primary¶
Changed in version 4.5.0: This was called master before 4.5.0.
- Boolean
- Default: no
Turn on operating as a primary. See Primary operation.
All PowerDNS Authoritative Server settings are listed here, excluding
those that originate from backends, which are documented in the relevant
chapters. These settings can be set inside pdns.conf or on the
commandline when invoking the pdns binary.
You can use += syntax to set some variables incrementally, but this
requires you to have at least one non-incremental setting for the
variable to act as base setting. This is mostly useful for
include-dir directive.
For boolean settings, specifying the name of the setting without a value
means yes.
allow-axfr-ips¶If set, only these IP addresses or netmasks will be able to perform AXFR without TSIG.
Warning
This setting only applies to AXFR without TSIG keys. If you allow a TSIG key to perform an AXFR, this setting will not be checked for that transfer, and the client will be able to perform the AXFR from everywhere.
allow-dnsupdate-from¶Allow DNS updates from these IP ranges. Set to empty string to honour ALLOW-DNSUPDATE-FROM in ALLOW-DNSUPDATE-FROM.
allow-notify-from¶Allow AXFR NOTIFY from these IP ranges. Setting this to an empty string will drop all incoming notifies.
Note
IPs allowed by this setting, still go through the normal NOTIFY processing as described in Secondary operation The IP the NOTIFY is received from, still needs to be a nameserver for the secondary domain. Explicitly setting this parameter will not bypass those checks.
allow-unsigned-autoprimary¶Changed in version 4.5.0: This was called allow-unsigned-supermaster before 4.5.0.
Turning this off requires all autoprimary notifications to be signed by valid TSIG signature. It will accept any existing key on slave.
allow-unsigned-notify¶Turning this off requires all notifications that are received to be signed by valid TSIG signature for the zone.
allow-unsigned-supermaster¶Deprecated since version 4.5.0: Renamed to allow-unsigned-autoprimary. Removed in 4.9.0
also-notify¶When notifying a zone, also notify these nameservers. Example:
also-notify=192.0.2.1, 203.0.113.167. The IP addresses listed in
also-notify always receive a notification. Even if they do not match
the list in only-notify.
You may specify an alternate port by appending :port. Example:
also-notify=192.0.2.1:5300. If no port is specified, port 53
is used.
any-to-tcp¶Answer questions for the ANY on UDP with a truncated packet that refers the remote server to TCP. Useful for mitigating reflection attacks.
api-key¶Changed in version 4.6.0: This setting now accepts a hashed and salted version.
Static pre-shared authentication key for access to the REST API. Since 4.6.0 the key can be hashed and salted using pdnsutil hash-password instead of being stored in the configuration in plaintext, but the plaintext version is still supported.
autosecondary¶Changed in version 4.5.0: This was called superslave before 4.5.0.
Turn on autosecondary support. See Autoprimary: automatic provisioning of secondaries.
axfr-fetch-timeout¶New in version 4.3.0.
Maximum time in seconds for inbound AXFR to start or be idle after starting.
cache-ttl¶Seconds to store packets in the Packet Cache. A value of 0 will disable the cache.
carbon-instance¶Set the instance or third string of the metric key. Be careful not to include any dots in this setting, unless you know what you are doing. See Sending metrics to Graphite/Metronome over Carbon
carbon-interval¶If sending carbon updates, this is the interval between them in seconds. See Sending metrics to Graphite/Metronome over Carbon.
carbon-namespace¶Set the namespace or first string of the metric key. Be careful not to include any dots in this setting, unless you know what you are doing. See Sending metrics to Graphite/Metronome over Carbon
carbon-ourname¶If sending carbon updates, if set, this will override our hostname. Be careful not to include any dots in this setting, unless you know what you are doing. See Sending metrics to Graphite/Metronome over Carbon
carbon-server¶Send all available metrics to this server via the carbon protocol, which is used by graphite and metronome. It has to be an address (no hostnames). Moreover you can specify more than one server using a comma delimited list, ex: carbon-server=10.10.10.10,10.10.10.20. You may specify an alternate port by appending :port, ex: 127.0.0.1:2004. See Sending metrics to Graphite/Metronome over Carbon.
chroot¶If set, chroot to this directory for more security. See Security of PowerDNS. This is not recommended; instead, we recommend containing PowerDNS using operating system features. We ship systemd unit files with our packages to make this easy.
Make sure that /dev/log is available from within the chroot. Logging
will silently fail over time otherwise (on logrotate).
When setting chroot, all other paths in the config (except for
config-dir and module-dir)
set in the configuration are relative to the new root.
When running on a system where systemd manages services, chroot does
not work out of the box, as PowerDNS cannot use the NOTIFY_SOCKET.
Either don’t chroot on these systems or set the ‘Type’ of the
service to ‘simple’ instead of ‘notify’ (refer to the systemd
documentation on how to modify unit-files).
secondary-check-signature-freshness¶New in version 4.7.0.
Enabled by default, freshness checks for secondary zones will set the DO flag on SOA queries. PowerDNS can detect (signature) changes on the primary server without serial number bumps using the DNSSEC signatures in the SOA response.
In some problematic scenarios, primary servers send truncated SOA responses. As a workaround, this setting can be turned off, and the DO flag as well as the signature checking will be disabled. To avoid additional drift, primary servers must then always increase the zone serial when it updates signatures.
It is strongly recommended to keep this setting enabled (yes).
config-dir¶Location of configuration directory (the directory containing pdns.conf). Usually
/etc/powerdns, but this depends on SYSCONFDIR during
compile-time.
config-name¶Name of this virtual configuration - will rename the binary image. See Running Virtual Instances.
consistent-backends¶New in version 4.4.0.
When this is set, PowerDNS assumes that any single zone lives in only one backend.
This allows PowerDNS to send ANY lookups to its backends, instead of sometimes requesting the exact needed type.
This reduces the load on backends by retrieving all the types for a given name at once, adding all of them to the cache.
It improves performance significantly for latency-sensitive backends, like SQL ones, where a round-trip takes serious time.
Warning
This behaviour is only a meaningful optimization if the returned response to the ANY query can actually be cached,
which is not the case if it contains at least one record with a non-zero scope. For this reason consistent-backends
should be disabled when at least one of the backends in use returns location-based records, like the GeoIP backend.
Note
Pre 4.5.0 the default was no.
control-console¶Debugging switch - don’t use.
default-api-rectify¶The value of API-RECTIFY if it is not set on the zone.
Note
Pre 4.2.0 the default was always no.
default-catalog-zone¶New in version 4.8.3.
When a primary zone is created via the API, and the request does not specify a catalog zone, the name given here will be used.
default-ksk-algorithm¶The algorithm that should be used for the KSK when running pdnsutil secure-zone or using the Zone API endpoint to enable DNSSEC. Must be one of:
Note
Actual supported algorithms depend on the crypto-libraries
PowerDNS was compiled against. To check the supported DNSSEC algorithms
in your build of PowerDNS, run pdnsutil list-algorithms.
default-ksk-size¶The default keysize for the KSK generated with pdnsutil secure-zone. Only relevant for algorithms with non-fixed keysizes (like RSA).
default-publish-cdnskey¶New in version 4.3.0.
The default PUBLISH-CDNSKEY value for zones that do not have one individually specified. See the PUBLISH-CDNSKEY, PUBLISH-CDS docs for more information.
default-publish-cds¶New in version 4.3.0.
The default PUBLISH-CDS value for zones that do not have one individually specified. See the PUBLISH-CDNSKEY, PUBLISH-CDS docs for more information.
default-soa-content¶New in version 4.4.0.
This value is used when a zone is created without providing a SOA record. @ is replaced by the zone name.
default-soa-edit¶Use this soa-edit value for all zones if no SOA-EDIT metadata value is set.
default-soa-edit-signed¶Use this soa-edit value for all signed zones if no SOA-EDIT metadata value is set. Overrides default-soa-edit
default-soa-mail¶Deprecated since version 4.2.0: This setting has been removed in 4.4.0
Mail address to insert in the SOA record if none set in the backend.
default-soa-name¶Deprecated since version 4.2.0: This setting has been removed in 4.4.0
Name to insert in the SOA record if none set in the backend.
default-zsk-algorithm¶The algorithm that should be used for the ZSK when running pdnsutil secure-zone or using the Zone API endpoint to enable DNSSEC. Must be one of:
Note
Actual supported algorithms depend on the crypto-libraries
PowerDNS was compiled against. To check the supported DNSSEC algorithms
in your build of PowerDNS, run pdnsutil list-algorithms.
default-zsk-size¶The default keysize for the ZSK generated with pdnsutil secure-zone. Only relevant for algorithms with non-fixed keysizes (like RSA).
delay-notifications¶Configure a delay to send out notifications, no delay by default.
direct-dnskey¶Read additional DNSKEY, CDS and CDNSKEY records from the records table/your BIND zonefile. If not set, DNSKEY, CDS and CDNSKEY records in the zonefiles are ignored.
disable-axfr-rectify¶Disable the rectify step during an outgoing AXFR. Only required for regression testing.
disable-syslog¶Do not log to syslog, only to stderr. Use this setting when running inside a supervisor that handles logging (like systemd).
Warning
Do not use this setting in combination with daemon as all logging will disappear.
distributor-threads¶Number of Distributor (backend) threads to start per receiver thread. See Performance and Tuning.
dname-processing¶Turn on DNAME processing (DNAME substitution, CNAME synthesis). This approximately doubles query load.
If this is turned off, DNAME records are treated as any other and served only when queried explicitly.
dnsproxy-udp-port-range¶If resolver enables the DNS Proxy, this setting limits the port range the DNS Proxy’s UDP port is chosen from.
Default should be fine on most installs, but if you have conflicting local services, you may choose to limit the range.
dnssec-key-cache-ttl¶Seconds to cache DNSSEC keys from the database. A value of 0 disables caching.
dnsupdate¶Enable/Disable DNS update (RFC2136) support. See Dynamic DNS Update (RFC 2136) for more.
dnsupdate-require-tsig¶New in version 5.0.0.
Requires DNS updates to be signed by a valid TSIG signature even if the zone has no associated keys.
do-ipv6-additional-processing¶Changed in version 4.4.0: This setting has been removed
Perform AAAA additional processing. This sends AAAA records in the ADDITIONAL section when sending a referral.
domain-metadata-cache-ttl¶Deprecated since version 4.5.0: Renamed to zone-metadata-cache-ttl.
Seconds to cache zone metadata from the database. A value of 0 disables caching.
edns-cookie-secret¶New in version 4.6.0.
When set, PowerDNS will respond with RFC 9018 EDNS Cookies to queries that have the EDNS0 Cookie option. PowerDNS will also respond with BADCOOKIE to clients that have sent only a client cookie, or a bad server cookie (section 5.2.3 and 5.2.4 of RFC 7873).
This setting MUST be 32 hexadecimal characters, as the siphash algorithm’s key used to create the cookie requires a 128-bit key.
edns-subnet-processing¶Enables EDNS subnet processing, for backends that support it.
enable-gss-tsig¶Enable accepting GSS-TSIG signed messages. In addition to this setting, see TSIG.
enable-lua-records¶no, yes (or empty), or shared, StringGlobally enable the LUA records feature.
To use shared LUA states, set this to shared, see Shared Lua state model.
expand-alias¶If this is enabled, ALIAS records are expanded (synthesized to their A/AAAA).
If this is disabled (the default), ALIAS records will not be expanded and the server will return NODATA for A/AAAA queries for such names.
Note
resolver must also be set for ALIAS expansion to work!
Note
In PowerDNS Authoritative Server 4.0.x, this setting did not exist and ALIAS was always expanded.
resolve-across-zones¶New in version 5.0.0.
If this is enabled, CNAME records and other referrals will be resolved as long as their targets exist in any local backend. Can be disabled to allow for different authorities managing zones in the same server instance.
Referrals not available in local backends are never resolved. SVCB referrals are never resolved across zones. ALIAS is not impacted by this setting.
forward-notify¶IP addresses to forward received notifications to regardless of master or slave settings.
Note
The intended use is in anycast environments where it might be necessary for a proxy server to perform the AXFR. The usual checks are performed before any received notification is forwarded.
ignore-unknown-settings¶New in version 4.5.0.
Names of settings to be ignored while parsing configuration files, if the setting name is unknown to PowerDNS.
Useful during upgrade testing.
include-dir¶Directory to scan for additional config files. All files that end with
.conf are loaded in order using POSIX as locale.
launch¶Which backends to launch and order to query them in. Launches backends. In its most simple form, supply all backends that need to be launched. e.g.
launch=bind,gmysql,remote
If you find that you need to query a backend multiple times with different configuration, you can specify a name for later instantiations. e.g.:
launch=gmysql,gmysql:server2
In this case, there are 2 instances of the gmysql backend, one by the
normal name and the second one is called ‘server2’. The backend
configuration item names change: e.g. gmysql-host is available to
configure the host setting of the first or main instance, and
gmysql-server2-host for the second one.
Running multiple instances of the BIND backend is not allowed.
load-modules¶If backends are available in nonstandard directories, specify their location here. Multiple files can be loaded if separated by commas. Only available in non-static distributions.
local-address¶Changed in version 4.3.0: now also accepts IPv6 addresses
Changed in version 4.3.0: Before 4.3.0, this setting only supported IPv4 addresses.
0.0.0.0, ::Local IP addresses to which we bind. Each address specified can include a port number; if no port is included then the local-port port will be used for that address. If a port number is specified, it must be separated from the address with a ‘:’; for an IPv6 address the address must be enclosed in square brackets.
Examples:
local-address=127.0.0.1 ::1
local-address=0.0.0.0:5353
local-address=[::]:8053
local-address=127.0.0.1:53, [::1]:5353
local-address-nonexist-fail¶Fail to start if one or more of the local-address’s do not exist on this server.
local-ipv6¶Deprecated since version 4.5.0: Use local-address instead
local-ipv6-nonexist-fail¶Changed in version 4.3.0: This setting has been removed, use local-address-nonexist-fail
Fail to start if one or more of the local-ipv6 addresses do not exist on this server.
local-port¶Local port to bind to. If an address in local-address does not have an explicit port, this port is used.
log-dns-details¶If set to ‘no’, informative-only DNS details will not even be sent to syslog, improving performance.
log-dns-queries¶Tell PowerDNS to log all incoming DNS queries. This will lead to a lot of logging! Only enable for debugging! Set loglevel to at least 5 to see the logs.
log-timestamp¶When printing log lines to stderr, prefix them with timestamps. Disable this if the process supervisor timestamps these lines already.
Note
The systemd unit file supplied with the source code already disables timestamp printing
logging-facility¶If set to a digit, logging is performed under this LOCAL facility. See Logging to syslog. Do not pass names like ‘local0’!
loglevel¶Amount of logging. The higher the number, the more lines logged. Corresponds to “syslog” level values (e.g. 0 = emergency, 1 = alert, 2 = critical, 3 = error, 4 = warning, 5 = notice, 6 = info, 7 = debug). Each level includes itself plus the lower levels before it. Not recommended to set this below 3.
loglevel-show¶New in version 4.9.0.
When enabled, log messages are formatted like structured logs, including their log level/priority: msg="Unable to launch, no backends configured for querying" prio="Error"
lua-axfr-script¶Script to be used to edit incoming AXFRs, see Modifying a secondary zone using a script
lua-consistent-hashes-cleanup-interval¶New in version 4.9.0.
Amount of time (in seconds) between subsequent cleanup routines for pre-computed hashes related to pickchashed().
lua-consistent-hashes-expire-delay¶New in version 4.9.0.
Amount of time (in seconds) a pre-computed hash entry will be considered as expired when unused. See pickchashed().
lua-global-include-dir¶/etc/pdns/lua-global/New in version 5.0.0.
When creating a Lua context, scan this directory for additional lua files. All files that end with
.lua are loaded in order using POSIX as locale with Lua scripts.
lua-health-checks-expire-delay¶New in version 4.3.0.
Amount of time (in seconds) to expire (remove) a LUA monitoring check when the record isn’t used any more (either deleted or modified).
lua-health-checks-interval¶New in version 4.3.0.
Amount of time (in seconds) between subsequent monitoring health checks. Does nothing if the checks take more than that time to execute.
lua-prequery-script¶Lua script to run before answering a query. This is a feature used internally for regression testing. The API of this functionality is not guaranteed to be stable, and is in fact likely to change.
lua-records-exec-limit¶Limit LUA records scripts to lua-records-exec-limit instructions.
Setting this to any value less than or equal to 0 will set no limit.
lua-records-insert-whitespace¶New in version 4.9.1.
When combining the " delimited chunks of a LUA record, whether to insert whitespace between each chunk.
master¶Deprecated since version 4.5.0: Renamed to primary. Removed in 4.9.0.
Turn on master support. See Primary operation.
max-cache-entries¶Maximum number of entries in the query cache. 1 million (the default) will generally suffice for most installations.
max-ent-entries¶Maximum number of empty non-terminals to add to a zone. This is a protection measure to avoid database explosion due to long names.
max-include-depth¶Maximum number of nested $INCLUDE directives while processing a zone file.
Zero mean no $INCLUDE directives will be accepted.
max-generate-steps¶Maximum number of steps for a ‘$GENERATE’ directive when parsing a zone file. This is a protection measure to prevent consuming a lot of CPU and memory when untrusted zones are loaded. Default to 0 which means unlimited.
max-nsec3-iterations¶Limit the number of NSEC3 hash iterations for zone configurations. For more information see Setting the NSEC modes and parameters.
Note
Pre 4.5.0 the default was 500.
max-packet-cache-entries¶Maximum number of entries in the packet cache. 1 million (the default) will generally suffice for most installations.
max-queue-length¶If this many packets are waiting for database attention, consider the situation hopeless and respawn the server process. This limit is per receiver thread.
max-signature-cache-entries¶Maximum number of DNSSEC signature cache entries. This cache is automatically reset once per week or when the cache is full. If you use NSEC narrow mode, this cache can grow large.
max-tcp-connection-duration¶Maximum time in seconds that a TCP DNS connection is allowed to stay open. 0 means unlimited. Note that exchanges related to an AXFR or IXFR are not affected by this setting.
max-tcp-connections¶Allow this many incoming TCP DNS connections simultaneously.
max-tcp-connections-per-client¶Maximum number of simultaneous TCP connections per client. 0 means unlimited.
max-tcp-transactions-per-conn¶Allow this many DNS queries in a single TCP transaction. 0 means unlimited. Note that exchanges related to an AXFR or IXFR are not affected by this setting.
negquery-cache-ttl¶Seconds to store queries with no answer in the Query Cache. See Query Cache.
no-config¶Do not attempt to read the configuration file. Useful for configuration by parameters from the command line only.
no-shuffle¶Do not attempt to shuffle query results, used for regression testing.
non-local-bind¶Bind to addresses even if one or more of the local-address’s do not exist on this server. Setting this option will enable the needed socket options to allow binding to non-local addresses. This feature is intended to facilitate ip-failover setups, but it may also mask configuration issues and for this reason it is disabled by default.
only-notify¶For type=MASTER zones (or SLAVE zones with slave-renotify enabled)
PowerDNS automatically sends NOTIFYs to the name servers specified in
the NS records. By specifying networks/mask as whitelist, the targets
can be limited. The default is to notify the world. To completely
disable these NOTIFYs set only-notify to an empty value. Independent
of this setting, the IP addresses or netmasks configured with
also-notify and ALSO-NOTIFY zone metadata
always receive AXFR NOTIFYs.
IP addresses and netmasks can be excluded by prefixing them with a !.
To notify all IP addresses apart from the 192.168.0.0/24 subnet use the following:
only-notify=0.0.0.0/0, ::/0, !192.168.0.0/24
Note
Even if NOTIFYs are limited by a netmask, PowerDNS first has to resolve all the hostnames to check their IP addresses against the specified whitelist. The resolving may take considerable time, especially if those hostnames are slow to resolve. If you do not need to NOTIFY the slaves defined in the NS records (e.g. you are using another method to distribute the zone data to the slaves), then set only-notify to an empty value and specify the notification targets explicitly using also-notify and/or ALSO-NOTIFY zone metadata to avoid this potential bottleneck.
Note
If your slaves support an Internet Protocol version, which your master does not,
then set only-notify to include only supported protocol version.
Otherwise there will be error trying to resolve address.
For example, slaves support both IPv4 and IPv6, but PowerDNS master have only IPv4,
so allow only IPv4 with only-notify:
only-notify=0.0.0.0/0
outgoing-axfr-expand-alias¶no, yes, or ignore-errors, StringChanged in version 4.9.0: Option ignore-errors added.
If this is enabled, ALIAS records are expanded (synthesized to their A/AAAA) during outgoing AXFR. This means slaves will not automatically follow changes in those A/AAAA records unless you AXFR regularly!
If this is disabled (the default), ALIAS records are sent verbatim during outgoing AXFR. Note that if your slaves do not support ALIAS, they will return NODATA for A/AAAA queries for such names.
If the ALIAS target cannot be resolved during AXFR the AXFR will fail. To allow outgoing AXFR also if the ALIAS targets are broken set this setting to ignore-errors. Be warned, this will lead to inconsistent zones between Primary and Secondary name servers.
overload-queue-length¶If this many packets are waiting for database attention, answer any new questions strictly from the packet cache. Packets not in the cache will be dropped, and overload-drops will be incremented.
prevent-self-notification¶PowerDNS Authoritative Server attempts to not send out notifications to itself in master mode. In very complicated situations we could guess wrong and not notify a server that should be notified. In that case, set prevent-self-notification to “no”.
primary¶Changed in version 4.5.0: This was called master before 4.5.0.
Turn on operating as a primary. See Primary operation.
proxy-protocol-from¶New in version 4.6.0.
Ranges that are required to send a Proxy Protocol version 2 header in front of UDP and TCP queries, to pass the original source and destination addresses and ports to the Authoritative. Queries that are not prefixed with such a header will not be accepted from clients in these ranges. Queries prefixed by headers from clients that are not listed in these ranges will be dropped.
Note that once a Proxy Protocol header has been received, the source address from the proxy header instead of the address of the proxy will be checked against primary addresses sending NOTIFYs, and the ACLs for any client requesting AXFRs. When using this setting combined with trusted-notification-proxy, please be aware that the trusted address will also be checked against the source address in the PROXY header.
The dnsdist docs have more information about the PROXY protocol.
proxy-protocol-maximum-size¶New in version 4.6.0.
The maximum size, in bytes, of a Proxy Protocol payload (header, addresses and ports, and TLV values). Queries with a larger payload will be dropped.
query-cache-ttl¶Seconds to store queries with an answer in the Query Cache. See Query Cache.
query-local-address¶Changed in version 4.4.0: Accepts both IPv4 and IPv6 addresses. Also accept more than one address per address family.
The IP addresses to use as a source address for sending queries. Useful if you have multiple IPs and PowerDNS is not bound to the IP address your operating system uses by default for outgoing packets.
PowerDNS will pick the correct address family based on the remote’s address (v4 for outgoing v4, v6 for outgoing v6). However, addresses are selected at random without taking into account ip subnet reachability. It is highly recommended to use the defaults in that case (the kernel will pick the right source address for the network).
query-local-address6¶Deprecated since version 4.5.0: Removed. Use query-local-address.
query-logging¶Boolean, hints to a backend that it should log a textual representation of queries it performs. Can be set at runtime.
queue-limit¶Maximum number of milliseconds to queue a query. See Performance and Tuning.
receiver-threads¶Number of receiver (listening) threads to start. See Performance and Tuning.
resolver¶Recursive DNS server to use for ALIAS lookups and the internal stub resolver. Only one address can be given.
It is assumed that the specified recursive DNS server, and the network path to it, are trusted.
Examples:
resolver=127.0.0.1
resolver=[::1]:5300
reuseport¶On Linux 3.9 and some BSD kernels the SO_REUSEPORT option allows
each receiver-thread to open a new socket on the same port which allows
for much higher performance on multi-core boxes. Setting this option
will enable use of SO_REUSEPORT when available and seamlessly fall
back to a single socket when it is not available. A side-effect is that
you can start multiple servers on the same IP/port combination which may
or may not be a good idea. You could use this to enable transparent
restarts, but it may also mask configuration issues and for this reason
it is disabled by default.
rng¶Specify which random number generator to use. Permissible choices are:
randombytes_uniformRAND_bytesarc4random_uniform/dev/urandomNote
Not all choices are available on all systems.
secondary¶Changed in version 4.5.0: This was called slave before 4.5.0.
Turn on operating as a secondary. See Secondary operation.
secondary-do-renotify¶Changed in version 4.5.0: This was called slave-renotify before 4.5.0.
This setting will make PowerDNS renotify the secondaries after an AXFR is received from a primary. This is useful, among other situations, when running a signing secondary.
See SLAVE-RENOTIFY to set this per-zone.
security-poll-suffix¶Zone name from which to query security update notifications. Setting this to an empty string disables secpoll.
send-signed-notify¶If yes, outgoing NOTIFYs will be signed if a TSIG key is configured for the zone. If there are multiple TSIG keys configured for a zone, PowerDNS will use the first one retrieved from the backend, which may not be the correct one for the respective slave. Hence, in setups with multiple slaves with different TSIG keys it may be required to send NOTIFYs unsigned.
server-id¶This is the server ID that will be returned on an EDNS NSID query.
signing-threads¶Tell PowerDNS how many threads to use for signing. It might help improve signing speed by changing this number.
slave-cycle-interval¶Deprecated since version 4.5.0: Renamed to xfr-cycle-interval. Removed in 4.9.0.
slave-renotify¶Deprecated since version 4.5.0: Renamed to secondary-do-renotify. Removed in 4.9.0.
This setting will make PowerDNS renotify the slaves after an AXFR is received from a master. This is useful when running a signing-slave.
See SLAVE-RENOTIFY to set this per-zone.
soa-expire-default¶Deprecated since version 4.2.0: This setting has been removed in 4.4.0
Default SOA expire.
soa-minimum-ttl¶Deprecated since version 4.2.0: This setting has been removed in 4.4.0
Default SOA minimum ttl.
soa-refresh-default¶Deprecated since version 4.2.0: This setting has been removed in 4.4.0
Default SOA refresh.
soa-retry-default¶Deprecated since version 4.2.0: This setting has been removed in 4.4.0
Default SOA retry.
socket-dir¶Where the controlsocket will live. The default depends on
LOCALSTATEDIR during compile-time (usually /var/run or
/run). See Control Socket.
This path will also contain the pidfile for this instance of PowerDNS
called pdns.pid by default. See config-name
and Virtual Hosting how this can differ.
superslave¶Deprecated since version 4.5.0: Renamed to autosecondary. Removed in 4.9.0.
Turn on supermaster support. See Autoprimary: automatic provisioning of secondaries.
svc-autohints¶New in version 4.5.0.
Whether or not to enable IPv4 and IPv6 autohints.
tcp-control-range¶Limit TCP control to a specific client range.
tcp-fast-open¶Enable TCP Fast Open support, if available, on the listening sockets. The numerical value supplied is used as the queue size, 0 meaning disabled.
tcp-idle-timeout¶Maximum time in seconds that a TCP DNS connection is allowed to stay open while being idle, meaning without PowerDNS receiving or sending even a single byte.
trusted-notification-proxy¶Changed in version 4.4.0: This option now accepts a comma-separated list of IP ranges. This was a list of IP addresses before.
IP ranges of incoming notification proxies.
udp-truncation-threshold¶EDNS0 allows for large UDP response datagrams, which can potentially raise performance. Large responses however also have downsides in terms of reflection attacks. Maximum value is 65535, but values above 4096 should probably not be attempted.
Note
Why 1232?
1232 is the largest number of payload bytes that can fit in the smallest IPv6 packet. IPv6 has a minimum MTU of 1280 bytes (RFC 8200, section 5), minus 40 bytes for the IPv6 header, minus 8 bytes for the UDP header gives 1232, the maximum payload size for the DNS response.
upgrade-unknown-types¶New in version 4.4.0.
Transparently upgrade records stored as TYPE#xxx and RFC 3597 (hex format) contents, if the type is natively supported. When this is disabled, records stored in this format cannot be served.
Recommendation: keep disabled for better performance. Enable for testing PowerDNS upgrades, without changing stored records. Enable for upgrading record content on secondaries, or when using the API (see upgrade notes). Disable after record contents have been upgraded.
This option is supported by the bind and Generic SQL backends.
Note
When using a generic SQL backend, records with an unknown record type (see Supported Record Types) can be identified with the following SQL query:
SELECT * from records where type like 'TYPE%';
version-string¶anonymous, powerdns, full, StringWhen queried for its version over DNS
(dig chaos txt version.bind @pdns.ip.address), PowerDNS normally
responds truthfully. With this setting you can overrule what will be
returned. Set the version-string to full to get the default
behaviour, to powerdns to just make it state
Served by PowerDNS - https://www.powerdns.com/. The anonymous
setting will return a ServFail, much like Microsoft nameservers do. You
can set this response to a custom value as well.
webserver-allow-from¶Webserver/API access is only allowed from these subnets.
webserver-hash-plaintext-credentials¶New in version 4.6.0.
Whether passwords and API keys supplied in the configuration as plaintext should be hashed during startup, to prevent the plaintext versions from staying in memory. Doing so increases significantly the cost of verifying credentials and is thus disabled by default. Note that this option only applies to credentials stored in the configuration as plaintext, but hashed credentials are supported without enabling this option.
webserver-loglevel¶The amount of logging the webserver must do. “none” means no useful webserver information will be logged. When set to “normal”, the webserver will log a line per request that should be familiar:
[webserver] e235780e-a5cf-415e-9326-9d33383e739e 127.0.0.1:55376 "GET /api/v1/servers/localhost/bla HTTP/1.1" 404 196
When set to “detailed”, all information about the request and response are logged:
[webserver] e235780e-a5cf-415e-9326-9d33383e739e Request Details:
[webserver] e235780e-a5cf-415e-9326-9d33383e739e Headers:
[webserver] e235780e-a5cf-415e-9326-9d33383e739e accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
[webserver] e235780e-a5cf-415e-9326-9d33383e739e accept-encoding: gzip, deflate
[webserver] e235780e-a5cf-415e-9326-9d33383e739e accept-language: en-US,en;q=0.5
[webserver] e235780e-a5cf-415e-9326-9d33383e739e connection: keep-alive
[webserver] e235780e-a5cf-415e-9326-9d33383e739e dnt: 1
[webserver] e235780e-a5cf-415e-9326-9d33383e739e host: 127.0.0.1:8081
[webserver] e235780e-a5cf-415e-9326-9d33383e739e upgrade-insecure-requests: 1
[webserver] e235780e-a5cf-415e-9326-9d33383e739e user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0
[webserver] e235780e-a5cf-415e-9326-9d33383e739e No body
[webserver] e235780e-a5cf-415e-9326-9d33383e739e Response details:
[webserver] e235780e-a5cf-415e-9326-9d33383e739e Headers:
[webserver] e235780e-a5cf-415e-9326-9d33383e739e Connection: close
[webserver] e235780e-a5cf-415e-9326-9d33383e739e Content-Length: 49
[webserver] e235780e-a5cf-415e-9326-9d33383e739e Content-Type: text/html; charset=utf-8
[webserver] e235780e-a5cf-415e-9326-9d33383e739e Server: PowerDNS/0.0.15896.0.gaba8bab3ab
[webserver] e235780e-a5cf-415e-9326-9d33383e739e Full body:
[webserver] e235780e-a5cf-415e-9326-9d33383e739e <!html><title>Not Found</title><h1>Not Found</h1>
[webserver] e235780e-a5cf-415e-9326-9d33383e739e 127.0.0.1:55376 "GET /api/v1/servers/localhost/bla HTTP/1.1" 404 196
The value between the hooks is a UUID that is generated for each request. This can be used to find all lines related to a single request.
Note
The webserver logs these line on the NOTICE level. The loglevel setting must be 5 or higher for these lines to end up in the log.
webserver-connection-timeout¶New in version 4.8.5.
Request/response timeout in seconds.
webserver-password¶Changed in version 4.6.0: This setting now accepts a hashed and salted version.
Password required to access the webserver. Since 4.6.0 the password can be hashed and salted using pdnsutil hash-password instead of being present in the configuration in plaintext, but the plaintext version is still supported.
workaround-11804¶Workaround for issue #11804 (outgoing AXFR may try to overfill a chunk and fail).
Default of no implies the pre-4.8 behaviour of up to 100 RRs per AXFR chunk.
If enabled, only a single RR will be put into each AXFR chunk, making some zones transferable when they were not otherwise.
xfr-cycle-interval¶Changed in version 4.5.0: This was called slave-cycle-interval before 4.5.0.
On a primary, this is the amount of seconds between the primary checking the SOA serials in its database to determine to send out NOTIFYs to the secondaries. On secondaries, this is the number of seconds between the secondary checking for updates to zones.
xfr-max-received-mbytes¶Specifies the maximum number of received megabytes allowed on an incoming AXFR/IXFR update, to prevent resource exhaustion. A value of 0 means no restriction.
zone-cache-refresh-interval¶Seconds to cache a list of all known zones. A value of 0 will disable the cache.
If your backends do not respond to unknown or dynamically generated zones, it is suggested to enable consistent-backends (default since 4.5) and leave this option at its default of 300.
zone-metadata-cache-ttl¶Changed in version 4.5.0: This was called domain-metadata-cache-ttl before 4.5.0.
Seconds to cache zone metadata from the database. A value of 0 disables caching.