credns − version 0.2.10.


credns −4 −6 −a ip−address[@port] −c configfile −d −f database −h −i identity −I nsid −l logfile −N server−count −n noncurrent−tcp−count −P pidfile −p port −s seconds −t chrootdir −u username −V level −v


Credns is a software program aimed at fortifying DNSSEC by performing validation in the DNS notify/transfer-chain. Currently credns is a fork of NSD(8) that has been extended with the possibility to asses zones - received or updated by AXFR or IXFR - by running an external verifier and only serve those zones when they are deemed correct by the verifier associated with that zone. The options for setting a verifier for a zone and all related options can be given in the credns.conf(5) configuration file.


All the options can be specified in the configfile ( −c argument), except for the −v and −h options. If options are specified on the commandline, the options on the commandline take precedence over the options in the configfile.

Normally credns should be started with the ‘crednsc(8) start‘ command invoked from a /etc/rc.d/ script or similar at the operating system startup.


Only listen to IPv4 connections.


Only listen to IPv6 connections.

−a ip−address@port

Listen to the specified ip−address. The ip−address must be specified in numeric format (using the standard IPv4 or IPv6 notation). Optionally, a port number can be given. This flag can be specified multiple times to listen to multiple IP addresses. If this flag is not specified, credns listens to the wildcard interface.

−c configfile

Read specified configfile instead of the default /etc/credns/credns.conf. For format description see credns.conf(5).


Turn on debugging mode, do not fork, stay in the foreground.

−f database

Use the specified database instead of the default of /var/db/credns/credns.db. If a zonesdir: is specified in the config file this path can be relative to that directory.


Print help information and exit.

−i identity

Return the specified identity when asked for CH TXT ID.SERVER (This option is used to determine which server is answering the queries when they are multicast). The default is the name returned by gethostname(3).

−I nsid

Add the specified nsid to the EDNS section of the answer when queried with an NSID EDNS enabled packet.

−l logfile

Log messages to the specified logfile. The default is to log to stderr and syslog. If a zonesdir: is specified in the config file this path can be relative to that directory.

−N count

Start count credns servers. The default is 1. Starting more than a single server is only useful on machines with multiple CPUs and/or network adapters.

−n number

The maximum number of concurrent TCP connection that can be handled by each server. The default is 10.

−P pidfile

Use the specified pidfile instead of the platform specific default, which is mostly /var/run/ If a zonesdir: is specified in the config file, this path can be relative to that directory.

−p port

Answer the queries on the specified port. Normally this is port 53.

−s seconds

Produce statistics dump every seconds seconds. This is equal to sending SIGUSR1 to the daemon periodically.

−t chroot

Specifies a directory to chroot to upon startup. This option requires you to ensure that appropriate syslogd(8) socket (e.g. chrootdir /dev/log) is available, otherwise credns won’t produce any log output.

−u username

Drop user and group privileges to those of username after binding the socket. The username must be one of: username, id, or id.gid. For example: credns, 80, or 80.80.

−V level

This value specifies the verbosity level for (non−debug) logging. Default is 0.


Print the version number of credns to standard error and exit.

Credns reacts to the following signals:

Stop answering queries, shutdown, and exit normally.


Reload the database.


Dump BIND8−style statistics into the log. Ignored otherwise.



default credns database


the process id of the name server.


default credns configuration file


will log all the problems via the standard syslog(8) daemon facility, unless the −d option is specified.


crednsc(8), credns.conf(5), credns−checkconf(8), credns−notify(8), credns−patch(8), credns−xfer(8)


Credns was written by NLnet Labs.

NSD was written by NLnet Labs and RIPE NCC joint team. Please see CREDITS file in the distribution for further details.


Credns is a fork of NSD(8) and inherits all its bugs.


Because of credns is implemented as a fork of NSD(8), it currently functions as a complete authoritative DNS namservers. However, this functionality is not strictly necessary of credns type operation and might disappear in future releases. Credns has a different orientation as NSD and might develop into an entirely different direction.


Wed Sep 25 2013

© Stichting NLnet Labs

Science Park 400, 1098 XH Amsterdam, The Netherlands, subsidised by NLnet and SIDN.