aboutsummaryrefslogtreecommitdiff
path: root/gerboweb/deploy/nsd.conf
diff options
context:
space:
mode:
authorjaseg <git@jaseg.net>2020-12-30 13:12:06 +0100
committerjaseg <git@jaseg.net>2020-12-30 13:12:06 +0100
commitc6b1c2225d1ac4ac647950be8667b5709b0033a1 (patch)
tree8db7a14649a277d236791e1c731d98af03a0af88 /gerboweb/deploy/nsd.conf
parente290ac758b02a9d03bacd511c87fc997db41d0a8 (diff)
downloadgerbolyze-master.tar.gz
gerbolyze-master.tar.bz2
gerbolyze-master.zip
remove ansible scripts, they are now in their own "infra" repoHEADmaster
Diffstat (limited to 'gerboweb/deploy/nsd.conf')
-rw-r--r--gerboweb/deploy/nsd.conf372
1 files changed, 0 insertions, 372 deletions
diff --git a/gerboweb/deploy/nsd.conf b/gerboweb/deploy/nsd.conf
deleted file mode 100644
index d4b577f..0000000
--- a/gerboweb/deploy/nsd.conf
+++ /dev/null
@@ -1,372 +0,0 @@
-#
-# nsd.conf -- the NSD(8) configuration file, nsd.conf(5).
-#
-# Copyright (c) 2001-2011, NLnet Labs. All rights reserved.
-#
-# See LICENSE for the license.
-#
-
-# This is a comment.
-# Sample configuration file
-# include: "file" # include that file's text over here. Globbed, "*.conf"
-
-# options for the nsd server
-server:
- # Number of NSD servers to fork. Put the number of CPUs to use here.
- server-count: 1
-
- # uncomment to specify specific interfaces to bind (default are the
- # wildcard interfaces 0.0.0.0 and ::0).
- # For servers with multiple IP addresses, list them one by one,
- # or the source address of replies could be wrong.
- # Use ip-transparent to be able to list addresses that turn on later.
- # ip-address: 1.2.3.4
- # ip-address: 1.2.3.4@5678
- # ip-address: 12fe::8ef0
-
- # Allow binding to non local addresses. Default no.
- # ip-transparent: no
-
- # Allow binding to addresses that are down. Default no.
- # ip-freebind: no
-
- # use the reuseport socket option for performance. Default no.
- reuseport: yes
-
- # override maximum socket send buffer size. Default of 0 results in
- # send buffer size being set to 1048576 (bytes).
- # send-buffer-size: 1048576
-
- # override maximum socket receive buffer size. Default of 0 results in
- # receive buffer size being set to 1048576 (bytes).
- # receive-buffer-size: 1048576
-
- # enable debug mode, does not fork daemon process into the background.
- # debug-mode: no
-
- # listen on IPv4 connections
- # do-ip4: yes
-
- # listen on IPv6 connections
- # do-ip6: yes
-
- # port to answer queries on. default is 53.
- # port: 53
-
- # Verbosity level.
- # verbosity: 0
-
- # After binding socket, drop user privileges.
- # can be a username, id or id.gid.
- # username: nsd
-
- # Run NSD in a chroot-jail.
- # make sure to have pidfile and database reachable from there.
- # by default, no chroot-jail is used.
- # chroot: "/etc/nsd"
-
- # The directory for zonefile: files. The daemon chdirs here.
- zonesdir: "/etc/nsd"
-
- # the list of dynamically added zones.
- # zonelistfile: "/var/lib/nsd/zone.list"
-
- # the database to use
- # if set to "" then no disk-database is used, less memory usage.
- database: ""
-
- # log messages to file. Default to stderr and syslog (with
- # facility LOG_DAEMON). stderr disappears when daemon goes to bg.
- # logfile: "/var/log/nsd.log"
-
- # File to store pid for nsd in.
- # pidfile: "/run/nsd/nsd.pid"
-
- # The file where secondary zone refresh and expire timeouts are kept.
- # If you delete this file, all secondary zones are forced to be
- # 'refreshing' (as if nsd got a notify). Set to "" to disable.
- # xfrdfile: "/var/lib/nsd/ixfr.state"
-
- # The directory where zone transfers are stored, in a subdir of it.
- # xfrdir: "/tmp"
-
- # don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
- hide-version: yes
-
- # don't answer HOSTNAME.BIND and ID.SERVER CHAOS class queries
- hide-identity: yes
-
- # version string the server responds with for chaos queries.
- # default is 'NSD x.y.z' with the server's version number.
- # version: "NSD"
-
- # identify the server (CH TXT ID.SERVER entry).
- # identity: "unidentified server"
-
- # NSID identity (hex string, or "ascii_somestring"). default disabled.
- # nsid: "aabbccdd"
-
- # Maximum number of concurrent TCP connections per server.
- # tcp-count: 100
-
- # Accept (and immediately close) TCP connections after maximum number
- # of connections is reached to prevent kernel connection queue from
- # growing.
- # tcp-reject-overflow: no
-
- # Maximum number of queries served on a single TCP connection.
- # By default 0, which means no maximum.
- # tcp-query-count: 0
-
- # Override the default (120 seconds) TCP timeout.
- # tcp-timeout: 120
-
- # Maximum segment size (MSS) of TCP socket on which the server
- # responds to queries. Default is 0, system default MSS.
- # tcp-mss: 0
-
- # Maximum segment size (MSS) of TCP socket for outgoing AXFR request.
- # Default is 0, system default MSS.
- # outgoing-tcp-mss: 0
-
- # Preferred EDNS buffer size for IPv4.
- # ipv4-edns-size: 4096
-
- # Preferred EDNS buffer size for IPv6.
- # ipv6-edns-size: 4096
-
- # statistics are produced every number of seconds. Prints to log.
- # Default is 0, meaning no statistics are produced.
- # statistics: 3600
-
- # Number of seconds between reloads triggered by xfrd.
- # xfrd-reload-timeout: 1
-
- # log timestamp in ascii (y-m-d h:m:s.msec), yes is default.
- # log-time-ascii: yes
-
- # round robin rotation of records in the answer.
- round-robin: yes
-
- # minimal-responses only emits extra data for referrals.
- minimal-responses: yes
-
- # Do not return additional information if the apex zone of the
- # additional information is configured but does not match the apex zone
- # of the initial query.
- # confine-to-zone: no
-
- # refuse queries of type ANY. For stopping floods.
- refuse-any: yes
-
- # check mtime of all zone files on start and sighup
- # zonefiles-check: yes
-
- # write changed zonefiles to disk, every N seconds.
- # default is 0(disabled) or 3600(if database is "").
- # zonefiles-write: 3600
-
- # RRLconfig
- # Response Rate Limiting, size of the hashtable. Default 1000000.
- # rrl-size: 1000000
-
- # Response Rate Limiting, maximum QPS allowed (from one query source).
- # If set to 0, ratelimiting is disabled. Also set
- # rrl-whitelist-ratelimit to 0 to disable ratelimit processing.
- # Default is on.
- # rrl-ratelimit: 200
-
- # Response Rate Limiting, number of packets to discard before
- # sending a SLIP response (a truncated one, allowing an honest
- # resolver to retry with TCP). Default is 2 (one half of the
- # queries will receive a SLIP response, 0 disables SLIP (all
- # packets are discarded), 1 means every request will get a
- # SLIP response. When the ratelimit is hit the traffic is
- # divided by the rrl-slip value.
- # rrl-slip: 2
-
- # Response Rate Limiting, IPv4 prefix length. Addresses are
- # grouped by netblock.
- # rrl-ipv4-prefix-length: 24
-
- # Response Rate Limiting, IPv6 prefix length. Addresses are
- # grouped by netblock.
- # rrl-ipv6-prefix-length: 64
-
- # Response Rate Limiting, maximum QPS allowed (from one query source)
- # for whitelisted types. Default is on.
- # rrl-whitelist-ratelimit: 2000
- # RRLend
-
- # Optional local server config
- include: "/etc/nsd/server.d/*.conf"
-
-# Include optional local configs.
-include: "/etc/nsd/conf.d/*.conf"
-
-# Fedora: DNSTAP not yet enabled
-# dnstap:
- # set this to yes and set one or more of dnstap-log-..-messages to yes.
- # dnstap-enable: no
- # dnstap-socket-path: "/var/run/dnstap.sock"
- # dnstap-send-identity: no
- # dnstap-send-version: no
- # dnstap-identity: ""
- # dnstap-version: ""
- # dnstap-log-auth-query-messages: no
- # dnstap-log-auth-response-messages: no
-
- # Service clients over TLS (on the TCP sockets), with plain DNS inside
- # the TLS stream. Give the certificate to use and private key.
- # Default is "" (disabled). Requires restart to take effect.
- # tls-service-key: "path/to/privatekeyfile.key"
- # tls-service-pem: "path/to/publiccertfile.pem"
- # tls-service-ocsp: "path/to/ocsp.pem"
- # tls-port: 853
-
-# Remote control config section.
-remote-control:
- # Enable remote control with nsd-control(8) here.
- # set up the keys and certificates with nsd-control-setup.
- control-enable: yes
-
- # what interfaces are listened to for control, default is on localhost.
- # with an absolute path, a unix local named pipe is used for control
- # (and key and cert files are not needed, use directory permissions).
- # control-interface: 127.0.0.1
- # control-interface: ::1
- control-interface: /run/nsd/nsd.ctl
-
- # port number for remote control operations (uses TLS over TCP).
- # control-port: 8952
-
- # nsd server key file for remote control.
- # server-key-file: "/etc/nsd/nsd_server.key"
-
- # nsd server certificate file for remote control.
- # server-cert-file: "/etc/nsd/nsd_server.pem"
-
- # nsd-control key file.
- # control-key-file: "/etc/nsd/nsd_control.key"
-
- # nsd-control certificate file.
- # control-cert-file: "/etc/nsd/nsd_control.pem"
-
-
-# Secret keys for TSIGs that secure zone transfers.
-# You could include: "secret.keys" and put the 'key:' statements in there,
-# and give that file special access control permissions.
-#
-# key:
- # The key name is sent to the other party, it must be the same
- #name: "keyname"
- # algorithm hmac-md5, or sha1, sha256, sha224, sha384, sha512
- #algorithm: sha256
- # secret material, must be the same as the other party uses.
- # base64 encoded random number.
- # e.g. from dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64
- #secret: "K2tf3TRjvQkVCmJF3/Z9vA=="
-
-
-# Patterns have zone configuration and they are shared by one or more zones.
-#
-# pattern:
- # name by which the pattern is referred to
- #name: "myzones"
- # the zonefile for the zones that use this pattern.
- # if relative then from the zonesdir (inside the chroot).
- # the name is processed: %s - zone name (as appears in zone:name).
- # %1 - first character of zone name, %2 second, %3 third.
- # %z - topleveldomain label of zone, %y, %x next labels in name.
- # if label or character does not exist you get a dot '.'.
- # for example "%s.zone" or "zones/%1/%2/%3/%s" or "secondary/%z/%s"
- #zonefile: "%s.zone"
-
- # If no master and slave access control elements are provided,
- # this zone will not be served to/from other servers.
-
- # A master zone needs notify: and provide-xfr: lists. A slave
- # may also allow zone transfer (for debug or other secondaries).
- # notify these slaves when the master zone changes, address TSIG|NOKEY
- # IP can be ipv4 and ipv6, with @port for a nondefault port number.
- #notify: 192.0.2.1 NOKEY
- # allow these IPs and TSIG to transfer zones, addr TSIG|NOKEY|BLOCKED
- # address range 192.0.2.0/24, 1.2.3.4&255.255.0.0, 3.0.2.20-3.0.2.40
- #provide-xfr: 192.0.2.0/24 my_tsig_key_name
- # set the number of retries for notify.
- #notify-retry: 5
-
- # uncomment to provide AXFR to all the world
- # provide-xfr: 0.0.0.0/0 NOKEY
- # provide-xfr: ::0/0 NOKEY
-
- # A slave zone needs allow-notify: and request-xfr: lists.
- #allow-notify: 2001:db8::0/64 my_tsig_key_name
- # By default, a slave will request a zone transfer with IXFR/TCP.
- # If you want to make use of IXFR/UDP use: UDP addr tsigkey
- # for a master that only speaks AXFR (like NSD) use AXFR addr tsigkey
- #request-xfr: 192.0.2.2 the_tsig_key_name
- # Attention: You cannot use UDP and AXFR together. AXFR is always over
- # TCP. If you use UDP, we higly recommend you to deploy TSIG.
- # Allow AXFR fallback if the master does not support IXFR. Default
- # is yes.
- #allow-axfr-fallback: yes
- # set local interface for sending zone transfer requests.
- # default is let the OS choose.
- #outgoing-interface: 10.0.0.10
- # limit the refresh and retry interval in seconds.
- #max-refresh-time: 2419200
- #min-refresh-time: 0
- #max-retry-time: 1209600
- #min-retry-time: 0
-
- # Slave server tries zone transfer to all masters and picks highest
- # zone version available, for when masters have different versions.
- #multi-master-check: no
-
- # limit the zone transfer size (in bytes), stops very large transfers
- # 0 is no limits enforced.
- # size-limit-xfr: 0
-
- # if compiled with --enable-zone-stats, give name of stat block for
- # this zone (or group of zones). Output from nsd-control stats.
- # zonestats: "%s"
-
- # if you give another pattern name here, at this point the settings
- # from that pattern are inserted into this one (as if it were a
- # macro). The statement can be given in between other statements,
- # because the order of access control elements can make a difference
- # (which master to request from first, which slave to notify first).
- #include-pattern: "common-masters"
-
-
-# Fixed zone entries. Here you can config zones that cannot be deleted.
-# Zones that are dynamically added and deleted are put in the zonelist file.
-#
-# zone:
- # name: "example.com"
- # you can give a pattern here, all the settings from that pattern
- # are then inserted at this point
- # include-pattern: "master"
- # You can also specify (additional) options directly for this zone.
- # zonefile: "example.com.zone"
- # request-xfr: 192.0.2.1 example.com.key
-
- # RRLconfig
- # Response Rate Limiting, whitelist types
- # rrl-whitelist: nxdomain
- # rrl-whitelist: error
- # rrl-whitelist: referral
- # rrl-whitelist: any
- # rrl-whitelist: rrsig
- # rrl-whitelist: wildcard
- # rrl-whitelist: nodata
- # rrl-whitelist: dnskey
- # rrl-whitelist: positive
- # rrl-whitelist: all
- # RRLend
-
-zone:
- name: "dyn.jaseg.de"
- zonefile: "/var/lib/dyndns/dyn.jaseg.de.zone"
-