[thirdparty/pdns.git] / pdns / recursordist / settings / docs-new-preamble-in.rst

PowerDNS Recursor New Style (YAML) Settings
===========================================

Each setting can appear on the command line, prefixed by ``--`` and using the old style name, or in configuration files.
Settings on the command line are processed after the file-based settings are processed.

.. note::
   Starting with version 5.0.0., :program:`Recursor` supports a new YAML syntax for configuration files
   as described here.
   A configuration using the old style syntax can be converted to a YAML configuration using the instructions in :doc:`appendices/yamlconversion`.
   In a future release support for the "old-style" settings will be dropped.


YAML settings file
------------------
Please refer to e.g. `<https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html>`_
for a description of YAML syntax.

A :program:`Recursor` configuration file has several sections. For example, ``incoming`` for
settings related to receiving queries and ``dnssec`` for settings related to DNSSEC processing.

An example :program:`Recursor` YAML configuration file looks like:

.. code-block:: yaml

  dnssec:
    log_bogus: true
  incoming:
    listen:
      - 0.0.0.0:5301
      - '[::]:5301'
  recursor:
    extended_resolution_errors: true
    forward_zones:
      - zone: example.com
        forwarders:
          - 127.0.0.1:5301
  outgoing:
    query_local_address:
      - 0.0.0.0
      - '::'
  logging:
    loglevel: 6

Take care when listing IPv6 addresses, as characters used for these are special to YAML.
If in doubt, quote any string containing ``:``, ``[`` or ``]`` and use (online) tools to check your YAML syntax.
Specify an empty sequence using ``[]``.

The main setting file is called ``recursor.yml`` and will be processed first.
This settings file might refer to other files via the `recursor.include_dir`_ setting.
The next section will describe how settings specified in multiple files are merged.

Merging multiple setting files
------------------------------
If `recursor.include_dir`_ is set, all ``.yml`` files in it will be processed in alphabetical order, modifying the  settings processed so far.

For simple values like an boolean or number setting, a value in the processed file will overwrite an existing setting.

For values of type sequence, the new value will *replace* the existing value if the existing value is equal to the ``default`` or if the new value is marked with the ``!override`` tag.
Otherwise, the existing value will be *extended* with the new value by appending the new sequence to the existing.

For example, with the above example ``recursor.yml`` and an include directory containing a file ``extra.yml``:

.. code-block:: yaml

  dnssec:
    log_bogus: false
  recursor:
    forward_zones:
      - zone: example.net
        forwarders:
          - '::1'
  outgoing:
     query_local_address: !override
       - 0.0.0.0
     dont_query: []

After merging, ``dnssec.log_bogus`` will be ``false``, the sequence of ``recursor.forward_zones`` will contain 2 zones and the ``outgoing`` addresses used will contain one entry, as the ``extra.yml`` entry has overwritten the existing one.

``outgoing.dont-query`` has a non-empty sequence as default value. The main ``recursor.yml`` did not set it, so before processing ``extra.yml`` had the default value.
After processing ``extra.yml`` the value will be set to the empty sequence, as existing default values are overwritten by new values.

.. warning::
   The merging process does not process values deeper than the second level.
   For example if the main ``recursor.yml`` specified a forward zone

   .. code-block:: yaml

     forward_zones:
       - zone: example.net
         forwarders:
           - '::1'

   and another settings file contains

   .. code-block:: yaml

     forward_zones:
       - zone: example.net
         forwarders:
           - '::2'

   The result will *not* be a a single forward with two IP addresses, but two entries for ``example.net``.
   It depends on the specific setting how the sequence is processed and interpreted further.

Socket Address
^^^^^^^^^^^^^^
A socket address is either an IP or and IP:port combination
For example:

.. code-block:: yaml

   some_key: 127.0.0.1
   another_key: '[::1]:8080'

Subnet
^^^^^^
A subnet is a single IP address or an IP address followed by a slash and a prefix length.
If no prefix length is specified, ``/32`` or ``/128`` is assumed, indicating a single IP address.
Subnets can also be prefixed with a ``!``, specifying negation.
This can be used to deny addresses from a previously allowed range.

For example, ``alow-from`` takes a sequence of subnets:

.. code-block:: yaml

   allow_from:
     - '2001:DB8::/32'
     - 128.66.0.0/16
     - !128.66.1.2

In this case the address ``128.66.1.2`` is excluded from the addresses allowed access.

Forward Zone
^^^^^^^^^^^^
A forward zone is defined as:

.. code-block:: yaml

  zone: zonename
  forwarders:
    - Socket Address
    - ...
  recurse: Boolean, default false
  allow_notify:  Boolean, default false

An example of a ``forward_zones`` entry, which consists of a sequence of forward zone entries:

.. code-block:: yaml

  - zone: example1.com
    forwarders:
      - 127.0.0.1
      - 127.0.0.1:5353
      - '[::1]53'
  - zone: example2.com
    forwarders:
      - '::1'
    recurse: true
    notify_allowed: true


Auth Zone
^^^^^^^^^
A auth zone is defined as:

.. code-block:: yaml

  zone: name
  file: filename

An example of a ``auth_zones`` entry, consisting of a sequence of auth zones:

.. code-block:: yaml

   auth_zones:
     - zone: example.com
       file: zones/example.com.zone
     - zone: example.net
       file: zones/example.net.zone

The YAML settings
-----------------
Commit	Line	Data
9883d3f9 OM	1	PowerDNS Recursor New Style (YAML) Settings
	2	===========================================
	3
	4	Each setting can appear on the command line, prefixed by ``--`` and using the old style name, or in configuration files.
	5	Settings on the command line are processed after the file-based settings are processed.
	6
	7	.. note::
	8	Starting with version 5.0.0., :program:`Recursor` supports a new YAML syntax for configuration files
	9	as described here.
	10	A configuration using the old style syntax can be converted to a YAML configuration using the instructions in :doc:`appendices/yamlconversion`.
	11	In a future release support for the "old-style" settings will be dropped.
	12
	13
	14	YAML settings file
	15	------------------
	16	Please refer to e.g. `<https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html>`_
	17	for a description of YAML syntax.
	18
	19	A :program:`Recursor` configuration file has several sections. For example, ``incoming`` for
	20	settings related to receiving queries and ``dnssec`` for settings related to DNSSEC processing.
	21
	22	An example :program:`Recursor` YAML configuration file looks like:
	23
	24	.. code-block:: yaml
	25
	26	dnssec:
	27	log_bogus: true
	28	incoming:
	29	listen:
	30	- 0.0.0.0:5301
	31	- '[::]:5301'
	32	recursor:
	33	extended_resolution_errors: true
	34	forward_zones:
	35	- zone: example.com
	36	forwarders:
	37	- 127.0.0.1:5301
	38	outgoing:
	39	query_local_address:
	40	- 0.0.0.0
	41	- '::'
	42	logging:
	43	loglevel: 6
	44
	45	Take care when listing IPv6 addresses, as characters used for these are special to YAML.
	46	If in doubt, quote any string containing ``:``, ``[`` or ``]`` and use (online) tools to check your YAML syntax.
	47	Specify an empty sequence using ``[]``.
	48
	49	The main setting file is called ``recursor.yml`` and will be processed first.
	50	This settings file might refer to other files via the `recursor.include_dir`_ setting.
	51	The next section will describe how settings specified in multiple files are merged.
	52
	53	Merging multiple setting files
	54	------------------------------
	55	If `recursor.include_dir`_ is set, all ``.yml`` files in it will be processed in alphabetical order, modifying the settings processed so far.
	56
	57	For simple values like an boolean or number setting, a value in the processed file will overwrite an existing setting.
	58
	59	For values of type sequence, the new value will replace the existing value if the existing value is equal to the ``default`` or if the new value is marked with the ``!override`` tag.
	60	Otherwise, the existing value will be extended with the new value by appending the new sequence to the existing.
	61
	62	For example, with the above example ``recursor.yml`` and an include directory containing a file ``extra.yml``:
	63
	64	.. code-block:: yaml
65
66	dnssec:
67	log_bogus: false
68	recursor:
69	forward_zones:
70	- zone: example.net
71	forwarders:
72	- '::1'
73	outgoing:
74	query_local_address: !override
75	- 0.0.0.0
76	dont_query: []
77
78	After merging, ``dnssec.log_bogus`` will be ``false``, the sequence of ``recursor.forward_zones`` will contain 2 zones and the ``outgoing`` addresses used will contain one entry, as the ``extra.yml`` entry has overwritten the existing one.
79
80	``outgoing.dont-query`` has a non-empty sequence as default value. The main ``recursor.yml`` did not set it, so before processing ``extra.yml`` had the default value.
81	After processing ``extra.yml`` the value will be set to the empty sequence, as existing default values are overwritten by new values.
82
83	.. warning::
84	The merging process does not process values deeper than the second level.
85	For example if the main ``recursor.yml`` specified a forward zone
86
87	.. code-block:: yaml
88
89	forward_zones:
90	- zone: example.net
91	forwarders:
92	- '::1'
93
94	and another settings file contains
95
96	.. code-block:: yaml
97
98	forward_zones:
99	- zone: example.net
100	forwarders:
101	- '::2'
102
103	The result will not be a a single forward with two IP addresses, but two entries for ``example.net``.
7de4ef91	104	It depends on the specific setting how the sequence is processed and interpreted further.
9883d3f9 OM	105
	106	Socket Address
	107	^^^^^^^^^^^^^^
	108	A socket address is either an IP or and IP:port combination
	109	For example:
	110
	111	.. code-block:: yaml
	112
	113	some_key: 127.0.0.1
	114	another_key: '[::1]:8080'
	115
	116	Subnet
	117	^^^^^^
	118	A subnet is a single IP address or an IP address followed by a slash and a prefix length.
	119	If no prefix length is specified, ``/32`` or ``/128`` is assumed, indicating a single IP address.
	120	Subnets can also be prefixed with a ``!``, specifying negation.
	121	This can be used to deny addresses from a previously allowed range.
	122
	123	For example, ``alow-from`` takes a sequence of subnets:
	124
	125	.. code-block:: yaml
	126
	127	allow_from:
	128	- '2001:DB8::/32'
	129	- 128.66.0.0/16
	130	- !128.66.1.2
	131
	132	In this case the address ``128.66.1.2`` is excluded from the addresses allowed access.
	133
	134	Forward Zone
	135	^^^^^^^^^^^^
	136	A forward zone is defined as:
	137
	138	.. code-block:: yaml
	139
	140	zone: zonename
	141	forwarders:
	142	- Socket Address
	143	- ...
	144	recurse: Boolean, default false
	145	allow_notify: Boolean, default false
	146
	147	An example of a ``forward_zones`` entry, which consists of a sequence of forward zone entries:
	148
	149	.. code-block:: yaml
	150
	151	- zone: example1.com
	152	forwarders:
	153	- 127.0.0.1
	154	- 127.0.0.1:5353
	155	- '[::1]53'
	156	- zone: example2.com
	157	forwarders:
	158	- '::1'
	159	recurse: true
	160	notify_allowed: true
	161
	162
	163	Auth Zone
	164	^^^^^^^^^
	165	A auth zone is defined as:
	166
	167	.. code-block:: yaml
	168
169	zone: name
170	file: filename
171
172	An example of a ``auth_zones`` entry, consisting of a sequence of auth zones:
173
174	.. code-block:: yaml
175
176	auth_zones:
177	- zone: example.com
178	file: zones/example.com.zone
179	- zone: example.net
180	file: zones/example.net.zone
181
182	The YAML settings
183	-----------------
184