zone <manpages/pdnsutil.1>` or using the :doc:`Zone API endpoint <http-api/cryptokey>`
28080ce6
PL
430to enable DNSSEC. Must be one of:
431
28080ce6
PL
432* rsasha1
433* rsasha256
0e2063c3 434* rsasha512
28080ce6
PL
435* ecdsa256 (ECDSA P-256 with SHA256)
436* ecdsa384 (ECDSA P-384 with SHA384)
0e2063c3 437* ed25519
37356d71 438* ed448
0e2063c3 439
28080ce6
PL
440.. note::
441 Actual supported algorithms depend on the crypto-libraries
442 PowerDNS was compiled against. To check the supported DNSSEC algorithms
443 in your build of PowerDNS, run ``pdnsutil list-algorithms``.
444
0e2063c3
PL
445.. _setting-default-zsk-size:
446
447``default-zsk-size``
448--------------------
449
450- Integer
c01b3507 451- Default: 0 (automatic default for `default-zsk-algorithm`_)
0e2063c3
PL
452
453The default keysize for the ZSK generated with :doc:`pdnsutil secure-zone <dnssec/pdnsutil>`.
28080ce6 454Only relevant for algorithms with non-fixed keysizes (like RSA).
0e2063c3
PL
455
456.. _setting-direct-dnskey:
457
458``direct-dnskey``
459-----------------
460
461- Boolean
462- Default: no
463
16d72778
OS
464Read additional DNSKEY, CDS and CDNSKEY records from the records table/your BIND zonefile. If not
465set, DNSKEY, CDS and CDNSKEY records in the zonefiles are ignored.
0e2063c3
PL
466
467.. _setting-disable-axfr:
468
469``disable-axfr``
470----------------
471
472- Boolean
473- Default: no
474
475Do not allow zone transfers.
476
477.. _setting-disable-axfr-rectify:
478
479``disable-axfr-rectify``
480------------------------
481
482- Boolean
483- Default: no
484
485Disable the rectify step during an outgoing AXFR. Only required for
486regression testing.
487
488.. _setting-disable-syslog:
489
490``disable-syslog``
491------------------
492
493- Boolean
494- Default: no
495
496Do not log to syslog, only to stdout. Use this setting when running
497inside a supervisor that handles logging (like systemd).
498
964d0eb6 499.. warning::
0e2063c3
PL
500 Do not use this setting in combination with :ref:`setting-daemon` as all
501 logging will disappear.
502
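The ``+=`` and bare-boolean rules from the introduction, together with the defaults and warnings in the entries above, can be checked mechanically. The following is an added example, not PowerDNS code: the comment handling, the comma join for ``+=``, the "anything but no/off is enabled" rule and both sample configurations are assumptions or constructed for illustration.

```python
import ipaddress
import re

# Defaults copied from this page, only for the settings checked below.
DEFAULTS = {
    "allow-axfr-ips": "127.0.0.0/8,::1",
    "allow-notify-from": "0.0.0.0/0,::/0",
    "allow-unsigned-notify": "yes",
    "any-to-tcp": "yes",
    "api": "no",
    "api-key": "",
    "daemon": "no",
    "disable-axfr": "no",
    "disable-syslog": "no",
}

LINE_RE = re.compile(r"^([A-Za-z0-9-]+)\s*(\+?=)?\s*(.*)$")


class ConfigError(ValueError):
    """Raised for lines that cannot be interpreted."""


def parse_pdns_conf(text):
    """Return {name: value} for the settings explicitly set in `text`."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line:
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ConfigError(f"line {lineno}: cannot parse {raw!r}")
        name, op, value = match.group(1), match.group(2), match.group(3).strip()
        if op is None:
            if value:
                raise ConfigError(f"line {lineno}: cannot parse {raw!r}")
            settings[name] = "yes"  # a bare boolean setting name means yes
        elif op == "=":
            settings[name] = value
        else:  # "+=" needs a non-incremental base setting earlier on
            if name not in settings:
                raise ConfigError(f"line {lineno}: {name}+= has no base setting")
            # assumption: incremental values are appended comma-separated
            settings[name] = ",".join(v for v in (settings[name], value) if v)
    return settings


def enabled(settings, name):
    # assumption: any value other than no/off counts as enabled
    return settings.get(name, DEFAULTS[name]).strip().lower() not in ("no", "off")


def open_to_world(settings, name):
    """True if the IP-range list contains a /0 network (0.0.0.0/0 or ::/0)."""
    for item in re.split(r"[,\s]+", settings.get(name, DEFAULTS[name])):
        if item and not item.startswith("!"):
            if ipaddress.ip_network(item, strict=False).prefixlen == 0:
                return True
    return False


def audit(settings):
    """Return (setting, message) findings for combinations this page describes."""
    findings = []
    if enabled(settings, "daemon") and enabled(settings, "disable-syslog"):
        findings.append(("disable-syslog", "combined with daemon, all logging disappears"))
    if not enabled(settings, "disable-axfr") and open_to_world(settings, "allow-axfr-ips"):
        findings.append(("allow-axfr-ips", "AXFR is allowed from any address"))
    if enabled(settings, "allow-unsigned-notify") and open_to_world(settings, "allow-notify-from"):
        findings.append(("allow-unsigned-notify", "NOTIFY without TSIG accepted from any address"))
    if not enabled(settings, "any-to-tcp"):
        findings.append(("any-to-tcp", "ANY over UDP is not referred to TCP"))
    if enabled(settings, "api") and not settings.get("api-key", DEFAULTS["api-key"]):
        findings.append(("api-key", "api is enabled but no api-key is set"))
    return findings


# Constructed sample configurations, not taken from a real deployment.
SAMPLE_CONF = """\
daemon
disable-syslog=yes
allow-axfr-ips=192.0.2.0/24
allow-axfr-ips+=0.0.0.0/0   # e.g. appended by a file from include-dir
any-to-tcp=no
api=yes
"""

HARDENED_CONF = """\
allow-axfr-ips=192.0.2.0/24
allow-unsigned-notify=no
api=yes
api-key=REPLACE-WITH-RANDOM-KEY
"""

if __name__ == "__main__":
    for setting, message in audit(parse_pdns_conf(SAMPLE_CONF)):
        print(f"{setting}: {message}")
```
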
503.. _setting-disable-tcp:
504
505``disable-tcp``
506---------------
507
508- Boolean
509- Default: no
510
998fddc3
PL
511.. versionchanged:: 4.2.0
512 This setting has been removed
513
0e2063c3
PL
514Do not listen to TCP queries. Breaks RFC compliance.
515
516.. _setting-distributor-threads:
517
518``distributor-threads``
519-----------------------
520
521- Integer
522- Default: 3
523
524Number of Distributor (backend) threads to start per receiver thread.
525See :doc:`performance`.
526
527.. _setting-dname-processing:
528
529``dname-processing``
530--------------------
531
532- Boolean
533- Default: no
534
535Synthesise CNAME records from DNAME records as required. This
536approximately doubles query load. **Do not combine with DNSSEC!**
537
538.. _setting-dnssec-key-cache-ttl:
539
540``dnssec-key-cache-ttl``
541------------------------
542
543- Integer
544- Default: 30
545
546Seconds to cache DNSSEC keys from the database. A value of 0 disables
547caching.
548
549.. _setting-dnsupdate:
550
551``dnsupdate``
552-------------
553
554- Boolean
555- Default: no
556
557Enable/Disable DNS update (RFC2136) support. See :doc:`dnsupdate` for more.
558
559.. _setting-do-ipv6-additional-processing:
560
561``do-ipv6-additional-processing``
562---------------------------------
563
564- Boolean
565- Default: yes
566
567Perform AAAA additional processing. This sends AAAA records in the
568ADDITIONAL section when sending a referral.
569
570.. _setting-domain-metadata-cache-ttl:
571
572``domain-metadata-cache-ttl``
573-----------------------------
574
575- Integer
576- Default: 60
577
578Seconds to cache domain metadata from the database. A value of 0
579disables caching.
580
581.. _setting-edns-subnet-processing:
582
583``edns-subnet-processing``
584--------------------------
585
586- Boolean
587- Default: no
588
589Enables EDNS subnet processing, for backends that support it.
590
af68014f
CHB
591.. _setting-enable-lua-records:
592
593``enable-lua-records``
4fb906ee 594----------------------
af68014f
CHB
595
596- Boolean
597- Default: no
598
599Globally enable the LUA records feature.
600
0e2063c3
PL
601.. _setting-entropy-source:
602
603``entropy-source``
604------------------
605
606- Path
607- Default: /dev/urandom
608
609Entropy source file to use.
610
611.. _setting-expand-alias:
612
613``expand-alias``
614----------------
615
616- Boolean
617- Default: no
d99d1243
PL
618
619.. versionadded:: 4.1.0
0e2063c3
PL
620
621If this is enabled, ALIAS records are expanded (synthesised to their
622A/AAAA).
623
81b050b3 624If this is disabled (the default), ALIAS records will not be expanded and
0e2063c3
PL
625the server will return NODATA for A/AAAA queries for such names.
626
d5eff893
GD
627.. note::
628 :ref:`setting-resolver` must also be set for ALIAS expansion to work!
0e2063c3 629
d5eff893
GD
630.. note::
631 In PowerDNS Authoritative Server 4.0.x, this setting did not exist and
632 ALIAS was always expanded.
0e2063c3
PL
633
634.. _setting-forward-dnsupdate:
635
636``forward-dnsupdate``
637---------------------
638
639- Boolean
640- Default: no
641
642Forward DNS updates sent to a slave to the master.
643
644.. _setting-forward-notify:
645
646``forward-notify``
647------------------
648
649- IP addresses, separated by commas
650
651IP addresses to forward received notifications to regardless of master
652or slave settings.
653
654.. note::
655 The intended use is in anycast environments where it might be
656 necessary for a proxy server to perform the AXFR. The usual checks are
657 performed before any received notification is forwarded.
658
659.. _setting-guardian:
660
661``guardian``
662------------
663
664- Boolean
665- Default: no
666
667Run within a guardian process. See :ref:`running-guardian`.
668
669.. _setting-include-dir:
670
671``include-dir``
672---------------
673
674- Path
675
676Directory to scan for additional config files. All files that end with
677.conf are loaded in order using ``POSIX`` as locale.
678
679.. _setting-launch:
680
681``launch``
682----------
683
684- Backend names, separated by commas
685
686Which backends to launch and the order in which to query them.
687In its simplest form, supply all backends that need to be launched,
688e.g.:
689
633489be 690.. code-block:: ini
0e2063c3
PL
691
692 launch=bind,gmysql,remote
693
694If you find that you need to query a backend multiple times with
695different configuration, you can specify a name for later
696instantiations, e.g.:
697
633489be 698.. code-block:: ini
0e2063c3
PL
699
700 launch=gmysql,gmysql:server2
701
702In this case, there are 2 instances of the gmysql backend, one by the
703normal name and the second one is called 'server2'. The backend
704configuration item names change: e.g. ``gmysql-host`` is available to
705configure the ``host`` setting of the first or main instance, and
706``gmysql-server2-host`` for the second one.
707
efdd3d7c 708Running multiple instances of the BIND backend is not allowed.
ea4d3e1d 709
0e2063c3
PL
710.. _setting-load-modules:
711
712``load-modules``
713----------------
714
715- Paths, separated by commas
716
717If backends are available in nonstandard directories, specify their
718location here. Multiple files can be loaded if separated by commas. Only
719available in non-static distributions.
720
721.. _setting-local-address:
722
723``local-address``
724-----------------
725
726- IPv4 Addresses, separated by commas or whitespace
727- Default: 0.0.0.0
728
729Local IP address to which we bind. It is highly advised to bind to
730specific interfaces and not use the default 'bind to any'. Binding to
731any causes big problems if you have multiple IP addresses: Unix does not
732provide a way of figuring out what IP address a packet was sent to when
733binding to any.
734
0e2063c3
PL
735.. _setting-local-address-nonexist-fail:
736
737``local-address-nonexist-fail``
738-------------------------------
739
740- Boolean
741- Default: no
742
743Fail to start if one or more of the
744:ref:`setting-local-address`'s do not exist on this server.
745
746.. _setting-local-ipv6:
747
748``local-ipv6``
749--------------
750
751- IPv6 Addresses, separated by commas or whitespace
752- Default: '::'
753
754Local IPv6 address to which we bind. It is highly advised to bind to
755specific interfaces and not use the default 'bind to any'. Binding to
756any causes big problems if you have multiple IP addresses.
757
758.. _setting-local-ipv6-nonexist-fail:
759
760``local-ipv6-nonexist-fail``
761----------------------------
762
763- Boolean
764- Default: no
765
766Fail to start if one or more of the :ref:`setting-local-ipv6`
767addresses do not exist on this server.
768
769.. _setting-local-port:
770
771``local-port``
772--------------
773
774- Integer
775- Default: 53
776
777The port on which we listen. Only one port possible.
778
779.. _setting-log-dns-details:
780
781``log-dns-details``
782-------------------
783
784- Boolean
785- Default: no
786
787If set to 'no', informative-only DNS details will not even be sent to
788syslog, improving performance.
789
43f61934
GD
790.. _setting-log-dns-queries:
791
792``log-dns-queries``
793-------------------
794
795- Boolean
796- Default: no
797
798Tell PowerDNS to log all incoming DNS queries. This will lead to a lot
799of logging! Only enable for debugging! Set :ref:`setting-loglevel`
800to at least 5 to see the logs.
801
802.. _setting-log-timestamp:
803
804``log-timestamp``
805-----------------
806
807- Boolean
808- Default: yes
809
810.. versionadded:: 4.1.0
811
812When printing log lines to stdout, prefix them with timestamps.
813Disable this if the process supervisor timestamps these lines already.
814
815.. note::
816 The systemd unit file supplied with the source code already disables timestamp printing.
817
0e2063c3
PL
818.. _setting-logging-facility:
819
820``logging-facility``
821--------------------
822
823If set to a digit, logging is performed under this LOCAL facility. See :ref:`logging-to-syslog`.
824Do not pass names like 'local0'!
825
826.. _setting-loglevel:
827
828``loglevel``
829------------
830
831- Integer
832- Default: 4
833
e7e225a7
PL
834Amount of logging. Higher is more. Do not set below 3. Corresponds to "syslog" level values,
835e.g. error = 3, warning = 4, notice = 5, info = 6.
0e2063c3 836
43f61934 837.. _setting-lua-axfr-script:
0e2063c3 838
43f61934 839``lua-axfr-script``
0e2063c3
PL
840-------------------
841
43f61934
GD
842- String
843- Default: empty
0e2063c3 844
43f61934
GD
845.. versionadded:: 4.1.0
846
847Script to be used to edit incoming AXFRs. See :ref:`modes-of-operation-axfrfilter`.
0e2063c3
PL
848
849.. _setting-lua-prequery-script:
850
851``lua-prequery-script``
852-----------------------
853
854- Path
855
856Lua script to run before answering a query. This is a feature used
857internally for regression testing. The API of this functionality is not
858guaranteed to be stable, and is in fact likely to change.
859
43f61934
GD
860.. _setting-lua-records-exec-limit:
861
862``lua-records-exec-limit``
863-----------------------------
864
865- Integer
866- Default: 1000
867
868Limit LUA records scripts to ``lua-records-exec-limit`` instructions.
869Setting this to any value less than or equal to 0 will set no limit.
870
0e2063c3
PL
871.. _setting-master:
872
873``master``
874----------
875
876- Boolean
877- Default: no
878
879Turn on master support. See :ref:`master-operation`.
880
881.. _setting-max-cache-entries:
882
883``max-cache-entries``
884---------------------
885
886- Integer
887- Default: 1000000
888
d99d1243
PL
889.. versionchanged:: 4.1.0
890 The packet and query caches are distinct. Previously, this setting was used for
9e461099 891 both the packet and query caches. See :ref:`setting-max-packet-cache-entries` for
d99d1243
PL
892 the packet-cache setting.
893
0e2063c3 894Maximum number of entries in the query cache. 1 million (the default)
d99d1243 895will generally suffice for most installations.
0e2063c3
PL
896
897.. _setting-max-ent-entries:
898
899``max-ent-entries``
900-------------------
901
902- Integer
903- Default: 100000
904
905Maximum number of empty non-terminals to add to a zone. This is a
906protection measure to avoid database explosion due to long names.
907
908.. _setting-max-nsec3-iterations:
909
910``max-nsec3-iterations``
911------------------------
912
913- Integer
914- Default: 500
915
f02f619d
GD
916Limit the number of NSEC3 hash iterations for zone configurations.
917For more information see :ref:`dnssec-operational-nsec-modes-params`.
0e2063c3
PL
918
919.. _setting-max-packet-cache-entries:
920
921``max-packet-cache-entries``
922----------------------------
923
924- Integer
925- Default: 1000000
926
d99d1243
PL
927.. versionadded:: 4.1.0
928
0e2063c3 929Maximum number of entries in the packet cache. 1 million (the default)
d99d1243 930will generally suffice for most installations.
0e2063c3
PL
931
932.. _setting-max-queue-length:
933
934``max-queue-length``
935--------------------
936
937- Integer
938- Default: 5000
939
940If this many packets are waiting for database attention, consider the
941situation hopeless and respawn.
942
943.. _setting-max-signature-cache-entries:
944
945``max-signature-cache-entries``
946-------------------------------
947
948- Integer
57b16af7 949- Default: 2^31-1 (on most systems), 2^63-1 (on ILP64 systems)
0e2063c3
PL
950
951Maximum number of signature cache entries.
952
953.. _setting-max-tcp-connection-duration:
954
955``max-tcp-connection-duration``
956-------------------------------
957
958- Integer
959- Default: 0
960
961Maximum time in seconds that a TCP DNS connection is allowed to stay
962open. 0 means unlimited. Note that exchanges related to an AXFR or IXFR
963are not affected by this setting.
964
965.. _setting-max-tcp-connections:
966
967``max-tcp-connections``
968-----------------------
969
970- Integer
971- Default: 20
972
973Allow this many incoming TCP DNS connections simultaneously.
974
975.. _setting-max-tcp-connections-per-client:
976
977``max-tcp-connections-per-client``
978----------------------------------
979
980- Integer
981- Default: 0
982
983Maximum number of simultaneous TCP connections per client. 0 means
984unlimited.
985
986.. _setting-max-tcp-transactions-per-conn:
987
988``max-tcp-transactions-per-conn``
989---------------------------------
990
991- Integer
992- Default: 0
993
994Allow this many DNS queries in a single TCP transaction. 0 means
995unlimited. Note that exchanges related to an AXFR or IXFR are not
996affected by this setting.
997
998.. _setting-module-dir:
999
1000``module-dir``
1001--------------
1002
1003- Path
1004
1005Directory for modules. Default depends on ``PKGLIBDIR`` during
1006compile-time.
1007
1008.. _setting-negquery-cache-ttl:
1009
1010``negquery-cache-ttl``
1011----------------------
1012
1013- Integer
1014- Default: 60
1015
9e461099 1016Seconds to store queries with no answer in the Query Cache. See :ref:`query-cache`.
0e2063c3
PL
1017
1018.. _setting-no-config:
1019
1020``no-config``
1021-------------
1022
1023- Boolean
1024- Default: no
1025
3eee5ed0
GD
1026Do not attempt to read the configuration file. Useful for configuration
1027by parameters from the command line only.
0e2063c3
PL
1028
1029.. _setting-no-shuffle:
1030
1031``no-shuffle``
1032--------------
1033
1034- Boolean
1035- Default: no
1036
1037Do not attempt to shuffle query results, used for regression testing.
1038
43f61934 1039.. _setting-non-local-bind:
0e2063c3 1040
43f61934
GD
1041``non-local-bind``
1042------------------
0e2063c3
PL
1043
1044- Boolean
43f61934 1045- Default: no
0e2063c3 1046
43f61934
GD
1047Bind to addresses even if one or more of the
1048:ref:`setting-local-address`'s do not exist on this server.
1049Setting this option will enable the needed socket options to allow
1050binding to non-local addresses. This feature is intended to facilitate
1051ip-failover setups, but it may also mask configuration issues and for
1052this reason it is disabled by default.
0e2063c3
PL
1053
1054.. _setting-only-notify:
1055
1056``only-notify``
1057---------------
1058
1059- IP Ranges, separated by commas or whitespace
1060- Default: 0.0.0.0/0, ::/0
1061
1062For type=MASTER zones (or SLAVE zones with slave-renotify enabled)
1063PowerDNS automatically sends NOTIFYs to the name servers specified in
1064the NS records. By specifying networks/masks as a whitelist, the targets
1065can be limited. The default is to notify the world. To completely
1066disable these NOTIFYs set ``only-notify`` to an empty value. Independent
1067of this setting, the IP addresses or netmasks configured with
1068:ref:`setting-also-notify` and ``ALSO-NOTIFY`` domain metadata
1069always receive AXFR NOTIFYs.
1070
22928c2f
PL
1071IP addresses and netmasks can be excluded by prefixing them with a ``!``.
1072To notify all IP addresses apart from the 192.168.0.0/24 subnet use the following::
1073
1074 only-notify=0.0.0.0/0, ::/0, !192.168.0.0/24
1075
0e2063c3
PL
1076.. note::
1077 Even if NOTIFYs are limited by a netmask, PowerDNS first has to
1078 resolve all the hostnames to check their IP addresses against the
1079 specified whitelist. The resolving may take considerable time,
1080 especially if those hostnames are slow to resolve. If you do not need to
1081 NOTIFY the slaves defined in the NS records (e.g. you are using another
1082 method to distribute the zone data to the slaves), then set
1083 :ref:`setting-only-notify` to an empty value and specify the notification targets
1084 explicitly using :ref:`setting-also-notify` and/or
1085 :ref:`metadata-also-notify` domain metadata to avoid this potential bottleneck.
1086
f8d48529 1087.. note::
81b050b3 1088 If your slaves support an Internet Protocol version that your master does not,
fd47d762 1089 then set ``only-notify`` to include only the supported protocol version.
f8d48529 1090 Otherwise there will be an error when trying to resolve the address.
fd47d762
S
1091
1092 For example, the slaves support both IPv4 and IPv6, but the PowerDNS master has only IPv4,
633489be
GD
1093 so allow only IPv4 with ``only-notify``:
1094
1095 .. code-block:: ini
fd47d762 1096
f8d48529
AS
1097 only-notify=0.0.0.0/0
1098
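How ``only-notify`` (with ``!`` exclusions) and ``also-notify`` combine, as an added example that is not PowerDNS code. It assumes the NS hostnames are already resolved to addresses and that the most specific matching entry decides; the addresses are constructed documentation values.

```python
import ipaddress
import re


def parse_ranges(value):
    """Split an IP-range list into [(network, allowed)]; '!' marks an exclusion."""
    entries = []
    for item in re.split(r"[,\s]+", value.strip()):
        if not item:
            continue
        allowed = not item.startswith("!")
        network = ipaddress.ip_network(item.lstrip("!"), strict=False)
        entries.append((network, allowed))
    return entries


def matches(ranges, addr):
    """Assumption: the most specific matching entry decides; no match means no."""
    best = None
    for network, allowed in ranges:
        if addr.version == network.version and addr in network:
            if best is None or network.prefixlen > best[0].prefixlen:
                best = (network, allowed)
    return best is not None and best[1]


def notify_targets(ns_addresses, only_notify, also_notify=""):
    """Return the addresses that receive a NOTIFY, in order, without duplicates."""
    ranges = parse_ranges(only_notify)
    targets = [a for a in ns_addresses if matches(ranges, ipaddress.ip_address(a))]
    # also-notify entries are always notified, whatever only-notify says
    for addr in re.split(r"[,\s]+", also_notify.strip()):
        if addr and addr not in targets:
            targets.append(addr)
    return targets


# Constructed addresses standing in for the resolved NS records of a zone.
NS_ADDRESSES = ["192.168.0.10", "192.168.1.10", "198.51.100.53", "2001:db8::53"]

if __name__ == "__main__":
    # The exclusion example from this section: everything except 192.168.0.0/24.
    print(notify_targets(NS_ADDRESSES, "0.0.0.0/0, ::/0, !192.168.0.0/24"))
    # IPv4-only master: IPv6 name servers are never selected.
    print(notify_targets(NS_ADDRESSES, "0.0.0.0/0"))
    # Empty only-notify: only the explicit also-notify targets remain.
    print(notify_targets(NS_ADDRESSES, "", "192.0.2.1, 203.0.113.167"))
```
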
0e2063c3
PL
1099.. _setting-out-of-zone-additional-processing:
1100
1101``out-of-zone-additional-processing``
1102-------------------------------------
1103
1104- Boolean
1105- Default: yes
1106
76c250a6
GD
1107.. deprecated:: 4.2.0
1108 This setting has been removed.
1109
0e2063c3
PL
1110Do out of zone additional processing. This means that if a malicious
1111user adds a '.com' zone to your server, it is not used for other domains
1112and will not contaminate answers. Do not enable this setting if you run
1113a public DNS service with untrusted users.
1114
1115The docs had previously indicated that the default was "no", but the
1116default has been "yes" since 2005.
1117
1118.. _setting-outgoing-axfr-expand-alias:
1119
1120``outgoing-axfr-expand-alias``
1121------------------------------
1122
1123- Boolean
1124- Default: no
1125
1126If this is enabled, ALIAS records are expanded (synthesised to their
1127A/AAAA) during outgoing AXFR. This means slaves will not automatically
1128follow changes in those A/AAAA records unless you AXFR regularly!
1129
1130If this is disabled (the default), ALIAS records are sent verbatim
1131during outgoing AXFR. Note that if your slaves do not support ALIAS,
1132they will return NODATA for A/AAAA queries for such names.
1133
43f61934
GD
1134.. _setting-overload-queue-length:
1135
1136``overload-queue-length``
1137-------------------------
1138
1139- Integer
1140- Default: 0 (disabled)
1141
1142If this many packets are waiting for database attention, answer any new
1143questions strictly from the packet cache.
1144
0e2063c3
PL
1145.. _setting-prevent-self-notification:
1146
1147``prevent-self-notification``
1148-----------------------------
1149
1150- Boolean
- Default: yes

PowerDNS Authoritative Server attempts to not send out notifications to
itself in master mode. In very complicated situations we could guess
wrong and not notify a server that should be notified. In that case, set
prevent-self-notification to "no".

.. _setting-query-cache-ttl:

``query-cache-ttl``
-------------------

- Integer
- Default: 20

Seconds to store queries with an answer in the Query Cache. See :ref:`query-cache`.

.. _setting-query-local-address:

``query-local-address``
-----------------------

- IPv4 Address
- Default: 0.0.0.0

The IP address to use as a source address for sending queries. Useful if
you have multiple IPs and PowerDNS is not bound to the IP address your
operating system uses by default for outgoing packets.

.. _setting-query-local-address6:

``query-local-address6``
------------------------

- IPv6 Address
- Default: '::'

Source IP address for sending IPv6 queries.

.. _setting-query-logging:

``query-logging``
-----------------

- Boolean
- Default: no

Boolean, hints to a backend that it should log a textual representation
of queries it performs. Can be set at runtime.

.. _setting-queue-limit:

``queue-limit``
---------------

- Integer
- Default: 1500

Maximum number of milliseconds to queue a query. See :doc:`performance`.

.. _setting-receiver-threads:

``receiver-threads``
--------------------

- Integer
- Default: 1

Number of receiver (listening) threads to start. See :doc:`performance`.

.. _setting-recursive-cache-ttl:

``recursive-cache-ttl``
-----------------------

- Integer
- Default: 10

.. deprecated:: 4.1.0
  Recursion has been removed, see :doc:`guides/recursion`

Seconds to store recursive packets in the :ref:`packet-cache`.

.. _setting-recursor:

``recursor``
------------

- IP Address

.. deprecated:: 4.1.0
  Recursion has been removed, see :doc:`guides/recursion`

If set, recursive queries will be handed to the recursor specified here.

.. _setting-resolver:

``resolver``
------------

- IP Addresses with optional port, separated by commas

.. versionadded:: 4.1.0

Use these resolver addresses for ALIAS and the internal stub resolver.
If this is not set, ``/etc/resolv.conf`` is parsed for upstream
resolvers.

.. _setting-retrieval-threads:

``retrieval-threads``
---------------------

- Integer
- Default: 2

Number of AXFR slave threads to start.

.. _setting-reuseport:

``reuseport``
-------------

- Boolean
- Default: No

On Linux 3.9 and some BSD kernels the ``SO_REUSEPORT`` option allows
each receiver-thread to open a new socket on the same port which allows
for much higher performance on multi-core boxes. Setting this option
will enable use of ``SO_REUSEPORT`` when available and seamlessly fall
back to a single socket when it is not available. A side-effect is that
you can start multiple servers on the same IP/port combination which may
or may not be a good idea. You could use this to enable transparent
restarts, but it may also mask configuration issues and for this reason
it is disabled by default.

.. _setting-rng:

``rng``
-------

- String
- Default: auto

Specify which random number generator to use. Permissible choices are:

- auto - choose automatically
- sodium - Use libsodium ``randombytes_uniform``
- openssl - Use libcrypto ``RAND_bytes``
- getrandom - Use libc getrandom, falls back to urandom if it does not really work
- arc4random - Use BSD ``arc4random_uniform``
- urandom - Use ``/dev/urandom``
- kiss - Use simple settable deterministic RNG. **FOR TESTING PURPOSES ONLY!**

.. note::
  Not all choices are available on all systems.

.. _setting-security-poll-suffix:

``security-poll-suffix``
------------------------

- String
- Default: secpoll.powerdns.com.

Domain name from which to query security update notifications. Setting
this to an empty string disables secpoll.

.. _setting-send-signed-notify:

``send-signed-notify``
----------------------

- Boolean
- Default: yes

If yes, outgoing NOTIFYs will be signed if a TSIG key is configured for the zone.
If there are multiple TSIG keys configured for a domain, PowerDNS will use the
first one retrieved from the backend, which may not be the correct one for the
respective slave. Hence, in setups with multiple slaves with different TSIG keys
it may be required to send NOTIFYs unsigned.

.. _setting-server-id:

``server-id``
-------------

- String
- Default: The hostname of the server

This is the server ID that will be returned on an EDNS NSID query.

.. _setting-setgid:

``setgid``
----------

- String

If set, change group id to this gid for more security. See :doc:`security`.

.. _setting-setuid:

``setuid``
----------

- String

If set, change user id to this uid for more security. See :doc:`security`.

.. _setting-signing-threads:

``signing-threads``
-------------------

- Integer
- Default: 3

Tell PowerDNS how many threads to use for signing. Changing this number
might improve signing speed.

.. _setting-slave:

``slave``
---------

- Boolean
- Default: no

Turn on slave support. See :ref:`slave-operation`.

.. _setting-slave-cycle-interval:

``slave-cycle-interval``
------------------------

- Integer
- Default: 60

On a master, this is the number of seconds between the master checking
the SOA serials in its database to determine whether to send out NOTIFYs
to the slaves. On slaves, this is the number of seconds between the slave
checking for updates to zones.

.. _setting-slave-renotify:

``slave-renotify``
------------------

- Boolean
- Default: no

This setting will make PowerDNS renotify the slaves after an AXFR is
*received* from a master. This is useful when running a
signing-slave.

.. _setting-soa-expire-default:

``soa-expire-default``
----------------------

- Integer
- Default: 604800

Default :ref:`types-soa` expire.

.. _setting-soa-minimum-ttl:

``soa-minimum-ttl``
-------------------

- Integer
- Default: 3600

Default :ref:`types-soa` minimum ttl.

.. _setting-soa-refresh-default:

``soa-refresh-default``
-----------------------

- Integer
- Default: 10800

Default :ref:`types-soa` refresh.

.. _setting-soa-retry-default:

``soa-retry-default``
---------------------

- Integer
- Default: 3600

Default :ref:`types-soa` retry.

.. _setting-socket-dir:

``socket-dir``
--------------

- Path

Where the controlsocket will live. The default depends on
``LOCALSTATEDIR`` during compile-time (usually ``/var/run`` or
``/run``). See :ref:`control-socket`.

This path will also contain the pidfile for this instance of PowerDNS
called ``pdns.pid`` by default. See :ref:`setting-config-name`
and :doc:`Virtual Hosting <guides/virtual-instances>` for how this can differ.

.. _setting-superslave:

``superslave``
--------------

- Boolean
- Default: no

.. versionadded:: 4.2.0
  In versions before 4.2.x, this setting did not exist and supermaster support
  was enabled by default.

Turn on supermaster support. See :ref:`supermaster-operation`.

.. _setting-tcp-control-address:

``tcp-control-address``
-----------------------

- IP Address

Address to bind to for TCP control.

.. _setting-tcp-control-port:

``tcp-control-port``
--------------------

- Integer
- Default: 53000

Port to bind to for TCP control.

.. _setting-tcp-control-range:

``tcp-control-range``
---------------------

- IP Ranges, separated by commas or whitespace

Limit TCP control to a specific client range.

.. _setting-tcp-control-secret:

``tcp-control-secret``
----------------------

- String

Password for TCP control.

.. _setting-tcp-fast-open:

``tcp-fast-open``
-----------------

- Integer
- Default: 0 (Disabled)

.. versionadded:: 4.1.0

Enable TCP Fast Open support, if available, on the listening sockets.
The numerical value supplied is used as the queue size, 0 meaning
disabled.

.. _setting-tcp-idle-timeout:

``tcp-idle-timeout``
--------------------

- Integer
- Default: 5

Maximum time in seconds that a TCP DNS connection is allowed to stay
open while being idle, meaning without PowerDNS receiving or sending
even a single byte.

.. _setting-traceback-handler:

``traceback-handler``
---------------------

- Boolean
- Default: yes

Enable the Linux-only traceback handler.

.. _setting-trusted-notification-proxy:

``trusted-notification-proxy``
------------------------------

- String

IP address of incoming notification proxy.

.. _setting-udp-truncation-threshold:

``udp-truncation-threshold``
----------------------------

.. versionchanged:: 4.2.0
  Before 4.2.0, the default was 1680

- Integer
- Default: 1232

EDNS0 allows for large UDP response datagrams, which can potentially
raise performance. Large responses however also have downsides in terms
of reflection attacks. Maximum value is 65535, but values above
4096 should probably not be attempted.

.. note:: Why 1232?

  1232 is the largest number of payload bytes that can fit in the smallest IPv6 packet.
  IPv6 has a minimum MTU of 1280 bytes (:rfc:`RFC 8200, section 5 <8200#section-5>`), minus 40 bytes for the IPv6 header, minus 8 bytes for the UDP header gives 1232, the maximum payload size for the DNS response.

.. _setting-version-string:

``version-string``
------------------

- Any of: ``anonymous``, ``powerdns``, ``full``, String
- Default: full

When queried for its version over DNS
(``dig chaos txt version.bind @pdns.ip.address``), PowerDNS normally
responds truthfully. With this setting you can overrule what will be
returned. Set the ``version-string`` to ``full`` to get the default
behaviour, to ``powerdns`` to just make it state
``served by PowerDNS - http://www.powerdns.com``. The ``anonymous``
setting will return a ServFail, much like Microsoft nameservers do. You
can set this response to a custom value as well.

.. _setting-webserver:

``webserver``
-------------

- Boolean
- Default: no

Start a webserver for monitoring. See :doc:`performance`.

.. versionchanged:: 4.1.0
  It was necessary to enable the webserver to use the REST API, this is no longer the case.

.. _setting-webserver-address:

``webserver-address``
---------------------

- IP Address
- Default: 127.0.0.1

IP Address for webserver/API to listen on.

.. _setting-webserver-allow-from:

``webserver-allow-from``
------------------------

- IP ranges, separated by commas or whitespace
- Default: 127.0.0.1,::1

.. versionchanged:: 4.1.0

  Default is now 127.0.0.1,::1, was 0.0.0.0/0,::/0 before.

Webserver/API access is only allowed from these subnets.

.. _setting-webserver-loglevel:

``webserver-loglevel``
----------------------

.. versionadded:: 4.2.0

- String, one of "none", "normal", "detailed"

The amount of logging the webserver must do. "none" means no useful webserver information will be logged.
When set to "normal", the webserver will log a line per request that should be familiar::

  [webserver] e235780e-a5cf-415e-9326-9d33383e739e 127.0.0.1:55376 "GET /api/v1/servers/localhost/bla HTTP/1.1" 404 196

When set to "detailed", all information about the request and response are logged::

  [webserver] e235780e-a5cf-415e-9326-9d33383e739e Request Details:
  [webserver] e235780e-a5cf-415e-9326-9d33383e739e Headers:
  [webserver] e235780e-a5cf-415e-9326-9d33383e739e accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  [webserver] e235780e-a5cf-415e-9326-9d33383e739e accept-encoding: gzip, deflate
  [webserver] e235780e-a5cf-415e-9326-9d33383e739e accept-language: en-US,en;q=0.5
  [webserver] e235780e-a5cf-415e-9326-9d33383e739e connection: keep-alive
  [webserver] e235780e-a5cf-415e-9326-9d33383e739e dnt: 1
  [webserver] e235780e-a5cf-415e-9326-9d33383e739e host: 127.0.0.1:8081
  [webserver] e235780e-a5cf-415e-9326-9d33383e739e upgrade-insecure-requests: 1
  [webserver] e235780e-a5cf-415e-9326-9d33383e739e user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0
  [webserver] e235780e-a5cf-415e-9326-9d33383e739e No body
  [webserver] e235780e-a5cf-415e-9326-9d33383e739e Response details:
  [webserver] e235780e-a5cf-415e-9326-9d33383e739e Headers:
  [webserver] e235780e-a5cf-415e-9326-9d33383e739e Connection: close
  [webserver] e235780e-a5cf-415e-9326-9d33383e739e Content-Length: 49
  [webserver] e235780e-a5cf-415e-9326-9d33383e739e Content-Type: text/html; charset=utf-8
  [webserver] e235780e-a5cf-415e-9326-9d33383e739e Server: PowerDNS/0.0.15896.0.gaba8bab3ab
  [webserver] e235780e-a5cf-415e-9326-9d33383e739e Full body:
  [webserver] e235780e-a5cf-415e-9326-9d33383e739e <!html><title>Not Found</title><h1>Not Found</h1>
  [webserver] e235780e-a5cf-415e-9326-9d33383e739e 127.0.0.1:55376 "GET /api/v1/servers/localhost/bla HTTP/1.1" 404 196

The value between the hooks is a UUID that is generated for each request. This can be used to find all lines related to a single request.

.. note::
  The webserver logs these lines on the NOTICE level. The :ref:`setting-loglevel` setting must be 5 or higher for these lines to end up in the log.
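The UUID correlation described above, as an added example that is not part of the PowerDNS documentation or code base: it groups webserver log lines by request UUID and lists the requests that ended in a 4xx status. The sample lines are constructed in the format shown above; the function names and the tolerance for a syslog prefix in front of ``[webserver]`` are assumptions.

```python
import re

# Constructed sample: two interleaved requests in the "detailed" format shown
# above. The UUIDs, ports and paths are made up for this example.
SAMPLE_LOG = """\
[webserver] 0a0a0a0a-0000-4000-8000-000000000001 Request Details:
[webserver] 0b0b0b0b-0000-4000-8000-000000000002 Request Details:
[webserver] 0a0a0a0a-0000-4000-8000-000000000001 Headers:
[webserver] 0a0a0a0a-0000-4000-8000-000000000001 host: 127.0.0.1:8081
[webserver] 0b0b0b0b-0000-4000-8000-000000000002 Headers:
[webserver] 0b0b0b0b-0000-4000-8000-000000000002 host: 127.0.0.1:8081
[webserver] 0b0b0b0b-0000-4000-8000-000000000002 127.0.0.1:55380 "GET /api/v1/servers/localhost HTTP/1.1" 200 512
[webserver] 0a0a0a0a-0000-4000-8000-000000000001 127.0.0.1:55376 "GET /api/v1/servers/localhost/bla HTTP/1.1" 404 196
"""

UUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
# search(), not match(): assume a syslog prefix may precede "[webserver]".
LINE_RE = re.compile(r"\[webserver\] (?P<uuid>" + UUID + r") (?P<rest>.*)$")
SUMMARY_RE = re.compile(
    r'^(?P<peer>\S+) "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\d+)$"
)

def group_by_request(log_text):
    """Return {uuid: {"lines": [...], "summary": dict or None}}, first-seen order."""
    requests = {}
    for raw in log_text.splitlines():
        m = LINE_RE.search(raw)
        if m is None:
            continue  # not a webserver line
        entry = requests.setdefault(m["uuid"], {"lines": [], "summary": None})
        entry["lines"].append(m["rest"])
        # A later match overwrites an earlier one: the real summary is logged
        # last, so a header value that imitates it cannot take its place.
        s = SUMMARY_RE.match(m["rest"].strip())
        if s:
            entry["summary"] = dict(s.groupdict(), status=int(s["status"]),
                                    size=int(s["size"]))
    return requests

def client_errors(requests):
    """UUIDs of requests whose summary line carries a 4xx status."""
    return [uuid for uuid, entry in requests.items()
            if entry["summary"] and 400 <= entry["summary"]["status"] < 500]

if __name__ == "__main__":
    grouped = group_by_request(SAMPLE_LOG)
    for uuid in client_errors(grouped):
        print(uuid, grouped[uuid]["summary"])
        for line in grouped[uuid]["lines"]:
            print("   ", line)
```
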

.. _setting-webserver-password:

``webserver-password``
----------------------

- String

The plaintext password required for accessing the webserver.

.. _setting-webserver-port:

``webserver-port``
------------------

- Integer
- Default: 8081

The port the webserver/API will listen on.

.. _setting-webserver-print-arguments:

``webserver-print-arguments``
-----------------------------

- Boolean
- Default: no

If the webserver should print arguments.

.. _setting-write-pid:

``write-pid``
-------------

- Boolean
- Default: yes

If a PID file should be written.

.. _setting-xfr-max-received-mbytes:

``xfr-max-received-mbytes``
---------------------------

- Integer
- Default: 100

Specifies the maximum number of received megabytes allowed on an
incoming AXFR/IXFR update, to prevent resource exhaustion. A value of 0
means no restriction.
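An added example, not part of the PowerDNS documentation or tooling: a small audit that reads ``pdns.conf``-style text and reports the values this page itself cautions about (``rng=kiss``, a ``webserver-allow-from`` that covers every address, ``udp-truncation-threshold`` above 4096, ``xfr-max-received-mbytes=0``, unset ``setuid``/``setgid``). The parser is a simplified assumption about the file syntax, and the function names and sample configuration are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample, written to trip the checks below; not a recommended config.
SAMPLE_CONF = """\
webserver-allow-from=10.0.0.0/8
webserver-allow-from+=0.0.0.0/0   # same effect as the pre-4.1.0 default
rng=kiss
udp-truncation-threshold=8192
xfr-max-received-mbytes=0
setuid=pdns
"""

def parse_pdns_conf(text):
    """Simplified parser (assumption): '#' comments, name=value, name+=value, bare name = yes."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([a-z0-9-]+)\s*(\+?=)\s*(.*)$", line)
        if m is None:
            settings[line] = "yes"
        elif m[2] == "+=" and m[1] in settings:
            settings[m[1]] += "," + m[3]
        else:
            settings[m[1]] = m[3]
    return settings

def covers_everything(entry):
    try:
        return ipaddress.ip_network(entry, strict=False).prefixlen == 0
    except ValueError:
        return False  # unparsable entries are not judged here

def audit(settings):
    """Return (setting, reason) pairs, using the defaults documented on this page."""
    found = []
    if settings.get("rng", "auto") == "kiss":
        found.append(("rng", "deterministic RNG, for testing only"))
    acl = re.split(r"[,\s]+", settings.get("webserver-allow-from", "127.0.0.1,::1"))
    if any(covers_everything(e) for e in acl if e):
        found.append(("webserver-allow-from", "webserver/API open to every address"))
    if int(settings.get("udp-truncation-threshold", 1232)) > 4096:
        found.append(("udp-truncation-threshold", "large UDP answers aid reflection"))
    if int(settings.get("xfr-max-received-mbytes", 100)) == 0:
        found.append(("xfr-max-received-mbytes", "no size limit on incoming AXFR/IXFR"))
    for name in ("setuid", "setgid"):
        if not settings.get(name):
            found.append((name, "not set, so this id is never changed"))
    return found

if __name__ == "__main__":
    print(*audit(parse_pdns_conf(SAMPLE_CONF)), sep="\n")
```
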