Authoritative Server Settings
=============================

All PowerDNS Authoritative Server settings are listed here, excluding
those that originate from backends, which are documented in the relevant
chapters. These settings can be set inside ``pdns.conf`` or on the
command line when invoking the ``pdns`` binary.

You can use the ``+=`` syntax to set some variables incrementally, but this
requires you to have at least one non-incremental setting for the
variable to act as the base setting. This is mostly useful for the
:ref:`setting-include-dir` directive.

For boolean settings, specifying the name of the setting without a value

- Allow 8 bit dns queries

.. versionadded:: 4.0.0

Allow 8 bit DNS queries.
.. _setting-allow-axfr-ips:

``allow-axfr-ips``
------------------

- IP ranges, separated by commas
- Default: 127.0.0.0/8,::1

If set, only these IP addresses or netmasks will be able to perform

.. _setting-allow-dnsupdate-from:

``allow-dnsupdate-from``
------------------------

- IP ranges, separated by commas
- Default: 127.0.0.0/8,::1

Allow DNS updates from these IP ranges. Set to an empty string to honour
``ALLOW-DNSUPDATE-FROM`` in :ref:`metadata-allow-dnsupdate-from`.

.. _setting-allow-notify-from:

``allow-notify-from``
---------------------

- IP ranges, separated by commas
- Default: 0.0.0.0/0,::/0

Allow AXFR NOTIFY from these IP ranges. Setting this to an empty string
will drop all incoming notifies.
.. _setting-allow-unsigned-notify:

``allow-unsigned-notify``
-------------------------

.. versionadded:: 4.0.0

Turning this off requires all received notifications to be
signed by a valid TSIG signature for the zone.

.. _setting-allow-unsigned-supermaster:

``allow-unsigned-supermaster``
------------------------------

.. versionadded:: 4.0.0

Turning this off requires all supermaster notifications to be signed by
a valid TSIG signature. It will accept any existing key on the slave.

.. _setting-allow-recursion:

``allow-recursion``
-------------------

- IP ranges, separated by commas

By specifying ``allow-recursion``, recursion can be restricted to the
netmasks specified. The default is to allow recursion from everywhere.
Example: ``allow-recursion=198.51.100.0/24, 10.0.0.0/8, 192.0.2.4``.
.. _setting-also-notify:

``also-notify``
---------------

- IP addresses, separated by commas

When notifying a domain, also notify these nameservers. Example:
``also-notify=192.0.2.1, 203.0.113.167``. The IP addresses listed in
``also-notify`` always receive a notification, even if they do not match
the list in :ref:`setting-only-notify`.

.. _setting-any-to-tcp:

``any-to-tcp``
--------------

.. versionchanged:: 4.0.1
  The default was 'no' before.

Answer ANY questions received over UDP with a truncated packet that refers
the remote server to TCP. Useful for mitigating reflection attacks.
Enable/disable the :doc:`http-api/index`.

.. versionadded:: 4.0.0

Static pre-shared authentication key for access to the REST API.

.. _setting-api-readonly:

``api-readonly``
----------------

.. versionadded:: 4.0.0

Disallow data modification through the REST API when set.

.. _setting-axfr-lower-serial:

``axfr-lower-serial``
---------------------

.. versionadded:: 4.0.4

Also AXFR a zone from a master with a lower serial.

.. _setting-cache-ttl:

``cache-ttl``
-------------

Seconds to store packets in the :ref:`packet-cache`.
.. _setting-carbon-namespace:

``carbon-namespace``
--------------------

.. versionadded:: 4.2.0

Set the namespace or first string of the metric key. Be careful not to include
any dots in this setting, unless you know what you are doing.
See :ref:`metricscarbon`.

.. _setting-carbon-ourname:

``carbon-ourname``
------------------

- Default: the hostname of the server

If sending carbon updates, this setting, when set, overrides our hostname. Be
careful not to include any dots in this setting, unless you know what
you are doing. See :ref:`metricscarbon`.

.. _setting-carbon-instance:

``carbon-instance``
-------------------

.. versionadded:: 4.2.0

Set the instance or third string of the metric key. Be careful not to include
any dots in this setting, unless you know what you are doing.
See :ref:`metricscarbon`.

.. _setting-carbon-server:

``carbon-server``
-----------------

Send all available metrics to this server via the carbon protocol, which
is used by graphite and metronome. It has to be an address (no
hostnames). You may specify an alternate port by appending ``:port``, e.g.
``127.0.0.1:2004``. See :ref:`metricscarbon`.

.. _setting-carbon-interval:

``carbon-interval``
-------------------

If sending carbon updates, this is the interval between them in seconds.
See :ref:`metricscarbon`.
If set, chroot to this directory for more security. See :doc:`security`.

Make sure that ``/dev/log`` is available from within the chroot. Logging
will silently fail over time otherwise (on logrotate).

When setting ``chroot``, all other paths in the config (except for
:ref:`setting-config-dir` and :ref:`setting-module-dir`)
are relative to the new root.

When running on a system where systemd manages services, ``chroot`` does
not work out of the box, as PowerDNS cannot use the ``NOTIFY_SOCKET``.
Either don't ``chroot`` on these systems or set the 'Type' of this
service to 'simple' instead of 'notify' (refer to the systemd
documentation on how to modify unit files).

.. _setting-config-dir:

``config-dir``
--------------

Location of the configuration directory (``pdns.conf``). Usually
``/etc/powerdns``, but this depends on ``SYSCONFDIR`` during

.. _setting-config-name:

``config-name``
---------------

Name of this virtual configuration - will rename the binary image. See
:doc:`guides/virtual-instances`.

.. _setting-control-console:

``control-console``
-------------------

Debugging switch - don't use.
.. _setting-default-api-rectify:

``default-api-rectify``
-----------------------

.. versionadded:: 4.2.0

The value of :ref:`metadata-api-rectify` if it is not set on the zone.

Before 4.2.0 the default was always no.

.. _setting-default-ksk-algorithms:
.. _setting-default-ksk-algorithm:

``default-ksk-algorithm``
--------------------------

.. versionchanged:: 4.1.0
  Renamed from ``default-ksk-algorithms``. No longer supports multiple algorithm names.

The algorithm that should be used for the KSK when running
:doc:`pdnsutil secure-zone <manpages/pdnsutil.1>` or using the :doc:`Zone API endpoint <http-api/cryptokey>`
to enable DNSSEC. Must be one of:

* ecdsa256 (ECDSA P-256 with SHA256)
* ecdsa384 (ECDSA P-384 with SHA384)

Actual supported algorithms depend on the crypto libraries
PowerDNS was compiled against. To check the supported DNSSEC algorithms
in your build of PowerDNS, run ``pdnsutil list-algorithms``.

.. _setting-default-ksk-size:

``default-ksk-size``
--------------------

- Default: whichever is the default for `default-ksk-algorithm`_

The default key size for the KSK generated with :doc:`pdnsutil secure-zone <dnssec/pdnsutil>`.
Only relevant for algorithms with non-fixed key sizes (like RSA).
.. _setting-default-soa-name:

``default-soa-name``
--------------------

- Default: a.misconfigured.powerdns.server

Name to insert in the SOA record if none is set in the backend.

.. _setting-default-soa-edit:

``default-soa-edit``
--------------------

Use this soa-edit value for all zones if no
:ref:`metadata-soa-edit` metadata value is set.

.. _setting-default-soa-edit-signed:

``default-soa-edit-signed``
---------------------------

Use this soa-edit value for all signed zones if no
:ref:`metadata-soa-edit` metadata value is set.
Overrides :ref:`setting-default-soa-edit`.

.. _setting-default-soa-mail:

``default-soa-mail``
--------------------

Mail address to insert in the SOA record if none is set in the backend.

.. _setting-default-ttl:

``default-ttl``
---------------

TTL to use when none is provided.
.. _setting-default-zsk-algorithms:
.. _setting-default-zsk-algorithm:

``default-zsk-algorithm``
--------------------------

.. versionchanged:: 4.1.0
  Renamed from ``default-zsk-algorithms``. No longer supports multiple algorithm names.

The algorithm that should be used for the ZSK when running
:doc:`pdnsutil secure-zone <manpages/pdnsutil.1>` or using the :doc:`Zone API endpoint <http-api/cryptokey>`
to enable DNSSEC. Must be one of:

* ecdsa256 (ECDSA P-256 with SHA256)
* ecdsa384 (ECDSA P-384 with SHA384)

Actual supported algorithms depend on the crypto libraries
PowerDNS was compiled against. To check the supported DNSSEC algorithms
in your build of PowerDNS, run ``pdnsutil list-algorithms``.

.. _setting-default-zsk-size:

``default-zsk-size``
--------------------

- Default: 0 (automatic default for `default-zsk-algorithm`_)

The default key size for the ZSK generated with :doc:`pdnsutil secure-zone <dnssec/pdnsutil>`.
Only relevant for algorithms with non-fixed key sizes (like RSA).
.. _setting-direct-dnskey:

``direct-dnskey``
-----------------

Read additional DNSKEY, CDS and CDNSKEY records from the records table/your BIND zonefile. If not
set, DNSKEY, CDS and CDNSKEY records in the zonefiles are ignored.

.. _setting-disable-axfr:

``disable-axfr``
----------------

Do not allow zone transfers.

.. _setting-disable-axfr-rectify:

``disable-axfr-rectify``
------------------------

Disable the rectify step during an outgoing AXFR. Only required for

.. _setting-disable-syslog:

``disable-syslog``
------------------

Do not log to syslog, only to stdout. Use this setting when running
inside a supervisor that handles logging (like systemd).

Do not use this setting in combination with :ref:`setting-daemon` as all
logging will disappear.

.. _setting-disable-tcp:

``disable-tcp``
---------------

Do not listen to TCP queries. Breaks RFC compliance.

.. _setting-distributor-threads:

``distributor-threads``
-----------------------

Number of Distributor (backend) threads to start per receiver thread.
See :doc:`performance`.

.. _setting-dname-processing:

``dname-processing``
--------------------

Synthesise CNAME records from DNAME records as required. This
approximately doubles query load. **Do not combine with DNSSEC!**

.. _setting-dnssec-key-cache-ttl:

``dnssec-key-cache-ttl``
------------------------

Seconds to cache DNSSEC keys from the database. A value of 0 disables

.. _setting-dnsupdate:

``dnsupdate``
-------------

Enable/Disable DNS update (RFC2136) support. See :doc:`dnsupdate` for more.
.. _setting-do-ipv6-additional-processing:

``do-ipv6-additional-processing``
---------------------------------

Perform AAAA additional processing. This sends AAAA records in the
ADDITIONAL section when sending a referral.

.. _setting-domain-metadata-cache-ttl:

``domain-metadata-cache-ttl``
-----------------------------

Seconds to cache domain metadata from the database. A value of 0

.. _setting-edns-subnet-processing:

``edns-subnet-processing``
--------------------------

Enables EDNS subnet processing, for backends that support it.

.. _setting-enable-lua-records:

``enable-lua-records``
----------------------

Globally enable the LUA records feature.

.. _setting-entropy-source:

``entropy-source``
------------------

- Default: /dev/urandom

Entropy source file to use.

.. _setting-expand-alias:

``expand-alias``
----------------

If this is enabled, ALIAS records are expanded (synthesised to their

If this is disabled (the default), ALIAS records will not be expanded and
the server will return NODATA for A/AAAA queries for such names.

**note**: :ref:`setting-resolver` must also be set for ALIAS

**note**: In PowerDNS Authoritative Server 4.0.x, this setting did not
exist and ALIAS was always expanded.
.. _setting-forward-dnsupdate:

``forward-dnsupdate``
---------------------

Forward DNS updates sent to a slave to the master.

.. _setting-forward-notify:

``forward-notify``
------------------

- IP addresses, separated by commas

IP addresses to forward received notifications to regardless of master

The intended use is in anycast environments where it might be
necessary for a proxy server to perform the AXFR. The usual checks are
performed before any received notification is forwarded.

.. _setting-guardian:

``guardian``
------------

Run within a guardian process. See :ref:`running-guardian`.

.. _setting-include-dir:

``include-dir``
---------------

Directory to scan for additional config files. All files that end with
``.conf`` are loaded in order using ``POSIX`` as the locale.
- Backend names, separated by commas

Which backends to launch and the order to query them in. Launches backends.
In its most simple form, supply all backends that need to be launched::

    launch=bind,gmysql,remote

If you find that you need to query a backend multiple times with
different configuration, you can specify a name for later
instantiations, e.g.::

    launch=gmysql,gmysql:server2

In this case, there are two instances of the gmysql backend, one by the
normal name and the second one called 'server2'. The backend
configuration item names change: e.g. ``gmysql-host`` is available to
configure the ``host`` setting of the first or main instance, and
``gmysql-server2-host`` for the second one.

Running multiple instances of the bind backend is not allowed.
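The ``+=`` rule from the introduction and the ``launch`` instance naming above, worked through in a small Python parser and linter (an added example, not PowerDNS code): the incremental form is rejected without a base setting, ``gmysql:server2`` maps to ``gmysql-server2-*`` keys, and an ``audit`` pass flags combinations this page warns about. The comma join for ``+=``, the accepted boolean spellings, ``#`` comment handling and the sample configuration are assumptions of the example.

```python
"""Parser and linter for pdns.conf-style settings, as described on this page.

Added example, not PowerDNS's own code. It implements the ``key=value`` form,
the ``key+=value`` incremental form (which needs a base ``key=`` first), a bare
setting name as boolean ``yes`` (assumed meaning of the shorthand), and the
``launch=`` instance naming rule (``gmysql:server2`` -> ``gmysql-server2-*``).
"""
from typing import Dict, List, Tuple


class ConfigError(ValueError):
    """Raised for configurations this page says PowerDNS does not accept."""


def parse_pdns_conf(text: str) -> Dict[str, str]:
    """Parse pdns.conf text into a flat name -> value mapping."""
    settings: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if "+=" in line:
            key, value = (p.strip() for p in line.split("+=", 1))
            if key not in settings:
                raise ConfigError(f"line {lineno}: '{key}+=' has no base '{key}=' setting")
            # assumption: increments are joined to the base value with a comma
            settings[key] = f"{settings[key]},{value}"
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            settings[key] = value
        else:
            settings[line] = "yes"  # bare name: boolean switched on (assumed)
    return settings


def backend_instances(launch: str) -> List[Tuple[str, str]]:
    """Return (module, config-prefix) pairs for a launch= value.

    'gmysql,gmysql:server2' -> [('gmysql', 'gmysql'), ('gmysql', 'gmysql-server2')]
    """
    instances: List[Tuple[str, str]] = []
    for item in (i.strip() for i in launch.split(",") if i.strip()):
        module, _, name = item.partition(":")
        prefix = f"{module}-{name}" if name else module
        if any(p == prefix for _, p in instances):
            raise ConfigError(f"backend instance '{item}' launched twice")
        if module == "bind" and any(m == "bind" for m, _ in instances):
            raise ConfigError("multiple instances of the bind backend are not allowed")
        instances.append((module, prefix))
    return instances


def backend_setting(settings: Dict[str, str], prefix: str, key: str) -> str:
    """Look up e.g. the 'host' setting of the instance with prefix 'gmysql-server2'."""
    return settings.get(f"{prefix}-{key}", "")


def is_yes(settings: Dict[str, str], key: str, default: str = "no") -> bool:
    # accepted spellings are an assumption; the page only shows 'yes'/'no'
    return settings.get(key, default).lower() in ("yes", "true", "on", "1")


def audit(settings: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flag combinations this page warns about. Returns (setting, finding) pairs."""
    findings: List[Tuple[str, str]] = []
    if is_yes(settings, "api") and not settings.get("api-key"):
        findings.append(("api-key", "REST API enabled without a static api-key"))
    allow_from = settings.get("webserver-allow-from", "127.0.0.1,::1")
    if {"0.0.0.0/0", "::/0"} & set(allow_from.replace(",", " ").split()):
        findings.append(("webserver-allow-from", "webserver/API reachable from everywhere"))
    if is_yes(settings, "disable-tcp"):
        findings.append(("disable-tcp", "TCP disabled; breaks RFC compliance"))
    if is_yes(settings, "expand-alias") and not settings.get("resolver"):
        findings.append(("resolver", "expand-alias requires resolver to be set"))
    if is_yes(settings, "disable-syslog") and is_yes(settings, "daemon"):
        findings.append(("disable-syslog", "combined with daemon, all logging disappears"))
    if settings.get("rng") == "kiss":
        findings.append(("rng", "kiss RNG is for testing purposes only"))
    return findings


# Constructed sample configuration (not a real deployment).
SAMPLE_CONF = """
# constructed pdns.conf fragment
launch=gmysql,gmysql:server2
gmysql-host=127.0.0.1
gmysql-server2-host=192.0.2.10
local-address=192.0.2.1
local-address+=192.0.2.2
api
webserver-allow-from=0.0.0.0/0
disable-tcp
expand-alias=yes
"""

if __name__ == "__main__":
    conf = parse_pdns_conf(SAMPLE_CONF)
    for module, prefix in backend_instances(conf["launch"]):
        print(module, prefix, backend_setting(conf, prefix, "host"))
    for setting, finding in audit(conf):
        print(f"{setting}: {finding}")
```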
.. _setting-load-modules:

``load-modules``
----------------

- Paths, separated by commas

If backends are available in nonstandard directories, specify their
location here. Multiple files can be loaded if separated by commas. Only
available in non-static distributions.

.. _setting-local-address:

``local-address``
-----------------

- IPv4 Addresses, separated by commas or whitespace

Local IP addresses to which we bind. It is highly advised to bind to
specific interfaces and not use the default 'bind to any'. This causes
big problems if you have multiple IP addresses. Unix does not provide a
way of figuring out what IP address a packet was sent to when binding to

.. _setting-log-timestamp:

``log-timestamp``
-----------------

.. versionadded:: 4.1.0

When printing log lines to stdout, prefix them with timestamps.
Disable this if the process supervisor timestamps these lines already.

The systemd unit file supplied with the source code already disables timestamp printing.

.. _setting-lua-records-exec-limit:

``lua-records-exec-limit``
-----------------------------

Limit LUA record scripts to ``lua-records-exec-limit`` instructions.
Setting this to any value less than or equal to 0 will set no limit.
.. _setting-non-local-bind:

``non-local-bind``
------------------

Bind to addresses even if one or more of the
:ref:`setting-local-address` addresses do not exist on this server.
Setting this option will enable the needed socket options to allow
binding to non-local addresses. This feature is intended to facilitate
IP failover setups, but it may also mask configuration issues and for
this reason it is disabled by default.

.. _setting-lua-axfr-script:

``lua-axfr-script``
-------------------

.. versionadded:: 4.1.0

Script to be used to edit incoming AXFRs, see :ref:`modes-of-operation-axfrfilter`.

.. _setting-local-address-nonexist-fail:

``local-address-nonexist-fail``
-------------------------------

Fail to start if one or more of the
:ref:`setting-local-address` addresses do not exist on this server.

.. _setting-local-ipv6:

``local-ipv6``
--------------

- IPv6 Addresses, separated by commas or whitespace

Local IPv6 addresses to which we bind. It is highly advised to bind to
specific interfaces and not use the default 'bind to any'. This causes
big problems if you have multiple IP addresses.

.. _setting-local-ipv6-nonexist-fail:

``local-ipv6-nonexist-fail``
----------------------------

Fail to start if one or more of the :ref:`setting-local-ipv6`
addresses do not exist on this server.

.. _setting-local-port:

``local-port``
--------------

The port on which we listen. Only one port is possible.
.. _setting-log-dns-details:

``log-dns-details``
-------------------

If set to 'no', informative-only DNS details will not even be sent to
syslog, improving performance.

.. _setting-logging-facility:

``logging-facility``
--------------------

If set to a digit, logging is performed under this LOCAL facility. See :ref:`logging-to-syslog`.
Do not pass names like 'local0'!

.. _setting-loglevel:

``loglevel``
------------

Amount of logging. Higher is more. Do not set below 3. Corresponds to "syslog" level values,
e.g. error = 3, warning = 4, notice = 5, info = 6.

.. _setting-log-dns-queries:

``log-dns-queries``
-------------------

Tell PowerDNS to log all incoming DNS queries. This will lead to a lot
of logging! Only enable for debugging! Set :ref:`setting-loglevel`
to at least 5 to see the logs.

.. _setting-lua-prequery-script:

``lua-prequery-script``
-----------------------

Lua script to run before answering a query. This is a feature used
internally for regression testing. The API of this functionality is not
guaranteed to be stable, and is in fact likely to change.

Turn on master support. See :ref:`master-operation`.
.. _setting-max-cache-entries:

``max-cache-entries``
---------------------

Maximum number of entries in the query cache. 1 million (the default)
will generally suffice for most installations. Starting with 4.1, the
packet and query caches are distinct, so you might also want to see
``max-packet-cache-entries``.

.. _setting-max-ent-entries:

``max-ent-entries``
-------------------

Maximum number of empty non-terminals to add to a zone. This is a
protection measure to avoid database explosion due to long names.

.. _setting-max-nsec3-iterations:

``max-nsec3-iterations``
------------------------

Limit the number of NSEC3 hash iterations.

.. _setting-max-packet-cache-entries:

``max-packet-cache-entries``
----------------------------

Maximum number of entries in the packet cache. 1 million (the default)
will generally suffice for most installations. This setting was
introduced in 4.1; previously the ``max-cache-entries`` setting was used for
both the packet and query caches.

.. _setting-max-queue-length:

``max-queue-length``
--------------------

If this many packets are waiting for database attention, consider the
situation hopeless and respawn.

.. _setting-max-signature-cache-entries:

``max-signature-cache-entries``
-------------------------------

- Default: 2^31-1 (on most systems), 2^63-1 (on ILP64 systems)

Maximum number of signature cache entries.
.. _setting-max-tcp-connection-duration:

``max-tcp-connection-duration``
-------------------------------

Maximum time in seconds that a TCP DNS connection is allowed to stay
open. 0 means unlimited. Note that exchanges related to an AXFR or IXFR
are not affected by this setting.

.. _setting-max-tcp-connections:

``max-tcp-connections``
-----------------------

Allow this many incoming TCP DNS connections simultaneously.

.. _setting-max-tcp-connections-per-client:

``max-tcp-connections-per-client``
----------------------------------

Maximum number of simultaneous TCP connections per client. 0 means

.. _setting-max-tcp-transactions-per-conn:

``max-tcp-transactions-per-conn``
---------------------------------

Allow this many DNS queries in a single TCP transaction. 0 means
unlimited. Note that exchanges related to an AXFR or IXFR are not
affected by this setting.

.. _setting-module-dir:

``module-dir``
--------------

Directory for modules. The default depends on ``PKGLIBDIR`` during
.. _setting-negquery-cache-ttl:

``negquery-cache-ttl``
----------------------

Seconds to store queries with no answer in the Query Cache. See :ref:`query-cache`.

.. _setting-no-config:

``no-config``
-------------

Do not attempt to read the configuration file.

.. _setting-no-shuffle:

``no-shuffle``
--------------

Do not attempt to shuffle query results; used for regression testing.

.. _setting-overload-queue-length:

``overload-queue-length``
-------------------------

- Default: 0 (disabled)

If this many packets are waiting for database attention, answer any new
questions strictly from the packet cache.

.. _setting-reuseport:

``reuseport``
-------------

On Linux 3.9 and some BSD kernels the ``SO_REUSEPORT`` option allows
each receiver thread to open a new socket on the same port, which allows
for much higher performance on multi-core boxes. Setting this option
will enable use of ``SO_REUSEPORT`` when available and seamlessly fall
back to a single socket when it is not available. A side effect is that
you can start multiple servers on the same IP/port combination, which may
or may not be a good idea. You could use this to enable transparent
restarts, but it may also mask configuration issues and for this reason
it is disabled by default.
Specify which random number generator to use. Permissible choices are:

- auto - choose automatically
- sodium - Use libsodium ``randombytes_uniform``
- openssl - Use libcrypto ``RAND_bytes``
- getrandom - Use libc getrandom, falls back to urandom if it does not really work
- arc4random - Use BSD ``arc4random_uniform``
- urandom - Use ``/dev/urandom``
- kiss - Use a simple settable deterministic RNG. **FOR TESTING PURPOSES ONLY!**

Not all choices are available on all systems.

.. _setting-security-poll-suffix:

``security-poll-suffix``
------------------------

- Default: secpoll.powerdns.com.

Domain name from which to query security update notifications. Setting
this to an empty string disables secpoll.

.. _setting-server-id:

``server-id``
-------------

- Default: The hostname of the server

This is the server ID that will be returned on an EDNS NSID query.
.. _setting-only-notify:

``only-notify``
---------------

- IP Ranges, separated by commas or whitespace
- Default: 0.0.0.0/0, ::/0

For type=MASTER zones (or SLAVE zones with slave-renotify enabled)
PowerDNS automatically sends NOTIFYs to the name servers specified in
the NS records. By specifying networks/masks as a whitelist, the targets
can be limited. The default is to notify the world. To completely
disable these NOTIFYs set ``only-notify`` to an empty value. Independent
of this setting, the IP addresses or netmasks configured with
:ref:`setting-also-notify` and ``ALSO-NOTIFY`` domain metadata
always receive AXFR NOTIFYs.

IP addresses and netmasks can be excluded by prefixing them with a ``!``.
To notify all IP addresses apart from the 192.168.0.0/24 subnet use the following::

    only-notify=0.0.0.0/0, ::/0, !192.168.0.0/24

Even if NOTIFYs are limited by a netmask, PowerDNS first has to
resolve all the hostnames to check their IP addresses against the
specified whitelist. The resolving may take considerable time,
especially if those hostnames are slow to resolve. If you do not need to
NOTIFY the slaves defined in the NS records (e.g. you are using another
method to distribute the zone data to the slaves), then set
:ref:`setting-only-notify` to an empty value and specify the notification targets
explicitly using :ref:`setting-also-notify` and/or
:ref:`metadata-also-notify` domain metadata to avoid this potential bottleneck.

If your slaves support an Internet Protocol version which your master does not,
then set ``only-notify`` to include only the supported protocol version.
Otherwise there will be errors trying to resolve addresses.

For example, if the slaves support both IPv4 and IPv6, but the PowerDNS master has only IPv4,
allow only IPv4 with ``only-notify``::

    only-notify=0.0.0.0/0
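The ``only-notify`` whitelist and the unconditional ``also-notify`` targets described above, as an added Python example (not PowerDNS code). It assumes the most specific matching entry decides, which is what makes ``!192.168.0.0/24`` carve a hole out of ``0.0.0.0/0``, and it shows the IPv4-only case from the last example skipping IPv6 slaves instead of notifying them; the sample NS addresses are constructed.

```python
"""Whitelist evaluation for only-notify / also-notify as described on this page.

Added example, not PowerDNS's own code. Assumptions: the list splits on commas
or whitespace, a ``!`` prefix excludes a network, the most specific
(longest-prefix) matching entry decides, and an address whose protocol family
has no entry at all never matches.
"""
import ipaddress
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_netmask_list(value: str) -> List[Tuple[bool, Network]]:
    """Turn 'a, b !c' into (permit, network) tuples."""
    entries: List[Tuple[bool, Network]] = []
    for item in value.replace(",", " ").split():
        permit = not item.startswith("!")
        entries.append((permit, ipaddress.ip_network(item.lstrip("!"), strict=False)))
    return entries


def whitelist_allows(netmask_list: str, address: str) -> bool:
    """True if `address` falls under a permitted entry and not under a more
    specific excluded one. An empty list allows nothing, which is how
    only-notify='' disables NOTIFYs to the NS-record servers."""
    addr = ipaddress.ip_address(address)
    best: Optional[Tuple[int, bool]] = None  # (prefix length, permit) of best match
    for permit, net in parse_netmask_list(netmask_list):
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0]:
            best = (net.prefixlen, permit)
    return best is not None and best[1]


def notification_targets(ns_addresses: List[str], only_notify: str,
                         also_notify: str) -> List[str]:
    """NS-record addresses filtered by only-notify, plus every also-notify
    address, which is notified regardless of the whitelist."""
    targets = [a for a in ns_addresses if whitelist_allows(only_notify, a)]
    for extra in also_notify.replace(",", " ").split():
        if extra not in targets:
            targets.append(extra)
    return targets


# Constructed sample: addresses already resolved from a zone's NS records.
SAMPLE_NS_ADDRESSES = ["192.168.0.5", "203.0.113.9", "2001:db8::53"]

if __name__ == "__main__":
    print(notification_targets(SAMPLE_NS_ADDRESSES,
                               "0.0.0.0/0, ::/0, !192.168.0.0/24", "192.0.2.1"))
    # IPv4-only master: IPv6 slaves are skipped rather than failing to resolve
    print(notification_targets(SAMPLE_NS_ADDRESSES, "0.0.0.0/0", ""))
```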
.. _setting-out-of-zone-additional-processing:

``out-of-zone-additional-processing``
-------------------------------------

.. versionchanged:: 4.2.0
  This setting has been removed.

Do out-of-zone additional processing. This means that if a malicious
user adds a '.com' zone to your server, it is not used for other domains
and will not contaminate answers. Do not enable this setting if you run
a public DNS service with untrusted users.

The docs had previously indicated that the default was "no", but the
default has been "yes" since 2005.

.. _setting-outgoing-axfr-expand-alias:

``outgoing-axfr-expand-alias``
------------------------------

If this is enabled, ALIAS records are expanded (synthesised to their
A/AAAA) during outgoing AXFR. This means slaves will not automatically
follow changes in those A/AAAA records unless you AXFR regularly!

If this is disabled (the default), ALIAS records are sent verbatim
during outgoing AXFR. Note that if your slaves do not support ALIAS,
they will return NODATA for A/AAAA queries for such names.

.. _setting-prevent-self-notification:

``prevent-self-notification``
-----------------------------

PowerDNS Authoritative Server attempts to not send out notifications to
itself in master mode. In very complicated situations we could guess
wrong and not notify a server that should be notified. In that case, set
``prevent-self-notification`` to "no".
.. _setting-query-cache-ttl:

``query-cache-ttl``
-------------------

Seconds to store queries with an answer in the Query Cache. See :ref:`query-cache`.

.. _setting-query-local-address:

``query-local-address``
-----------------------

The IP address to use as a source address for sending queries. Useful if
you have multiple IPs and PowerDNS is not bound to the IP address your
operating system uses by default for outgoing packets.

.. _setting-query-local-address6:

``query-local-address6``
------------------------

Source IP address for sending IPv6 queries.

.. _setting-query-logging:

``query-logging``
-----------------

Boolean, hints to a backend that it should log a textual representation
of queries it performs. Can be set at runtime.

.. _setting-queue-limit:

``queue-limit``
---------------

Maximum number of milliseconds to queue a query. See :doc:`performance`.

.. _setting-receiver-threads:

``receiver-threads``
--------------------

Number of receiver (listening) threads to start. See :doc:`performance`.

.. _setting-recursive-cache-ttl:

``recursive-cache-ttl``
-----------------------

Seconds to store recursive packets in the :ref:`packet-cache`.

.. _setting-recursor:

``recursor``
------------

.. deprecated:: 4.1.0

If set, recursive queries will be handed to the recursor specified here.
.. _setting-resolver:

``resolver``
------------

- IP Addresses with optional port, separated by commas

Use these resolver addresses for ALIAS and the internal stub resolver.
If this is not set, ``/etc/resolv.conf`` is parsed for upstream

.. _setting-retrieval-threads:

``retrieval-threads``
---------------------

Number of AXFR slave threads to start.

.. _setting-send-signed-notify:

``send-signed-notify``
----------------------

If yes, outgoing NOTIFYs will be signed if a TSIG key is configured for the zone.
If there are multiple TSIG keys configured for a domain, PowerDNS will use the
first one retrieved from the backend, which may not be the correct one for the
respective slave. Hence, in setups with multiple slaves with different TSIG keys
it may be required to send NOTIFYs unsigned.

If set, change the group id to this gid for more security. See :doc:`security`.

If set, change the user id to this uid for more security. See :doc:`security`.

Turn on slave support. See :ref:`slave-operation`.

.. _setting-slave-cycle-interval:

``slave-cycle-interval``
------------------------

On a master, this is the number of seconds between the master checking
the SOA serials in its database to determine whether to send out NOTIFYs to the
slaves. On slaves, this is the number of seconds between the slave
checking for updates to zones.

.. _setting-slave-renotify:

``slave-renotify``
------------------

This setting will make PowerDNS renotify the slaves after an AXFR is
*received* from a master. This is useful when running a

.. _setting-signing-threads:

``signing-threads``
-------------------

Tell PowerDNS how many threads to use for signing. It might help improve
signing speed by changing this number.
.. _setting-soa-expire-default:

``soa-expire-default``
----------------------

Default :ref:`types-soa` expire.

.. _setting-soa-minimum-ttl:

``soa-minimum-ttl``
-------------------

Default :ref:`types-soa` minimum TTL.

.. _setting-soa-refresh-default:

``soa-refresh-default``
-----------------------

Default :ref:`types-soa` refresh.

.. _setting-soa-retry-default:

``soa-retry-default``
---------------------

Default :ref:`types-soa` retry.

.. _setting-socket-dir:

``socket-dir``
--------------

Where the control socket will live. The default depends on
``LOCALSTATEDIR`` during compile time (usually ``/var/run`` or
``/run``). See :ref:`control-socket`.

This path will also contain the pidfile for this instance of PowerDNS,
called ``pdns.pid`` by default. See :ref:`setting-config-name`
and :doc:`Virtual Hosting <guides/virtual-instances>` for how this can differ.

.. _setting-supermaster:

``supermaster``
---------------

.. versionadded:: 4.2.0

Turn on supermaster support. See :ref:`supermaster-operation`.

.. _setting-tcp-control-address:

``tcp-control-address``
-----------------------

Address to bind to for TCP control.

.. _setting-tcp-control-port:

``tcp-control-port``
--------------------

Port to bind to for TCP control.

.. _setting-tcp-control-range:

``tcp-control-range``
---------------------

- IP Ranges, separated by commas or whitespace

Limit TCP control to a specific client range.

.. _setting-tcp-control-secret:

``tcp-control-secret``
----------------------

Password for TCP control.
.. _setting-tcp-fast-open:

``tcp-fast-open``
-----------------

- Default: 0 (Disabled)

.. versionadded:: 4.1.0

Enable TCP Fast Open support, if available, on the listening sockets.
The numerical value supplied is used as the queue size, 0 meaning

.. _setting-tcp-idle-timeout:

``tcp-idle-timeout``
--------------------

Maximum time in seconds that a TCP DNS connection is allowed to stay
open while being idle, meaning without PowerDNS receiving or sending

.. _setting-traceback-handler:

``traceback-handler``
---------------------

Enable the Linux-only traceback handler.

.. _setting-trusted-notification-proxy:

``trusted-notification-proxy``
------------------------------

IP address of the incoming notification proxy.

.. _setting-udp-truncation-threshold:

``udp-truncation-threshold``
----------------------------

EDNS0 allows for large UDP response datagrams, which can potentially
raise performance. Large responses however also have downsides in terms
of reflection attacks. The maximum value is 65535, but values above
4096 should probably not be attempted.

1232 is the largest number of payload bytes that can fit in the smallest IPv6 packet.
IPv6 has a minimum MTU of 1280 bytes (:rfc:`RFC 8200, section 5 <8200#section-5>`); minus 40 bytes for the IPv6 header, minus 8 bytes for the UDP header, this gives 1232, the maximum payload size for the DNS response.
.. _setting-version-string:

``version-string``
------------------

- Any of: ``anonymous``, ``powerdns``, ``full``, String

When queried for its version over DNS
(``dig chaos txt version.bind @pdns.ip.address``), PowerDNS normally
responds truthfully. With this setting you can overrule what will be
returned. Set the ``version-string`` to ``full`` to get the default
behaviour, to ``powerdns`` to just make it state
``served by PowerDNS - http://www.powerdns.com``. The ``anonymous``
setting will return a ServFail, much like Microsoft nameservers do. You
can set this response to a custom value as well.

.. _setting-webserver:

``webserver``
-------------

Start a webserver for monitoring. See :doc:`performance`.

.. versionchanged:: 4.1.0
  It was necessary to enable the webserver to use the REST API; this is no longer the case.

.. _setting-webserver-address:

``webserver-address``
---------------------

- Default: 127.0.0.1

IP Address for the webserver/API to listen on.

.. _setting-webserver-allow-from:

``webserver-allow-from``
------------------------

- IP ranges, separated by commas or whitespace
- Default: 127.0.0.1,::1

.. versionchanged:: 4.1.0
  Default is now 127.0.0.1,::1, was 0.0.0.0/0,::/0 before.

Webserver/API access is only allowed from these subnets.

.. _setting-webserver-password:

``webserver-password``
----------------------

The plaintext password required for accessing the webserver.

.. _setting-webserver-port:

``webserver-port``
------------------

The port where the webserver/API will listen.

.. _setting-webserver-print-arguments:

``webserver-print-arguments``
-----------------------------

If the webserver should print arguments.

.. _setting-write-pid:

``write-pid``
-------------

If a PID file should be written.

.. _setting-xfr-max-received-mbytes:

``xfr-max-received-mbytes``
---------------------------

Specifies the maximum number of received megabytes allowed on an
incoming AXFR/IXFR update, to prevent resource exhaustion. A value of 0
means no restriction.