Authoritative Server Settings
=============================

All PowerDNS Authoritative Server settings are listed here, excluding
those that originate from backends, which are documented in the relevant
chapters. These settings can be set inside ``pdns.conf`` or on the
command line when invoking the ``pdns`` binary.

You can use ``+=`` syntax to set some variables incrementally, but this
requires you to have at least one non-incremental setting for the
variable to act as base setting. This is mostly useful for the
:ref:`setting-include-dir` directive.

For boolean settings, specifying the name of the setting without a value
means ``yes``.

.. _setting-8bit-dns:

``8bit-dns``
------------

- Boolean
- Default: no

.. versionadded:: 4.0.0

Allow 8-bit DNS queries.

.. _setting-allow-axfr-ips:

``allow-axfr-ips``
------------------

- IP ranges, separated by commas
- Default: 127.0.0.0/8,::1

If set, only these IP addresses or netmasks will be able to perform
AXFR.

.. _setting-allow-dnsupdate-from:

``allow-dnsupdate-from``
------------------------

- IP ranges, separated by commas
- Default: 127.0.0.0/8,::1

Allow DNS updates from these IP ranges. Set to an empty string to honour
``ALLOW-DNSUPDATE-FROM`` in :ref:`metadata-allow-dnsupdate-from`.

.. _setting-allow-notify-from:

``allow-notify-from``
---------------------

- IP ranges, separated by commas
- Default: 0.0.0.0/0,::/0

Allow AXFR NOTIFY from these IP ranges. Setting this to an empty string
will drop all incoming notifies.

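The three address lists above share one matching rule (the client address must fall inside one of the comma-separated prefixes) but differ in what an empty list means: ``allow-notify-from`` drops everything, ``allow-dnsupdate-from`` defers to the zone's metadata. The following Python is added here as an illustration and is not PowerDNS code; it evaluates such lists with the standard ``ipaddress`` module and tolerates spaces after commas. The function names, the ``disable_axfr`` parameter and the zone-metadata dictionary are assumptions of the example.

```python
import ipaddress

def parse_acl(setting):
    """Turn a comma-separated list of addresses/netmasks into network objects.
    Whitespace around entries is tolerated. An empty string yields an empty
    list; the caller decides what that means for its setting."""
    nets = []
    for entry in setting.split(","):
        entry = entry.strip()
        if not entry:
            continue
        # strict=False accepts a prefix with host bits set, e.g. 192.0.2.4/24
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def acl_allows(nets, client):
    """True if client falls inside any network in nets (family-aware)."""
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in nets if net.version == addr.version)

# Defaults as documented on this page.
ALLOW_AXFR_IPS_DEFAULT = "127.0.0.0/8,::1"
ALLOW_NOTIFY_FROM_DEFAULT = "0.0.0.0/0,::/0"
ALLOW_DNSUPDATE_FROM_DEFAULT = "127.0.0.0/8,::1"

def axfr_permitted(client, allow_axfr_ips=ALLOW_AXFR_IPS_DEFAULT, disable_axfr=False):
    """allow-axfr-ips: only listed prefixes may transfer; disable-axfr wins over all."""
    if disable_axfr:
        return False
    return acl_allows(parse_acl(allow_axfr_ips), client)

def notify_accepted(client, allow_notify_from=ALLOW_NOTIFY_FROM_DEFAULT):
    """allow-notify-from: an empty list drops every incoming NOTIFY."""
    nets = parse_acl(allow_notify_from)
    if not nets:
        return False
    return acl_allows(nets, client)

def dnsupdate_accepted(client, zone_metadata, allow_dnsupdate_from=ALLOW_DNSUPDATE_FROM_DEFAULT):
    """allow-dnsupdate-from: when the global list is empty, honour the zone's
    ALLOW-DNSUPDATE-FROM metadata. zone_metadata is a constructed dict
    {metadata_name: [values]} standing in for the backend's metadata table."""
    nets = parse_acl(allow_dnsupdate_from)
    if not nets:
        nets = parse_acl(",".join(zone_metadata.get("ALLOW-DNSUPDATE-FROM", [])))
    return acl_allows(nets, client)
```

With the documented defaults, only loopback may AXFR or send updates while any address may send a NOTIFY; the tests below exercise each empty-list rule separately.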
.. _setting-allow-recursion:

``allow-recursion``
-------------------

- IP ranges, separated by commas
- Default: 0.0.0.0/0

.. deprecated:: 4.1.0
  Recursion has been removed, see :doc:`guides/recursion`

By specifying ``allow-recursion``, recursion can be restricted to the
netmasks specified. The default is to allow recursion from everywhere.
Example: ``allow-recursion=198.51.100.0/24, 10.0.0.0/8, 192.0.2.4``.

.. _setting-allow-unsigned-notify:

``allow-unsigned-notify``
-------------------------

- Boolean
- Default: yes

.. versionadded:: 4.0.0

Turning this off requires all notifications that are received to be
signed with a valid TSIG signature for the zone.

.. _setting-allow-unsigned-supermaster:

``allow-unsigned-supermaster``
------------------------------

- Boolean
- Default: yes

.. versionadded:: 4.0.0

Turning this off requires all supermaster notifications to be signed with
a valid TSIG signature. It will accept any existing key on the slave.

.. _setting-also-notify:

``also-notify``
---------------

- IP addresses, separated by commas

When notifying a domain, also notify these nameservers. Example:
``also-notify=192.0.2.1, 203.0.113.167``. The IP addresses listed in
``also-notify`` always receive a notification, even if they do not match
the list in :ref:`setting-only-notify`.

.. _setting-any-to-tcp:

``any-to-tcp``
--------------

- Boolean
- Default: yes

.. versionchanged:: 4.0.1
  was 'no' before.

Answer ANY queries received over UDP with a truncated packet that refers
the remote server to TCP. Useful for mitigating reflection attacks.

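What ``any-to-tcp`` does on the wire, as an added Python illustration that is not PowerDNS code: a minimal DNS header and question parser, and a responder that answers an ANY query arriving over UDP with an empty reply carrying the TC bit. Such a reply is the same size as the query, so a query with a spoofed source address yields no amplification; a legitimate client retries over TCP, where the source cannot be forged. The query builder and the ``example.com`` packet are constructed test input, not captured traffic, and the function names are the example's own.

```python
import struct

QTYPE_A = 1
QTYPE_ANY = 255

FLAG_QR = 0x8000  # response
FLAG_AA = 0x0400  # authoritative answer
FLAG_TC = 0x0200  # truncated: tells the client to retry over TCP
FLAG_RD = 0x0100  # recursion desired, echoed back from the query

def build_query(qname, qtype, txid=0x1234):
    """Constructed test input: a minimal one-question DNS query (no EDNS)."""
    labels = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    header = struct.pack(">HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)

def parse_question(packet):
    """Return (txid, flags, qname, qtype, raw question bytes) of a one-question packet."""
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack(">HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off, labels = 12, []
    while True:
        length = packet[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[off:off + length].decode("ascii"))
        off += length
    qtype, _qclass = struct.unpack(">HH", packet[off:off + 4])
    return txid, flags, ".".join(labels) + ".", qtype, packet[12:off + 4]

def respond(packet, transport, any_to_tcp=True):
    """Model of the any-to-tcp decision; transport is 'udp' or 'tcp'.
    With the setting on, ANY over UDP gets an empty answer with TC set and
    the real record set is only ever produced over TCP. Answer sections are
    left empty in every branch here: the point of the example is the header."""
    txid, qflags, _qname, qtype, question = parse_question(packet)
    flags = FLAG_QR | FLAG_AA | (qflags & FLAG_RD)
    if any_to_tcp and transport == "udp" and qtype == QTYPE_ANY:
        flags |= FLAG_TC
    return struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0) + question

def is_truncated(packet):
    """True if the TC bit is set in the packet's flags word."""
    return bool(struct.unpack(">H", packet[2:4])[0] & FLAG_TC)
```

The truncated reply is header plus the echoed question, exactly the length of the incoming query, which is why this setting removes ANY as a reflection vector without refusing the query type outright.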
.. _setting-api:

``api``
-------

- Boolean
- Default: no

Enable/disable the :doc:`http-api/index`.

.. _setting-api-key:

``api-key``
-----------

- String

.. versionadded:: 4.0.0

Static pre-shared authentication key for access to the REST API.

.. _setting-api-readonly:

``api-readonly``
----------------

- Boolean
- Default: no

.. versionadded:: 4.0.0
.. versionchanged:: 4.2.0
  This setting has been removed in 4.2.0.

Disallow data modification through the REST API when set.

.. _setting-axfr-fetch-timeout:

``axfr-fetch-timeout``
----------------------

- Integer
- Default: 10

.. versionadded:: 4.3.0

Maximum time in seconds for an inbound AXFR to start or be idle after starting.

.. _setting-axfr-lower-serial:

``axfr-lower-serial``
---------------------

- Boolean
- Default: no

.. versionadded:: 4.0.4

Also AXFR a zone from a master with a lower serial.

.. _setting-cache-ttl:

``cache-ttl``
-------------

- Integer
- Default: 20

Seconds to store packets in the :ref:`packet-cache`. A value of 0 will disable the cache.

.. _setting-carbon-instance:

``carbon-instance``
-------------------

- String
- Default: auth

.. versionadded:: 4.2.0

Set the instance or third string of the metric key. Be careful not to include
any dots in this setting, unless you know what you are doing.
See :ref:`metricscarbon`.

.. _setting-carbon-interval:

``carbon-interval``
-------------------

- Integer
- Default: 30

If sending carbon updates, this is the interval between them in seconds.
See :ref:`metricscarbon`.

.. _setting-carbon-namespace:

``carbon-namespace``
--------------------

- String
- Default: pdns

.. versionadded:: 4.2.0

Set the namespace or first string of the metric key. Be careful not to include
any dots in this setting, unless you know what you are doing.
See :ref:`metricscarbon`.

.. _setting-carbon-ourname:

``carbon-ourname``
------------------

- String
- Default: the hostname of the server

If sending carbon updates, this setting, when set, overrides our hostname. Be
careful not to include any dots in this setting, unless you know what
you are doing. See :ref:`metricscarbon`.

.. _setting-carbon-server:

``carbon-server``
-----------------

- IP Address

Send all available metrics to this server via the carbon protocol, which
is used by graphite and metronome. It has to be an IP address (no
hostnames). More than one server can be specified as a comma-delimited list, e.g.
``carbon-server=10.10.10.10,10.10.10.20``.
An alternate port can be specified by appending ``:port``, e.g.
``127.0.0.1:2004``. See :ref:`metricscarbon`.

.. _setting-chroot:

``chroot``
----------

- Path

If set, chroot to this directory for more security. See :doc:`security`.

Make sure that ``/dev/log`` is available from within the chroot. Logging
will silently fail over time otherwise (on logrotate).

When setting ``chroot``, all other paths in the configuration (except for
:ref:`setting-config-dir` and :ref:`setting-module-dir`)
are relative to the new root.

When running on a system where systemd manages services, ``chroot`` does
not work out of the box, as PowerDNS cannot use the ``NOTIFY_SOCKET``.
Either don't ``chroot`` on these systems or set the 'Type' of this
service to 'simple' instead of 'notify' (refer to the systemd
documentation on how to modify unit files).

.. _setting-config-dir:

``config-dir``
--------------

- Path

Location of configuration directory (``pdns.conf``). Usually
``/etc/powerdns``, but this depends on ``SYSCONFDIR`` during
compile-time.

.. _setting-config-name:

``config-name``
---------------

- String

Name of this virtual configuration - will rename the binary image. See
:doc:`guides/virtual-instances`.

.. _setting-control-console:

``control-console``
-------------------

Debugging switch - don't use.

.. _setting-daemon:

``daemon``
----------

- Boolean
- Default: no

Operate as a daemon.

.. _setting-default-api-rectify:

``default-api-rectify``
-----------------------

- Boolean
- Default: yes

.. versionadded:: 4.2.0

The value of :ref:`metadata-api-rectify` if it is not set on the zone.

.. note::
  Before 4.2.0 the default was always ``no``.

.. _setting-default-ksk-algorithms:
.. _setting-default-ksk-algorithm:

``default-ksk-algorithm``
-------------------------

- String
- Default: ecdsa256

.. versionchanged:: 4.1.0
  Renamed from ``default-ksk-algorithms``. No longer supports multiple algorithm names.

The algorithm that should be used for the KSK when running
:doc:`pdnsutil secure-zone <manpages/pdnsutil.1>` or using the :doc:`Zone API endpoint <http-api/cryptokey>`
to enable DNSSEC. Must be one of:

* rsasha1
* rsasha256
* rsasha512
* ecdsa256 (ECDSA P-256 with SHA256)
* ecdsa384 (ECDSA P-384 with SHA384)
* ed25519
* ed448

.. note::
  Actual supported algorithms depend on the crypto-libraries
  PowerDNS was compiled against. To check the supported DNSSEC algorithms
  in your build of PowerDNS, run ``pdnsutil list-algorithms``.

.. _setting-default-ksk-size:

``default-ksk-size``
--------------------

- Integer
- Default: whichever is the default for `default-ksk-algorithm`_

The default keysize for the KSK generated with :doc:`pdnsutil secure-zone <dnssec/pdnsutil>`.
Only relevant for algorithms with non-fixed keysizes (like RSA).

.. _setting-default-soa-edit:

``default-soa-edit``
--------------------

- String
- Default: empty

Use this soa-edit value for all zones if no
:ref:`metadata-soa-edit` metadata value is set.

.. _setting-default-soa-edit-signed:

``default-soa-edit-signed``
---------------------------

- String
- Default: empty

Use this soa-edit value for all signed zones if no
:ref:`metadata-soa-edit` metadata value is set.
Overrides :ref:`setting-default-soa-edit`.

.. _setting-default-soa-mail:

``default-soa-mail``
--------------------

- String

.. deprecated:: 4.2.0
  This setting has been deprecated and will be removed in 4.3.0

Mail address to insert in the SOA record if none is set in the backend.

.. _setting-default-soa-name:

``default-soa-name``
--------------------

- String
- Default: a.misconfigured.powerdns.server

.. deprecated:: 4.2.0
  This setting has been deprecated and will be removed in 4.3.0

Name to insert in the SOA record if none is set in the backend.

.. _setting-default-ttl:

``default-ttl``
---------------

- Integer
- Default: 3600

TTL to use when none is provided.

.. _setting-default-zsk-algorithms:
.. _setting-default-zsk-algorithm:

``default-zsk-algorithm``
--------------------------

- String
- Default: (empty)

.. versionchanged:: 4.1.0
  Renamed from ``default-zsk-algorithms``. No longer supports multiple algorithm names.

The algorithm that should be used for the ZSK when running
:doc:`pdnsutil secure-zone <manpages/pdnsutil.1>` or using the :doc:`Zone API endpoint <http-api/cryptokey>`
to enable DNSSEC. Must be one of:

* rsasha1
* rsasha256
* rsasha512
* ecdsa256 (ECDSA P-256 with SHA256)
* ecdsa384 (ECDSA P-384 with SHA384)
* ed25519
* ed448

.. note::
  Actual supported algorithms depend on the crypto-libraries
  PowerDNS was compiled against. To check the supported DNSSEC algorithms
  in your build of PowerDNS, run ``pdnsutil list-algorithms``.

.. _setting-default-zsk-size:

``default-zsk-size``
--------------------

- Integer
- Default: 0 (automatic default for `default-zsk-algorithm`_)

The default keysize for the ZSK generated with :doc:`pdnsutil secure-zone <dnssec/pdnsutil>`.
Only relevant for algorithms with non-fixed keysizes (like RSA).

.. _setting-direct-dnskey:

``direct-dnskey``
-----------------

- Boolean
- Default: no

Read additional DNSKEY, CDS and CDNSKEY records from the records table/your BIND zonefile. If not
set, DNSKEY, CDS and CDNSKEY records in the zonefiles are ignored.

.. _setting-disable-axfr:

``disable-axfr``
----------------

- Boolean
- Default: no

Do not allow zone transfers.

.. _setting-disable-axfr-rectify:

``disable-axfr-rectify``
------------------------

- Boolean
- Default: no

Disable the rectify step during an outgoing AXFR. Only required for
regression testing.

.. _setting-disable-syslog:

``disable-syslog``
------------------

- Boolean
- Default: no

Do not log to syslog, only to stdout. Use this setting when running
inside a supervisor that handles logging (like systemd).

.. warning::
  Do not use this setting in combination with :ref:`setting-daemon` as all
  logging will disappear.

.. _setting-disable-tcp:

``disable-tcp``
---------------

- Boolean
- Default: no

.. versionchanged:: 4.2.0
  This setting has been removed

Do not listen to TCP queries. Breaks RFC compliance.

.. _setting-distributor-threads:

``distributor-threads``
-----------------------

- Integer
- Default: 3

Number of Distributor (backend) threads to start per receiver thread.
See :doc:`performance`.

.. _setting-dname-processing:

``dname-processing``
--------------------

- Boolean
- Default: no

Synthesise CNAME records from DNAME records as required. This
approximately doubles query load. **Do not combine with DNSSEC!**

.. _setting-dnssec-key-cache-ttl:

``dnssec-key-cache-ttl``
------------------------

- Integer
- Default: 30

Seconds to cache DNSSEC keys from the database. A value of 0 disables
caching.

.. _setting-dnsupdate:

``dnsupdate``
-------------

- Boolean
- Default: no

Enable/Disable DNS update (RFC2136) support. See :doc:`dnsupdate` for more.

.. _setting-do-ipv6-additional-processing:

``do-ipv6-additional-processing``
---------------------------------

- Boolean
- Default: yes

Perform AAAA additional processing. This sends AAAA records in the
ADDITIONAL section when sending a referral.

.. _setting-domain-metadata-cache-ttl:

``domain-metadata-cache-ttl``
-----------------------------

- Integer
- Default: 60

Seconds to cache domain metadata from the database. A value of 0
disables caching.

.. _setting-edns-subnet-processing:

``edns-subnet-processing``
--------------------------

- Boolean
- Default: no

Enables EDNS subnet processing, for backends that support it.

.. _setting-enable-lua-records:

``enable-lua-records``
----------------------

- One of ``no``, ``yes`` (or empty), or ``shared``, String
- Default: no

.. versionadded:: 4.2.0

Globally enable the :doc:`LUA records <lua-records/index>` feature.

To use shared LUA states, set this to ``shared``, see :ref:`lua-records-shared-state`.

.. _setting-entropy-source:

``entropy-source``
------------------

- Path
- Default: /dev/urandom

Entropy source file to use.

.. _setting-expand-alias:

``expand-alias``
----------------

- Boolean
- Default: no

.. versionadded:: 4.1.0

If this is enabled, ALIAS records are expanded (synthesised to their
A/AAAA).

If this is disabled (the default), ALIAS records will not be expanded and
the server will return NODATA for A/AAAA queries for such names.

.. note::
  :ref:`setting-resolver` must also be set for ALIAS expansion to work!

.. note::
  In PowerDNS Authoritative Server 4.0.x, this setting did not exist and
  ALIAS was always expanded.

.. _setting-forward-dnsupdate:

``forward-dnsupdate``
---------------------

- Boolean
- Default: no

Forward DNS updates sent to a slave to the master.

.. _setting-forward-notify:

``forward-notify``
------------------

- IP addresses, separated by commas

IP addresses to forward received notifications to regardless of master
or slave settings.

.. note::
  The intended use is in anycast environments where it might be
  necessary for a proxy server to perform the AXFR. The usual checks are
  performed before any received notification is forwarded.

.. _setting-guardian:

``guardian``
------------

- Boolean
- Default: no

Run within a guardian process. See :ref:`running-guardian`.

.. _setting-include-dir:

``include-dir``
---------------

- Path

Directory to scan for additional config files. All files that end with
``.conf`` are loaded in order, sorted using the ``POSIX`` locale.

.. _setting-launch:

``launch``
----------

- Backend names, separated by commas

Which backends to launch and the order to query them in. In its simplest
form, supply all backends that need to be launched, e.g.:

.. code-block:: ini

  launch=bind,gmysql,remote

If you find that you need to query a backend multiple times with
different configuration, you can specify a name for later
instantiations, e.g.:

.. code-block:: ini

  launch=gmysql,gmysql:server2

In this case, there are 2 instances of the gmysql backend, one under the
normal name and the second one called 'server2'. The backend
configuration item names change: e.g. ``gmysql-host`` is available to
configure the ``host`` setting of the first or main instance, and
``gmysql-server2-host`` for the second one.

Running multiple instances of the BIND backend is not allowed.

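An added Python illustration (not PowerDNS code) of the configuration rules this page states: the ``+=`` incremental syntax from the top of the page, rejected when no base setting exists; a bare boolean name meaning ``yes``; ``include-dir`` files ending in ``.conf`` loaded in sorted order with later files overriding earlier ones; and the ``launch`` instance naming above, which maps ``gmysql:server2`` to a ``gmysql-server2-`` option prefix and refuses a second ``bind`` instance. Files are supplied as an in-memory dictionary so the example runs offline; the function names, the comment handling and the sample configuration are assumptions of the example rather than a description of the real parser.

```python
# Bare names treated as booleans in this example (a subset of the page's boolean settings).
BOOLEAN_SETTINGS = {"api", "master", "daemon", "disable-axfr", "dnsupdate", "any-to-tcp"}

def parse_conf_text(text, settings=None):
    """Parse pdns.conf-style text into settings: 'key=value', 'key+=value'
    (append to an existing base value) or a bare boolean name meaning 'yes'.
    Anything after '#' is treated as a comment (an assumption of this example)."""
    settings = {} if settings is None else settings
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "+=" in line:                      # check before '=' since '+=' contains it
            key, value = (part.strip() for part in line.split("+=", 1))
            if key not in settings:
                raise ValueError(f"line {lineno}: '{key}+=' used without a base '{key}=' setting")
            settings[key] = f"{settings[key]},{value}" if settings[key] else value
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
        elif line in BOOLEAN_SETTINGS:
            settings[line] = "yes"            # bare boolean name means yes
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    return settings

def load_config(files, main="pdns.conf"):
    """files: {path: text}. Parses main, then every '<include-dir>/*.conf' in
    byte order (what the POSIX locale sorts to), letting later files override."""
    settings = parse_conf_text(files[main])
    include_dir = settings.get("include-dir")
    if include_dir:
        prefix = include_dir.rstrip("/") + "/"
        for path in sorted(p for p in files if p.startswith(prefix) and p.endswith(".conf")):
            parse_conf_text(files[path], settings)
    return settings

def launch_instances(launch):
    """Split 'launch=' into (backend, option prefix) pairs: 'gmysql' gives
    'gmysql-' and 'gmysql:server2' gives 'gmysql-server2-'. A second bind
    instance is rejected, as the page states."""
    instances, bind_count = [], 0
    for entry in launch.split(","):
        entry = entry.strip()
        if not entry:
            continue
        backend, _, name = entry.partition(":")
        if backend == "bind":
            bind_count += 1
            if bind_count > 1:
                raise ValueError("running multiple instances of the BIND backend is not allowed")
        instances.append((backend, f"{backend}-{name}-" if name else f"{backend}-"))
    return instances

def instance_settings(settings, prefix, all_prefixes=()):
    """Collect the options of one backend instance. Keys belonging to a longer
    prefix of another instance ('gmysql-server2-' under 'gmysql-') are excluded."""
    others = [p for p in all_prefixes if p != prefix and p.startswith(prefix)]
    return {
        key[len(prefix):]: value
        for key, value in settings.items()
        if key.startswith(prefix) and not any(key.startswith(o) for o in others)
    }

# Constructed sample configuration for this example.
SAMPLE_FILES = {
    "pdns.conf": (
        "launch=gmysql,gmysql:server2\n"
        "gmysql-host=127.0.0.1\n"
        "gmysql-server2-host=192.0.2.10\n"
        "allow-axfr-ips=127.0.0.0/8\n"
        "include-dir=/etc/powerdns/pdns.d\n"
        "master   # bare boolean: the same as master=yes\n"
    ),
    "/etc/powerdns/pdns.d/10-axfr.conf": "allow-axfr-ips+=192.0.2.0/24\n",
    "/etc/powerdns/pdns.d/00-api.conf": "api=yes\napi-key=changeme\n",
    "/etc/powerdns/pdns.d/README": "api-key=ignored-because-not-a-conf-file\n",
}
```

Loading ``SAMPLE_FILES`` reads ``00-api.conf`` before ``10-axfr.conf`` and skips ``README``; the ``+=`` in ``10-axfr.conf`` succeeds only because ``pdns.conf`` already set a base ``allow-axfr-ips``.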
0e2063c3 PL |
732 | .. _setting-load-modules: |
733 | ||
734 | ``load-modules`` | |
735 | ---------------- | |
736 | ||
737 | - Paths, separated by commas | |
738 | ||
739 | If backends are available in nonstandard directories, specify their | |
740 | location here. Multiple files can be loaded if separated by commas. Only | |
741 | available in non-static distributions. | |
742 | ||
743 | .. _setting-local-address: | |
744 | ||
745 | ``local-address`` | |
746 | ----------------- | |
747 | ||
f5ad09dc PL |
748 | .. versionchanged:: 4.3.0 |
749 | Before 4.3.0, this setting only supported IPv4. | |
750 | ||
0e2063c3 | 751 | - IPv4 Addresses, separated by commas or whitespace |
f5ad09dc | 752 | - Default: 0.0.0.0, ``::`` |
0e2063c3 | 753 | |
f5ad09dc | 754 | Local IP addresses to which we bind. It is highly advised to bind to |
0e2063c3 PL |
755 | specific interfaces and not use the default 'bind to any'. This causes |
756 | big problems if you have multiple IP addresses. Unix does not provide a | |
757 | way of figuring out what IP address a packet was sent to when binding to | |
758 | any. | |
759 | ||
0e2063c3 PL |
760 | .. _setting-local-address-nonexist-fail: |
761 | ||
762 | ``local-address-nonexist-fail`` | |
763 | ------------------------------- | |
764 | ||
765 | - Boolean | |
766 | - Default: no | |
767 | ||
768 | Fail to start if one or more of the | |
769 | :ref:`setting-local-address`'s do not exist on this server. | |
770 | ||
771 | .. _setting-local-ipv6: | |
772 | ||
773 | ``local-ipv6`` | |
774 | -------------- | |
775 | ||
f5ad09dc PL |
776 | .. deprecated:: 4.3.0 |
777 | This setting has been removed, use :ref:`setting-localaddress` | |
778 | ||
0e2063c3 PL |
779 | - IPv6 Addresses, separated by commas or whitespace |
780 | - Default: '::' | |
781 | ||
782 | Local IPv6 address to which we bind. It is highly advised to bind to | |
783 | specific interfaces and not use the default 'bind to any'. This causes | |
784 | big problems if you have multiple IP addresses. | |
785 | ||
786 | .. _setting-local-ipv6-nonexist-fail: | |
787 | ||
788 | ``local-ipv6-nonexist-fail`` | |
789 | ---------------------------- | |
790 | ||
f5ad09dc PL |
791 | .. deprecated:: 4.3.0 |
792 | This setting has been removed, use :ref:`setting-localaddress-nonexist-fail` | |
793 | ||
0e2063c3 PL |
794 | - Boolean |
795 | - Default: no | |
796 | ||
797 | Fail to start if one or more of the :ref:`setting-local-ipv6` | |
798 | addresses do not exist on this server. | |
799 | ||
800 | .. _setting-local-port: | |
801 | ||
802 | ``local-port`` | |
803 | -------------- | |
804 | ||
805 | - Integer | |
806 | - Default: 53 | |
807 | ||
808 | The port on which we listen. Only one port possible. | |
809 | ||
810 | .. _setting-log-dns-details: | |
811 | ||
812 | ``log-dns-details`` | |
813 | ------------------- | |
814 | ||
815 | - Boolean | |
816 | - Default: no | |
817 | ||
818 | If set to 'no', informative-only DNS details will not even be sent to | |
819 | syslog, improving performance. | |
820 | ||
43f61934 GD |
821 | .. _setting-log-dns-queries: |
822 | ||
823 | ``log-dns-queries`` | |
824 | ------------------- | |
825 | ||
826 | - Boolean | |
827 | - Default: no | |
828 | ||
829 | Tell PowerDNS to log all incoming DNS queries. This will lead to a lot | |
830 | of logging! Only enable for debugging! Set :ref:`setting-loglevel` | |
831 | to at least 5 to see the logs. | |
832 | ||
833 | .. _setting-log-timestamp: | |
834 | ||
835 | ``log-timestamp`` | |
836 | ----------------- | |
837 | ||
838 | - Bool | |
839 | - Default: yes | |
840 | ||
841 | .. versionadded:: 4.1.0 | |
842 | ||
843 | When printing log lines to stdout, prefix them with timestamps. | |
844 | Disable this if the process supervisor timestamps these lines already. | |
845 | ||
846 | .. note:: | |
847 | The systemd unit file supplied with the source code already disables timestamp printing | |
848 | ||
0e2063c3 PL |
849 | .. _setting-logging-facility: |
850 | ||
851 | ``logging-facility`` | |
852 | -------------------- | |
853 | ||
854 | If set to a digit, logging is performed under this LOCAL facility. See :ref:`logging-to-syslog`. | |
855 | Do not pass names like 'local0'! | |
856 | ||
857 | .. _setting-loglevel: | |
858 | ||
859 | ``loglevel`` | |
860 | ------------ | |
861 | ||
862 | - Integer | |
863 | - Default: 4 | |
864 | ||
e7e225a7 PL |
865 | Amount of logging. Higher is more. Do not set below 3. Corresponds to "syslog" level values, |
866 | e.g. error = 3, warning = 4, notice = 5, info = 6 | |
0e2063c3 | 867 | |
43f61934 | 868 | .. _setting-lua-axfr-script: |
0e2063c3 | 869 | |
43f61934 | 870 | ``lua-axfr-script`` |
0e2063c3 PL |
871 | ------------------- |
872 | ||
43f61934 GD |
873 | - String |
874 | - Default: empty | |
0e2063c3 | 875 | |
43f61934 GD |
876 | .. versionadded:: 4.1.0 |
877 | ||
878 | Script to be used to edit incoming AXFRs, see :ref:`modes-of-operation-axfrfilter` | |
0e2063c3 PL |
879 | |
880 | .. _setting-lua-prequery-script: | |
881 | ||
882 | ``lua-prequery-script`` | |
883 | ----------------------- | |
884 | ||
885 | - Path | |
886 | ||
887 | Lua script to run before answering a query. This is a feature used | |
888 | internally for regression testing. The API of this functionality is not | |
889 | guaranteed to be stable, and is in fact likely to change. | |
890 | ||
43f61934 GD |
891 | .. _setting-lua-records-exec-limit: |
892 | ||
893 | ``lua-records-exec-limit`` | |
894 | ----------------------------- | |
895 | ||
896 | - Integer | |
897 | - Default: 1000 | |
898 | ||
899 | Limit LUA records scripts to ``lua-records-exec-limit`` instructions. | |
900 | Setting this to any value less than or equal to 0 will set no limit. | |
901 | ||
0e2063c3 PL |
902 | .. _setting-master: |
903 | ||
904 | ``master`` | |
905 | ---------- | |
906 | ||
907 | - Boolean | |
908 | - Default: no | |
909 | ||
910 | Turn on master support. See :ref:`master-operation`. | |
911 | ||
912 | .. _setting-max-cache-entries: | |
913 | ||
914 | ``max-cache-entries`` | |
915 | --------------------- | |
916 | ||
917 | - Integer | |
918 | - Default: 1000000 | |
919 | ||
d99d1243 PL |
920 | .. versionchanged:: 4.1.0 |
921 | The packet and query caches are distinct. Previously, this setting was used for | |
9e461099 | 922 | both the packet and query caches. See :ref:`setting-max-packet-cache-entries` for |
the packet-cache setting.

Maximum number of entries in the query cache. 1 million (the default)
will generally suffice for most installations.

.. _setting-max-ent-entries:

``max-ent-entries``
-------------------

- Integer
- Default: 100000

Maximum number of empty non-terminals to add to a zone. This is a
protection measure to avoid database explosion due to long names.

.. _setting-max-generate-steps:

``max-generate-steps``
----------------------

.. versionadded:: 4.3.0

- Integer
- Default: 0

Maximum number of steps for a '$GENERATE' directive when parsing a
zone file. This is a protection measure to prevent consuming a lot of
CPU and memory when untrusted zones are loaded. Defaults to 0, which
means unlimited.

.. _setting-max-nsec3-iterations:

``max-nsec3-iterations``
------------------------

- Integer
- Default: 500

Limit the number of NSEC3 hash iterations for zone configurations.
For more information see :ref:`dnssec-operational-nsec-modes-params`.

.. _setting-max-packet-cache-entries:

``max-packet-cache-entries``
----------------------------

- Integer
- Default: 1000000

.. versionadded:: 4.1.0

Maximum number of entries in the packet cache. 1 million (the default)
will generally suffice for most installations.

.. _setting-max-queue-length:

``max-queue-length``
--------------------

- Integer
- Default: 5000

If this many packets are waiting for database attention, consider the
situation hopeless and respawn.

.. _setting-max-signature-cache-entries:

``max-signature-cache-entries``
-------------------------------

- Integer
- Default: 2^31-1 (on most systems), 2^63-1 (on ILP64 systems)

Maximum number of signature cache entries.

.. _setting-max-tcp-connection-duration:

``max-tcp-connection-duration``
-------------------------------

- Integer
- Default: 0

Maximum time in seconds that a TCP DNS connection is allowed to stay
open. 0 means unlimited. Note that exchanges related to an AXFR or IXFR
are not affected by this setting.

.. _setting-max-tcp-connections:

``max-tcp-connections``
-----------------------

- Integer
- Default: 20

Allow this many incoming TCP DNS connections simultaneously.

.. _setting-max-tcp-connections-per-client:

``max-tcp-connections-per-client``
----------------------------------

- Integer
- Default: 0

Maximum number of simultaneous TCP connections per client. 0 means
unlimited.

.. _setting-max-tcp-transactions-per-conn:

``max-tcp-transactions-per-conn``
---------------------------------

- Integer
- Default: 0

Allow this many DNS queries in a single TCP transaction. 0 means
unlimited. Note that exchanges related to an AXFR or IXFR are not
affected by this setting.

.. _setting-module-dir:

``module-dir``
--------------

- Path

Directory for modules. The default depends on ``PKGLIBDIR`` at
compile time.

.. _setting-negquery-cache-ttl:

``negquery-cache-ttl``
----------------------

- Integer
- Default: 60

Seconds to store queries with no answer in the Query Cache. See :ref:`query-cache`.

.. _setting-no-config:

``no-config``
-------------

- Boolean
- Default: no

Do not attempt to read the configuration file. Useful for configuration
by parameters from the command line only.

.. _setting-no-shuffle:

``no-shuffle``
--------------

- Boolean
- Default: no

Do not attempt to shuffle query results; used for regression testing.

.. _setting-non-local-bind:

``non-local-bind``
------------------

- Boolean
- Default: no

Bind to addresses even if one or more of the addresses in
:ref:`setting-local-address` do not exist on this server.
Setting this option will enable the socket options needed to allow
binding to non-local addresses. This feature is intended to facilitate
IP failover setups, but it may also mask configuration issues and for
this reason it is disabled by default.

.. _setting-only-notify:

``only-notify``
---------------

- IP Ranges, separated by commas or whitespace
- Default: 0.0.0.0/0, ::/0

For type=MASTER zones (or SLAVE zones with slave-renotify enabled)
PowerDNS automatically sends NOTIFYs to the name servers specified in
the NS records. By specifying networks/masks as a whitelist, the targets
can be limited. The default is to notify the world. To completely
disable these NOTIFYs set ``only-notify`` to an empty value. Independent
of this setting, the IP addresses or netmasks configured with
:ref:`setting-also-notify` and ``ALSO-NOTIFY`` domain metadata
always receive AXFR NOTIFYs.

IP addresses and netmasks can be excluded by prefixing them with a ``!``.
To notify all IP addresses apart from the 192.168.0.0/24 subnet use the following::

    only-notify=0.0.0.0/0, ::/0, !192.168.0.0/24

.. note::
  Even if NOTIFYs are limited by a netmask, PowerDNS first has to
  resolve all the hostnames to check their IP addresses against the
  specified whitelist. The resolving may take considerable time,
  especially if those hostnames are slow to resolve. If you do not need to
  NOTIFY the slaves defined in the NS records (e.g. you are using another
  method to distribute the zone data to the slaves), then set
  :ref:`setting-only-notify` to an empty value and specify the notification targets
  explicitly using :ref:`setting-also-notify` and/or
  :ref:`metadata-also-notify` domain metadata to avoid this potential bottleneck.

.. note::
  If your slaves support an Internet Protocol version that your master does not,
  set ``only-notify`` to include only the supported protocol version.
  Otherwise there will be errors when trying to resolve addresses.

  For example, if the slaves support both IPv4 and IPv6 but the PowerDNS master
  has only IPv4, allow only IPv4 with ``only-notify``:

  .. code-block:: ini

    only-notify=0.0.0.0/0

.. _setting-out-of-zone-additional-processing:

``out-of-zone-additional-processing``
-------------------------------------

- Boolean
- Default: yes

.. deprecated:: 4.2.0
  This setting has been removed.

Do out of zone additional processing. This means that if a malicious
user adds a '.com' zone to your server, it is not used for other domains
and will not contaminate answers. Do not enable this setting if you run
a public DNS service with untrusted users.

The docs had previously indicated that the default was "no", but the
default has been "yes" since 2005.

.. _setting-outgoing-axfr-expand-alias:

``outgoing-axfr-expand-alias``
------------------------------

- Boolean
- Default: no

If this is enabled, ALIAS records are expanded (synthesised to their
A/AAAA) during outgoing AXFR. This means slaves will not automatically
follow changes in those A/AAAA records unless you AXFR regularly!

If this is disabled (the default), ALIAS records are sent verbatim
during outgoing AXFR. Note that if your slaves do not support ALIAS,
they will return NODATA for A/AAAA queries for such names.

.. _setting-overload-queue-length:

``overload-queue-length``
-------------------------

- Integer
- Default: 0 (disabled)

If this many packets are waiting for database attention, answer any new
questions strictly from the packet cache.

.. _setting-prevent-self-notification:

``prevent-self-notification``
-----------------------------

- Boolean
- Default: yes

PowerDNS Authoritative Server attempts to not send out notifications to
itself in master mode. In very complicated situations we could guess
wrong and not notify a server that should be notified. In that case, set
``prevent-self-notification`` to "no".

.. _setting-query-cache-ttl:

``query-cache-ttl``
-------------------

- Integer
- Default: 20

Seconds to store queries with an answer in the Query Cache. See :ref:`query-cache`.

.. _setting-query-local-address:

``query-local-address``
-----------------------

- IPv4 Address
- Default: 0.0.0.0

The IP address to use as a source address for sending queries. Useful if
you have multiple IPs and PowerDNS is not bound to the IP address your
operating system uses by default for outgoing packets.

.. _setting-query-local-address6:

``query-local-address6``
------------------------

- IPv6 Address
- Default: '::'

Source IP address for sending IPv6 queries.

.. _setting-query-logging:

``query-logging``
-----------------

- Boolean
- Default: no

Hints to a backend that it should log a textual representation of the
queries it performs. Can be set at runtime.

.. _setting-queue-limit:

``queue-limit``
---------------

- Integer
- Default: 1500

Maximum number of milliseconds to queue a query. See :doc:`performance`.

.. _setting-receiver-threads:

``receiver-threads``
--------------------

- Integer
- Default: 1

Number of receiver (listening) threads to start. See :doc:`performance`.

.. _setting-recursive-cache-ttl:

``recursive-cache-ttl``
-----------------------

- Integer
- Default: 10

.. deprecated:: 4.1.0
  Recursion has been removed, see :doc:`guides/recursion`

Seconds to store recursive packets in the :ref:`packet-cache`.

.. _setting-recursor:

``recursor``
------------

- IP Address

.. deprecated:: 4.1.0
  Recursion has been removed, see :doc:`guides/recursion`

If set, recursive queries will be handed to the recursor specified here.

.. _setting-resolver:

``resolver``
------------

- IP Addresses with optional port, separated by commas

.. versionadded:: 4.1.0

Use these resolver addresses for ALIAS and the internal stub resolver.
If this is not set, ``/etc/resolv.conf`` is parsed for upstream
resolvers.

.. _setting-retrieval-threads:

``retrieval-threads``
---------------------

- Integer
- Default: 2

Number of AXFR slave threads to start.

.. _setting-reuseport:

``reuseport``
-------------

- Boolean
- Default: No

On Linux 3.9 and newer and on some BSD kernels the ``SO_REUSEPORT`` option
allows each receiver thread to open a new socket on the same port, which
allows for much higher performance on multi-core boxes. Setting this option
will enable use of ``SO_REUSEPORT`` when available and seamlessly fall
back to a single socket when it is not available. A side-effect is that
you can start multiple servers on the same IP/port combination, which may
or may not be a good idea. You could use this to enable transparent
restarts, but it may also mask configuration issues and for this reason
it is disabled by default.

.. _setting-rng:

``rng``
-------

- String
- Default: auto

Specify which random number generator to use. Permissible choices are:

- auto - choose automatically
- sodium - Use libsodium ``randombytes_uniform``
- openssl - Use libcrypto ``RAND_bytes``
- getrandom - Use libc ``getrandom``; falls back to ``/dev/urandom`` if it is not usable
- arc4random - Use BSD ``arc4random_uniform``
- urandom - Use ``/dev/urandom``
- kiss - Use a simple settable deterministic RNG. **FOR TESTING PURPOSES ONLY!**

.. note::
  Not all choices are available on all systems.

.. _setting-security-poll-suffix:

``security-poll-suffix``
------------------------

- String
- Default: secpoll.powerdns.com.

Domain name from which to query security update notifications. Setting
this to an empty string disables secpoll.

.. _setting-send-signed-notify:

``send-signed-notify``
----------------------

- Boolean
- Default: yes

If yes, outgoing NOTIFYs will be signed if a TSIG key is configured for the zone.
If there are multiple TSIG keys configured for a domain, PowerDNS will use the
first one retrieved from the backend, which may not be the correct one for the
respective slave. Hence, in setups with multiple slaves with different TSIG keys
it may be required to send NOTIFYs unsigned.

.. _setting-server-id:

``server-id``
-------------

- String
- Default: The hostname of the server

This is the server ID that will be returned on an EDNS NSID query.

.. _setting-setgid:

``setgid``
----------

- String

If set, change group id to this gid for more security. See :doc:`security`.

.. _setting-setuid:

``setuid``
----------

- String

If set, change user id to this uid for more security. See :doc:`security`.

.. _setting-signing-threads:

``signing-threads``
-------------------

- Integer
- Default: 3

Tell PowerDNS how many threads to use for signing. Changing this number
might improve signing speed.

.. _setting-slave:

``slave``
---------

- Boolean
- Default: no

Turn on slave support. See :ref:`slave-operation`.

.. _setting-slave-cycle-interval:

``slave-cycle-interval``
------------------------

- Integer
- Default: 60

On a master, this is the number of seconds between checks of the SOA
serials in its database to determine whether to send out NOTIFYs to the
slaves. On slaves, this is the number of seconds between the slave
checking for updates to zones.

.. _setting-slave-renotify:

``slave-renotify``
------------------

- Boolean
- Default: no

This setting will make PowerDNS renotify the slaves after an AXFR is
*received* from a master. This is useful when running a signing slave.

See :ref:`metadata-slave-renotify` to set this per-zone.

.. _setting-soa-expire-default:

``soa-expire-default``
----------------------

- Integer
- Default: 604800

.. deprecated:: 4.2.0
  This setting has been deprecated and will be removed in 4.3.0

Default :ref:`types-soa` expire.

.. _setting-soa-minimum-ttl:

``soa-minimum-ttl``
-------------------

- Integer
- Default: 3600

.. deprecated:: 4.2.0
  This setting has been deprecated and will be removed in 4.3.0

Default :ref:`types-soa` minimum ttl.

.. _setting-soa-refresh-default:

``soa-refresh-default``
-----------------------

- Integer
- Default: 10800

.. deprecated:: 4.2.0
  This setting has been deprecated and will be removed in 4.3.0

Default :ref:`types-soa` refresh.

.. _setting-soa-retry-default:

``soa-retry-default``
---------------------

- Integer
- Default: 3600

.. deprecated:: 4.2.0
  This setting has been deprecated and will be removed in 4.3.0

Default :ref:`types-soa` retry.

.. _setting-socket-dir:

``socket-dir``
--------------

- Path

Where the control socket will live. The default depends on
``LOCALSTATEDIR`` at compile time (usually ``/var/run`` or
``/run``). See :ref:`control-socket`.

This path will also contain the pidfile for this instance of PowerDNS,
called ``pdns.pid`` by default. See :ref:`setting-config-name`
and :doc:`Virtual Hosting <guides/virtual-instances>` for how this can differ.

.. _setting-superslave:

``superslave``
--------------

- Boolean
- Default: no

.. versionadded:: 4.1.9
  In versions before 4.1.9, this setting did not exist and supermaster support
  was enabled by default.

.. versionchanged:: 4.2.0
  Before 4.2.0, the default was yes.

Turn on supermaster support. See :ref:`supermaster-operation`.

.. _setting-tcp-control-address:

``tcp-control-address``
-----------------------

- IP Address

Address to bind to for TCP control.

.. _setting-tcp-control-port:

``tcp-control-port``
--------------------

- Integer
- Default: 53000

Port to bind to for TCP control.

.. _setting-tcp-control-range:

``tcp-control-range``
---------------------

- IP Ranges, separated by commas or whitespace

Limit TCP control to a specific client range.

.. _setting-tcp-control-secret:

``tcp-control-secret``
----------------------

- String

Password for TCP control.

.. _setting-tcp-fast-open:

``tcp-fast-open``
-----------------

- Integer
- Default: 0 (Disabled)

.. versionadded:: 4.1.0

Enable TCP Fast Open support, if available, on the listening sockets.
The numerical value supplied is used as the queue size, 0 meaning
disabled.

.. _setting-tcp-idle-timeout:

``tcp-idle-timeout``
--------------------

- Integer
- Default: 5

Maximum time in seconds that a TCP DNS connection is allowed to stay
open while being idle, meaning without PowerDNS receiving or sending
even a single byte.

.. _setting-traceback-handler:

``traceback-handler``
---------------------

- Boolean
- Default: yes

Enable the Linux-only traceback handler.

.. _setting-trusted-notification-proxy:

``trusted-notification-proxy``
------------------------------

- String

IP address of the incoming notification proxy.

.. _setting-udp-truncation-threshold:

``udp-truncation-threshold``
----------------------------

.. versionchanged:: 4.2.0
  Before 4.2.0, the default was 1680

- Integer
- Default: 1232

EDNS0 allows for large UDP response datagrams, which can potentially
raise performance. Large responses however also have downsides in terms
of reflection attacks. The maximum value is 65535, but values above
4096 should probably not be attempted.

.. note:: Why 1232?

  1232 is the largest number of payload bytes that can fit in the smallest IPv6 packet.
  IPv6 has a minimum MTU of 1280 bytes (:rfc:`RFC 8200, section 5 <8200#section-5>`); minus 40 bytes for the IPv6 header, minus 8 bytes for the UDP header, that gives 1232, the maximum payload size for the DNS response.

.. _setting-version-string:

``version-string``
------------------

- Any of: ``anonymous``, ``powerdns``, ``full``, String
- Default: full

When queried for its version over DNS
(``dig chaos txt version.bind @pdns.ip.address``), PowerDNS normally
responds truthfully. With this setting you can overrule what will be
returned. Set the ``version-string`` to ``full`` to get the default
behaviour, to ``powerdns`` to just make it state
``Served by PowerDNS - https://www.powerdns.com/``. The ``anonymous``
setting will return a ServFail, much like Microsoft nameservers do. You
can set this response to a custom value as well.

.. _setting-webserver:

``webserver``
-------------

- Boolean
- Default: no

Start a webserver for monitoring. See :doc:`performance`.

.. versionchanged:: 4.1.0
  It was necessary to enable the webserver to use the REST API; this is no longer the case.

.. _setting-webserver-address:

``webserver-address``
---------------------

- IP Address
- Default: 127.0.0.1

IP Address for webserver/API to listen on.

.. _setting-webserver-allow-from:

``webserver-allow-from``
------------------------

- IP ranges, separated by commas or whitespace
- Default: 127.0.0.1,::1

.. versionchanged:: 4.1.0
  Default is now 127.0.0.1,::1, was 0.0.0.0/0,::/0 before.

Webserver/API access is only allowed from these subnets.

.. _setting-webserver-loglevel:

``webserver-loglevel``
----------------------

.. versionadded:: 4.2.0

- String, one of "none", "normal", "detailed"

The amount of logging the webserver must do. "none" means no useful webserver information will be logged.
When set to "normal", the webserver will log a line per request that should be familiar::

    [webserver] e235780e-a5cf-415e-9326-9d33383e739e 127.0.0.1:55376 "GET /api/v1/servers/localhost/bla HTTP/1.1" 404 196

When set to "detailed", all information about the request and response is logged::

    [webserver] e235780e-a5cf-415e-9326-9d33383e739e Request Details:
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e  Headers:
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e   accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e   accept-encoding: gzip, deflate
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e   accept-language: en-US,en;q=0.5
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e   connection: keep-alive
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e   dnt: 1
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e   host: 127.0.0.1:8081
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e   upgrade-insecure-requests: 1
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e   user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e  No body
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e Response details:
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e  Headers:
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e   Connection: close
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e   Content-Length: 49
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e   Content-Type: text/html; charset=utf-8
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e   Server: PowerDNS/0.0.15896.0.gaba8bab3ab
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e  Full body:
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e   <!html><title>Not Found</title><h1>Not Found</h1>
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e 127.0.0.1:55376 "GET /api/v1/servers/localhost/bla HTTP/1.1" 404 196

The UUID following the ``[webserver]`` tag is generated for each request. This can be used to find all lines related to a single request.

.. note::
  The webserver logs these lines on the NOTICE level. The :ref:`setting-loglevel` setting must be 5 or higher for these lines to end up in the log.

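The per-request UUID is what makes the "detailed" output usable once several API requests interleave in the log. The following Python script is an added example and not part of the PowerDNS project: it groups webserver log lines by their UUID, extracts client, request line and status code from the one-line summary that closes each request, and lists the requests that ended in an authentication or not-found error, which is the first thing to review when the API is reachable from more than localhost. The sample log is constructed from a subset of the lines shown above plus a second, invented request; the function names are the example's own.

```python
"""Group PowerDNS webserver log lines by their per-request UUID.

Added example, not part of the PowerDNS project. It assumes the line
layout shown on this page: a ``[webserver]`` tag, the request UUID, then
either a detail line or the one-line summary
``client:port "METHOD path HTTP/x" status size``.
"""
import re
from collections import OrderedDict

# Every webserver log line starts with the tag and a UUID.
LINE_RE = re.compile(
    r"^\[webserver\] "
    r"(?P<uuid>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}) "
    r"(?P<rest>.*)$"
)

# The per-request summary line ("normal" level; last line at "detailed").
SUMMARY_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[0-9.]+" '
    r"(?P<status>\d{3}) (?P<size>\d+)$"
)


def correlate(lines):
    """Return an ordered dict uuid -> {"lines": [...], "summary": dict|None}.

    Lines without the webserver tag (other pdns log output) are skipped.
    """
    requests = OrderedDict()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entry = requests.setdefault(m.group("uuid"), {"lines": [], "summary": None})
        rest = m.group("rest")
        entry["lines"].append(rest)
        s = SUMMARY_RE.match(rest)
        if s:
            entry["summary"] = {
                "client": s.group("client"),
                "method": s.group("method"),
                "path": s.group("path"),
                "status": int(s.group("status")),
                "size": int(s.group("size")),
            }
    return requests


def failed_requests(lines, statuses=(401, 403, 404)):
    """List (uuid, client, method, path, status) for requests whose summary
    status is in `statuses`: repeated 401/404s from one client point at
    credential guessing or endpoint probing against the API."""
    hits = []
    for uuid, entry in correlate(lines).items():
        s = entry["summary"]
        if s and s["status"] in statuses:
            hits.append((uuid, s["client"], s["method"], s["path"], s["status"]))
    return hits


# Constructed sample: some of the "detailed" lines shown above for one
# request, interleaved with a second, invented request that succeeded,
# and one unrelated log line.
SAMPLE_LOG = """\
[webserver] e235780e-a5cf-415e-9326-9d33383e739e Request Details:
[webserver] e235780e-a5cf-415e-9326-9d33383e739e  Headers:
[webserver] e235780e-a5cf-415e-9326-9d33383e739e   host: 127.0.0.1:8081
[webserver] 0f1e2d3c-4b5a-4978-8675-4433221100ff Request Details:
[webserver] e235780e-a5cf-415e-9326-9d33383e739e  No body
[webserver] e235780e-a5cf-415e-9326-9d33383e739e Response details:
[webserver] e235780e-a5cf-415e-9326-9d33383e739e  Headers:
[webserver] e235780e-a5cf-415e-9326-9d33383e739e   Content-Length: 49
[webserver] e235780e-a5cf-415e-9326-9d33383e739e 127.0.0.1:55376 "GET /api/v1/servers/localhost/bla HTTP/1.1" 404 196
[webserver] 0f1e2d3c-4b5a-4978-8675-4433221100ff 127.0.0.1:55380 "GET /api/v1/servers/localhost HTTP/1.1" 200 512
Some unrelated daemon log line
"""

if __name__ == "__main__":
    for uuid, entry in correlate(SAMPLE_LOG.splitlines()).items():
        print(uuid, len(entry["lines"]), "lines", entry["summary"])
    print(failed_requests(SAMPLE_LOG.splitlines()))
```

Feed it the daemon's log (``journalctl`` output or the syslog file) line by line; lines from other parts of pdns are skipped, and the UUID map can be joined with the summary fields to answer "which client sent the request that produced this body" without grepping per UUID.
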
.. _setting-webserver-max-bodysize:

``webserver-max-bodysize``
--------------------------

.. versionadded:: 4.2.0

- Integer
- Default: 2

Maximum request/response body size in megabytes.

.. _setting-webserver-password:

``webserver-password``
----------------------

- String

The plaintext password required for accessing the webserver.

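Several settings in this chapter decide whether the webserver, the REST API and the TCP control channel are exposed, how much the server discloses, and whether the daemon drops privileges. The following Python linter is an added example, not something the PowerDNS project ships: it reads a ``pdns.conf`` and reports weak combinations among the settings documented here (``webserver`` without ``webserver-password``, a ``webserver-allow-from`` that admits the world, ``tcp-control-address`` without ``tcp-control-secret`` or ``tcp-control-range``, the default ``version-string``, missing ``setuid``/``setgid``, ``webserver-loglevel=detailed`` and an unlimited ``xfr-max-received-mbytes``). It assumes the ``key=value`` syntax of ``pdns.conf`` with ``#`` comment lines, that ``+=`` appends to an earlier value, that a bare boolean name means ``yes``, and that any value other than ``no``, ``off`` or empty counts as enabled; the two sample configurations are constructed, and ``PLACEHOLDER-CHANGE-ME`` is not a real secret.

```python
"""Lint a pdns.conf for weak settings among those documented on this page.

Added example, not part of PowerDNS. Assumptions: one ``key=value`` per
line, lines starting with ``#`` are comments, ``key+=value`` appends to
an earlier value, a bare key means ``yes``, and any value other than
"no", "off" or empty counts as enabled (assumed boolean semantics).
"""
import ipaddress


def parse_pdns_conf(text):
    """Return {setting: value} for the body of a pdns.conf."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "+=" in line:                      # incremental setting
            key, value = (s.strip() for s in line.split("+=", 1))
            conf[key] = conf[key] + "," + value if conf.get(key) else value
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[key] = value
        else:                                 # bare boolean name means yes
            conf[line] = "yes"
    return conf


def is_yes(value):
    """Assumed PowerDNS boolean rule: only "no", "off" and empty are false."""
    return value.strip().lower() not in ("", "no", "off")


def admits_world(ranges):
    """True if a comma/space separated allow list positively lists a /0."""
    for item in ranges.replace(",", " ").split():
        if item.startswith("!"):              # excluded range, never opens anything
            continue
        if ipaddress.ip_network(item, strict=False).prefixlen == 0:
            return True
    return False


def lint(conf):
    """Return findings as (setting, severity, message), in a fixed order."""
    findings = []
    if is_yes(conf.get("webserver", "no")):
        if not conf.get("webserver-password"):
            findings.append(("webserver-password", "high",
                             "webserver enabled without a password"))
        allow = conf.get("webserver-allow-from", "127.0.0.1,::1")  # documented default
        if admits_world(allow):
            findings.append(("webserver-allow-from", "high",
                             "webserver/API reachable from any address: " + allow))
        if conf.get("webserver-loglevel", "").lower() == "detailed":
            findings.append(("webserver-loglevel", "info",
                             "'detailed' writes full request/response headers and bodies to the log"))
    if conf.get("tcp-control-address"):
        if not conf.get("tcp-control-secret"):
            findings.append(("tcp-control-secret", "high",
                             "TCP control enabled without a secret"))
        if not conf.get("tcp-control-range"):
            findings.append(("tcp-control-range", "medium",
                             "TCP control not limited to a client range"))
    if conf.get("version-string", "full").lower() == "full":
        findings.append(("version-string", "low",
                         "exact version disclosed on version.bind queries"))
    for setting in ("setuid", "setgid"):
        if not conf.get(setting):
            findings.append((setting, "medium",
                             setting + " not set, so the daemon keeps its startup privileges"))
    if conf.get("xfr-max-received-mbytes", "100").strip() == "0":
        findings.append(("xfr-max-received-mbytes", "low",
                         "no size limit on incoming AXFR/IXFR"))
    return findings


# Constructed sample configurations (not from the PowerDNS documentation).
WEAK_CONF = """\
# API reachable from everywhere, no password, no privilege drop
webserver
webserver-address=0.0.0.0
webserver-allow-from=0.0.0.0/0, ::/0
webserver-loglevel=detailed
tcp-control-address=192.0.2.10
xfr-max-received-mbytes=0
"""

HARDENED_CONF = """\
webserver=yes
webserver-address=127.0.0.1
webserver-allow-from=127.0.0.1
webserver-allow-from+=::1
webserver-password=PLACEHOLDER-CHANGE-ME
webserver-loglevel=normal
version-string=anonymous
setuid=pdns
setgid=pdns
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name + ":")
        for setting, severity, message in lint(parse_pdns_conf(text)):
            print("  [%s] %s: %s" % (severity, setting, message))
```

Run it against the real file (``python3 lint_pdns.py < /etc/powerdns/pdns.conf`` after swapping the sample text for ``sys.stdin.read()``) as part of a deployment check; the findings list is deliberately ordered so that a diff between two runs is stable.
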
.. _setting-webserver-port:

``webserver-port``
------------------

- Integer
- Default: 8081

The port the webserver/API will listen on.

.. _setting-webserver-print-arguments:

``webserver-print-arguments``
-----------------------------

- Boolean
- Default: no

Whether the webserver should print arguments.

.. _setting-write-pid:

``write-pid``
-------------

- Boolean
- Default: yes

Whether a PID file should be written.

.. _setting-xfr-max-received-mbytes:

``xfr-max-received-mbytes``
---------------------------

- Integer
- Default: 100

Specifies the maximum number of received megabytes allowed on an
incoming AXFR/IXFR update, to prevent resource exhaustion. A value of 0
means no restriction.