Skip to content
Snippets Groups Projects
Select Git revision
  • doc-update-acls
  • debhelper11
  • dbus
  • knotd-quic
  • edns_expire_addenda
  • xdp_tcp_evo2
  • master default protected
  • sem_checks_dnssec
  • edns_expire
  • changeset_mm
  • 3.1
  • multi_signer1
  • check-spelling
  • kdig-quic
  • pkg-xenial
  • 3.0
  • catalog_purge
  • auto_reverse_zone
  • xdp_busy
  • tls_rebased_wip2
  • v3.1.5
  • v3.0.10
  • v3.1.4
  • v3.1.3
  • v3.0.9
  • v3.1.2
  • v3.1.1
  • v3.2.dev
  • v3.1.0
  • v3.0.8
  • v3.0.7
  • v3.0.6
  • v2.9.9
  • v3.0.5
  • v3.0.4
  • v2.9.8
  • v3.0.3
  • v3.0.2
  • v3.0.1
  • v2.9.7
40 results
Blame History Permalink
Forked from Knot projects / Knot DNS
2208 commits behind, 1 commit ahead of the upstream repository.
configuration.rst 30.86 KiB

Configuration

Simple configuration

The following example presents a simple configuration file which can be used as a base for your Knot DNS setup:

# Example of a very simple Knot DNS configuration.

server:
    listen: 0.0.0.0@53
    listen: ::@53

zone:
  - domain: example.com
    storage: /var/lib/knot/zones/
    file: example.com.zone

log:
  - target: syslog
    any: info

Now let's walk through this configuration step by step:

  • The :ref:`server_listen` statement in the :ref:`server section<Server section>` defines where the server will listen for incoming connections. We have defined the server to listen on all available IPv4 and IPv6 addresses, all on port 53.
  • The :ref:`zone section<Zone section>` defines the zones that the server will serve. In this case, we defined one zone named example.com which is stored in the zone file :file:`/var/lib/knot/zones/example.com.zone`.
  • The :ref:`log section<Logging section>` defines the log facilities for the server. In this example, we told Knot DNS to send its log messages with the severity info or more serious to the syslog (or systemd journal).

For detailed description of all configuration items see :ref:`Configuration Reference`.

Zone templates

A zone template allows a single zone configuration to be shared among several zones. There is no inheritance between templates; they are exclusive. The default template identifier is reserved for the default template:

template:
  - id: default
    storage: /var/lib/knot/master
    semantic-checks: on

  - id: signed
    storage: /var/lib/knot/signed
    dnssec-signing: on
    semantic-checks: on
    master: [master1, master2]

  - id: slave
    storage: /var/lib/knot/slave

zone:
  - domain: example1.com     # Uses default template

  - domain: example2.com     # Uses default template
    semantic-checks: off     # Override default settings

  - domain: example.cz
    template: signed
    master: master3          # Override masters to just master3

  - domain: example1.eu
    template: slave
    master: master1

  - domain: example2.eu
    template: slave
    master: master2

Note

Each template option can be explicitly overridden in zone-specific configuration.

Access control list (ACL)

The Access control list is a list of rules specifying remotes which are allowed to send certain types of requests to the server. Remotes can be specified by a single IP address or a network subnet. A TSIG key can also be assigned (see :doc:`keymgr<man_keymgr>` on how to generate a TSIG key).

Without any ACL rules, all the actions are denied for the zone. Each ACL rule can allow one or more actions for a given address/subnet/TSIG, or deny them.

If there are multiple ACL rules for a single zone, they are applied in the order of appearance in the :ref:`zone_acl` configuration item of a zone or a template. The first one to match the given remote is applied, the rest is ignored.

For dynamic updates, additional rules may be specified, which will allow or deny updates according to the type or owner of Resource Records in the update.

See the following examples and :ref:`ACL section`.