# Autogenerated configuration file template ################################# # ignore-unknown-settings Configuration settings to ignore if they are unknown # # ignore-unknown-settings= ################################# # 8bit-dns Allow 8bit dns queries # # 8bit-dns=no ################################# # allow-axfr-ips Allow zonetransfers only to these subnets # # allow-axfr-ips=127.0.0.0/8,::1 ################################# # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. # # allow-dnsupdate-from=127.0.0.0/8,::1 ################################# # allow-notify-from Allow AXFR NOTIFY from these IP ranges. If empty, drop all incoming notifies. # # allow-notify-from=0.0.0.0/0,::/0 ################################# # allow-unsigned-autoprimary Allow autoprimaries to create zones without TSIG signed NOTIFY # # allow-unsigned-autoprimary=yes ################################# # allow-unsigned-notify Allow unsigned notifications for TSIG secured zones # # allow-unsigned-notify=yes ################################# # also-notify When notifying a zone, also notify these nameservers # # also-notify= ################################# # any-to-tcp Answer ANY queries with tc=1, shunting to TCP # # any-to-tcp=yes ################################# # api Enable/disable the REST API (including HTTP listener) # # api=no ################################# # api-key Static pre-shared authentication key for access to the REST API # # api-key= ################################# # autosecondary Act as an autosecondary # # autosecondary=no ################################# # axfr-fetch-timeout Maximum time in seconds for inbound AXFR to start or be idle after starting # # axfr-fetch-timeout=10 ################################# # axfr-lower-serial Also AXFR a zone from a primary with a lower serial # # axfr-lower-serial=no ################################# # cache-ttl Seconds to store packets in the PacketCache # # cache-ttl=20 ################################# # carbon-instance If set overwrites the instance name default # # carbon-instance=auth ################################# # carbon-interval Number of seconds between carbon (graphite) updates # # carbon-interval=30 ################################# # carbon-namespace If set overwrites the first part of the carbon string # # carbon-namespace=pdns ################################# # carbon-ourname If set, overrides our reported hostname for carbon stats # # carbon-ourname= ################################# # carbon-server If set, send metrics in carbon (graphite) format to this server IP address # # carbon-server= ################################# # chroot If set, chroot to this directory for more security # # chroot= ################################# # config-dir Location of configuration directory (pdns.conf) # # config-dir=/etc/pdns ################################# # config-name Name of this virtual configuration - will rename the binary image # # config-name= ################################# # consistent-backends Assume individual zones are not divided over backends. Send only ANY lookup operations to the backend to reduce the number of lookups # # consistent-backends=yes ################################# # control-console Debugging switch - don't use # # control-console=no ################################# # daemon Operate as a daemon # # daemon=no ################################# # default-api-rectify Default API-RECTIFY value for zones # # default-api-rectify=yes ################################# # default-catalog-zone Catalog zone to assign newly created primary zones (via the API) to # # default-catalog-zone= ################################# # default-ksk-algorithm Default KSK algorithm # # default-ksk-algorithm=ecdsa256 ################################# # default-ksk-size Default KSK size (0 means default) # # default-ksk-size=0 ################################# # default-publish-cdnskey Default value for PUBLISH-CDNSKEY # # default-publish-cdnskey= ################################# # default-publish-cds Default value for PUBLISH-CDS # # default-publish-cds= ################################# # default-soa-content Default SOA content # # default-soa-content=a.misconfigured.dns.server.invalid hostmaster.@ 0 10800 3600 604800 3600 ################################# # default-soa-edit Default SOA-EDIT value # # default-soa-edit= ################################# # default-soa-edit-signed Default SOA-EDIT value for signed zones # # default-soa-edit-signed= ################################# # default-ttl Seconds a result is valid if not set otherwise # # default-ttl=3600 ################################# # default-zsk-algorithm Default ZSK algorithm # # default-zsk-algorithm= ################################# # default-zsk-size Default ZSK size (0 means default) # # default-zsk-size=0 ################################# # delay-notifications Configure a delay to send out notifications, no delay by default # # delay-notifications=0 ################################# # direct-dnskey Fetch DNSKEY, CDS and CDNSKEY RRs from backend during DNSKEY or CDS/CDNSKEY synthesis # # direct-dnskey=no ################################# # disable-axfr Disable zonetransfers but do allow TCP queries # # disable-axfr=no ################################# # disable-axfr-rectify Disable the rectify step during an outgoing AXFR. Only required for regression testing. # # disable-axfr-rectify=no ################################# # disable-syslog Disable logging to syslog, useful when running inside a supervisor that logs stderr # # disable-syslog=no ################################# # distributor-threads Default number of Distributor (backend) threads to start # # distributor-threads=3 ################################# # dname-processing If we should support DNAME records # # dname-processing=no ################################# # dnssec-key-cache-ttl Seconds to cache DNSSEC keys from the database # # dnssec-key-cache-ttl=30 ################################# # dnsupdate Enable/Disable DNS update (RFC2136) support. Default is no. # # dnsupdate=no ################################# # dnsupdate-require-tsig Require TSIG secured DNS updates. Default is no. # # dnsupdate-require-tsig=no ################################# # domain-metadata-cache-ttl Seconds to cache zone metadata from the database # # domain-metadata-cache-ttl= ################################# # edns-cookie-secret When set, set a server cookie when responding to a query with a Client cookie (in hex) # # edns-cookie-secret= ################################# # edns-subnet-processing If we should act on EDNS Subnet options # # edns-subnet-processing=no ################################# # enable-lua-records Process LUA records for all zones (metadata overrides this) # # enable-lua-records=no ################################# # entropy-source If set, read entropy from this file # # entropy-source=/dev/urandom ################################# # expand-alias Expand ALIAS records # # expand-alias=no ################################# # forward-dnsupdate A global setting to allow DNS update packages that are for a Secondary zone, to be forwarded to the primary. # # forward-dnsupdate=yes ################################# # forward-notify IP addresses to forward received notifications to regardless of primary or secondary settings # # forward-notify= ################################# # guardian Run within a guardian process # # guardian=no ################################# # include-dir Include *.conf files from this directory # # include-dir= ################################# # launch Which backends to launch and order to query them in # # launch= ################################# # load-modules Load this module - supply absolute or relative path # # load-modules= ################################# # local-address Local IP addresses to which we bind # # local-address=0.0.0.0, :: ################################# # local-address-nonexist-fail Fail to start if one or more of the local-address's do not exist on this server # # local-address-nonexist-fail=yes ################################# # local-port The port on which we listen # # local-port=53 ################################# # log-dns-details If PDNS should log DNS non-erroneous details # # log-dns-details=no ################################# # log-dns-queries If PDNS should log all incoming DNS queries # # log-dns-queries=no ################################# # log-timestamp Print timestamps in log lines # # log-timestamp=yes ################################# # logging-facility Log under a specific facility # # logging-facility= ################################# # loglevel Amount of logging. Higher is more. Do not set below 3 # # loglevel=4 ################################# # loglevel-show Include log level indicator in log output # # loglevel-show=no ################################# # lua-axfr-script Script to be used to edit incoming AXFRs # # lua-axfr-script= ################################# # lua-consistent-hashes-cleanup-interval Pre-computed hashes cleanup interval (in seconds) # # lua-consistent-hashes-cleanup-interval=3600 ################################# # lua-consistent-hashes-expire-delay Cleanup pre-computed hashes that haven't been used for the given delay (in seconds). See pickchashed() LUA function # # lua-consistent-hashes-expire-delay=86400 ################################# # lua-dnsupdate-policy-script Lua script with DNS update policy handler # # lua-dnsupdate-policy-script= ################################# # lua-health-checks-expire-delay Stops doing health checks after the record hasn't been used for that delay (in seconds) # # lua-health-checks-expire-delay=3600 ################################# # lua-health-checks-interval LUA records health checks monitoring interval in seconds # # lua-health-checks-interval=5 ################################# # lua-prequery-script Lua script with prequery handler (DO NOT USE) # # lua-prequery-script= ################################# # lua-records-exec-limit LUA records scripts execution limit (instructions count). Values <= 0 mean no limit # # lua-records-exec-limit=1000 ################################# # lua-records-insert-whitespace Insert whitespace when combining LUA chunks # # lua-records-insert-whitespace=no ################################# # max-cache-entries Maximum number of entries in the query cache # # max-cache-entries=1000000 ################################# # max-ent-entries Maximum number of empty non-terminals in a zone # # max-ent-entries=100000 ################################# # max-generate-steps Maximum number of $GENERATE steps when loading a zone from a file # # max-generate-steps=0 ################################# # max-include-depth Maximum number of nested $INCLUDE directives while processing a zone file # # max-include-depth=20 ################################# # max-nsec3-iterations Limit the number of NSEC3 hash iterations # # max-nsec3-iterations=100 ################################# # max-packet-cache-entries Maximum number of entries in the packet cache # # max-packet-cache-entries=1000000 ################################# # max-queue-length Maximum queuelength before considering situation lost # # max-queue-length=5000 ################################# # max-signature-cache-entries Maximum number of signatures cache entries # # max-signature-cache-entries= ################################# # max-tcp-connection-duration Maximum time in seconds that a TCP DNS connection is allowed to stay open. # # max-tcp-connection-duration=0 ################################# # max-tcp-connections Maximum number of TCP connections # # max-tcp-connections=20 ################################# # max-tcp-connections-per-client Maximum number of simultaneous TCP connections per client # # max-tcp-connections-per-client=0 ################################# # max-tcp-transactions-per-conn Maximum number of subsequent queries per TCP connection # # max-tcp-transactions-per-conn=0 ################################# # module-dir Default directory for modules # # module-dir=/usr/lib/pdns/pdns ################################# # negquery-cache-ttl Seconds to store negative query results in the QueryCache # # negquery-cache-ttl=60 ################################# # no-shuffle Set this to prevent random shuffling of answers - for regression testing # # no-shuffle=off ################################# # non-local-bind Enable binding to non-local addresses by using FREEBIND / BINDANY socket options # # non-local-bind=no ################################# # only-notify Only send AXFR NOTIFY to these IP addresses or netmasks # # only-notify=0.0.0.0/0,::/0 ################################# # outgoing-axfr-expand-alias Expand ALIAS records during outgoing AXFR # # outgoing-axfr-expand-alias=no ################################# # overload-queue-length Maximum queuelength moving to packetcache only # # overload-queue-length=0 ################################# # prevent-self-notification Don't send notifications to what we think is ourself # # prevent-self-notification=yes ################################# # primary Act as a primary # # primary=no ################################# # proxy-protocol-from A Proxy Protocol header is only allowed from these subnets, and is mandatory then too. # # proxy-protocol-from= ################################# # proxy-protocol-maximum-size The maximum size of a proxy protocol payload, including the TLV values # # proxy-protocol-maximum-size=512 ################################# # query-cache-ttl Seconds to store query results in the QueryCache # # query-cache-ttl=20 ################################# # query-local-address Source IP addresses for sending queries # # query-local-address=0.0.0.0 :: ################################# # query-logging Hint backends that queries should be logged # # query-logging=no ################################# # queue-limit Maximum number of milliseconds to queue a query # # queue-limit=1500 ################################# # receiver-threads Default number of receiver threads to start # # receiver-threads=1 ################################# # resolver Use this resolver for ALIAS and the internal stub resolver # # resolver=no ################################# # retrieval-threads Number of AXFR-retrieval threads for secondary operation # # retrieval-threads=2 ################################# # reuseport Enable higher performance on compliant kernels by using SO_REUSEPORT allowing each receiver thread to open its own socket # # reuseport=no ################################# # rng Specify the random number generator to use. Valid values are auto,sodium,openssl,getrandom,arc4random,urandom. # # rng=auto ################################# # secondary Act as a secondary # # secondary=no ################################# # secondary-check-signature-freshness Check signatures in SOA freshness check. Sets DO flag on SOA queries. Outside some very problematic scenarios, say yes here. # # secondary-check-signature-freshness=yes ################################# # secondary-do-renotify If this secondary should send out notifications after receiving zone transfers from a primary # # secondary-do-renotify=no ################################# # security-poll-suffix Zone name from which to query security update notifications # # security-poll-suffix=secpoll.powerdns.com. ################################# # send-signed-notify Send TSIG secured NOTIFY if TSIG key is configured for a zone # # send-signed-notify=yes ################################# # server-id Returned when queried for 'id.server' TXT or NSID, defaults to hostname - disabled or custom # # server-id= ################################# # setgid If set, change group id to this gid for more security # # setgid= ################################# # setuid If set, change user id to this uid for more security # # setuid= ################################# # signing-threads Default number of signer threads to start # # signing-threads=3 ################################# # socket-dir Where the controlsocket will live, /var/run/pdns when unset and not chrooted. Set to the RUNTIME_DIRECTORY environment variable when that variable has a value (e.g. under systemd). # # socket-dir= ################################# # svc-autohints Transparently fill ipv6hint=auto ipv4hint=auto SVC params with AAAA/A records for the target name of the record (if within the same zone) # # svc-autohints=no ################################# # tcp-control-address If set, PowerDNS can be controlled over TCP on this address # # tcp-control-address= ################################# # tcp-control-port If set, PowerDNS can be controlled over TCP on this address # # tcp-control-port=53000 ################################# # tcp-control-range If set, remote control of PowerDNS is possible over these networks only # # tcp-control-range=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10 ################################# # tcp-control-secret If set, PowerDNS can be controlled over TCP after passing this secret # # tcp-control-secret= ################################# # tcp-fast-open Enable TCP Fast Open support on the listening sockets, using the supplied numerical value as the queue size # # tcp-fast-open=0 ################################# # tcp-idle-timeout Maximum time in seconds that a TCP DNS connection is allowed to stay open while being idle # # tcp-idle-timeout=5 ################################# # traceback-handler Enable the traceback handler (Linux only) # # traceback-handler=yes ################################# # trusted-notification-proxy IP address of incoming notification proxy # # trusted-notification-proxy= ################################# # udp-truncation-threshold Maximum UDP response size before we truncate # # udp-truncation-threshold=1232 ################################# # upgrade-unknown-types Transparently upgrade known TYPExxx records. Recommended to keep off, except for PowerDNS upgrades until data sources are cleaned up # # upgrade-unknown-types=no ################################# # version-string PowerDNS version in packets - full, anonymous, powerdns or custom # # version-string=full ################################# # webserver Start a webserver for monitoring (api=yes also enables the HTTP listener) # # webserver=no ################################# # webserver-address IP Address of webserver/API to listen on # # webserver-address=127.0.0.1 ################################# # webserver-allow-from Webserver/API access is only allowed from these subnets # # webserver-allow-from=127.0.0.1,::1 ################################# # webserver-hash-plaintext-credentials Whether to hash passwords and api keys supplied in plaintext, to prevent keeping the plaintext version in memory at runtime # # webserver-hash-plaintext-credentials=no ################################# # webserver-loglevel Amount of logging in the webserver (none, normal, detailed) # # webserver-loglevel=normal ################################# # webserver-max-bodysize Webserver/API maximum request/response body size in megabytes # # webserver-max-bodysize=2 ################################# # webserver-password Password required for accessing the webserver # # webserver-password= ################################# # webserver-port Port of webserver/API to listen on # # webserver-port=8081 ################################# # webserver-print-arguments If the webserver should print arguments # # webserver-print-arguments=no ################################# # workaround-11804 Workaround for issue 11804: send single RR per AXFR chunk # # workaround-11804=no ################################# # write-pid Write a PID file # # write-pid=yes ################################# # xfr-cycle-interval Schedule primary/secondary SOA freshness checks once every .. seconds # # xfr-cycle-interval=60 ################################# # xfr-max-received-mbytes Maximum number of megabytes received from an incoming XFR # # xfr-max-received-mbytes=100 ################################# # zone-cache-refresh-interval Seconds to cache list of known zones # # zone-cache-refresh-interval=300 ################################# # zone-metadata-cache-ttl Seconds to cache zone metadata from the database # # zone-metadata-cache-ttl=60 setuid=pdns setgid=pdns