#
# credns.conf -- the CREDNS(8) configuration file, credns.conf(5).
#
# Copyright (c) 2001-2011, NLnet Labs. All rights reserved.
#
# See LICENSE for the license.
#

# This is a comment.
# Sample configuration file

# options for the credns server
server:
	# uncomment to specify specific interfaces to bind
	# (default wildcard interface).
	# ip-address: 1.2.3.4
	# ip-address: 1.2.3.4@5678
	# ip-address: 12fe::8ef0

	# how many verifiers may be run concurrently?
	# verifier-count: 1

	# should a zone that was updated by IXFR or AXFR be fed to the standard
	# input (stdin) of a verifier?
	# verifier-feed-zone: yes

	# should a zone that was updated by IXFR or AXFR be served to a verifier?
	# uncomment to enable and specify on which ip-addresses the updated
	# zone will be served. These addresses serve the not-yet-verified zone,
	# so keep them on loopback (as below) unless the verifier runs elsewhere.
	# verify-ip-address: 127.0.0.1
	# verify-ip-address: 127.0.0.1@5347
	# verify-ip-address: ::1
	
	# on which port will the zone updated by IXFR or AXFR be served to
	# the verifier.
	# verify-port: 5347
	
	# how long may any verifier take? 0 means no limit, so a verifier that
	# hangs is never aborted; set a bound in production.
	# verifier-timeout: 0

	# don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries.
	# with the default (no) the software version is disclosed to anyone
	# who asks; set to yes on exposed servers.
	# hide-version: no

	# enable debug mode, does not fork daemon process into the background.
	# debug-mode: no

	# listen only on IPv4 connections
	# ip4-only: no

	# listen only on IPv6 connections
	# ip6-only: no
	
	# the database to use
	# database: "/var/db/credns/credns.db"

	# identify the server (CH TXT ID.SERVER entry).
	# identity: "unidentified server"

	# NSID identity (hex string). default disabled.
	# nsid: "aabbccdd"

	# log messages to file. Default to stderr and syslog
	# (with facility LOG_DAEMON).
	# logfile: "/var/log/credns.log"

	# Number of credns servers to fork.
	# server-count: 1

	# Maximum number of concurrent TCP connections per server.
	# This option should have a value below 1000.
	# tcp-count: 10

	# Maximum number of queries served on a single TCP connection.
	# By default 0, which means no maximum.
	# tcp-query-count: 0

	# Override the default (120 seconds) TCP timeout.
	# tcp-timeout: 120

	# Preferred EDNS buffer size for IPv4.
	# ipv4-edns-size: 4096

	# Preferred EDNS buffer size for IPv6.
	# ipv6-edns-size: 4096

	# File to store pid for credns in.
	# pidfile: "/var/run/credns.pid"

	# port to answer queries on. default is 53.
	# port: 53

	# statistics are produced every number of seconds.
	# statistics: 3600

	# Run credns in a chroot-jail.
	# make sure to have pidfile and database reachable from there (the same
	# presumably applies to difffile, xfrdfile and logfile; confirm).
	# by default, no chroot-jail is used.
	# chroot: "/etc/credns"

	# After binding socket, drop user privileges.
	# can be a username, id or id.gid. Left unset, the daemon presumably keeps
	# the privileges it was started with (root, if it binds port 53) -- confirm
	# the compiled-in default.
	# username: credns

	# The directory for zonefile: files.
	# zonesdir: "/etc/credns"

	# The file where incoming zone transfers are stored.
	# run credns-patch to update zone files, then you can safely delete it.
	# difffile: "/var/db/credns/ixfr.db"

	# The file where secondary zone refresh and expire timeouts are kept.
	# If you delete this file, all secondary zones are forced to be 
	# 'refreshing' (as if credns got a notify).
	# xfrdfile: "/var/db/credns/xfrd.state"

	# Number of seconds between reloads triggered by xfrd.
	# xfrd-reload-timeout: 10

	# Verbosity level.
	# verbosity: 0

# key for requesting the zone from the (hidden) masters listed in the zone
# section below. The secret here is a published sample value: generate a
# fresh random secret before use, and prefer a SHA-based algorithm over
# hmac-md5 where both ends support it (hmac-sha1 is shown below).
key:
	name: mskey
	algorithm: hmac-md5
	secret: "K2tf3TRjvQkVCmJF3/Z9vA=="

# keys providing the zone to the (public) slaves. These secrets are
# published sample values -- replace them before use.
key:
	name: "sec1_key"
	algorithm: hmac-md5
	secret: "6KM6qiKfwfEpamEq72HQdA=="

key:
	name: sec2_key
	algorithm: hmac-sha1
	secret: "m83H2x8R0zbDf3yRKhrqgw=="

# Example zone
zone:
	name: "example.com"
	zonefile: "example.com.zone"

	# The (hidden) masters are listed below
	# If no access control elements are provided, this zone
	# will not be served to/from other servers.

	# (hidden) master 1. Note: 168.192.44.42 is a globally routable address,
	# not private 192.168/16 space -- adjust before copying this example.
	allow-notify: 168.192.44.42 mskey
	request-xfr: 168.192.44.42 mskey

	# (hidden) master 2. NOKEY: notifies and transfers from this peer are
	# accepted on source address alone, without TSIG authentication.
	allow-notify: 10.0.0.11 NOKEY
	request-xfr: 10.0.0.11 NOKEY

	# By default, a (credns) slave will request a zone transfer with
	# IXFR/TCP.
	# If you want to make use of IXFR/UDP use
	allow-notify: 10.0.0.12 NOKEY
	request-xfr: UDP 10.0.0.12 NOKEY

	# for a (hidden) master that only speaks AXFR (like NSD) use
	allow-notify: 10.0.0.13 NOKEY
	request-xfr: AXFR 10.0.0.13 NOKEY

	# Attention: You cannot use UDP and AXFR together. AXFR is always over
	# TCP. If you use UDP, we strongly recommend deploying TSIG, since UDP
	# messages are easy to spoof by source address.

	# Allow AXFR fallback if the master does not support IXFR. Default
	# is yes.
	allow-axfr-fallback: "yes"

	# uncomment to provide AXFR to all the world (this discloses the whole
	# zone content to anyone; only for deliberately public zones)
	# provide-xfr: 0.0.0.0/0 NOKEY
	# provide-xfr: ::0/0 NOKEY

	# set local interface for sending zone transfer requests and notifies.
	outgoing-interface: 10.0.0.10

	# the verifier program that assesses updates received by IXFR or AXFR
	# verifier: ldns-verify-zone
	# verifier: validns -
	# verifier: drill -k  @127.0.0.1 -p 5347 example.com SOA
	# (in the drill example, -k appears to be missing its key-file argument;
	# supply one before use)

	# should a zone that was updated by IXFR or AXFR be fed to the standard
	# input (stdin) of a verifier? inherits the value from the server: section
	# by default
	# verifier-feed-zone: inherit

	# how long may any verifier take (0 means no limit). inherits the value
	# from the server: section by default
	# verifier-timeout: inherit

	# The public slaves are listed below.
	# If no access control elements are provided, this zone
	# will not be served to other servers.

	# (public) slave 1. Uses port 5300.
	notify: 10.0.0.14@5300 sec1_key
	provide-xfr: 10.0.0.14@5300 sec1_key

	# (public) slave 2.
	notify: 10.11.12.14 sec2_key
	provide-xfr: 10.11.12.14 sec2_key

	# also provide xfr to the operator's network. NOKEY: access is granted by
	# source address only, so anyone able to source traffic from this prefix
	# can fetch the zone. 169.192.85.0/24 is a globally routable prefix --
	# replace it with your own before use.
	provide-xfr: 169.192.85.0/24 NOKEY
	# uncomment to disable xfr for the address.
	# provide-xfr: 169.192.85.66 BLOCKED

	# set the number of retries for notify.
	notify-retry: 5


Wed Sep 25 2013

© Stichting NLnet Labs

Science Park 400, 1098 XH Amsterdam, The Netherlands

labs@nlnetlabs.nl, subsidised by NLnet and SIDN.