]>
Commit | Line | Data |
---|---|---|
9883d3f9 OM |
1 | PowerDNS Recursor New Style (YAML) Settings |
2 | =========================================== | |
3 | ||
4 | Each setting can appear on the command line, prefixed by ``--`` and using the old style name, or in configuration files. | |
5 | Settings on the command line are processed after the file-based settings are processed. | |
6 | ||
7 | .. note:: | |
8 | Starting with version 5.0.0., :program:`Recursor` supports a new YAML syntax for configuration files | |
9 | as described here. | |
10 | A configuration using the old style syntax can be converted to a YAML configuration using the instructions in :doc:`appendices/yamlconversion`. | |
11 | In a future release support for the "old-style" settings will be dropped. | |
12 | ||
13 | ||
14 | YAML settings file | |
15 | ------------------ | |
16 | Please refer to e.g. `<https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html>`_ | |
17 | for a description of YAML syntax. | |
18 | ||
19 | A :program:`Recursor` configuration file has several sections. For example, ``incoming`` for | |
20 | settings related to receiving queries and ``dnssec`` for settings related to DNSSEC processing. | |
21 | ||
22 | An example :program:`Recursor` YAML configuration file looks like: | |
23 | ||
24 | .. code-block:: yaml | |
25 | ||
26 | dnssec: | |
27 | log_bogus: true | |
28 | incoming: | |
29 | listen: | |
30 | - 0.0.0.0:5301 | |
31 | - '[::]:5301' | |
32 | recursor: | |
33 | extended_resolution_errors: true | |
34 | forward_zones: | |
35 | - zone: example.com | |
36 | forwarders: | |
37 | - 127.0.0.1:5301 | |
38 | outgoing: | |
39 | query_local_address: | |
40 | - 0.0.0.0 | |
41 | - '::' | |
42 | logging: | |
43 | loglevel: 6 | |
44 | ||
45 | Take care when listing IPv6 addresses, as characters used for these are special to YAML. | |
46 | If in doubt, quote any string containing ``:``, ``[`` or ``]`` and use (online) tools to check your YAML syntax. | |
47 | Specify an empty sequence using ``[]``. | |
48 | ||
49 | The main setting file is called ``recursor.yml`` and will be processed first. | |
50 | This settings file might refer to other files via the `recursor.include_dir`_ setting. | |
51 | The next section will describe how settings specified in multiple files are merged. | |
52 | ||
53 | Merging multiple setting files | |
54 | ------------------------------ | |
55 | If `recursor.include_dir`_ is set, all ``.yml`` files in it will be processed in alphabetical order, modifying the settings processed so far. | |
56 | ||
57 | For simple values like an boolean or number setting, a value in the processed file will overwrite an existing setting. | |
58 | ||
59 | For values of type sequence, the new value will *replace* the existing value if the existing value is equal to the ``default`` or if the new value is marked with the ``!override`` tag. | |
60 | Otherwise, the existing value will be *extended* with the new value by appending the new sequence to the existing. | |
61 | ||
62 | For example, with the above example ``recursor.yml`` and an include directory containing a file ``extra.yml``: | |
63 | ||
64 | .. code-block:: yaml | |
65 | ||
66 | dnssec: | |
67 | log_bogus: false | |
68 | recursor: | |
69 | forward_zones: | |
70 | - zone: example.net | |
71 | forwarders: | |
72 | - '::1' | |
73 | outgoing: | |
74 | query_local_address: !override | |
75 | - 0.0.0.0 | |
76 | dont_query: [] | |
77 | ||
78 | After merging, ``dnssec.log_bogus`` will be ``false``, the sequence of ``recursor.forward_zones`` will contain 2 zones and the ``outgoing`` addresses used will contain one entry, as the ``extra.yml`` entry has overwritten the existing one. | |
79 | ||
80 | ``outgoing.dont-query`` has a non-empty sequence as default value. The main ``recursor.yml`` did not set it, so before processing ``extra.yml`` had the default value. | |
81 | After processing ``extra.yml`` the value will be set to the empty sequence, as existing default values are overwritten by new values. | |
82 | ||
83 | .. warning:: | |
84 | The merging process does not process values deeper than the second level. | |
85 | For example if the main ``recursor.yml`` specified a forward zone | |
86 | ||
87 | .. code-block:: yaml | |
88 | ||
89 | forward_zones: | |
90 | - zone: example.net | |
91 | forwarders: | |
92 | - '::1' | |
93 | ||
94 | and another settings file contains | |
95 | ||
96 | .. code-block:: yaml | |
97 | ||
98 | forward_zones: | |
99 | - zone: example.net | |
100 | forwarders: | |
101 | - '::2' | |
102 | ||
103 | The result will *not* be a a single forward with two IP addresses, but two entries for ``example.net``. | |
7de4ef91 | 104 | It depends on the specific setting how the sequence is processed and interpreted further. |
9883d3f9 OM |
105 | |
106 | Socket Address | |
107 | ^^^^^^^^^^^^^^ | |
108 | A socket address is either an IP or and IP:port combination | |
109 | For example: | |
110 | ||
111 | .. code-block:: yaml | |
112 | ||
113 | some_key: 127.0.0.1 | |
114 | another_key: '[::1]:8080' | |
115 | ||
116 | Subnet | |
117 | ^^^^^^ | |
118 | A subnet is a single IP address or an IP address followed by a slash and a prefix length. | |
119 | If no prefix length is specified, ``/32`` or ``/128`` is assumed, indicating a single IP address. | |
120 | Subnets can also be prefixed with a ``!``, specifying negation. | |
121 | This can be used to deny addresses from a previously allowed range. | |
122 | ||
123 | For example, ``alow-from`` takes a sequence of subnets: | |
124 | ||
125 | .. code-block:: yaml | |
126 | ||
127 | allow_from: | |
128 | - '2001:DB8::/32' | |
129 | - 128.66.0.0/16 | |
130 | - !128.66.1.2 | |
131 | ||
132 | In this case the address ``128.66.1.2`` is excluded from the addresses allowed access. | |
133 | ||
134 | Forward Zone | |
135 | ^^^^^^^^^^^^ | |
136 | A forward zone is defined as: | |
137 | ||
138 | .. code-block:: yaml | |
139 | ||
140 | zone: zonename | |
141 | forwarders: | |
142 | - Socket Address | |
143 | - ... | |
144 | recurse: Boolean, default false | |
145 | allow_notify: Boolean, default false | |
146 | ||
147 | An example of a ``forward_zones`` entry, which consists of a sequence of forward zone entries: | |
148 | ||
149 | .. code-block:: yaml | |
150 | ||
151 | - zone: example1.com | |
152 | forwarders: | |
153 | - 127.0.0.1 | |
154 | - 127.0.0.1:5353 | |
155 | - '[::1]53' | |
156 | - zone: example2.com | |
157 | forwarders: | |
158 | - '::1' | |
159 | recurse: true | |
160 | notify_allowed: true | |
161 | ||
162 | ||
163 | Auth Zone | |
164 | ^^^^^^^^^ | |
165 | A auth zone is defined as: | |
166 | ||
167 | .. code-block:: yaml | |
168 | ||
169 | zone: name | |
170 | file: filename | |
171 | ||
172 | An example of a ``auth_zones`` entry, consisting of a sequence of auth zones: | |
173 | ||
174 | .. code-block:: yaml | |
175 | ||
176 | auth_zones: | |
177 | - zone: example.com | |
178 | file: zones/example.com.zone | |
179 | - zone: example.net | |
180 | file: zones/example.net.zone | |
181 | ||
182 | The YAML settings | |
183 | ----------------- | |
184 |