Authoritative Server Settings
=============================

All PowerDNS Authoritative Server settings are listed here, excluding
those that originate from backends, which are documented in the relevant
chapters. These settings can be set inside ``pdns.conf`` or on the
commandline when invoking the ``pdns`` binary.

You can use ``+=`` syntax to set some variables incrementally, but this
requires you to have at least one non-incremental setting for the
variable to act as base setting. This is mostly useful for the
:ref:`setting-include-dir` directive.
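As an added illustration of the ``+=`` rule (example code written for this page, not part of PowerDNS), the following Python function parses pdns.conf-style lines and rejects an incremental setting that has no base. Two details are assumptions of the example rather than statements from this reference: incremental values are joined with ``, ``, and a bare setting name switches a boolean setting on. The sample configuration in the block is constructed.

```python
"""Added example, not PowerDNS code: a minimal parser for the pdns.conf
syntax described above, demonstrating the rule that a ``+=`` line needs
an earlier plain ``=`` line for the same setting."""

from __future__ import annotations


class ConfigError(ValueError):
    """Raised when ``name+=value`` appears before any ``name=value`` base."""


def parse_pdns_conf(text: str) -> dict[str, str]:
    """Parse pdns.conf-style text into a dict of setting name -> value.

    Rules implemented:
      * blank lines and lines starting with '#' are ignored
      * ``name=value`` sets (or replaces) a setting
      * ``name+=value`` appends to an existing value; this example joins the
        values with ', ' (an assumption of the example, not a statement from
        the settings reference)
      * a bare ``name`` is treated as a boolean setting switched on ('yes'),
        also an assumption of the example
      * ``name+=value`` without an earlier ``name=...`` raises ConfigError
    """
    settings: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        eq = line.find("=")
        if eq == -1:
            # bare name: boolean setting enabled without a value
            settings[line] = "yes"
            continue
        incremental = eq > 0 and line[eq - 1] == "+"
        stop = eq - 1 if incremental else eq
        name = line[:stop].strip()
        value = line[eq + 1:].strip()
        if not incremental:
            settings[name] = value
        elif name not in settings:
            raise ConfigError(
                f"line {lineno}: '{name}+=' used before a base '{name}=' setting"
            )
        else:
            base = settings[name]
            settings[name] = f"{base}, {value}" if base else value
    return settings


def rejects_orphan_increment(text: str) -> bool:
    """True if ``text`` is rejected because of a ``+=`` line with no base."""
    try:
        parse_pdns_conf(text)
    except ConfigError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample configuration for the include-dir use case.
    sample = "include-dir=/etc/powerdns/pdns.d\ninclude-dir+=/etc/powerdns/extra.d\nmaster\n"
    print(parse_pdns_conf(sample))
    print(rejects_orphan_increment("local-address+=::1\n"))
```

Running the block prints the merged ``include-dir`` value and ``True`` for the orphaned ``local-address+=`` line, which is the failure mode the paragraph above warns about.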
For boolean settings, specifying the name of the setting without a value

.. versionadded:: 4.0.0

Allow 8 bit DNS queries.

.. _setting-allow-axfr-ips:

``allow-axfr-ips``
------------------

- IP ranges, separated by commas
- Default: 127.0.0.0/8,::1

If set, only these IP addresses or netmasks will be able to perform

.. _setting-allow-dnsupdate-from:

``allow-dnsupdate-from``
------------------------

- IP ranges, separated by commas
- Default: 127.0.0.0/8,::1

Allow DNS updates from these IP ranges. Set to an empty string to honour
``ALLOW-DNSUPDATE-FROM`` in :ref:`metadata-allow-dnsupdate-from`.

.. _setting-allow-notify-from:

``allow-notify-from``
---------------------

- IP ranges, separated by commas
- Default: 0.0.0.0/0,::/0

Allow AXFR NOTIFY from these IP ranges. Setting this to an empty string
will drop all incoming notifies.

.. _setting-allow-recursion:

``allow-recursion``
-------------------

- IP ranges, separated by commas

Recursion has been removed, see :doc:`guides/recursion`.

By specifying ``allow-recursion``, recursion can be restricted to the
specified netmasks. The default is to allow recursion from everywhere.
Example: ``allow-recursion=198.51.100.0/24, 10.0.0.0/8, 192.0.2.4``.

.. _setting-allow-unsigned-notify:

``allow-unsigned-notify``
-------------------------

.. versionadded:: 4.0.0

Turning this off requires all notifications that are received to be
signed by a valid TSIG signature for the zone.

.. _setting-allow-unsigned-supermaster:

``allow-unsigned-supermaster``
------------------------------

.. versionadded:: 4.0.0

Turning this off requires all supermaster notifications to be signed by
a valid TSIG signature. It will accept any existing key on the slave.

.. _setting-also-notify:

``also-notify``
---------------

- IP addresses, separated by commas

When notifying a domain, also notify these nameservers. Example:
``also-notify=192.0.2.1, 203.0.113.167``. The IP addresses listed in
``also-notify`` always receive a notification, even if they do not match
the list in :ref:`setting-only-notify`.

.. _setting-any-to-tcp:

``any-to-tcp``
--------------

.. versionchanged:: 4.0.1

Answer ANY queries on UDP with a truncated packet that refers
the remote server to TCP. Useful for mitigating reflection attacks.
Enable/disable the :doc:`http-api/index`.

.. versionadded:: 4.0.0

Static pre-shared authentication key for access to the REST API.

.. _setting-api-readonly:

``api-readonly``
----------------

.. versionadded:: 4.0.0
.. versionchanged:: 4.2.0
   This setting has been removed in 4.2.0.

Disallow data modification through the REST API when set.

.. _setting-axfr-fetch-timeout:

``axfr-fetch-timeout``
----------------------

.. versionadded:: 4.3.0

Maximum time in seconds for an inbound AXFR to start or be idle after starting.

.. _setting-axfr-lower-serial:

``axfr-lower-serial``
---------------------

.. versionadded:: 4.0.4

Also AXFR a zone from a master with a lower serial.

.. _setting-cache-ttl:

``cache-ttl``
-------------

Seconds to store packets in the :ref:`packet-cache`. A value of 0 will disable the cache.

.. _setting-carbon-instance:

``carbon-instance``
-------------------

.. versionadded:: 4.2.0

Set the instance or third string of the metric key. Be careful not to include
any dots in this setting, unless you know what you are doing.
See :ref:`metricscarbon`.

.. _setting-carbon-interval:

``carbon-interval``
-------------------

If sending carbon updates, this is the interval between them in seconds.
See :ref:`metricscarbon`.

.. _setting-carbon-namespace:

``carbon-namespace``
--------------------

.. versionadded:: 4.2.0

Set the namespace or first string of the metric key. Be careful not to include
any dots in this setting, unless you know what you are doing.
See :ref:`metricscarbon`.

.. _setting-carbon-ourname:

``carbon-ourname``
------------------

- Default: the hostname of the server

If sending carbon updates, this setting, if set, overrides our hostname. Be
careful not to include any dots in this setting, unless you know what
you are doing. See :ref:`metricscarbon`.

.. _setting-carbon-server:

``carbon-server``
-----------------

Send all available metrics to this server via the carbon protocol, which
is used by graphite and metronome. It has to be an address (no
hostnames). You can specify more than one server using a comma-delimited
list, e.g. ``carbon-server=10.10.10.10,10.10.10.20``. You may specify an
alternate port by appending ``:port``, e.g. ``127.0.0.1:2004``.
See :ref:`metricscarbon`.

If set, chroot to this directory for more security. See :doc:`security`.

Make sure that ``/dev/log`` is available from within the chroot. Logging
will silently fail over time otherwise (on logrotate).

When setting ``chroot``, all other paths in the config (except for
:ref:`setting-config-dir` and :ref:`setting-module-dir`)
set in the configuration are relative to the new root.

When running on a system where systemd manages services, ``chroot`` does
not work out of the box, as PowerDNS cannot use the ``NOTIFY_SOCKET``.
Either don't ``chroot`` on these systems or set the 'Type' of this
service to 'simple' instead of 'notify' (refer to the systemd
documentation on how to modify unit-files).

.. _setting-config-dir:

``config-dir``
--------------

Location of configuration directory (``pdns.conf``). Usually
``/etc/powerdns``, but this depends on ``SYSCONFDIR`` during

.. _setting-config-name:

``config-name``
---------------

Name of this virtual configuration - will rename the binary image. See
:doc:`guides/virtual-instances`.

.. _setting-control-console:

``control-console``
-------------------

Debugging switch - don't use.
.. _setting-default-api-rectify:

``default-api-rectify``
-----------------------

.. versionadded:: 4.2.0

The value of :ref:`metadata-api-rectify` if it is not set on the zone.

Before 4.2.0, the default was always no.

.. _setting-default-ksk-algorithms:
.. _setting-default-ksk-algorithm:

``default-ksk-algorithm``
-------------------------

.. versionchanged:: 4.1.0
   Renamed from ``default-ksk-algorithms``. No longer supports multiple algorithm names.

The algorithm that should be used for the KSK when running
:doc:`pdnsutil secure-zone <manpages/pdnsutil.1>` or using the :doc:`Zone API endpoint <http-api/cryptokey>`
to enable DNSSEC. Must be one of:

* ecdsa256 (ECDSA P-256 with SHA256)
* ecdsa384 (ECDSA P-384 with SHA384)

The actually supported algorithms depend on the crypto libraries
PowerDNS was compiled against. To check the supported DNSSEC algorithms
in your build of PowerDNS, run ``pdnsutil list-algorithms``.

.. _setting-default-ksk-size:

``default-ksk-size``
--------------------

- Default: whichever is default for `default-ksk-algorithm`_

The default keysize for the KSK generated with :doc:`pdnsutil secure-zone <dnssec/pdnsutil>`.
Only relevant for algorithms with non-fixed keysizes (like RSA).

.. _setting-default-publish-cdnskey:

``default-publish-cdnskey``
---------------------------

.. versionadded:: 4.3.0

The default PUBLISH-CDNSKEY value for zones that do not have one individually specified.
See the :ref:`metadata-publish-cdnskey-publish-cds` docs for more information.

.. _setting-default-publish-cds:

``default-publish-cds``
-----------------------

- Comma-separated integers

.. versionadded:: 4.3.0

The default PUBLISH-CDS value for zones that do not have one individually specified.
See the :ref:`metadata-publish-cdnskey-publish-cds` docs for more information.

.. _setting-default-soa-edit:

``default-soa-edit``
--------------------

Use this soa-edit value for all zones if no
:ref:`metadata-soa-edit` metadata value is set.

.. _setting-default-soa-edit-signed:

``default-soa-edit-signed``
---------------------------

Use this soa-edit value for all signed zones if no
:ref:`metadata-soa-edit` metadata value is set.
Overrides :ref:`setting-default-soa-edit`.

.. _setting-default-soa-mail:

``default-soa-mail``
--------------------

.. deprecated:: 4.2.0
   This setting has been deprecated and will be removed in 4.3.0.

Mail address to insert in the SOA record if none is set in the backend.

.. _setting-default-soa-name:

``default-soa-name``
--------------------

- Default: a.misconfigured.powerdns.server

.. deprecated:: 4.2.0
   This setting has been deprecated and will be removed in 4.3.0.

Name to insert in the SOA record if none is set in the backend.

.. _setting-default-ttl:

``default-ttl``
---------------

TTL to use when none is provided.

.. _setting-default-zsk-algorithms:
.. _setting-default-zsk-algorithm:

``default-zsk-algorithm``
-------------------------

.. versionchanged:: 4.1.0
   Renamed from ``default-zsk-algorithms``. No longer supports multiple algorithm names.

The algorithm that should be used for the ZSK when running
:doc:`pdnsutil secure-zone <manpages/pdnsutil.1>` or using the :doc:`Zone API endpoint <http-api/cryptokey>`
to enable DNSSEC. Must be one of:

* ecdsa256 (ECDSA P-256 with SHA256)
* ecdsa384 (ECDSA P-384 with SHA384)

The actually supported algorithms depend on the crypto libraries
PowerDNS was compiled against. To check the supported DNSSEC algorithms
in your build of PowerDNS, run ``pdnsutil list-algorithms``.

.. _setting-default-zsk-size:

``default-zsk-size``
--------------------

- Default: 0 (automatic default for `default-zsk-algorithm`_)

The default keysize for the ZSK generated with :doc:`pdnsutil secure-zone <dnssec/pdnsutil>`.
Only relevant for algorithms with non-fixed keysizes (like RSA).

.. _setting-direct-dnskey:

``direct-dnskey``
-----------------

Read additional DNSKEY, CDS and CDNSKEY records from the records table/your BIND zonefile. If not
set, DNSKEY, CDS and CDNSKEY records in the zonefiles are ignored.

.. _setting-disable-axfr:

``disable-axfr``
----------------

Do not allow zone transfers.
.. _setting-disable-axfr-rectify:

``disable-axfr-rectify``
------------------------

Disable the rectify step during an outgoing AXFR. Only required for

.. _setting-disable-syslog:

``disable-syslog``
------------------

Do not log to syslog, only to stdout. Use this setting when running
inside a supervisor that handles logging (like systemd).

Do not use this setting in combination with :ref:`setting-daemon` as all
logging will disappear.

.. _setting-disable-tcp:

``disable-tcp``
---------------

.. versionchanged:: 4.2.0
   This setting has been removed.

Do not listen to TCP queries. Breaks RFC compliance.

.. _setting-distributor-threads:

``distributor-threads``
-----------------------

Number of Distributor (backend) threads to start per receiver thread.
See :doc:`performance`.

.. _setting-dname-processing:

``dname-processing``
--------------------

Synthesise CNAME records from DNAME records as required. This
approximately doubles query load. **Do not combine with DNSSEC!**

.. _setting-dnssec-key-cache-ttl:

``dnssec-key-cache-ttl``
------------------------

Seconds to cache DNSSEC keys from the database. A value of 0 disables

.. _setting-dnsupdate:

``dnsupdate``
-------------

Enable/Disable DNS update (RFC2136) support. See :doc:`dnsupdate` for more.

.. _setting-do-ipv6-additional-processing:

``do-ipv6-additional-processing``
---------------------------------

Perform AAAA additional processing. This sends AAAA records in the
ADDITIONAL section when sending a referral.

.. _setting-domain-metadata-cache-ttl:

``domain-metadata-cache-ttl``
-----------------------------

Seconds to cache domain metadata from the database. A value of 0

.. _setting-edns-subnet-processing:

``edns-subnet-processing``
--------------------------

Enables EDNS subnet processing, for backends that support it.

.. _setting-enable-lua-records:

``enable-lua-records``
----------------------

- One of ``no``, ``yes`` (or empty), or ``shared``, String

.. versionadded:: 4.2.0

Globally enable the :doc:`LUA records <lua-records/index>` feature.

To use shared LUA states, set this to ``shared``, see :ref:`lua-records-shared-state`.

.. _setting-entropy-source:

``entropy-source``
------------------

- Default: /dev/urandom

Entropy source file to use.

.. _setting-expand-alias:

``expand-alias``
----------------

.. versionadded:: 4.1.0

If this is enabled, ALIAS records are expanded (synthesised to their

If this is disabled (the default), ALIAS records will not be expanded and
the server will return NODATA for A/AAAA queries for such names.

:ref:`setting-resolver` must also be set for ALIAS expansion to work!

In PowerDNS Authoritative Server 4.0.x, this setting did not exist and
ALIAS was always expanded.

.. _setting-forward-dnsupdate:

``forward-dnsupdate``
---------------------

Forward DNS updates sent to a slave to the master.

.. _setting-forward-notify:

``forward-notify``
------------------

- IP addresses, separated by commas

IP addresses to forward received notifications to regardless of master

The intended use is in anycast environments where it might be
necessary for a proxy server to perform the AXFR. The usual checks are
performed before any received notification is forwarded.

.. _setting-guardian:

``guardian``
------------

Run within a guardian process. See :ref:`running-guardian`.

.. _setting-include-dir:

``include-dir``
---------------

Directory to scan for additional config files. All files that end with
``.conf`` are loaded in order using ``POSIX`` as locale.

- Backend names, separated by commas

Which backends to launch, and the order in which to query them.
In its most simple form, supply all backends that need to be launched::

    launch=bind,gmysql,remote

If you find that you need to query a backend multiple times with
different configuration, you can specify a name for later
instantiations, e.g.::

    launch=gmysql,gmysql:server2

In this case, there are two instances of the gmysql backend, one by the
normal name and the second one called 'server2'. The backend
configuration item names change: e.g. ``gmysql-host`` is available to
configure the ``host`` setting of the first or main instance, and
``gmysql-server2-host`` for the second one.

Running multiple instances of the BIND backend is not allowed.
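To show how the instance naming above plays out, here is an added Python example (written for this page, not PowerDNS code) that splits a ``launch=`` value into instances, derives the per-instance configuration keys, and groups already-parsed settings by instance; it also flags the disallowed case of more than one BIND backend instance. The host names in its sample input are constructed.

```python
"""Added example, not PowerDNS code: how ``launch=`` entries map to
per-instance configuration keys, following the naming rule described
above. Instance names and option values below are constructed."""

from __future__ import annotations


def launch_instances(launch: str) -> list[tuple[str, str]]:
    """Split a ``launch=`` value into (backend, instance name) pairs.

    ``gmysql`` is the main instance (empty instance name);
    ``gmysql:server2`` is a second gmysql instance called 'server2'.
    """
    instances: list[tuple[str, str]] = []
    for entry in launch.split(","):
        entry = entry.strip()
        if not entry:
            continue
        backend, _, name = entry.partition(":")
        instances.append((backend, name))
    return instances


def setting_key(backend: str, instance: str, option: str) -> str:
    """Config key for ``option`` on an instance: ``gmysql-host`` for the
    main instance, ``gmysql-server2-host`` for the instance named server2."""
    return f"{backend}-{instance}-{option}" if instance else f"{backend}-{option}"


def validate_launch(launch: str) -> list[str]:
    """Return human-readable problems with a ``launch=`` value (empty if fine):
    duplicate instance names, and more than one instance of the bind backend,
    which the settings reference says is not allowed."""
    problems: list[str] = []
    seen: set[tuple[str, str]] = set()
    bind_count = 0
    for backend, name in launch_instances(launch):
        if (backend, name) in seen:
            problems.append(f"duplicate launch entry {backend}:{name or '(main)'}")
        seen.add((backend, name))
        if backend == "bind":
            bind_count += 1
    if bind_count > 1:
        problems.append("multiple instances of the bind backend are not allowed")
    return problems


def instance_settings(settings: dict[str, str], launch: str) -> dict[str, dict[str, str]]:
    """Group backend settings by instance.

    Named instances are matched first so that ``gmysql-server2-host`` is
    attributed to instance server2 and not read as an option 'server2-host'
    of the main gmysql instance.
    """
    # longest prefixes first: 'gmysql-server2-' is tried before 'gmysql-'
    prefixes = sorted(
        ((f"{b}-{n}-" if n else f"{b}-", f"{b}:{n}" if n else b)
         for b, n in launch_instances(launch)),
        key=lambda p: -len(p[0]),
    )
    grouped: dict[str, dict[str, str]] = {label: {} for _, label in prefixes}
    for key, value in settings.items():
        for prefix, label in prefixes:
            if key.startswith(prefix):
                grouped[label][key[len(prefix):]] = value
                break
    return grouped


if __name__ == "__main__":
    # Constructed sample: two gmysql instances pointing at different servers.
    sample = {
        "launch": "gmysql,gmysql:server2",
        "gmysql-host": "db1.example",
        "gmysql-server2-host": "db2.example",
    }
    print(validate_launch(sample["launch"]))
    print(instance_settings(sample, sample["launch"]))
```

The prefix ordering in ``instance_settings`` is the detail worth noting: a naive ``gmysql-`` prefix match would swallow ``gmysql-server2-host`` as an option of the main instance.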
.. _setting-load-modules:

``load-modules``
----------------

- Paths, separated by commas

If backends are available in nonstandard directories, specify their
location here. Multiple files can be loaded if separated by commas. Only
available in non-static distributions.

.. _setting-local-address:

``local-address``
-----------------

.. versionchanged:: 4.3.0
   Now also takes your IPv6 addresses. Before 4.3.0, this setting only supported IPv4.

- IPv4 and IPv6 addresses, separated by commas or whitespace
- Default: 0.0.0.0, ``::``

Local IP addresses to which we bind. It is highly advised to bind to
specific interfaces and not use the default 'bind to any'. This causes
big problems if you have multiple IP addresses. Unix does not provide a
way of figuring out what IP address a packet was sent to when binding to

.. _setting-local-address-nonexist-fail:

``local-address-nonexist-fail``
-------------------------------

Fail to start if one or more of the
:ref:`setting-local-address`'s do not exist on this server.

.. _setting-local-ipv6:

``local-ipv6``
--------------

.. deprecated:: 4.3.0
   This setting has been removed, use :ref:`setting-local-address`.

- IPv6 Addresses, separated by commas or whitespace

Local IPv6 address to which we bind. It is highly advised to bind to
specific interfaces and not use the default 'bind to any'. This causes
big problems if you have multiple IP addresses.

.. _setting-local-ipv6-nonexist-fail:

``local-ipv6-nonexist-fail``
----------------------------

.. deprecated:: 4.3.0
   This setting has been removed, use :ref:`setting-local-address-nonexist-fail`.

Fail to start if one or more of the :ref:`setting-local-ipv6`
addresses do not exist on this server.

.. _setting-local-port:

``local-port``
--------------

The port on which we listen. Only one port possible.

.. _setting-log-dns-details:

``log-dns-details``
-------------------

If set to 'no', informative-only DNS details will not even be sent to
syslog, improving performance.

.. _setting-log-dns-queries:

``log-dns-queries``
-------------------

Tell PowerDNS to log all incoming DNS queries. This will lead to a lot
of logging! Only enable for debugging! Set :ref:`setting-loglevel`
to at least 5 to see the logs.

.. _setting-log-timestamp:

``log-timestamp``
-----------------

.. versionadded:: 4.1.0

When printing log lines to stdout, prefix them with timestamps.
Disable this if the process supervisor timestamps these lines already.

The systemd unit file supplied with the source code already disables timestamp printing.

.. _setting-logging-facility:

``logging-facility``
--------------------

If set to a digit, logging is performed under this LOCAL facility. See :ref:`logging-to-syslog`.
Do not pass names like 'local0'!

.. _setting-loglevel:

``loglevel``
------------

Amount of logging. Higher is more. Do not set below 3. Corresponds to "syslog" level values,
e.g. error = 3, warning = 4, notice = 5, info = 6.

.. _setting-lua-axfr-script:

``lua-axfr-script``
-------------------

.. versionadded:: 4.1.0

Script to be used to edit incoming AXFRs, see :ref:`modes-of-operation-axfrfilter`.

.. _setting-lua-health-checks-expire-delay:

``lua-health-checks-expire-delay``
----------------------------------

.. versionadded:: 4.3.0

Amount of time (in seconds) after which a LUA monitoring check is expired (removed) when the record
isn't used any more (either deleted or modified).

.. _setting-lua-health-checks-interval:

``lua-health-checks-interval``
------------------------------

.. versionadded:: 4.3.0

Amount of time (in seconds) between subsequent monitoring health checks. Does nothing
if the checks take more than that time to execute.

.. _setting-lua-prequery-script:

``lua-prequery-script``
-----------------------

Lua script to run before answering a query. This is a feature used
internally for regression testing. The API of this functionality is not
guaranteed to be stable, and is in fact likely to change.

.. _setting-lua-records-exec-limit:

``lua-records-exec-limit``
--------------------------

Limit LUA records scripts to ``lua-records-exec-limit`` instructions.
Setting this to any value less than or equal to 0 will set no limit.

Turn on master support. See :ref:`master-operation`.
.. _setting-max-cache-entries:

``max-cache-entries``
---------------------

.. versionchanged:: 4.1.0
   The packet and query caches are distinct. Previously, this setting was used for
   both the packet and query caches. See :ref:`setting-max-packet-cache-entries` for
   the packet-cache setting.

Maximum number of entries in the query cache. 1 million (the default)
will generally suffice for most installations.

.. _setting-max-ent-entries:

``max-ent-entries``
-------------------

Maximum number of empty non-terminals to add to a zone. This is a
protection measure to avoid database explosion due to long names.

.. _setting-max-generate-steps:

``max-generate-steps``
----------------------

.. versionadded:: 4.3.0

Maximum number of steps for a '$GENERATE' directive when parsing a
zone file. This is a protection measure to prevent consuming a lot of
CPU and memory when untrusted zones are loaded. Defaults to 0 which

.. _setting-max-nsec3-iterations:

``max-nsec3-iterations``
------------------------

Limit the number of NSEC3 hash iterations for zone configurations.
For more information see :ref:`dnssec-operational-nsec-modes-params`.

.. _setting-max-packet-cache-entries:

``max-packet-cache-entries``
----------------------------

.. versionadded:: 4.1.0

Maximum number of entries in the packet cache. 1 million (the default)
will generally suffice for most installations.

.. _setting-max-queue-length:

``max-queue-length``
--------------------

If this many packets are waiting for database attention, consider the
situation hopeless and respawn.

.. _setting-max-signature-cache-entries:

``max-signature-cache-entries``
-------------------------------

- Default: 2^31-1 (on most systems), 2^63-1 (on ILP64 systems)

Maximum number of signature cache entries.

.. _setting-max-tcp-connection-duration:

``max-tcp-connection-duration``
-------------------------------

Maximum time in seconds that a TCP DNS connection is allowed to stay
open. 0 means unlimited. Note that exchanges related to an AXFR or IXFR
are not affected by this setting.

.. _setting-max-tcp-connections:

``max-tcp-connections``
-----------------------

Allow this many incoming TCP DNS connections simultaneously.

.. _setting-max-tcp-connections-per-client:

``max-tcp-connections-per-client``
----------------------------------

Maximum number of simultaneous TCP connections per client. 0 means

.. _setting-max-tcp-transactions-per-conn:

``max-tcp-transactions-per-conn``
---------------------------------

Allow this many DNS queries in a single TCP transaction. 0 means
unlimited. Note that exchanges related to an AXFR or IXFR are not
affected by this setting.

.. _setting-module-dir:

``module-dir``
--------------

Directory for modules. Default depends on ``PKGLIBDIR`` during

.. _setting-negquery-cache-ttl:

``negquery-cache-ttl``
----------------------

Seconds to store queries with no answer in the Query Cache. See :ref:`query-cache`.

.. _setting-no-config:

``no-config``
-------------

Do not attempt to read the configuration file. Useful for configuration
by parameters from the command line only.

.. _setting-no-shuffle:

``no-shuffle``
--------------

Do not attempt to shuffle query results, used for regression testing.

.. _setting-non-local-bind:

``non-local-bind``
------------------

Bind to addresses even if one or more of the
:ref:`setting-local-address`'s do not exist on this server.
Setting this option will enable the needed socket options to allow
binding to non-local addresses. This feature is intended to facilitate
ip-failover setups, but it may also mask configuration issues and for
this reason it is disabled by default.

.. _setting-only-notify:

``only-notify``
---------------

- IP Ranges, separated by commas or whitespace
- Default: 0.0.0.0/0, ::/0

For type=MASTER zones (or SLAVE zones with slave-renotify enabled)
PowerDNS automatically sends NOTIFYs to the name servers specified in
the NS records. By specifying networks/masks as a whitelist, the targets
can be limited. The default is to notify the world. To completely
disable these NOTIFYs set ``only-notify`` to an empty value. Independent
of this setting, the IP addresses or netmasks configured with
:ref:`setting-also-notify` and ``ALSO-NOTIFY`` domain metadata
always receive AXFR NOTIFYs.

IP addresses and netmasks can be excluded by prefixing them with a ``!``.
To notify all IP addresses apart from the 192.168.0.0/24 subnet use the following::

    only-notify=0.0.0.0/0, ::/0, !192.168.0.0/24

Even if NOTIFYs are limited by a netmask, PowerDNS first has to
resolve all the hostnames to check their IP addresses against the
specified whitelist. The resolving may take considerable time,
especially if those hostnames are slow to resolve. If you do not need to
NOTIFY the slaves defined in the NS records (e.g. you are using another
method to distribute the zone data to the slaves), then set
:ref:`setting-only-notify` to an empty value and specify the notification targets
explicitly using :ref:`setting-also-notify` and/or
:ref:`metadata-also-notify` domain metadata to avoid this potential bottleneck.

If your slaves support an Internet Protocol version which your master does not,
then set ``only-notify`` to include only the supported protocol version.
Otherwise there will be errors trying to resolve the addresses.

For example, if the slaves support both IPv4 and IPv6 but the PowerDNS master has only IPv4,
allow only IPv4 with ``only-notify``::

    only-notify=0.0.0.0/0
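To make the ``!`` exclusion, the unconditional ``also-notify`` targets and the IPv4/IPv6 caveat concrete, here is an added Python example (written for this page, not PowerDNS code) that evaluates a netmask list of the kind ``only-notify`` and ``allow-axfr-ips`` accept. The reference only states that a ``!`` prefix excludes a range; the rule that the most specific matching entry decides is an assumption of the example. The NS addresses in the block are constructed sample data.

```python
"""Added example, not PowerDNS code: evaluate the comma- or whitespace-
separated netmask lists with ``!`` exclusions that ``only-notify`` and
``allow-axfr-ips`` accept, including the IPv4/IPv6 mismatch case."""

from __future__ import annotations

import ipaddress
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_netmask_list(value: str) -> List[Tuple[Network, bool]]:
    """Turn '0.0.0.0/0, ::/0, !192.168.0.0/24' into (network, permitted) pairs.

    Entries are separated by commas or whitespace, a bare address means a
    /32 or /128, and a leading '!' marks the entry as an exclusion.
    """
    entries: List[Tuple[Network, bool]] = []
    for item in value.replace(",", " ").split():
        allowed = not item.startswith("!")
        entries.append((ipaddress.ip_network(item.lstrip("!"), strict=False), allowed))
    return entries


def permitted(value: str, address: str) -> bool:
    """Decide whether ``address`` is inside the list and not excluded.

    Assumption of this example: when several entries contain the address, the
    most specific one (longest prefix) decides. An empty list permits nothing,
    and an address of one IP version never matches a network of the other.
    """
    addr = ipaddress.ip_address(address)
    best: Optional[Tuple[int, bool]] = None
    for net, allowed in parse_netmask_list(value):
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0]:
            best = (net.prefixlen, allowed)
    return best is not None and best[1]


def notify_targets(ns_addresses: List[str], only_notify: str, also_notify: str) -> List[str]:
    """Addresses that would receive a NOTIFY: the resolved NS addresses filtered
    by ``only-notify``, plus every ``also-notify`` address unconditionally."""
    targets = [a for a in ns_addresses if permitted(only_notify, a)]
    for extra in also_notify.replace(",", " ").split():
        if extra not in targets:
            targets.append(extra)
    return targets


# Constructed sample: resolved NS addresses for a zone, one inside the
# excluded subnet and one reachable only over IPv6.
SAMPLE_NS = ["192.0.2.1", "192.168.0.5", "2001:db8::53"]

if __name__ == "__main__":
    acl = "0.0.0.0/0, ::/0, !192.168.0.0/24"
    print(notify_targets(SAMPLE_NS, acl, "203.0.113.167"))
    # IPv4-only list: the IPv6-only slave is silently left out
    print(notify_targets(SAMPLE_NS, "0.0.0.0/0", ""))
```

The second call in the ``__main__`` block is the case the paragraph above describes from the other direction: with an IPv4-only ``only-notify``, an IPv6-only NS host simply drops out of the target list, which is easy to miss when checking why a slave never receives NOTIFYs.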
.. _setting-out-of-zone-additional-processing:

``out-of-zone-additional-processing``
-------------------------------------

.. deprecated:: 4.2.0
   This setting has been removed.

Do out of zone additional processing. This means that if a malicious
user adds a '.com' zone to your server, it is not used for other domains
and will not contaminate answers. Do not enable this setting if you run
a public DNS service with untrusted users.

The docs had previously indicated that the default was "no", but the
default has been "yes" since 2005.

.. _setting-outgoing-axfr-expand-alias:

``outgoing-axfr-expand-alias``
------------------------------

If this is enabled, ALIAS records are expanded (synthesised to their
A/AAAA) during outgoing AXFR. This means slaves will not automatically
follow changes in those A/AAAA records unless you AXFR regularly!

If this is disabled (the default), ALIAS records are sent verbatim
during outgoing AXFR. Note that if your slaves do not support ALIAS,
they will return NODATA for A/AAAA queries for such names.

.. _setting-overload-queue-length:

``overload-queue-length``
-------------------------

- Default: 0 (disabled)

If this many packets are waiting for database attention, answer any new
questions strictly from the packet cache.

.. _setting-prevent-self-notification:

``prevent-self-notification``
-----------------------------

PowerDNS Authoritative Server attempts to not send out notifications to
itself in master mode. In very complicated situations we could guess
wrong and not notify a server that should be notified. In that case, set
prevent-self-notification to "no".

.. _setting-query-cache-ttl:

``query-cache-ttl``
-------------------

Seconds to store queries with an answer in the Query Cache. See :ref:`query-cache`.

.. _setting-query-local-address:

``query-local-address``
-----------------------

The IP address to use as a source address for sending queries. Useful if
you have multiple IPs and PowerDNS is not bound to the IP address your
operating system uses by default for outgoing packets.

.. _setting-query-local-address6:

``query-local-address6``
------------------------

Source IP address for sending IPv6 queries.

.. _setting-query-logging:

``query-logging``
-----------------

Boolean, hints to a backend that it should log a textual representation
of queries it performs. Can be set at runtime.

.. _setting-queue-limit:

``queue-limit``
---------------

Maximum number of milliseconds to queue a query. See :doc:`performance`.

.. _setting-receiver-threads:

``receiver-threads``
--------------------

Number of receiver (listening) threads to start. See :doc:`performance`.

.. _setting-recursive-cache-ttl:

``recursive-cache-ttl``
-----------------------

.. deprecated:: 4.1.0
   Recursion has been removed, see :doc:`guides/recursion`.

Seconds to store recursive packets in the :ref:`packet-cache`.

.. _setting-recursor:

``recursor``
------------

.. deprecated:: 4.1.0
   Recursion has been removed, see :doc:`guides/recursion`.

If set, recursive queries will be handed to the recursor specified here.

.. _setting-resolver:

``resolver``
------------

- IP Addresses with optional port, separated by commas

.. versionadded:: 4.1.0

Use these resolver addresses for ALIAS and the internal stub resolver.
If this is not set, ``/etc/resolv.conf`` is parsed for upstream

.. _setting-retrieval-threads:

``retrieval-threads``
---------------------

Number of AXFR slave threads to start.

.. _setting-reuseport:

``reuseport``
-------------

On Linux 3.9 and some BSD kernels the ``SO_REUSEPORT`` option allows
each receiver-thread to open a new socket on the same port which allows
for much higher performance on multi-core boxes. Setting this option
will enable use of ``SO_REUSEPORT`` when available and seamlessly fall
back to a single socket when it is not available. A side-effect is that
you can start multiple servers on the same IP/port combination which may
or may not be a good idea. You could use this to enable transparent
restarts, but it may also mask configuration issues and for this reason
it is disabled by default.
1396 Specify which random number generator to use. Permissible choises are:
1398 - auto - choose automatically
1399 - sodium - Use libsodium ``randombytes_uniform``
1400 - openssl - Use libcrypto ``RAND_bytes``
1401 - getrandom - Use libc getrandom, falls back to urandom if it does not really work
1402 - arc4random - Use BSD ``arc4random_uniform``
1403 - urandom - Use ``/dev/urandom``
1404 - kiss - Use simple settable deterministic RNG. **FOR TESTING PURPOSES ONLY!**
1407 Not all choises are available on all systems.
1409 .. _setting-security-poll-suffix:
1411 ``security-poll-suffix``
1412 ------------------------
1415 - Default: secpoll.powerdns.com.
1417 Domain name from which to query security update notifications. Setting
1418 this to an empty string disables secpoll.
1420 .. _setting-send-signed-notify:
1422 ``send-signed-notify``
1423 ----------------------
1428 If yes, outgoing NOTIFYs will be signed if a TSIG key is configured for the zone.
1429 If there are multiple TSIG keys configured for a domain, PowerDNS will use the
1430 first one retrieved from the backend, which may not be the correct one for the
1431 respective slave. Hence, in setups with multiple slaves with different TSIG keys
1432 it may be required to send NOTIFYs unsigned.
1434 .. _setting-server-id:
1440 - Default: The hostname of the server
1442 This is the server ID that will be returned on an EDNS NSID query.
1451 If set, change group id to this gid for more security. See :doc:`security`.
1460 If set, change user id to this uid for more security. See :doc:`security`.
1462 .. _setting-signing-threads:
1470 Tell PowerDNS how many threads to use for signing. It might help improve
1471 signing speed by changing this number.
1481 Turn on slave support. See :ref:`slave-operation`.
1483 .. _setting-slave-cycle-interval:
1485 ``slave-cycle-interval``
1486 ------------------------
1491 On a master, this is the amount of seconds between the master checking
1492 the SOA serials in its database to determine to send out NOTIFYs to the
1493 slaves. On slaves, this is the number of seconds between the slave
1494 checking for updates to zones.
1496 .. _setting-slave-renotify:
1504 This setting will make PowerDNS renotify the slaves after an AXFR is
1505 *received* from a master. This is useful when using when running a
1508 See :ref:`metadata-slave-renotify` to set this per-zone.
1510 .. _setting-soa-expire-default:
1512 ``soa-expire-default``
1513 ----------------------
1518 .. deprecated:: 4.2.0
1519 This setting has been deprecated and will be removed in 4.3.0
1521 Default :ref:`types-soa` expire.
1523 .. _setting-soa-minimum-ttl:
1531 .. deprecated:: 4.2.0
1532 This setting has been deprecated and will be removed in 4.3.0
1534 Default :ref:`types-soa` minimum ttl.
1536 .. _setting-soa-refresh-default:
1538 ``soa-refresh-default``
1539 -----------------------
1544 .. deprecated:: 4.2.0
1545 This setting has been deprecated and will be removed in 4.3.0
1547 Default :ref:`types-soa` refresh.
1549 .. _setting-soa-retry-default:
1551 ``soa-retry-default``
1552 ---------------------
1557 .. deprecated:: 4.2.0
1558 This setting has been deprecated and will be removed in 4.3.0
1560 Default :ref:`types-soa` retry.
.. _setting-socket-dir:

``socket-dir``
--------------

Where the control socket will live. The default depends on
``LOCALSTATEDIR`` during compile-time (usually ``/var/run`` or
``/run``). See :ref:`control-socket`.

This path will also contain the pidfile for this instance of PowerDNS,
called ``pdns.pid`` by default. See :ref:`setting-config-name`
and :doc:`Virtual Hosting <guides/virtual-instances>` for how this can differ.
.. _setting-superslave:

``superslave``
--------------

.. versionadded:: 4.1.9
   In versions before 4.1.9, this setting did not exist and supermaster support
   was enabled by default.

.. versionchanged:: 4.2.0
   Before 4.2.0, the default was yes.

Turn on supermaster support. See :ref:`supermaster-operation`.
.. _setting-tcp-control-address:

``tcp-control-address``
-----------------------

Address to bind to for TCP control.

.. _setting-tcp-control-port:

``tcp-control-port``
--------------------

Port to bind to for TCP control.

.. _setting-tcp-control-range:

``tcp-control-range``
---------------------

- IP ranges, separated by commas or whitespace

Limit TCP control to a specific client range.

.. _setting-tcp-control-secret:

``tcp-control-secret``
----------------------

Password for TCP control.
.. _setting-tcp-fast-open:

``tcp-fast-open``
-----------------

- Default: 0 (Disabled)

.. versionadded:: 4.1.0

Enable TCP Fast Open support, if available, on the listening sockets.
The numerical value supplied is used as the queue size, 0 meaning
.. _setting-tcp-idle-timeout:

``tcp-idle-timeout``
--------------------

Maximum time in seconds that a TCP DNS connection is allowed to stay
open while being idle, meaning without PowerDNS receiving or sending

.. _setting-traceback-handler:

``traceback-handler``
---------------------

Enable the Linux-only traceback handler.

.. _setting-trusted-notification-proxy:

``trusted-notification-proxy``
------------------------------

IP address of the incoming notification proxy.
.. _setting-udp-truncation-threshold:

``udp-truncation-threshold``
----------------------------

.. versionchanged:: 4.2.0
   Before 4.2.0, the default was 1680.

EDNS0 allows for large UDP response datagrams, which can potentially
improve performance. Large responses, however, also have downsides in terms
of reflection attacks. The maximum value is 65535, but values above
4096 should probably not be attempted.

1232 is the largest number of payload bytes that can fit in the smallest IPv6 packet.
IPv6 has a minimum MTU of 1280 bytes (:rfc:`RFC 8200, section 5 <8200#section-5>`); subtracting 40 bytes for the IPv6 header and 8 bytes for the UDP header gives 1232, the maximum payload size for the DNS response.
.. _setting-version-string:

``version-string``
------------------

- Any of: ``anonymous``, ``powerdns``, ``full``, String

When queried for its version over DNS
(``dig chaos txt version.bind @pdns.ip.address``), PowerDNS normally
responds truthfully. With this setting you can overrule what will be
returned. Set the ``version-string`` to ``full`` to get the default
behaviour, to ``powerdns`` to just make it state
``Served by PowerDNS - https://www.powerdns.com/``. The ``anonymous``
setting will return a ServFail, much like Microsoft nameservers do. You
can set this response to a custom value as well.
.. _setting-webserver:

``webserver``
-------------

Start a webserver for monitoring. See :doc:`performance`.

.. versionchanged:: 4.1.0
   It used to be necessary to enable the webserver to use the REST API; this is no longer the case.

.. _setting-webserver-address:

``webserver-address``
---------------------

- Default: 127.0.0.1

IP address for the webserver/API to listen on.

.. _setting-webserver-allow-from:

``webserver-allow-from``
------------------------

- IP ranges, separated by commas or whitespace
- Default: 127.0.0.1,::1

.. versionchanged:: 4.1.0
   The default is now 127.0.0.1,::1; it was 0.0.0.0/0,::/0 before.

Webserver/API access is only allowed from these subnets.
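As an added example that is not part of the PowerDNS documentation or code base, the following Python audit parses a ``pdns.conf`` fragment and reports the settings from this page that widen exposure: a catch-all ``webserver-allow-from`` or ``tcp-control-range``, a ``udp-truncation-threshold`` above 4096, and ``version-string`` left at ``full``. The configuration fragment is constructed for the example.

```python
import ipaddress
from typing import Dict, List

# Constructed pdns.conf fragment for this example (not a real deployment).
SAMPLE_CONF = """\
webserver=yes
webserver-address=0.0.0.0
# 0.0.0.0/0,::/0 was the webserver-allow-from default before 4.1.0
webserver-allow-from=0.0.0.0/0,::/0
tcp-control-range=127.0.0.1, 10.0.0.0/8
udp-truncation-threshold=8192
version-string=full
"""

def parse_pdns_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comment lines are ignored."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def ip_ranges(value: str) -> List:
    """Split a comma- or whitespace-separated range list into network objects."""
    return [ipaddress.ip_network(p, strict=False) for p in value.replace(",", " ").split()]

def allows_everyone(value: str) -> bool:
    """True when any entry is a catch-all network (0.0.0.0/0 or ::/0)."""
    return any(net.prefixlen == 0 for net in ip_ranges(value))

def audit(settings: Dict[str, str]) -> Dict[str, str]:
    """Return {setting: reason} for settings that weaken the documented defaults."""
    findings: Dict[str, str] = {}
    if settings.get("webserver", "no") == "yes":
        allow = settings.get("webserver-allow-from", "127.0.0.1,::1")  # documented default
        if allows_everyone(allow):
            findings["webserver-allow-from"] = "webserver/API reachable from any client"
    ctl = settings.get("tcp-control-range")
    if ctl is not None and allows_everyone(ctl):
        findings["tcp-control-range"] = "TCP control reachable from any client"
    thr = settings.get("udp-truncation-threshold")
    if thr is not None and int(thr) > 4096:
        findings["udp-truncation-threshold"] = "values above 4096 are not recommended"
    if settings.get("version-string", "full") == "full":  # full is the default behaviour
        findings["version-string"] = "exact version disclosed over CHAOS TXT version.bind"
    return findings
```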
.. _setting-webserver-loglevel:

``webserver-loglevel``
----------------------

.. versionadded:: 4.2.0

- String, one of "none", "normal", "detailed"

The amount of logging the webserver must do. "none" means no useful webserver information will be logged.
When set to "normal", the webserver will log a line per request that should be familiar::

   [webserver] e235780e-a5cf-415e-9326-9d33383e739e 127.0.0.1:55376 "GET /api/v1/servers/localhost/bla HTTP/1.1" 404 196

When set to "detailed", all information about the request and response is logged::

   [webserver] e235780e-a5cf-415e-9326-9d33383e739e Request Details:
   [webserver] e235780e-a5cf-415e-9326-9d33383e739e Headers:
   [webserver] e235780e-a5cf-415e-9326-9d33383e739e accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
   [webserver] e235780e-a5cf-415e-9326-9d33383e739e accept-encoding: gzip, deflate
   [webserver] e235780e-a5cf-415e-9326-9d33383e739e accept-language: en-US,en;q=0.5
   [webserver] e235780e-a5cf-415e-9326-9d33383e739e connection: keep-alive
   [webserver] e235780e-a5cf-415e-9326-9d33383e739e dnt: 1
   [webserver] e235780e-a5cf-415e-9326-9d33383e739e host: 127.0.0.1:8081
   [webserver] e235780e-a5cf-415e-9326-9d33383e739e upgrade-insecure-requests: 1
   [webserver] e235780e-a5cf-415e-9326-9d33383e739e user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0
   [webserver] e235780e-a5cf-415e-9326-9d33383e739e No body
   [webserver] e235780e-a5cf-415e-9326-9d33383e739e Response details:
   [webserver] e235780e-a5cf-415e-9326-9d33383e739e Headers:
   [webserver] e235780e-a5cf-415e-9326-9d33383e739e Connection: close
   [webserver] e235780e-a5cf-415e-9326-9d33383e739e Content-Length: 49
   [webserver] e235780e-a5cf-415e-9326-9d33383e739e Content-Type: text/html; charset=utf-8
   [webserver] e235780e-a5cf-415e-9326-9d33383e739e Server: PowerDNS/0.0.15896.0.gaba8bab3ab
   [webserver] e235780e-a5cf-415e-9326-9d33383e739e Full body:
   [webserver] e235780e-a5cf-415e-9326-9d33383e739e <!html><title>Not Found</title><h1>Not Found</h1>
   [webserver] e235780e-a5cf-415e-9326-9d33383e739e 127.0.0.1:55376 "GET /api/v1/servers/localhost/bla HTTP/1.1" 404 196

The value following the ``[webserver]`` prefix is a UUID that is generated for each request. This can be used to find all lines related to a single request.

The webserver logs these lines on the NOTICE level. The :ref:`setting-loglevel` setting must be 5 or higher for these lines to end up in the log.
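As an added example, not taken from the PowerDNS documentation or code base, the Python below parses the access lines in the format shown above, groups every line of a "detailed" request by its UUID, and counts HTTP 401 responses per client so that repeated failed logins against the webserver stand out in the log. The log excerpt is constructed; the 401 status and the 192.0.2.10 client are assumptions.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

# "normal"-level access line: [webserver] <uuid> <client:port> "<request line>" <status> <bytes>
ACCESS_RE = re.compile(
    r'^\[webserver\] (?P<uuid>[0-9a-f-]{36}) (?P<client>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+)$')
# Any webserver line, whatever follows the UUID ("detailed" level emits many per request).
PREFIX_RE = re.compile(r'^\[webserver\] (?P<uuid>[0-9a-f-]{36}) (?P<rest>.*)$')

# Constructed sample (not a real capture): one "detailed" request, then three
# unauthenticated API calls from a single client.
SAMPLE_LOG = """\
[webserver] e235780e-a5cf-415e-9326-9d33383e739e Request Details:
[webserver] e235780e-a5cf-415e-9326-9d33383e739e Headers:
[webserver] e235780e-a5cf-415e-9326-9d33383e739e host: 127.0.0.1:8081
[webserver] e235780e-a5cf-415e-9326-9d33383e739e No body
[webserver] e235780e-a5cf-415e-9326-9d33383e739e 127.0.0.1:55376 "GET /api/v1/servers/localhost/bla HTTP/1.1" 404 196
[webserver] 0b1d2c3e-1111-4aaa-8bbb-000000000001 192.0.2.10:40001 "GET /api/v1/servers/localhost/zones HTTP/1.1" 401 0
[webserver] 0b1d2c3e-1111-4aaa-8bbb-000000000002 192.0.2.10:40002 "GET /api/v1/servers/localhost/zones HTTP/1.1" 401 0
[webserver] 0b1d2c3e-1111-4aaa-8bbb-000000000003 192.0.2.10:40003 "GET /api/v1/servers/localhost/zones HTTP/1.1" 401 0
"""

def parse_access_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a request-summary line, or None for any other line."""
    m = ACCESS_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def group_by_request(log_text: str) -> Dict[str, List[str]]:
    """Collect every line belonging to one request, keyed by its UUID."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            groups[m.group("uuid")].append(m.group("rest"))
    return dict(groups)

def repeated_auth_failures(log_text: str, threshold: int = 3) -> Dict[str, int]:
    """Count 401 responses per client IP (port stripped); report those at or above threshold."""
    failures: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec and rec["status"] == "401":
            failures[rec["client"].rsplit(":", 1)[0]] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}
```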
.. _setting-webserver-max-bodysize:

``webserver-max-bodysize``
--------------------------

.. versionadded:: 4.2.0

Maximum request/response body size in megabytes.

.. _setting-webserver-password:

``webserver-password``
----------------------

The plaintext password required for accessing the webserver.

.. _setting-webserver-port:

``webserver-port``
------------------

The port the webserver/API will listen on.

.. _setting-webserver-print-arguments:

``webserver-print-arguments``
-----------------------------

Whether the webserver should print arguments.

.. _setting-write-pid:

``write-pid``
-------------

Whether a PID file should be written.

.. _setting-xfr-max-received-mbytes:

``xfr-max-received-mbytes``
---------------------------

Specifies the maximum number of received megabytes allowed on an
incoming AXFR/IXFR update, to prevent resource exhaustion. A value of 0
means no restriction.