Disallow data modification through the REST API when set.
+.. _setting-axfr-fetch-timeout:
+
+``axfr-fetch-timeout``
+----------------------
+
+- Integer
+- Default: 10
+
+.. versionadded:: 4.3.0
+
+Maximum time in seconds for inbound AXFR to start or be idle after starting.
+
.. _setting-axfr-lower-serial:
``axfr-lower-serial``
The default keysize for the KSK generated with :doc:`pdnsutil secure-zone <dnssec/pdnsutil>`.
Only relevant for algorithms with non-fixed keysizes (like RSA).
+.. _setting-default-publish-cdnskey:
+
+``default-publish-cdnskey``
+---------------------------
+- Integer
+- Default: empty
+
+.. versionadded:: 4.3.0
+
+The default PUBLISH-CDNSKEY value for zones that do not have one individually specified.
+See the :ref:`metadata-publish-cdnskey-publish-cds` docs for more information.
+
+.. _setting-default-publish-cds:
+
+``default-publish-cds``
+-----------------------
+
+- Comma-separated integers
+- Default: empty
+
+.. versionadded:: 4.3.0
+
+The default PUBLISH-CDS value for zones that do not have one individually specified.
+See the :ref:`metadata-publish-cdnskey-publish-cds` docs for more information.
+
.. _setting-default-soa-edit:
``default-soa-edit``
``local-address``
-----------------
+.. versionchanged:: 4.3.0
+ now also takes your IPv6 addresses
+
+.. versionchanged:: 4.3.0
+ Before 4.3.0, this setting only supported IPv4.
- IPv4 Addresses, separated by commas or whitespace
-- Default: 0.0.0.0
+- Default: 0.0.0.0, ``::``
-Local IP address to which we bind. It is highly advised to bind to
+Local IP addresses to which we bind. It is highly advised to bind to
specific interfaces and not use the default 'bind to any'. This causes
big problems if you have multiple IP addresses. Unix does not provide a
way of figuring out what IP address a packet was sent to when binding to
``local-ipv6``
--------------
+.. versionchanged:: 4.3.0
+ removed, use :ref:`setting-local-address`
+
+.. deprecated:: 4.3.0
+ This setting has been removed, use :ref:`setting-localaddress`
- IPv6 Addresses, separated by commas or whitespace
- Default: '::'
``local-ipv6-nonexist-fail``
----------------------------
+.. deprecated:: 4.3.0
+ This setting has been removed, use :ref:`setting-localaddress-nonexist-fail`
+
- Boolean
- Default: no
Script to be used to edit incoming AXFRs, see :ref:`modes-of-operation-axfrfilter`
+.. _setting-lua-health-checks-expire-delay:
+
+``lua-health-checks-expire-delay``
+----------------------------------
+
+- Integer
+- Default: 3600
+
+.. versionadded:: 4.3.0
+
+Amount of time (in seconds) to expire (remove) a LUA monitoring check when the record
+isn't used any more (either deleted or modified).
+
+.. _setting-lua-health-checks-interval:
+
+``lua-health-checks-interval``
+------------------------------
+
+- Integer
+- Default: 5
+
+.. versionadded:: 4.3.0
+
+Amount of time (in seconds) between subsequent monitoring health checks. Does nothing
+if the checks take more than that time to execute.
+
.. _setting-lua-prequery-script:
``lua-prequery-script``
Maximum number of empty non-terminals to add to a zone. This is a
protection measure to avoid database explosion due to long names.
+.. _setting-max-generate-steps:
+
+``max-generate-steps``
+----------------------
+
+.. versionadded:: 4.3.0
+
+- Integer
+- Default: 0
+
+Maximum number of steps for a '$GENERATE' directive when parsing a
+zone file. This is a protection measure to prevent consuming a lot of
+CPU and memory when untrusted zones are loaded. Default to 0 which
+means unlimited.
+
.. _setting-max-nsec3-iterations:
``max-nsec3-iterations``
*received* from a master. This is useful when using when running a
signing-slave.
+See :ref:`metadata-slave-renotify` to set this per-zone.
+
.. _setting-soa-expire-default:
``soa-expire-default``