Authoritative Server Settings
=============================

All PowerDNS Authoritative Server settings are listed here, excluding
those that originate from backends, which are documented in the relevant
chapters. These settings can be set inside ``pdns.conf`` or on the
command line when invoking the ``pdns`` binary.

You can use the ``+=`` syntax to set some variables incrementally, but this
requires you to have at least one non-incremental setting for the
variable to act as the base setting. This is mostly useful for the
:ref:`setting-include-dir` directive.
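As an added example (not PowerDNS code), the parser below applies the ``=`` and ``+=`` rules described above to a constructed main file and include fragment: ``+=`` appends to an existing value and is rejected when no base setting exists. The comma separator and the bare-name boolean shorthand are assumptions of this example.

```python
"""Added example, not PowerDNS code: a minimal parser for the ``=`` / ``+=``
configuration syntax.  Everything marked 'assumption' is this example's own."""
from __future__ import annotations

# Constructed sample: a main pdns.conf and one fragment from include-dir.
MAIN_CONF = """\
# comment lines and blank lines are skipped
launch=gmysql
also-notify=192.0.2.1
master
"""
INCLUDE_CONF = """\
also-notify+=203.0.113.167
"""


class ConfigError(ValueError):
    """Raised when a fragment violates the '+= needs a base setting' rule."""


def parse_pdns_conf(text: str, settings: dict[str, str] | None = None) -> dict[str, str]:
    """Parse ``key=value`` and ``key+=value`` lines into *settings* (in place).

    ``+=`` appends to the existing value; the page requires a non-incremental
    base setting first, so appending to an unset key is an error.  Joining with a
    comma and treating a bare name as ``yes`` are assumptions of this example.
    """
    settings = {} if settings is None else settings
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "+=" in line:                       # incremental form, check before '='
            key, _, value = line.partition("+=")
            key, value = key.strip(), value.strip()
            if key not in settings:
                raise ConfigError(f"line {lineno}: '{key}+=' has no base setting")
            settings[key] = f"{settings[key]},{value}" if settings[key] else value
        elif "=" in line:                      # plain assignment replaces the value
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
        else:                                  # assumption: bare boolean name means 'yes'
            settings[line] = "yes"
    return settings


def load_with_include(main: str, fragments: list[str]) -> dict[str, str]:
    """Main file first, then include-dir fragments in order, so fragments can
    extend settings the main file established."""
    settings = parse_pdns_conf(main)
    for fragment in fragments:
        parse_pdns_conf(fragment, settings)
    return settings
```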
For boolean settings, specifying the name of the setting without a value

- Allow 8 bit DNS queries

.. versionadded:: 4.0.0

Allow 8 bit DNS queries.

.. _setting-allow-axfr-ips:

- IP ranges, separated by commas
- Default: 127.0.0.0/8,::1

If set, only these IP addresses or netmasks will be able to perform

.. _setting-allow-dnsupdate-from:

``allow-dnsupdate-from``
------------------------

- IP ranges, separated by commas
- Default: 127.0.0.0/8,::1

Allow DNS updates from these IP ranges. Set to an empty string to honour ``ALLOW-DNSUPDATE-FROM`` in :ref:`metadata-allow-dnsupdate-from`.

.. _setting-allow-notify-from:

- IP ranges, separated by commas
- Default: 0.0.0.0/0,::/0

Allow AXFR NOTIFY from these IP ranges. Setting this to an empty string
will drop all incoming notifies.

.. _setting-allow-unsigned-notify:

``allow-unsigned-notify``
-------------------------

.. versionadded:: 4.0.0

Turning this off requires all notifications that are received to be
signed by a valid TSIG signature for the zone.

.. _setting-allow-unsigned-supermaster:

``allow-unsigned-supermaster``
------------------------------

.. versionadded:: 4.0.0

Turning this off requires all supermaster notifications to be signed by
a valid TSIG signature. It will accept any existing key on the slave.

.. _setting-allow-recursion:

- IP ranges, separated by commas

Recursion has been removed, see :doc:`guides/recursion`.

By specifying ``allow-recursion``, recursion can be restricted to the
netmasks specified. The default is to allow recursion from everywhere.
Example: ``allow-recursion=198.51.100.0/24, 10.0.0.0/8, 192.0.2.4``.

.. _setting-also-notify:

- IP addresses, separated by commas

When notifying a domain, also notify these nameservers. Example:
``also-notify=192.0.2.1, 203.0.113.167``. The IP addresses listed in
``also-notify`` always receive a notification, even if they do not match
the list in :ref:`setting-only-notify`.

.. _setting-any-to-tcp:

.. versionchanged:: 4.0.1
  Was 'no' before.

Answer ANY questions on UDP with a truncated packet that refers
the client to TCP. Useful for mitigating reflection attacks.

Enable/disable the :doc:`http-api/index`.

.. versionadded:: 4.0.0

Static pre-shared authentication key for access to the REST API.

.. _setting-api-readonly:

.. versionadded:: 4.0.0
.. versionchanged:: 4.2.0
  This setting has been removed in 4.2.0.

Disallow data modification through the REST API when set.

.. _setting-axfr-lower-serial:

``axfr-lower-serial``
---------------------

.. versionadded:: 4.0.4

Also AXFR a zone from a master with a lower serial.

.. _setting-cache-ttl:

Seconds to store packets in the :ref:`packet-cache`.

.. _setting-carbon-namespace:

.. versionadded:: 4.2.0

Set the namespace or first string of the metric key. Be careful not to include
any dots in this setting, unless you know what you are doing.
See :ref:`metricscarbon`.

.. _setting-carbon-ourname:

- Default: the hostname of the server

If sending carbon updates, this setting, if set, overrides our hostname. Be
careful not to include any dots in this setting, unless you know what
you are doing. See :ref:`metricscarbon`.

.. _setting-carbon-instance:

.. versionadded:: 4.2.0

Set the instance or third string of the metric key. Be careful not to include
any dots in this setting, unless you know what you are doing.
See :ref:`metricscarbon`.

.. _setting-carbon-server:

Send all available metrics to this server via the carbon protocol, which
is used by graphite and metronome. It has to be an address (no
hostnames). You can specify more than one server using a comma-delimited list,
e.g. ``carbon-server=10.10.10.10,10.10.10.20``.
You may specify an alternate port by appending ``:port``, e.g.
``127.0.0.1:2004``. See :ref:`metricscarbon`.

.. _setting-carbon-interval:

If sending carbon updates, this is the interval between them in seconds.
See :ref:`metricscarbon`.

If set, chroot to this directory for more security. See :doc:`security`.

Make sure that ``/dev/log`` is available from within the chroot. Logging
will silently fail over time otherwise (on logrotate).

When setting ``chroot``, all other paths in the config (except for
:ref:`setting-config-dir` and :ref:`setting-module-dir`)
are relative to the new root.

When running on a system where systemd manages services, ``chroot`` does
not work out of the box, as PowerDNS cannot use the ``NOTIFY_SOCKET``.
Either don't ``chroot`` on these systems or set the 'Type' of this
service to 'simple' instead of 'notify' (refer to the systemd
documentation on how to modify unit files).
.. _setting-config-dir:

Location of the configuration directory (``pdns.conf``). Usually
``/etc/powerdns``, but this depends on ``SYSCONFDIR`` during

.. _setting-config-name:

Name of this virtual configuration - will rename the binary image. See
:doc:`guides/virtual-instances`.

.. _setting-control-console:

Debugging switch - don't use.

.. _setting-default-api-rectify:

``default-api-rectify``
-----------------------

.. versionadded:: 4.2.0

The value of :ref:`metadata-api-rectify` if it is not set on the zone.

Before 4.2.0 the default was always no.

.. _setting-default-ksk-algorithms:
.. _setting-default-ksk-algorithm:

``default-ksk-algorithm``
-------------------------

.. versionchanged:: 4.1.0
  Renamed from ``default-ksk-algorithms``. No longer supports multiple algorithm names.

The algorithm that should be used for the KSK when running
:doc:`pdnsutil secure-zone <manpages/pdnsutil.1>` or using the :doc:`Zone API endpoint <http-api/cryptokey>`
to enable DNSSEC. Must be one of:

* ecdsa256 (ECDSA P-256 with SHA256)
* ecdsa384 (ECDSA P-384 with SHA384)

Actual supported algorithms depend on the crypto libraries
PowerDNS was compiled against. To check the supported DNSSEC algorithms
in your build of PowerDNS, run ``pdnsutil list-algorithms``.

.. _setting-default-ksk-size:

- Default: whichever is default for `default-ksk-algorithm`_

The default keysize for the KSK generated with :doc:`pdnsutil secure-zone <dnssec/pdnsutil>`.
Only relevant for algorithms with non-fixed keysizes (like RSA).

.. _setting-default-soa-name:

- Default: a.misconfigured.powerdns.server

Name to insert in the SOA record if none is set in the backend.

.. _setting-default-soa-edit:

Use this soa-edit value for all zones if no
:ref:`metadata-soa-edit` metadata value is set.

.. _setting-default-soa-edit-signed:

``default-soa-edit-signed``
---------------------------

Use this soa-edit value for all signed zones if no
:ref:`metadata-soa-edit` metadata value is set.
Overrides :ref:`setting-default-soa-edit`.

.. _setting-default-soa-mail:

Mail address to insert in the SOA record if none is set in the backend.

.. _setting-default-ttl:

TTL to use when none is provided.

.. _setting-default-zsk-algorithms:
.. _setting-default-zsk-algorithm:

``default-zsk-algorithm``
-------------------------

.. versionchanged:: 4.1.0
  Renamed from ``default-zsk-algorithms``. No longer supports multiple algorithm names.

The algorithm that should be used for the ZSK when running
:doc:`pdnsutil secure-zone <manpages/pdnsutil.1>` or using the :doc:`Zone API endpoint <http-api/cryptokey>`
to enable DNSSEC. Must be one of:

* ecdsa256 (ECDSA P-256 with SHA256)
* ecdsa384 (ECDSA P-384 with SHA384)

Actual supported algorithms depend on the crypto libraries
PowerDNS was compiled against. To check the supported DNSSEC algorithms
in your build of PowerDNS, run ``pdnsutil list-algorithms``.

.. _setting-default-zsk-size:

- Default: 0 (automatic default for `default-zsk-algorithm`_)

The default keysize for the ZSK generated with :doc:`pdnsutil secure-zone <dnssec/pdnsutil>`.
Only relevant for algorithms with non-fixed keysizes (like RSA).

.. _setting-direct-dnskey:

Read additional DNSKEY, CDS and CDNSKEY records from the records table/your BIND zonefile. If not
set, DNSKEY, CDS and CDNSKEY records in the zonefiles are ignored.

.. _setting-disable-axfr:

Do not allow zone transfers.

.. _setting-disable-axfr-rectify:

``disable-axfr-rectify``
------------------------

Disable the rectify step during an outgoing AXFR. Only required for

.. _setting-disable-syslog:

Do not log to syslog, only to stdout. Use this setting when running
inside a supervisor that handles logging (like systemd).

Do not use this setting in combination with :ref:`setting-daemon` as all
logging will disappear.

.. _setting-disable-tcp:

Do not listen to TCP queries. Breaks RFC compliance.

.. _setting-distributor-threads:

``distributor-threads``
-----------------------

Number of Distributor (backend) threads to start per receiver thread.
See :doc:`performance`.

.. _setting-dname-processing:

Synthesise CNAME records from DNAME records as required. This
approximately doubles query load. **Do not combine with DNSSEC!**

.. _setting-dnssec-key-cache-ttl:

``dnssec-key-cache-ttl``
------------------------

Seconds to cache DNSSEC keys from the database. A value of 0 disables

.. _setting-dnsupdate:

Enable/disable DNS update (RFC 2136) support. See :doc:`dnsupdate` for more.

.. _setting-do-ipv6-additional-processing:

``do-ipv6-additional-processing``
---------------------------------

Perform AAAA additional processing. This sends AAAA records in the
ADDITIONAL section when sending a referral.

.. _setting-domain-metadata-cache-ttl:

``domain-metadata-cache-ttl``
-----------------------------

Seconds to cache domain metadata from the database. A value of 0

.. _setting-edns-subnet-processing:

``edns-subnet-processing``
--------------------------

Enables EDNS subnet processing, for backends that support it.

.. _setting-enable-lua-records:

``enable-lua-records``
----------------------

Globally enable the LUA records feature.

.. _setting-entropy-source:

- Default: /dev/urandom

Entropy source file to use.

.. _setting-expand-alias:

.. versionadded:: 4.1.0

If this is enabled, ALIAS records are expanded (synthesised to their

If this is disabled (the default), ALIAS records will not be expanded and
the server will return NODATA for A/AAAA queries for such names.

**note**: :ref:`setting-resolver` must also be set for ALIAS

**note**: In PowerDNS Authoritative Server 4.0.x, this setting did not
exist and ALIAS was always expanded.

.. _setting-forward-dnsupdate:

``forward-dnsupdate``
---------------------

Forward DNS updates sent to a slave to the master.

.. _setting-forward-notify:

- IP addresses, separated by commas

IP addresses to forward received notifications to regardless of master

The intended use is in anycast environments where it might be
necessary for a proxy server to perform the AXFR. The usual checks are
performed before any received notification is forwarded.

.. _setting-guardian:

Run within a guardian process. See :ref:`running-guardian`.

.. _setting-include-dir:

Directory to scan for additional config files. All files that end with
``.conf`` are loaded in order using ``POSIX`` as locale.

- Backend names, separated by commas

Which backends to launch and the order to query them in. Launches backends.
In its most simple form, supply all backends that need to be launched::

    launch=bind,gmysql,remote

If you find that you need to query a backend multiple times with
different configuration, you can specify a name for later
instantiations, e.g.::

    launch=gmysql,gmysql:server2

In this case, there are 2 instances of the gmysql backend, one by the
normal name and the second one called 'server2'. The backend
configuration item names change: e.g. ``gmysql-host`` is available to
configure the ``host`` setting of the first or main instance, and
``gmysql-server2-host`` for the second one.

Running multiple instances of the bind backend is not allowed.
710 - Paths, separated by commas
712 If backends are available in nonstandard directories, specify their
713 location here. Multiple files can be loaded if separated by commas. Only
714 available in non-static distributions.
716 .. _setting-local-address:
721 - IPv4 Addresses, separated by commas or whitespace
724 Local IP address to which we bind. It is highly advised to bind to
725 specific interfaces and not use the default 'bind to any'. This causes
726 big problems if you have multiple IP addresses. Unix does not provide a
727 way of figuring out what IP address a packet was sent to when binding to
730 .. _setting-log-timestamp:
735 .. versionadded:: 4.1.0
740 When printing log lines to stdout, prefix them with timestamps.
741 Disable this if the process supervisor timestamps these lines already.
744 The systemd unit file supplied with the source code already disables timestamp printing
746 .. _setting-lua-records-exec-limit:
748 ``lua-records-exec-limit``
749 -----------------------------
754 Limit LUA records scripts to ``lua-records-exec-limit`` instructions.
755 Setting this to any value less than or equal to 0 will set no limit.
757 .. _setting-non-local-bind:
765 Bind to addresses even if one or more of the
766 :ref:`setting-local-address`'s do not exist on this server.
767 Setting this option will enable the needed socket options to allow
768 binding to non-local addresses. This feature is intended to facilitate
769 ip-failover setups, but it may also mask configuration issues and for
770 this reason it is disabled by default.
772 .. _setting-lua-axfr-script:
780 .. versionadded:: 4.1.0
782 Script to be used to edit incoming AXFRs, see :ref:`modes-of-operation-axfrfilter`
784 .. _setting-local-address-nonexist-fail:
786 ``local-address-nonexist-fail``
787 -------------------------------
792 Fail to start if one or more of the
793 :ref:`setting-local-address`'s do not exist on this server.
795 .. _setting-local-ipv6:
800 - IPv6 Addresses, separated by commas or whitespace
803 Local IPv6 address to which we bind. It is highly advised to bind to
804 specific interfaces and not use the default 'bind to any'. This causes
805 big problems if you have multiple IP addresses.
807 .. _setting-local-ipv6-nonexist-fail:
809 ``local-ipv6-nonexist-fail``
810 ----------------------------
815 Fail to start if one or more of the :ref:`setting-local-ipv6`
816 addresses do not exist on this server.
818 .. _setting-local-port:
826 The port on which we listen. Only one port possible.
828 .. _setting-log-dns-details:
836 If set to 'no', informative-only DNS details will not even be sent to
837 syslog, improving performance.
839 .. _setting-logging-facility:
844 If set to a digit, logging is performed under this LOCAL facility. See :ref:`logging-to-syslog`.
845 Do not pass names like 'local0'!
847 .. _setting-loglevel:
855 Amount of logging. Higher is more. Do not set below 3. Corresponds to "syslog" level values,
856 e.g. error = 3, warning = 4, notice = 5, info = 6
858 .. _setting-log-dns-queries:
866 Tell PowerDNS to log all incoming DNS queries. This will lead to a lot
867 of logging! Only enable for debugging! Set :ref:`setting-loglevel`
868 to at least 5 to see the logs.
870 .. _setting-lua-prequery-script:
872 ``lua-prequery-script``
873 -----------------------
877 Lua script to run before answering a query. This is a feature used
878 internally for regression testing. The API of this functionality is not
879 guaranteed to be stable, and is in fact likely to change.
889 Turn on master support. See :ref:`master-operation`.
891 .. _setting-max-cache-entries:
893 ``max-cache-entries``
894 ---------------------
899 .. versionchanged:: 4.1.0
900 The packet and query caches are distinct. Previously, this setting was used for
901 both the packet and query caches. See ref:`setting-max-packet-cache-entries` for
902 the packet-cache setting.
904 Maximum number of entries in the query cache. 1 million (the default)
905 will generally suffice for most installations.
907 .. _setting-max-ent-entries:
915 Maximum number of empty non-terminals to add to a zone. This is a
916 protection measure to avoid database explosion due to long names.
918 .. _setting-max-nsec3-iterations:
920 ``max-nsec3-iterations``
921 ------------------------
926 Limit the number of NSEC3 hash iterations
928 .. _setting-max-packet-cache-entries:
930 ``max-packet-cache-entries``
931 ----------------------------
936 .. versionadded:: 4.1.0
938 Maximum number of entries in the packet cache. 1 million (the default)
939 will generally suffice for most installations.
941 .. _setting-max-queue-length:
949 If this many packets are waiting for database attention, consider the
950 situation hopeless and respawn.
952 .. _setting-max-signature-cache-entries:
954 ``max-signature-cache-entries``
955 -------------------------------
958 - Default: 2^31-1 (on most systems), 2^63-1 (on ILP64 systems)
960 Maximum number of signatures cache entries
962 .. _setting-max-tcp-connection-duration:
964 ``max-tcp-connection-duration``
965 -------------------------------
970 Maximum time in seconds that a TCP DNS connection is allowed to stay
971 open. 0 means unlimited. Note that exchanges related to an AXFR or IXFR
972 are not affected by this setting.
974 .. _setting-max-tcp-connections:
976 ``max-tcp-connections``
977 -----------------------
982 Allow this many incoming TCP DNS connections simultaneously.
984 .. _setting-max-tcp-connections-per-client:
986 ``max-tcp-connections-per-client``
987 ----------------------------------
992 Maximum number of simultaneous TCP connections per client. 0 means
995 .. _setting-max-tcp-transactions-per-conn:
997 ``max-tcp-transactions-per-conn``
998 ---------------------------------
1003 Allow this many DNS queries in a single TCP transaction. 0 means
1004 unlimited. Note that exchanges related to an AXFR or IXFR are not
1005 affected by this setting.
1007 .. _setting-module-dir:
1014 Directory for modules. Default depends on ``PKGLIBDIR`` during
1017 .. _setting-negquery-cache-ttl:
1019 ``negquery-cache-ttl``
1020 ----------------------
1025 Seconds to store queries with no answer in the Query Cache. See ref:`query-cache`.
1027 .. _setting-no-config:
1035 Do not attempt to read the configuration file.
1037 .. _setting-no-shuffle:
1045 Do not attempt to shuffle query results, used for regression testing.
1047 .. _setting-overload-queue-length:
1049 ``overload-queue-length``
1050 -------------------------
1053 - Default: 0 (disabled)
1055 If this many packets are waiting for database attention, answer any new
1056 questions strictly from the packet cache.
1058 .. _setting-reuseport:
1066 On Linux 3.9 and some BSD kernels the ``SO_REUSEPORT`` option allows
1067 each receiver-thread to open a new socket on the same port which allows
1068 for much higher performance on multi-core boxes. Setting this option
1069 will enable use of ``SO_REUSEPORT`` when available and seamlessly fall
1070 back to a single socket when it is not available. A side-effect is that
1071 you can start multiple servers on the same IP/port combination which may
1072 or may not be a good idea. You could use this to enable transparent
1073 restarts, but it may also mask configuration issues and for this reason
1074 it is disabled by default.
1084 Specify which random number generator to use. Permissible choises are
1085 - auto - choose automatically
1086 - sodium - Use libsodium ``randombytes_uniform``
1087 - openssl - Use libcrypto ``RAND_bytes``
1088 - getrandom - Use libc getrandom, falls back to urandom if it does not really work
1089 - arc4random - Use BSD ``arc4random_uniform``
1090 - urandom - Use ``/dev/urandom``
1091 - kiss - Use simple settable deterministic RNG. **FOR TESTING PURPOSES ONLY!**
1094 Not all choises are available on all systems.
1096 .. _setting-security-poll-suffix:
1098 ``security-poll-suffix``
1099 ------------------------
1102 - Default: secpoll.powerdns.com.
1104 Domain name from which to query security update notifications. Setting
1105 this to an empty string disables secpoll.
1107 .. _setting-server-id:
1113 - Default: The hostname of the server
1115 This is the server ID that will be returned on an EDNS NSID query.
1117 .. _setting-only-notify:
1122 - IP Ranges, separated by commas or whitespace
1123 - Default: 0.0.0.0/0, ::/0
1125 For type=MASTER zones (or SLAVE zones with slave-renotify enabled)
1126 PowerDNS automatically sends NOTIFYs to the name servers specified in
1127 the NS records. By specifying networks/mask as whitelist, the targets
1128 can be limited. The default is to notify the world. To completely
1129 disable these NOTIFYs set ``only-notify`` to an empty value. Independent
1130 of this setting, the IP addresses or netmasks configured with
1131 :ref:`setting-also-notify` and ``ALSO-NOTIFY`` domain metadata
1132 always receive AXFR NOTIFYs.
1134 IP addresses and netmasks can be excluded by prefixing them with a ``!``.
1135 To notify all IP addresses apart from the 192.168.0.0/24 subnet use the following::
1137 only-notify=0.0.0.0/0, ::/0, !192.168.0.0/24
1140 Even if NOTIFYs are limited by a netmask, PowerDNS first has to
1141 resolve all the hostnames to check their IP addresses against the
1142 specified whitelist. The resolving may take considerable time,
1143 especially if those hostnames are slow to resolve. If you do not need to
1144 NOTIFY the slaves defined in the NS records (e.g. you are using another
1145 method to distribute the zone data to the slaves), then set
1146 :ref:`setting-only-notify` to an empty value and specify the notification targets
1147 explicitly using :ref:`setting-also-notify` and/or
1148 :ref:`metadata-also-notify` domain metadata to avoid this potential bottleneck.
1151 If your slaves support Internet Protocol version, which your master does not,
1152 then set ``only-notify`` to include only supported protocol version.
1153 Otherwise there will be error trying to resolve address.
1155 For example, slaves support both IPv4 and IPv6, but PowerDNS master have only IPv4,
1156 so allow only IPv4 with ``only-notify``::
1158 only-notify=0.0.0.0/0
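As an added example (not PowerDNS code), the following shows the target selection this section and the other netmask-list settings (such as the ``allow-*`` lists) describe: an ``only-notify`` list with ``!`` exclusions is applied to the addresses the NS names resolve to, an IPv4-only list silently drops IPv6 targets, and ``also-notify`` addresses are always kept. Hostname resolution is replaced by a constructed lookup table so the code runs offline.

```python
"""Added example, not PowerDNS code: only-notify / also-notify target selection
with '!' exclusions.  Name resolution is a constructed table (FAKE_DNS)."""
from __future__ import annotations
import ipaddress


def parse_netmask_list(value: str) -> tuple[list, list]:
    """Split a comma- or whitespace-separated list into (allow, deny) networks.
    A leading '!' marks an exclusion; a bare address gets a host mask."""
    allow, deny = [], []
    for item in value.replace(",", " ").split():
        negate = item.startswith("!")
        net = ipaddress.ip_network(item.lstrip("!"), strict=False)
        (deny if negate else allow).append(net)
    return allow, deny


def is_permitted(addr: str, allow: list, deny: list) -> bool:
    """True if some allow entry covers *addr* and no deny entry does.
    Address families never cross: an IPv6 address is not inside 0.0.0.0/0,
    which is what makes an IPv4-only only-notify drop IPv6 targets."""
    ip = ipaddress.ip_address(addr)

    def covers(nets: list) -> bool:
        return any(ip.version == net.version and ip in net for net in nets)

    return covers(allow) and not covers(deny)


# Constructed stand-in for resolving NS hostnames; the page notes that real
# resolution is where slow nameservers can stall the NOTIFY process.
FAKE_DNS = {
    "ns1.example.net": ["192.0.2.53", "2001:db8::53"],
    "ns2.example.net": ["192.168.0.10"],
}


def notify_targets(ns_names: list[str], only_notify: str, also_notify: str = "") -> list[str]:
    """Addresses that would receive a NOTIFY for a zone: resolved NS addresses
    filtered by only-notify, plus every also-notify address unconditionally."""
    allow, deny = parse_netmask_list(only_notify)
    targets: list[str] = []
    for name in ns_names:
        for addr in FAKE_DNS.get(name, []):
            if is_permitted(addr, allow, deny) and addr not in targets:
                targets.append(addr)
    # also-notify targets bypass the only-notify filter, as the page states.
    for addr in also_notify.replace(",", " ").split():
        if addr not in targets:
            targets.append(addr)
    return targets
```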
.. _setting-out-of-zone-additional-processing:

``out-of-zone-additional-processing``
-------------------------------------

.. deprecated:: 4.2.0
  This setting has been removed.

Do out of zone additional processing. This means that if a malicious
user adds a '.com' zone to your server, it is not used for other domains
and will not contaminate answers. Do not enable this setting if you run
a public DNS service with untrusted users.

The docs had previously indicated that the default was "no", but the
default has been "yes" since 2005.

.. _setting-outgoing-axfr-expand-alias:

``outgoing-axfr-expand-alias``
------------------------------

If this is enabled, ALIAS records are expanded (synthesised to their
A/AAAA) during outgoing AXFR. This means slaves will not automatically
follow changes in those A/AAAA records unless you AXFR regularly!

If this is disabled (the default), ALIAS records are sent verbatim
during outgoing AXFR. Note that if your slaves do not support ALIAS,
they will return NODATA for A/AAAA queries for such names.

.. _setting-prevent-self-notification:

``prevent-self-notification``
-----------------------------

PowerDNS Authoritative Server attempts to not send out notifications to
itself in master mode. In very complicated situations we could guess
wrong and not notify a server that should be notified. In that case, set
prevent-self-notification to "no".

.. _setting-query-cache-ttl:

Seconds to store queries with an answer in the Query Cache. See :ref:`query-cache`.

.. _setting-query-local-address:

``query-local-address``
-----------------------

The IP address to use as a source address for sending queries. Useful if
you have multiple IPs and PowerDNS is not bound to the IP address your
operating system uses by default for outgoing packets.

.. _setting-query-local-address6:

``query-local-address6``
------------------------

Source IP address for sending IPv6 queries.

.. _setting-query-logging:

Boolean, hints to a backend that it should log a textual representation
of queries it performs. Can be set at runtime.

.. _setting-queue-limit:

Maximum number of milliseconds to queue a query. See :doc:`performance`.

.. _setting-receiver-threads:

``receiver-threads``
--------------------

Number of receiver (listening) threads to start. See :doc:`performance`.

.. _setting-recursive-cache-ttl:

``recursive-cache-ttl``
-----------------------

.. deprecated:: 4.1.0
  Recursion has been removed, see :doc:`guides/recursion`.

Seconds to store recursive packets in the :ref:`packet-cache`.

.. _setting-recursor:

.. deprecated:: 4.1.0
  Recursion has been removed, see :doc:`guides/recursion`.

If set, recursive queries will be handed to the recursor specified here.

.. _setting-resolver:

- IP addresses with optional port, separated by commas

.. versionadded:: 4.1.0

Use these resolver addresses for ALIAS and the internal stub resolver.
If this is not set, ``/etc/resolv.conf`` is parsed for upstream

.. _setting-retrieval-threads:

``retrieval-threads``
---------------------

Number of AXFR slave threads to start.

.. _setting-send-signed-notify:

``send-signed-notify``
----------------------

If yes, outgoing NOTIFYs will be signed if a TSIG key is configured for the zone.
If there are multiple TSIG keys configured for a domain, PowerDNS will use the
first one retrieved from the backend, which may not be the correct one for the
respective slave. Hence, in setups with multiple slaves with different TSIG keys
it may be required to send NOTIFYs unsigned.

If set, change group id to this gid for more security. See :doc:`security`.

If set, change user id to this uid for more security. See :doc:`security`.

Turn on slave support. See :ref:`slave-operation`.

.. _setting-slave-cycle-interval:

``slave-cycle-interval``
------------------------

On a master, this is the number of seconds between the master checking
the SOA serials in its database to determine whether to send out NOTIFYs to the
slaves. On slaves, this is the number of seconds between the slave
checking for updates to zones.

.. _setting-slave-renotify:

This setting will make PowerDNS renotify the slaves after an AXFR is
*received* from a master. This is useful when running a

.. _setting-signing-threads:

Tell PowerDNS how many threads to use for signing. It might help improve
signing speed by changing this number.

.. _setting-soa-expire-default:

``soa-expire-default``
----------------------

Default :ref:`types-soa` expire.

.. _setting-soa-minimum-ttl:

Default :ref:`types-soa` minimum TTL.

.. _setting-soa-refresh-default:

``soa-refresh-default``
-----------------------

Default :ref:`types-soa` refresh.

.. _setting-soa-retry-default:

``soa-retry-default``
---------------------

Default :ref:`types-soa` retry.

.. _setting-socket-dir:

Where the control socket will live. The default depends on
``LOCALSTATEDIR`` during compile time (usually ``/var/run`` or
``/run``). See :ref:`control-socket`.

This path will also contain the pidfile for this instance of PowerDNS,
called ``pdns.pid`` by default. See :ref:`setting-config-name`
and :doc:`Virtual Hosting <guides/virtual-instances>` for how this can differ.

.. _setting-supermaster:

.. versionadded:: 4.2.0

Turn on supermaster support. See :ref:`supermaster-operation`.

.. _setting-tcp-control-address:

``tcp-control-address``
-----------------------

Address to bind to for TCP control.

.. _setting-tcp-control-port:

``tcp-control-port``
--------------------

Port to bind to for TCP control.

.. _setting-tcp-control-range:

``tcp-control-range``
---------------------

- IP ranges, separated by commas or whitespace

Limit TCP control to a specific client range.

.. _setting-tcp-control-secret:

``tcp-control-secret``
----------------------

Password for TCP control.

.. _setting-tcp-fast-open:

- Default: 0 (Disabled)

.. versionadded:: 4.1.0

Enable TCP Fast Open support, if available, on the listening sockets.
The numerical value supplied is used as the queue size, 0 meaning

.. _setting-tcp-idle-timeout:

``tcp-idle-timeout``
--------------------

Maximum time in seconds that a TCP DNS connection is allowed to stay
open while being idle, meaning without PowerDNS receiving or sending

.. _setting-traceback-handler:

``traceback-handler``
---------------------

Enable the Linux-only traceback handler.

.. _setting-trusted-notification-proxy:

``trusted-notification-proxy``
------------------------------

IP address of the incoming notification proxy.

.. _setting-udp-truncation-threshold:

``udp-truncation-threshold``
----------------------------

EDNS0 allows for large UDP response datagrams, which can potentially
raise performance. Large responses however also have downsides in terms
of reflection attacks. The maximum value is 65535, but values above
4096 should probably not be attempted.

1232 is the largest number of payload bytes that can fit in the smallest IPv6 packet.
IPv6 has a minimum MTU of 1280 bytes (:rfc:`RFC 8200, section 5 <8200#section-5>`); minus 40 bytes for the IPv6 header and minus 8 bytes for the UDP header gives 1232, the maximum payload size for the DNS response.

.. _setting-version-string:

- Any of: ``anonymous``, ``powerdns``, ``full``, String

When queried for its version over DNS
(``dig chaos txt version.bind @pdns.ip.address``), PowerDNS normally
responds truthfully. With this setting you can overrule what will be
returned. Set the ``version-string`` to ``full`` to get the default
behaviour, to ``powerdns`` to just make it state
``served by PowerDNS - http://www.powerdns.com``. The ``anonymous``
setting will return a ServFail, much like Microsoft nameservers do. You
can set this response to a custom value as well.

.. _setting-webserver:

Start a webserver for monitoring. See :doc:`performance`.

.. versionchanged:: 4.1.0
  It was necessary to enable the webserver to use the REST API; this is no longer the case.

.. _setting-webserver-address:

``webserver-address``
---------------------

- Default: 127.0.0.1

IP address for the webserver/API to listen on.

.. _setting-webserver-allow-from:

``webserver-allow-from``
------------------------

- IP ranges, separated by commas or whitespace
- Default: 127.0.0.1,::1

.. versionchanged:: 4.1.0
  Default is now 127.0.0.1,::1, was 0.0.0.0/0,::/0 before.

Webserver/API access is only allowed from these subnets.

.. _setting-webserver-loglevel:

``webserver-loglevel``
----------------------

.. versionadded:: 4.2.0

- String, one of "none", "normal", "detailed"

The amount of logging the webserver must do. "none" means no useful webserver information will be logged.
When set to "normal", the webserver will log a line per request that should look familiar::

    [webserver] e235780e-a5cf-415e-9326-9d33383e739e 127.0.0.1:55376 "GET /api/v1/servers/localhost/bla HTTP/1.1" 404 196

When set to "detailed", all information about the request and response is logged::

    [webserver] e235780e-a5cf-415e-9326-9d33383e739e Request Details:
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e Headers:
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e accept-encoding: gzip, deflate
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e accept-language: en-US,en;q=0.5
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e connection: keep-alive
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e dnt: 1
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e host: 127.0.0.1:8081
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e upgrade-insecure-requests: 1
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e No body
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e Response details:
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e Headers:
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e Connection: close
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e Content-Length: 49
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e Content-Type: text/html; charset=utf-8
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e Server: PowerDNS/0.0.15896.0.gaba8bab3ab
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e Full body:
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e <!html><title>Not Found</title><h1>Not Found</h1>
    [webserver] e235780e-a5cf-415e-9326-9d33383e739e 127.0.0.1:55376 "GET /api/v1/servers/localhost/bla HTTP/1.1" 404 196

The second field on each line is a UUID that is generated for each request. This can be used to find all lines related to a single request.

The webserver logs these lines at the NOTICE level. The :ref:`setting-loglevel` setting must be 5 or higher for these lines to end up in the log.
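As an added example (not part of PowerDNS), the parser below groups the log lines shown above by their per-request UUID, extracts client, request and status, and keeps the request headers from "detailed" mode, so that error responses can be reviewed. The sample log reuses the page's 404 request (abbreviated) and adds a second request with a constructed UUID.

```python
"""Added example, not PowerDNS code: group webserver log lines by request UUID
and pull out the request summary.  The second UUID in the sample is constructed."""
from __future__ import annotations
import re
from collections import defaultdict

# Every webserver line: "[webserver] <uuid> <rest>"
LINE_RE = re.compile(r'^\[webserver\] (?P<uuid>[0-9a-f-]{36}) (?P<rest>.*)$')
# The per-request summary: '<client>:<port> "<method> <path> HTTP/x.y" <status> <size>'
REQ_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[0-9.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+)$'
)

# Constructed sample: the page's detailed-mode 404 (abbreviated) plus one
# normal-mode 200 request under a made-up UUID.
SAMPLE_LOG = """\
[webserver] e235780e-a5cf-415e-9326-9d33383e739e Request Details:
[webserver] e235780e-a5cf-415e-9326-9d33383e739e Headers:
[webserver] e235780e-a5cf-415e-9326-9d33383e739e host: 127.0.0.1:8081
[webserver] e235780e-a5cf-415e-9326-9d33383e739e user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0
[webserver] e235780e-a5cf-415e-9326-9d33383e739e No body
[webserver] e235780e-a5cf-415e-9326-9d33383e739e Response details:
[webserver] e235780e-a5cf-415e-9326-9d33383e739e Headers:
[webserver] e235780e-a5cf-415e-9326-9d33383e739e Content-Length: 49
[webserver] e235780e-a5cf-415e-9326-9d33383e739e 127.0.0.1:55376 "GET /api/v1/servers/localhost/bla HTTP/1.1" 404 196
[webserver] 00000000-0000-4000-8000-000000000001 127.0.0.1:55380 "GET /api/v1/servers HTTP/1.1" 200 118
"""


def group_by_uuid(log: str) -> dict[str, list[str]]:
    """Collect every line belonging to one request, keyed by its UUID.
    Lines that are not webserver lines are ignored."""
    groups: dict[str, list[str]] = defaultdict(list)
    for line in log.splitlines():
        match = LINE_RE.match(line)
        if match:
            groups[match["uuid"]].append(match["rest"])
    return dict(groups)


def summarize(log: str) -> dict[str, dict]:
    """Per request: client, method, path, status, and the request headers seen
    in detailed mode (lines between 'Request Details:' and 'Response details:')."""
    summary: dict[str, dict] = {}
    for uuid, lines in group_by_uuid(log).items():
        record = {"client": None, "method": None, "path": None, "status": None,
                  "request_headers": {}}
        in_request = False
        for rest in lines:
            match = REQ_RE.match(rest)
            if match:  # the summary line closes the request in both log modes
                record.update(client=match["client"], method=match["method"],
                              path=match["path"], status=int(match["status"]))
                continue
            if rest == "Request Details:":
                in_request = True
            elif rest == "Response details:":
                in_request = False
            elif in_request and ": " in rest:  # 'name: value' request header
                name, _, value = rest.partition(": ")
                record["request_headers"][name.lower()] = value
        summary[uuid] = record
    return summary


def error_requests(log: str) -> list[tuple[str, str, int]]:
    """(client, path, status) for every request answered with a 4xx or 5xx status,
    the lines worth reviewing when the API is probed or misconfigured."""
    return [(rec["client"], rec["path"], rec["status"])
            for rec in summarize(log).values()
            if rec["status"] is not None and rec["status"] >= 400]
```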
.. _setting-webserver-password:

``webserver-password``
----------------------

The plaintext password required for accessing the webserver.

.. _setting-webserver-port:

The port on which the webserver/API will listen.

.. _setting-webserver-print-arguments:

``webserver-print-arguments``
-----------------------------

If the webserver should print arguments.

.. _setting-write-pid:

If a PID file should be written.

.. _setting-xfr-max-received-mbytes:

``xfr-max-received-mbytes``
---------------------------

Specifies the maximum number of received megabytes allowed on an
incoming AXFR/IXFR update, to prevent resource exhaustion. A value of 0
means no restriction.