Configuration Reference
=======================

This page lists all configuration options for dnsdist.

When an IPv6 IP:PORT combination is needed, the bracketed syntax from :rfc:`RFC 3986 <3986#section-3.2.2>` should be used,
e.g. "[2001:DB8:14::C0FF:FEE]:5300".

Within dnsdist several core object types exist:

* :class:`Server`: generated with :func:`newServer`, represents a downstream server
* :class:`ComboAddress`: represents an IP address and port
* :class:`DNSName`: represents a domain name
* :class:`NetmaskGroup`: represents a group of netmasks
* :class:`QPSLimiter`: implements a QPS-based filter
* :class:`SuffixMatchNode`: represents a group of domain suffixes for rapid testing of membership
* :class:`DNSHeader`: represents the header of a DNS packet
* :class:`ClientState`: sometimes also called Bind or Frontend, represents the addresses and ports dnsdist is listening on

The existence of most of these objects can mostly be ignored, unless you plan to write your own hooks and policies, but it helps to understand expressions like::

  getServer(0).order=12         -- set order of server 0 to 12
  getServer(0):addPool("abuse") -- add this server to the abuse pool

The ``.`` means ``order`` is a data member, while the ``:`` means ``addPool`` is a member function.
.. function:: includeDirectory(path)

  Include configuration files from ``path``.

  :param str path: The directory to load the configuration from

.. function:: addLocal(address[, options])

  .. versionadded:: 1.2.0

  Add to the list of listen addresses.

  :param str address: The IP Address with an optional port to listen on.
                      The default port is 53.
  :param table options: A table with key: value pairs with listen options.

  The options that can be set are:

  * ``doTCP=true``: bool - Also bind on TCP on ``address``.
  * ``reusePort=false``: bool - Set the ``SO_REUSEPORT`` socket option.
  * ``tcpFastOpenSize=0``: int - Set the TCP Fast Open queue size, enabling TCP Fast Open when available and the value is larger than 0.
  * ``interface=""``: str - Set the network interface to use.
  * ``cpus={}``: table - Set the CPU affinity for this listener thread, asking the scheduler to run it on a single CPU id, or a set of CPU ids. This parameter is only available if the OS provides the ``pthread_setaffinity_np()`` function.

  For example::

    addLocal('0.0.0.0:5300', { doTCP=true, reusePort=true })

  This will bind to both UDP and TCP on port 5300 with ``SO_REUSEPORT`` enabled.

.. function:: addLocal(address[[[,do_tcp], so_reuseport], tcp_fast_open_qsize])

  .. deprecated:: 1.2.0

  Add to the list of addresses listened on.

  :param str address: The IP Address with an optional port to listen on.
                      The default port is 53.
  :param bool do_tcp: Also bind a TCP port on ``address``, defaults to true.
  :param bool so_reuseport: Use ``SO_REUSEPORT`` if it is available, defaults to false.
  :param int tcp_fast_open_qsize: The size of the TCP Fast Open queue. Set to a number
                                  higher than 0 to enable TCP Fast Open when available.

.. function:: addTLSLocal(address, certFile, keyFile[, options])

  .. versionadded:: 1.3.0

  Listen on the specified address and TCP port for incoming DNS over TLS connections, presenting the specified X.509 certificate.

  :param str address: The IP Address with an optional port to listen on.
                      The default port is 853.
  :param str certFile: The path to an X.509 certificate file in PEM format.
  :param str keyFile: The path to the private key file corresponding to the certificate.
  :param table options: A table with key: value pairs with listen options.

  The options that can be set are:

  * ``doTCP=true``: bool - Also bind on TCP on ``address``.
  * ``reusePort=false``: bool - Set the ``SO_REUSEPORT`` socket option.
  * ``tcpFastOpenSize=0``: int - Set the TCP Fast Open queue size, enabling TCP Fast Open when available and the value is larger than 0.
  * ``interface=""``: str - Set the network interface to use.
  * ``cpus={}``: table - Set the CPU affinity for this listener thread, asking the scheduler to run it on a single CPU id, or a set of CPU ids. This parameter is only available if the OS provides the ``pthread_setaffinity_np()`` function.
  * ``provider``: str - The TLS library to use between GnuTLS and OpenSSL, if they were available and enabled at compilation time.
  * ``ciphers``: str - The TLS ciphers to use. The exact format depends on the provider used.
  * ``numberOfTicketsKeys``: int - The maximum number of tickets keys to keep in memory at the same time, if the provider supports it (GnuTLS doesn't, OpenSSL does). Only one key is marked as active and used to encrypt new tickets, while the remaining ones can still be used to decrypt existing tickets after a rotation. Defaults to 5.
  * ``ticketKeyFile``: str - The path to a file from which TLS tickets keys should be loaded, to support RFC 5077. These keys should be rotated often and never written to persistent storage to preserve forward secrecy. The default is to generate a random key. The OpenSSL provider supports several tickets keys to be able to decrypt existing sessions after the rotation, while the GnuTLS provider only supports one key.
  * ``ticketsKeysRotationDelay``: int - Set the delay before the TLS tickets key is rotated, in seconds. Default is 43200 (12h).
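As an added example (not part of the dnsdist documentation), a listener configuration that combines the plain and DNS over TLS options above with a shorter ticket key rotation. The address, interface and file paths are placeholders, and the provider value ``'openssl'`` is assumed to be the lowercase library name.

```lua
-- Added example, not from the dnsdist documentation.
-- 192.0.2.1, the CPU ids and the file paths are placeholders.

-- Plain DNS on UDP and TCP: replace any default listener, then add a second
-- one on the same address. With reusePort the kernel spreads incoming
-- packets over both listener threads, each pinned to its own CPU.
setLocal('192.0.2.1:53', { reusePort=true, cpus={0} })
addLocal('192.0.2.1:53', { reusePort=true, cpus={1} })

-- DNS over TLS on the default port 853.
-- OpenSSL is chosen because it keeps several tickets keys, so sessions
-- established before a key rotation can still be resumed afterwards;
-- GnuTLS would only keep the single active key.
addTLSLocal('192.0.2.1', '/etc/dnsdist/placeholder-cert.pem', '/etc/dnsdist/placeholder-key.pem', {
  provider='openssl',               -- assumed value: lowercase library name
  numberOfTicketsKeys=5,            -- one active key plus four kept for decryption
  ticketsKeysRotationDelay=14400,   -- rotate every 4 hours instead of the 12h default
  -- ticketKeyFile='/run/dnsdist/tickets.key',  -- only if the file lives on
  --                                             -- non-persistent storage;
  --                                             -- omitted: random key at startup
  tcpFastOpenSize=64,
  reusePort=true,
})
```

After startup, ``showTLSContexts()`` lists the DoT context and ``getTLSContext(0):rotateTicketsKey()`` forces a rotation from the console.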
.. function:: setLocal(address[, options])

  .. versionadded:: 1.2.0

  Remove the list of listen addresses and add a new one.

  :param str address: The IP Address with an optional port to listen on.
                      The default port is 53.
  :param table options: A table with key: value pairs with listen options.

  The options that can be set are the same as :func:`addLocal`.

.. function:: setLocal(address[[[,do_tcp], so_reuseport], tcp_fast_open_qsize])

  .. deprecated:: 1.2.0

  Remove the list of listen addresses and add a new one.

  :param str address: The IP Address with an optional port to listen on.
                      The default port is 53.
  :param bool do_tcp: Also bind a TCP port on ``address``, defaults to true.
  :param bool so_reuseport: Use ``SO_REUSEPORT`` if it is available, defaults to false.
  :param int tcp_fast_open_qsize: The size of the TCP Fast Open queue. Set to a number
                                  higher than 0 to enable TCP Fast Open when available.
Control Socket, Console and Webserver
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. function:: controlSocket(address)

  Bind to ``address`` and listen for a connection for the console.

  :param str address: An IP address with optional port. By default, the port is 5199.

.. function:: inClientStartup()

  Returns true while the console client is parsing the configuration.

.. function:: makeKey()

  Generate and print an encryption key.

.. function:: setConsoleConnectionsLogging(enabled)

  .. versionadded:: 1.2.0

  Whether to log the opening and closing of console connections.

  :param bool enabled: Defaults to true.

.. function:: setKey(key)

  Use ``key`` as shared secret between the client and the server.

  :param str key: An encoded key, as generated by :func:`makeKey`

.. function:: testCrypto()

  Test the crypto code; reports errors when something is not ok.

.. function:: webServer(listen_address, password[, apikey[, custom_headers]])

  Launch the :doc:`../guides/webserver` with statistics and the API.

  :param str listen_address: The IP address and port to listen on
  :param str password: The password required to access the webserver
  :param str apikey: The key required to access the API
  :param {[str]=str,...} custom_headers: Allows setting custom headers and removing the defaults

.. function:: setAPIWritable(allow [,dir])

  Allow modifications via the API, optionally saving these changes to disk.
  Modifications done via the API will not be written to the configuration by default and will not persist after a reload.

  :param bool allow: Set to true to allow modification through the API
  :param str dir: A valid directory where the configuration files will be written by the API.

.. function:: addACL(netmask)

  Add a netmask to the existing ACL.

  :param str netmask: A CIDR netmask, e.g. ``"192.0.2.0/24"``. Without a subnetmask, only the specific address is allowed.

.. function:: setACL(netmasks)

  Remove the existing ACL and add the netmasks from the table.

  :param {str} netmasks: A table of CIDR netmasks, e.g. ``{"192.0.2.0/24", "2001:DB8:14::/56"}``. Without a subnetmask, only the specific address is allowed.
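An added example (not from the dnsdist documentation) that puts the console, webserver and ACL functions above together into a locked-down management setup. The networks, the web password, the API key and the ``setKey`` value are placeholders; the custom header is an arbitrary choice.

```lua
-- Added example, not from the dnsdist documentation.
-- Networks and secrets below are placeholders.

-- Only the resolver's own client networks may send queries; everything else
-- is dropped by the ACL before reaching a backend.
setACL({ '192.0.2.0/24', '2001:DB8:14::/56' })
-- A single monitoring host added later: no prefix length means this
-- exact address only.
addACL('198.51.100.7')

-- Console: bind to loopback only, never to a public address, and require
-- the shared secret. Run makeKey() once and paste its printed output here
-- (the value below is a placeholder, not a valid key).
controlSocket('127.0.0.1:5199')
setKey('REPLACE_WITH_OUTPUT_OF_makeKey')
-- Log every console connect/disconnect so unexpected sessions are visible.
setConsoleConnectionsLogging(true)

-- Web server and API on loopback only; put a reverse proxy with TLS in front
-- if remote access is needed. Password and API key are placeholders.
webServer('127.0.0.1:8083', 'REPLACE_WITH_WEB_PASSWORD', 'REPLACE_WITH_API_KEY',
          { ['X-Frame-Options']='DENY' })   -- custom header, arbitrary choice
-- Keep the API read-only: a leaked API key then cannot alter the running
-- configuration. Set to true (with a directory) only when changes made
-- through the API are meant to be persisted.
setAPIWritable(false)
```

``showACL()`` prints the resulting allow list and ``testCrypto()`` verifies the console encryption before the first remote console session.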
.. function:: setECSSourcePrefixV4(prefix)

  When ``useClientSubnet`` in :func:`newServer` is set and dnsdist adds an EDNS Client Subnet option to the query, truncate the requestor's IPv4 address to ``prefix`` bits.

  :param int prefix: The prefix length

.. function:: setECSSourcePrefixV6(prefix)

  When ``useClientSubnet`` in :func:`newServer` is set and dnsdist adds an EDNS Client Subnet option to the query, truncate the requestor's IPv6 address to ``prefix`` bits.

  :param int prefix: The prefix length

.. function:: setRingBuffersSize(num)

  Set the capacity of the ringbuffers used for live traffic inspection to ``num``.

  :param int num: The maximum amount of queries to keep in the ringbuffer. Defaults to 10000
.. function:: newServer(server_string)
              newServer(server_table)

  Add a new backend server. Call this function with either a string::

    "IP:PORT" -- IP and PORT of the backend server

  or a table::

    {
      address="IP:PORT",     -- IP and PORT of the backend server (mandatory)
      qps=NUM,               -- Limit the number of queries per second to NUM, when using the `firstAvailable` policy
      order=NUM,             -- The order of this server, used by the `leastOustanding` and `firstAvailable` policies
      weight=NUM,            -- The weight of this server, used by the `wrandom` and `whashed` policies
      pool=STRING|{STRING},  -- The pools this server belongs to (unset or empty string means default pool) as a string or table of strings
      retries=NUM,           -- The number of TCP connection attempts to the backend, for a given query
      tcpConnectTimeout=NUM, -- The timeout (in seconds) of a TCP connection attempt
      tcpSendTimeout=NUM,    -- The timeout (in seconds) of a TCP write attempt
      tcpRecvTimeout=NUM,    -- The timeout (in seconds) of a TCP read attempt
      tcpFastOpen=BOOL,      -- Whether to enable TCP Fast Open
      ipBindAddrNoPort=BOOL, -- Whether to enable IP_BIND_ADDRESS_NO_PORT if available, default: true
      name=STRING,           -- The name associated to this backend, for display purpose
      checkClass=NUM,        -- Use NUM as QCLASS in the health-check query, default: DNSClass.IN
      checkName=STRING,      -- Use STRING as QNAME in the health-check query, default: "a.root-servers.net."
      checkType=STRING,      -- Use STRING as QTYPE in the health-check query, default: "A"
      setCD=BOOL,            -- Set the CD (Checking Disabled) flag in the health-check query, default: false
      maxCheckFailures=NUM,  -- Allow NUM check failures before declaring the backend down, default: false
      mustResolve=BOOL,      -- Set to true when the health check MUST return a NOERROR RCODE and an answer
      useClientSubnet=BOOL,  -- Add the client's IP address in the EDNS Client Subnet option when forwarding the query to this backend
      source=STRING          -- The source address or interface to use for queries to this backend, by default this is left to the kernel's address selection
                             -- The following formats are supported:
                             --   "address", e.g. "192.0.2.2"
                             --   "interface name", e.g. "eth0"
                             --   "address@interface", e.g. "192.0.2.2@eth0"
    }

  :param str server_string: A simple IP:PORT string.
  :param table server_table: A table with at least a 'name' key

.. function:: getServer(index) -> Server

  Get a :class:`Server`.

  :param int index: The number of the server (as seen in :func:`showServers`).
  :returns: The :class:`Server` object or nil

.. function:: getServers()

  Returns a table with all defined servers.

.. function:: rmServer(index)
              rmServer(server)

  Remove a backend server.

  :param int index: The number of the server (as seen in :func:`showServers`).
  :param Server server: A :class:`Server` object as returned by e.g. :func:`getServer`.
A server object returned by :func:`getServer` can be manipulated with these functions.

.. class:: Server

  This object represents a backend server. It has several methods.

  .. classmethod:: Server:addPool(pool)

    Add this server to a pool.

    :param str pool: The pool to add the server to

  .. classmethod:: Server:getName() -> string

    Get the name of this server.

    :returns: The name of the server, or an empty string if it does not have one

  .. classmethod:: Server:getNameWithAddr() -> string

    Get the name plus IP address and port of the server.

    :returns: A string containing the server name if any plus the server address and port

  .. classmethod:: Server:getOutstanding() -> int

    Get the number of outstanding queries for this server.

    :returns: The number of outstanding queries

  .. classmethod:: Server:isUp() -> bool

    Returns the up status of the server.

    :returns: true when the server is up, false otherwise

  .. classmethod:: Server:rmPool(pool)

    Removes the server from the named pool.

    :param str pool: The pool to remove the server from

  .. classmethod:: Server:setAuto([status])

    .. versionchanged:: 1.3.0
      ``status`` optional parameter added.

    Set the server in the default auto state.
    This will enable health check queries that will set the server ``up`` and ``down`` appropriately.

    :param bool status: Set the initial status of the server to ``up`` (true) or ``down`` (false) instead of using the last known status

  .. classmethod:: Server:setQPS(limit)

    Limit the queries per second for this server.

    :param int limit: The maximum number of queries per second

  .. classmethod:: Server:setDown()

    Set the server in a ``DOWN`` state.
    The server will not receive queries and the health checks are disabled.

  .. classmethod:: Server:setUp()

    Set the server in an ``UP`` state.
    This server will still receive queries and health checks are disabled.

  .. attribute:: Server.name

    The name of the server

  .. attribute:: Server.upStatus

    Whether this server is up or down

  .. attribute:: Server.order

    The order of the server

  .. attribute:: Server.weight

    The weight of the server
:class:`Server`\ s can be part of any number of pools.
Pools are automatically created when a server is added to a pool (with :func:`newServer`), or can be manually created with :func:`addPool`.

.. function:: addPool(name) -> ServerPool

  Returns a :class:`ServerPool`.

  :param string name: The name of the pool to create

.. function:: getPool(name) -> ServerPool

  Returns a :class:`ServerPool` or nil.

  :param string name: The name of the pool

.. function:: rmPool(name)

  Remove the pool named ``name``.

  :param string name: The name of the pool to remove

.. function:: getPoolServers(name) -> [ Server ]

  Returns a list of :class:`Server`\ s or nil.

  :param string name: The name of the pool

.. class:: ServerPool

  This represents the pool that zero or more servers are part of.

  .. classmethod:: ServerPool:getCache() -> PacketCache

    Returns the :class:`PacketCache` for this pool or nil.

  .. classmethod:: ServerPool:setCache(cache)

    Adds ``cache`` as the pool's cache.

    :param PacketCache cache: The new cache to add to the pool

  .. classmethod:: ServerPool:unsetCache()

    Removes the cache from this pool.

A Pool can have a packet cache to answer queries directly instead of going to the backend.
See :doc:`../guides/cache` for a how-to.

.. function:: newPacketCache(maxEntries[, maxTTL=86400[, minTTL=0[, temporaryFailureTTL=60[, staleTTL=60[, dontAge=false[, numberOfShards=1[, deferrableInsertLock=true]]]]]]]) -> PacketCache

  .. versionchanged:: 1.2.0
    ``numberOfShards`` and ``deferrableInsertLock`` parameters added.

  Creates a new :class:`PacketCache` with the settings specified.

  :param int maxEntries: The maximum number of entries in this cache
  :param int maxTTL: Cap the TTL for records to this number
  :param int minTTL: Don't cache entries with a TTL lower than this
  :param int temporaryFailureTTL: On a SERVFAIL or REFUSED from the backend, cache for this amount of seconds
  :param int staleTTL: When the backend servers are not reachable, send responses if the cache entry is expired by at most this amount of seconds
  :param bool dontAge: Don't reduce TTLs when serving from the cache. Use this when :program:`dnsdist` fronts a cluster of authoritative servers
  :param int numberOfShards: Number of shards to divide the cache into, to reduce lock contention
  :param bool deferrableInsertLock: Whether the cache should give up insertion if the lock is held by another thread, or simply wait to get the lock
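The following added example (not from the dnsdist documentation) ties together :func:`newServer`, the ECS prefix functions, pools and :func:`newPacketCache` as described above. The backend addresses are documentation ranges, the names and the ``eth0`` interface are placeholders, and the default pool is assumed to be reachable as ``getPool("")`` because an empty pool name means the default pool.

```lua
-- Added example, not from the dnsdist documentation.
-- Addresses are from the 192.0.2.0/24 documentation range; names are made up.

-- Two resolvers in the default pool. A health check must return NOERROR with
-- an answer for the check name; after 3 consecutive failures the backend is
-- marked down and stops receiving queries until the checks succeed again.
newServer({ address='192.0.2.10:53', name='resolver1', order=1, weight=100,
            checkName='a.root-servers.net.', checkType='A', mustResolve=true,
            maxCheckFailures=3, useClientSubnet=true, tcpConnectTimeout=5 })
newServer({ address='192.0.2.11:53', name='resolver2', order=2, weight=100,
            checkName='a.root-servers.net.', checkType='A', mustResolve=true,
            maxCheckFailures=3, useClientSubnet=true, tcpConnectTimeout=5,
            source='192.0.2.1@eth0' })   -- placeholder source address/interface

-- useClientSubnet adds ECS to forwarded queries; only reveal a /24 (IPv4)
-- or /56 (IPv6) of the client address to the backend, not the full address.
setECSSourcePrefixV4(24)
setECSSourcePrefixV6(56)

-- A rate-limited sink backend in its own 'abuse' pool, for policies that
-- steer misbehaving clients away from the main resolvers.
newServer({ address='192.0.2.20:53', name='sink', pool='abuse', qps=500 })

-- Packet cache for the default pool: 100000 entries, TTL capped at one hour,
-- SERVFAIL/REFUSED answers held 30s, entries expired by at most 60s still
-- served while no backend is reachable, TTLs aged normally, 4 shards to
-- reduce lock contention, and inserts skipped rather than blocked on lock.
pc = newPacketCache(100000, 3600, 0, 30, 60, false, 4, true)
getPool(""):setCache(pc)
-- The 'abuse' pool deliberately gets no cache, so its answers never
-- populate entries served to well-behaved clients.

-- Console commands to verify the result (run interactively, not at startup):
--   showServers()           -- State, Qps, Qlim, Ord, Wt and Pools per backend
--   getServer(0):isUp()     -- true once health checks pass
--   getServer(1):setDown()  -- take resolver2 out for maintenance ...
--   getServer(1):setAuto(true)  -- ... and hand it back to health checking
--   pc:printStats()         -- hits, misses, deferred lookups and inserts
--   pc:expungeByName(newDNSName("example.com."), dnsdist.ANY, true)
```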
.. class:: PacketCache

  Represents a cache that can be part of a :class:`ServerPool`.

  .. classmethod:: PacketCache:expunge(n)

    Remove entries from the cache, leaving at most ``n`` entries.

    :param int n: Number of entries to keep

  .. classmethod:: PacketCache:expungeByName(name [, qtype=dnsdist.ANY[, suffixMatch=false]])

    .. versionchanged:: 1.2.0
      ``suffixMatch`` parameter added.

    Remove entries matching ``name`` and type from the cache.

    :param DNSName name: The name to expunge
    :param int qtype: The type to expunge
    :param bool suffixMatch: When set to true, remove all entries under ``name``

  .. classmethod:: PacketCache:isFull() -> bool

    Return true if the cache has reached the maximum number of entries.

  .. classmethod:: PacketCache:printStats()

    Print the cache stats (hits, misses, deferred lookups and deferred inserts).

  .. classmethod:: PacketCache:purgeExpired(n)

    Remove expired entries from the cache until there are at most ``n`` entries remaining in the cache.

    :param int n: Number of entries to keep

  .. classmethod:: PacketCache:toString() -> string

    Return the number of entries in the Packet Cache, and the maximum number of entries.
Also called frontend or bind, the ClientState object returned by :func:`getBind` and listed with :func:`showBinds` represents an address and port dnsdist is listening on.

.. function:: getBind(index) -> ClientState

  Return a ClientState object.

  :param int index: The object index

ClientState functions
~~~~~~~~~~~~~~~~~~~~~

.. class:: ClientState

  This object represents an address and port dnsdist is listening on. When ``reusePort`` is in use, several ClientState objects can be present for the same address and port.
  .. classmethod:: ClientState:attachFilter(filter)

    Attach a BPF filter to this frontend.

    :param BPFFilter filter: The filter to attach to this frontend

  .. classmethod:: ClientState:detachFilter()

    Remove the BPF filter associated to this frontend, if any.

  .. classmethod:: ClientState:toString() -> string

    Return the address and port this frontend is listening on.

    :returns: The address and port this frontend is listening on

  .. attribute:: ClientState.muted

    If set to true, queries received on this frontend will be normally processed and sent to a backend if needed, but no response will ever be sent to the client over UDP. TCP queries are processed normally and responses sent to the client.
Status, Statistics and More
---------------------------

.. function:: dumpStats()

  Print all statistics dnsdist gathers.

.. function:: getTLSContext(idx)

  .. versionadded:: 1.3.0

  Return the TLSContext object for the context of index ``idx``.

.. function:: grepq(selector[, num])
              grepq(selectors[, num])

  Prints the last ``num`` queries matching ``selector`` or ``selectors``.

  A selector can be:

  * a netmask (e.g. '192.0.2.0/24')
  * a DNS name (e.g. 'dnsdist.org')
  * a response time (e.g. '100ms')

  :param str selector: Select queries based on this property.
  :param {str} selectors: A Lua table of selectors. Only queries matching all selectors are shown
  :param int num: Show a maximum of ``num`` recent queries, default is 10.

.. function:: showACL()

  Print a list of all allowed netmasks.

.. function:: showBinds()

  Print a list of all the current addresses and ports dnsdist is listening on, also called ``frontends``.

.. function:: showResponseLatency()

  Show a plot of the response time latency distribution.

.. function:: showServers()

  This function shows all backend servers currently configured and some statistics.
  These statistics have the following fields:

  * ``#`` - The number of the server, can be used as the argument for :func:`getServer`
  * ``Address`` - The IP address and port of the server
  * ``State`` - The current state of the server
  * ``Qps`` - Current number of queries per second
  * ``Qlim`` - Configured maximum number of queries per second
  * ``Ord`` - The order number of the server
  * ``Wt`` - The weight of the server
  * ``Queries`` - Total amount of queries sent to this server
  * ``Drops`` - Number of queries that were dropped by this server
  * ``Drate`` - Number of queries dropped per second by this server
  * ``Lat`` - The latency of this server in milliseconds
  * ``Pools`` - The pools this server belongs to

.. function:: showTCPStats()

  Show some statistics regarding TCP.

.. function:: showTLSContexts()

  .. versionadded:: 1.3.0

  Print the list of all available DNS over TLS contexts.

.. function:: showVersion()

  Print the version of dnsdist.

.. function:: topBandwidth([num])

  Print the top ``num`` clients that consume the most bandwidth.

  :param int num: Number to show, defaults to 10.

.. function:: topClients([num])

  Print the top ``num`` clients sending the most queries over the length of the ringbuffer.

  :param int num: Number to show, defaults to 10.

.. function:: topQueries([num[, labels]])

  Print the ``num`` most popular QNAMEs from queries.
  Optionally grouped by the rightmost ``labels`` DNS labels.

  :param int num: Number to show, defaults to 10
  :param int labels: Number of labels to cut down to

.. function:: topResponses([num[, rcode[, labels]]])

  Print the ``num`` most seen responses with an RCODE of ``rcode``.
  Optionally grouped by the rightmost ``labels`` DNS labels.

  :param int num: Number to show, defaults to 10
  :param int rcode: :ref:`Response code <DNSRCode>`, defaults to 0 (No Error)
  :param int labels: Number of labels to cut down to

.. function:: topSlow([num[, limit[, labels]]])

  Print the ``num`` slowest queries that are slower than ``limit`` milliseconds.
  Optionally grouped by the rightmost ``labels`` DNS labels.

  :param int num: Number to show, defaults to 10
  :param int limit: Show queries slower than this amount of milliseconds, defaults to 2000
  :param int labels: Number of labels to cut down to
.. function:: addDynBlocks(addresses, message[, seconds=10[, action]])

  .. versionchanged:: 1.2.0
    ``action`` parameter added.

  Block a set of addresses with ``message`` for (optionally) a number of seconds.
  The default number of seconds to block for is 10.

  :param addresses: Set of addresses as returned by an exceed function
  :param string message: The message to show next to the blocks
  :param int seconds: The number of seconds after which this block expires
  :param int action: The action to take when the dynamic block matches, see :ref:`here <DNSAction>`. (Defaults to the one set with :func:`setDynBlocksAction`)

.. function:: clearDynBlocks()

  Remove all current dynamic blocks.

.. function:: showDynBlocks()

  List all dynamic blocks in effect.

.. function:: setDynBlocksAction(action)

  Set which action is performed when a query is blocked.
  Only DNSAction.Drop (the default), DNSAction.Refused and DNSAction.Truncate are supported.

Getting addresses that exceeded parameters
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. function:: exceedServFails(rate, seconds)

  Get the set of addresses that exceed ``rate`` servfails/s over ``seconds`` seconds.

  :param int rate: Number of Servfails per second to exceed
  :param int seconds: Number of seconds the rate has been exceeded

.. function:: exceedNXDOMAINs(rate, seconds)

  Get the set of addresses that exceed ``rate`` NXDOMAIN/s over ``seconds`` seconds.

  :param int rate: Number of NXDOMAIN per second to exceed
  :param int seconds: Number of seconds the rate has been exceeded

.. function:: exceedRespByterate(rate, seconds)

  Get the set of addresses that exceeded ``rate`` bytes/s of answers over ``seconds`` seconds.

  :param int rate: Number of bytes per second to exceed
  :param int seconds: Number of seconds the rate has been exceeded

.. function:: exceedQRate(rate, seconds)

  Get the set of addresses that exceed ``rate`` queries/s over ``seconds`` seconds.

  :param int rate: Number of queries per second to exceed
  :param int seconds: Number of seconds the rate has been exceeded

.. function:: exceedQTypeRate(type, rate, seconds)

  Get the set of addresses that exceed ``rate`` queries/s for queries of QType ``type`` over ``seconds`` seconds.

  :param int type: QType
  :param int rate: Number of QType queries per second to exceed
  :param int seconds: Number of seconds the rate has been exceeded

.. function:: maintenance()

  If this function exists, it is called every second to do regular tasks.
  This can be used for e.g. :doc:`Dynamic Blocks <../guides/dynblocks>`.
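An added example (not from the dnsdist documentation) of a ``maintenance()`` function that feeds the exceed functions above into :func:`addDynBlocks`. The thresholds and block durations are illustrative choices for an assumed traffic level, not recommended values, and ``dnsdist.ANY`` is taken from the :func:`PacketCache:expungeByName` default on this page.

```lua
-- Added example, not from the dnsdist documentation.
-- Rates below are illustrative; tune them to the traffic you actually see.

-- Answer blocked clients with REFUSED instead of silence, so a legitimate
-- but misconfigured client sees an explicit error rather than a timeout.
setDynBlocksAction(DNSAction.Refused)

-- The exceed functions look back over the ring buffers; keep enough entries
-- to cover a 10 second window at the assumed peak rate (~10000 qps).
setRingBuffersSize(100000)

-- dnsdist calls this function once per second.
function maintenance()
  -- Clients sending more than 1000 queries/s over the last 10 seconds:
  -- block for 60 seconds with the default (Refused) action.
  addDynBlocks(exceedQRate(1000, 10), "Exceeded query rate", 60)

  -- Random-subdomain style abuse shows up as a flood of NXDOMAIN answers.
  addDynBlocks(exceedNXDOMAINs(200, 10), "Exceeded NXDOMAIN rate", 60)

  -- Clients driving backends into SERVFAIL: short 10 second block (default).
  addDynBlocks(exceedServFails(50, 10), "Exceeded ServFail rate")

  -- Reflection-style traffic is measured in answer bytes, not queries.
  -- Drop rather than refuse here: even a REFUSED packet adds to the volume
  -- reflected towards a spoofed source.
  addDynBlocks(exceedRespByterate(1000000, 10),
               "Exceeded response byte rate", 60, DNSAction.Drop)

  -- ANY queries are a classic amplification vector; above 10/s over 10s
  -- the client is better served by TC=1 so it retries over TCP.
  addDynBlocks(exceedQTypeRate(dnsdist.ANY, 10, 10),
               "Exceeded ANY rate", 60, DNSAction.Truncate)
end
```

From the console, ``showDynBlocks()`` lists the blocks currently in effect with their message and remaining time, and ``clearDynBlocks()`` lifts them all, for instance after a false positive.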
.. class:: TLSContext

  .. versionadded:: 1.3.0

  This object represents an address and port dnsdist is listening on for DNS over TLS queries.

  .. classmethod:: TLSContext:rotateTicketsKey()

    Replace the current TLS tickets key by a new random one.

  .. classmethod:: TLSContext:loadTicketsKeys(ticketsKeysFile)

    Load new tickets keys from the selected file, replacing the existing ones. These keys should be rotated often and never written to persistent storage to preserve forward secrecy. The default is to generate a random key. The OpenSSL provider supports several tickets keys to be able to decrypt existing sessions after the rotation, while the GnuTLS provider only supports one key.

    :param str ticketsKeysFile: The path to a file from which TLS tickets keys should be loaded.