.. source: docs/domainmetadata.rst in thirdparty/pdns.git (git blame view)
Per zone settings: Domain Metadata
==================================

Each served zone can have "metadata". Such metadata determines how this
zone behaves in certain circumstances.

.. warning::
  Domain metadata is only available for DNSSEC capable
  backends! Make sure to enable the proper '-dnssec' setting to benefit.

For the BIND backend, this information is either stored in the
:ref:`setting-bind-dnssec-db` or the hybrid database,
depending on your settings.

For the implementation in non-SQL backends, please review your backend's
documentation.

Apart from raw SQL statements, setting domain metadata can be done with
``pdnsutil set-meta`` and retrieving metadata is done with ``pdnsutil get-meta``.

.. _metadata-allow-axfr-from:

ALLOW-AXFR-FROM
---------------

Per-zone AXFR ACLs can be stored in the domainmetadata table.

Each ACL specifies one subnet (v4 or v6), or the magical value 'AUTO-NS'
that tries to allow all of the zone's potential slaves (the addresses its
NS records point at).

Example:

::

  pdnsutil set-meta powerdns.org ALLOW-AXFR-FROM AUTO-NS 2001:db8::/48

Each ACL has its own row in the database:

::

  select id from domains where name='example.com';
  7
  insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','AUTO-NS');
  insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','2001:db8::/48');

To disallow all IPs, except those explicitly allowed by domainmetadata
records, add ``allow-axfr-ips=`` to ``pdns.conf``.

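To make the ACL semantics concrete, the following Python is an added model (not PowerDNS code) of how a zone's ALLOW-AXFR-FROM rows are matched against a requesting client address: ``AUTO-NS`` is expanded to the zone's nameserver addresses, and the global ``allow-axfr-ips`` list is additive, so an empty global list leaves only the per-zone rows. The nameserver addresses, the global list and the ``axfr_allowed`` function are constructed assumptions.

```python
import ipaddress

# Constructed stand-in for the addresses the zone's NS records resolve to;
# the real server looks these up itself when it expands AUTO-NS.
ZONE_NS_ADDRESSES = ["192.0.2.53", "2001:db8:53::1"]

# Constructed stand-in for the allow-axfr-ips setting in pdns.conf. An empty
# list models ``allow-axfr-ips=``: nothing is allowed globally, so only the
# per-zone metadata decides.
GLOBAL_ALLOW_AXFR_IPS = []


def entry_networks(entry, ns_addresses):
    """Expand one ALLOW-AXFR-FROM entry into a list of ip_network objects."""
    entry = entry.strip()
    if entry == "AUTO-NS":
        return [ipaddress.ip_network(addr) for addr in ns_addresses]
    # A bare address or a v4/v6 CIDR subnet; strict=False tolerates host bits.
    return [ipaddress.ip_network(entry, strict=False)]


def axfr_allowed(zone_acl, client_ip, global_acl=GLOBAL_ALLOW_AXFR_IPS,
                 ns_addresses=ZONE_NS_ADDRESSES):
    """Return True if client_ip may AXFR the zone.

    zone_acl holds the contents of the zone's ALLOW-AXFR-FROM rows; the
    global list is additive, so a match in either list is enough.
    """
    client = ipaddress.ip_address(client_ip)
    for entry in list(global_acl) + list(zone_acl):
        for net in entry_networks(entry, ns_addresses):
            if client.version == net.version and client in net:
                return True
    return False


if __name__ == "__main__":
    acl = ["AUTO-NS", "2001:db8::/48"]   # the two rows from the example above
    for ip in ("192.0.2.53", "2001:db8:0:1::5", "198.51.100.7"):
        print(ip, "allowed" if axfr_allowed(acl, ip) else "refused")
```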
.. _metadata-api-rectify:

API-RECTIFY
-----------
.. versionadded:: 4.1.0

This metadata item controls whether or not a zone is fully rectified on changes
to the contents of a zone made through the :doc:`API <http-api/index>`.

When the ``API-RECTIFY`` value is "1", the zone will be rectified on changes.
Any other value means that it will not be rectified. If this is not set
at all, rectifying of the zone depends on the config variable
:ref:`setting-default-api-rectify`.

.. _metadata-axfr-source:

AXFR-SOURCE
-----------

The IP address to use as a source address for sending AXFR and IXFR
requests.

ALLOW-DNSUPDATE-FROM, TSIG-ALLOW-DNSUPDATE, FORWARD-DNSUPDATE, SOA-EDIT-DNSUPDATE, NOTIFY-DNSUPDATE
---------------------------------------------------------------------------------------------------

See the documentation on :ref:`Dynamic DNS update <dnsupdate-metadata>`.

.. _metadata-also-notify:

ALSO-NOTIFY
-----------

When notifying this domain, also notify this nameserver (can occur
multiple times). The nameserver may contain an optional port
number, e.g.:

::

  pdnsutil set-meta powerdns.org ALSO-NOTIFY 192.0.2.1:5300
  pdnsutil set-meta powerdns.org ALLOW-AXFR-FROM 2001:db8:53::1

Or in SQL:

::

  insert into domainmetadata (domain_id, kind, content) values (7,'ALSO-NOTIFY','192.0.2.1:5300');
  insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','2001:db8:53::1');

AXFR-MASTER-TSIG
----------------

Use this named TSIG key to retrieve this zone from its master, see :ref:`tsig-provision-signed-notify-axfr`.

GSS-ALLOW-AXFR-PRINCIPAL
------------------------

Allow this GSS principal to perform AXFR retrieval. Most commonly it is
``host/something@REALM``, ``DNS/something@REALM`` or ``user@REALM``.
(See :ref:`tsig-gss-tsig`).

GSS-ACCEPTOR-PRINCIPAL
----------------------

Use this principal for accepting GSS context.
(See :ref:`tsig-gss-tsig`).

IXFR
----

If set to 1, attempt IXFR when retrieving zone updates. Otherwise IXFR
is not attempted.

LUA-AXFR-SCRIPT
---------------

Script to be used to edit incoming AXFRs, see :ref:`modes-of-operation-axfrfilter`.
This value will override the :ref:`setting-lua-axfr-script` setting. Use
'NONE' to remove a global script.

NSEC3NARROW
-----------

Set to "1" to tell PowerDNS this zone operates in NSEC3 'narrow' mode.
See ``set-nsec3`` in :doc:`pdnsutil <dnssec/pdnsutil>`.

NSEC3PARAM
----------

NSEC3 parameters of a DNSSEC zone. Will be used to synthesize the
NSEC3PARAM record. If present, NSEC3 is used; if not present, zones
default to NSEC. See ``set-nsec3`` in :doc:`pdnsutil <dnssec/pdnsutil>`.
Example content: "1 0 1 ab".

.. _metadata-presigned:

PRESIGNED
---------

This zone carries DNSSEC RRSIGs (signatures), and is presigned. PowerDNS
sets this flag automatically upon incoming zone transfers (AXFR) if it
detects DNSSEC records in the zone. However, if you import a presigned
zone using ``zone2sql`` or ``pdnsutil load-zone`` you must explicitly
set the zone to be ``PRESIGNED``. Note that PowerDNS will not be able to
correctly serve the zone if the imported data is bogus or incomplete.
Also see ``set-presigned`` in :doc:`pdnsutil <dnssec/pdnsutil>`.

If a zone is presigned, the content of the metadata must be "1" (without
the quotes). Any other value will not signal presignedness.

PUBLISH-CDNSKEY, PUBLISH-CDS
----------------------------

Whether to publish the CDNSKEY and/or CDS records defined in :rfc:`7344`.

To publish CDNSKEY records of the KSKs for the zone, set
``PUBLISH-CDNSKEY`` to ``1``.

To publish CDS records for the KSKs in the zone, set ``PUBLISH-CDS`` to
a comma-separated list of `DS digest algorithm
numbers <http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml#ds-rr-types-1>`__.

This metadata can also be set using the
:doc:`pdnsutil <dnssec/pdnsutil>` commands ``set-publish-cdnskey``
and ``set-publish-cds``. For an example of an :rfc:`7344` key rollover,
see :doc:`guides/kskrollcdnskey`.

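What a ``PUBLISH-CDS`` value such as ``2,4`` asks the server to synthesize can be worked through by hand. The Python below is an added example (not PowerDNS code) that builds the CDS presentation lines for a KSK from that value: the key tag per RFC 4034 Appendix B and the digest over the canonical owner name plus the DNSKEY RDATA per RFC 4034 section 5.1.4. The DNSKEY public-key bytes are constructed and meaningless, and the function names are assumptions.

```python
import hashlib
import struct

# DS digest types from the IANA registry linked above: 2 = SHA-256, 4 = SHA-384.
DIGEST_TYPES = {2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical (lower-cased, uncompressed) wire form of an owner name."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def synthesize_cds(zone, publish_cds, flags, algorithm, pubkey):
    """Return CDS presentation strings for one DNSKEY, one per digest type
    listed in the PUBLISH-CDS metadata. Only KSKs (SEP flag set) qualify."""
    if not flags & 1:
        return []
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    tag = key_tag(rdata)
    records = []
    for field in publish_cds.split(","):
        digest_type = int(field.strip())
        if digest_type not in DIGEST_TYPES:
            raise ValueError(f"unsupported DS digest type {digest_type}")
        digest = DIGEST_TYPES[digest_type](name_to_wire(zone) + rdata).hexdigest()
        records.append(f"{tag} {algorithm} {digest_type} {digest.upper()}")
    return records


if __name__ == "__main__":
    # Constructed KSK: flags 257 (ZONE + SEP), algorithm 13, dummy key bytes.
    for line in synthesize_cds("example.com", "2,4", 257, 13, b"\x01\x02\x03\x04"):
        print("example.com. IN CDS", line)
```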
.. _metadata-soa-edit:

SOA-EDIT
--------

When serving this zone, modify the SOA serial number in one of several
ways. Mostly useful to get slaves to re-transfer a zone regularly to get
fresh RRSIGs. See the :ref:`DNSSEC
documentation <soa-edit-ensure-signature-freshness-on-slaves>`
for more information.

.. _metadata-soa-edit-api:

SOA-EDIT-API
------------

On changes to the contents of a zone made through the :doc:`API <http-api/index>`,
the SOA record will be edited according to the SOA-EDIT-API rules. These rules
are the same as the :ref:`SOA-EDIT-DNSUPDATE <dnsupdate-soa-serial-updates>` rules.
If not set during zone creation, a SOA-EDIT-API metadata record is created and set to ``DEFAULT``.
If this record is removed from the backend, the default behaviour is to not do any SOA editing based on this setting.
This is different from setting ``DEFAULT``.

TSIG-ALLOW-AXFR
---------------

Allow these named TSIG keys to AXFR this zone, see :ref:`tsig-provision-signed-notify-axfr`.

TSIG-ALLOW-DNSUPDATE
--------------------

This setting allows you to set the TSIG key required to do a :doc:`dnsupdate`.
If :ref:`GSS-TSIG <tsig-gss-tsig>` is enabled, you can put Kerberos principals here as well.

Extra metadata
--------------

Through the API and on the ``pdnsutil set-meta`` commandline, metadata
unused by PowerDNS can be added. It is mandatory to prefix this extra
metadata with "X-" and the name of the external application; the API
will only allow this metadata if it starts with "X-".