path: root/doc/man/knot.conf.5
Diffstat (limited to '')
-rw-r--r--doc/man/knot.conf.5 (renamed from doc/man/knot.conf.5in)120
1 files changed, 95 insertions, 25 deletions
diff --git a/doc/man/knot.conf.5in b/doc/man/knot.conf.5
index d091d15..dc6fe4a 100644
--- a/doc/man/knot.conf.5in
+++ b/doc/man/knot.conf.5
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KNOT.CONF" "5" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.TH "KNOT.CONF" "5" "2024-09-02" "3.4.0" "Knot DNS"
.SH NAME
knot.conf \- Knot DNS configuration file
.SH DESCRIPTION
@@ -47,10 +47,11 @@ the following symbols:
.IP \(bu 2
\fBBOOL\fP – Boolean value (\fBon\fP/\fBoff\fP or \fBtrue\fP/\fBfalse\fP)
.IP \(bu 2
-\fBTIME\fP – Number of seconds, an integer with possible time multiplier suffix
-(\fBs\fP ~ 1, \fBm\fP ~ 60, \fBh\fP ~ 3600 or \fBd\fP ~ 24 * 3600)
+\fBTIME\fP – Number of seconds, an integer with a possible time multiplier suffix
+(\fBs\fP ~ 1, \fBm\fP ~ 60, \fBh\fP ~ 3600, \fBd\fP ~ 24 * 3600, \fBw\fP ~ 7 * 24 * 3600,
+\fBM\fP ~ 30 * 24 * 3600, \fBy\fP ~ 365 * 24 * 3600)
.IP \(bu 2
-\fBSIZE\fP – Number of bytes, an integer with possible size multiplier suffix
+\fBSIZE\fP – Number of bytes, an integer with a possible size multiplier suffix
(\fBB\fP ~ 1, \fBK\fP ~ 1024, \fBM\fP ~ 1024^2 or \fBG\fP ~ 1024^3)
.IP \(bu 2
\fBBASE64\fP – Base64 encoded string
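Review bot: with the new TIME suffixes, `m` (minute) and `M` (month) differ only in letter case, and nothing in the paragraph says suffixes are case-sensitive, so `rrsig-lifetime: 1M` is easy to misread as one minute. Add a sentence that suffixes are case-sensitive, and state that `M` and `y` are fixed 30-day and 365-day approximations (as the `30 * 24 * 3600` and `365 * 24 * 3600` factors show) rather than calendar months or years.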
@@ -268,6 +269,7 @@ server:
dbus\-init\-delay: TIME
listen: ADDR[@INT] | STR ...
listen\-quic: ADDR[@INT] ...
+ listen\-tls: ADDR[@INT] ...
.ft P
.fi
.UNINDENT
@@ -531,19 +533,15 @@ Maximum EDNS0 UDP payload size for IPv6.
\fIDefault:\fP \fB1232\fP
.SS key\-file
.sp
-Path to a server key PEM file which is used for DNS over QUIC communication.
+Path to a server key PEM file which is used for DNS over QUIC/TLS communication.
A non\-absolute path of a user specified key file is relative to the
-\fB@config_dir@\fP directory.
-.sp
-Change of this parameter requires restart of the Knot server to take effect.
+\fB/usr/local/etc/knot\fP directory.
.sp
\fIDefault:\fP auto\-generated key
.SS cert\-file
.sp
-Path to a server certificate PEM file which is used for DNS over QUIC communication.
-A non\-absolute path is relative to the \fB@config_dir@\fP directory.
-.sp
-Change of this parameter requires restart of the Knot server to take effect.
+Path to a server certificate PEM file which is used for DNS over QUIC/TLS communication.
+A non\-absolute path is relative to the \fB/usr/local/etc/knot\fP directory.
.sp
\fIDefault:\fP one\-time in\-memory certificate
.SS edns\-client\-subnet
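Review bot: dropping "Change of this parameter requires restart of the Knot server to take effect." from both key-file and cert-file implies the key and certificate are now picked up on reload, but nothing here says so; state explicitly whether a reload suffices, since operators rotating a DoT/DoQ certificate need to know. Separately, substituting @config_dir@ with the literal `/usr/local/etc/knot` bakes one build prefix into a page that packagers install under a different prefix; keep the template for this path or phrase it as "the configuration directory".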
@@ -604,20 +602,21 @@ catalog zones and their members) are loaded or successfully bootstrapped.
the signal parameters are \fIzone name\fP and \fIzone SOA serial\fP\&.
.IP \(bu 2
\fBkeys\-updated\fP \- The signal \fBkeys_updated\fP is emitted when a DNSSEC key set
-of this zone is updated.
+is updated; the signal parameter is \fIzone name\fP\&.
.IP \(bu 2
\fBksk\-submission\fP – The signal \fBzone_ksk_submission\fP is emitted if there is
a ready KSK present when the zone is signed; the signal parameters are
\fIzone name\fP, \fIKSK keytag\fP, and \fIKSK KASP id\fP\&.
.IP \(bu 2
\fBdnssec\-invalid\fP – The signal \fBzone_dnssec_invalid\fP is emitted when DNSSEC
-validation fails; the signal parameter is \fIzone name\fP\&.
+validation fails; the signal parameters are \fIzone name\fP, and \fIremaining seconds\fP
+until an RRSIG expires.
.UNINDENT
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
-This function requires systemd version at least 221.
+This function requires systemd version at least 221 or libdbus.
.UNINDENT
.UNINDENT
.sp
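Review bot: the new second parameter of `zone_dnssec_invalid`, "remaining seconds until an RRSIG expires", is only meaningful when the failure is an expiring or expired signature; say what the value is when validation fails for another reason (bad signature, broken NSEC chain), e.g. 0, so D-Bus consumers can distinguish the cases. Also drop the stray comma in "the signal parameters are \fIzone name\fP, and \fIremaining seconds\fP".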
@@ -655,14 +654,14 @@ for incoming queries over QUIC protocol.
Change of this parameter requires restart of the Knot server to take effect.
.sp
\fIDefault:\fP not set
+.SS listen\-tls
.sp
-\fBNOTE:\fP
-.INDENT 0.0
-.INDENT 3.5
-Incoming \fI\%DDNS\fP over QUIC isn\(aqt supported.
-The server always responds with SERVFAIL.
-.UNINDENT
-.UNINDENT
+One or more IP addresses (and optionally ports) where the server listens
+for incoming queries over TLS protocol (DoT).
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fIDefault:\fP not set
.SH XDP SECTION
.sp
Various options related to XDP listening, especially TCP.
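Review bot: deleting the NOTE that incoming DDNS over QUIC is unsupported (always SERVFAIL) implies updates over QUIC now work, but no other line in the patch says so; if that is the case, say it explicitly, and say whether the same holds for the new listen-tls (DoT) listener, whose text mirrors listen-quic's wording without the caveat. The listen-tls description should also state the port used when `@INT` is omitted.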
@@ -684,6 +683,9 @@ xdp:
tcp\-idle\-reset\-timeout: TIME
tcp\-resend\-timeout: TIME
route\-check: BOOL
+ ring\-size: INT
+ busypoll\-budget: INT
+ busypoll\-timeout: INT
.ft P
.fi
.UNINDENT
@@ -849,6 +851,63 @@ Only VLAN 802.1Q is supported.
.UNINDENT
.sp
\fIDefault:\fP \fBoff\fP
+.SS ring\-size
+.sp
+Size of RX, FQ, TX, and CQ rings.
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+This value should be at least as high as the configured RX size of the
+network device in the XDP mode.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fB2048\fP
+.SS busypoll\-budget
+.sp
+If set to a positive value, preferred busy polling is enabled with the
+specified budget.
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+Preferred busy polling also requires setting \fBnapi_defer_hard_irqs\fP and
+\fBgro_flush_timeout\fP for the appropriate network interface. E.g.:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+echo 2 | sudo tee /sys/class/net/<interface>/napi_defer_hard_irqs
+echo 200000 | sudo tee /sys/class/net/<interface>/gro_flush_timeout
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+A recommended value is between 8 and 64.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fB0\fP (disabled)
+.SS busypoll\-timeout
+.sp
+Timeout in microseconds of preferrred busy polling if enabled by
+\fI\%busypoll\-budget\fP\&.
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fIDefault:\fP \fB20\fP (20 microseconds)
.SH CONTROL SECTION
.sp
Configuration of the server control interface.
@@ -1266,6 +1325,7 @@ remote:
address: ADDR[@INT] | STR ...
via: ADDR[@INT] ...
quic: BOOL
+ tls: BOOL
key: key_id
cert\-key: BASE64 ...
block\-notify\-after\-transfer: BOOL
@@ -1356,6 +1416,12 @@ queried remotes.
.UNINDENT
.sp
\fIDefault:\fP \fBoff\fP
+.SS tls
+.sp
+If this option is set, the TLS (DoT) protocol will be used for outgoing communication
+with this remote.
+.sp
+\fIDefault:\fP \fBoff\fP
.SS key
.sp
A \fI\%reference\fP to the TSIG key which is used to authenticate
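Review bot: `quic: BOOL` and `tls: BOOL` are now both per-remote switches, and the new tls text does not say what happens when both are on (config-check error, or one takes precedence); document that. It should also state whether `cert-key` (listed in the same remote block) applies to TLS connections; without some certificate check, outgoing DoT encrypts the transfer but does not authenticate the peer.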
@@ -1787,8 +1853,6 @@ Possible values:
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
-Ed25519 algorithm is only available if compiled with GnuTLS 3.6.0+.
-.sp
Ed448 algorithm is only available if compiled with GnuTLS 3.6.12+ and Nettle 3.6+.
.UNINDENT
.UNINDENT
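Review bot: removing the "Ed25519 algorithm is only available if compiled with GnuTLS 3.6.0+" note is correct only if the minimum supported GnuTLS is now 3.6.0 or later; if the build still accepts an older GnuTLS, keep the note, since the Ed448 sentence right below still documents its own version floor.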
@@ -1955,6 +2019,10 @@ will be refreshed, in order to prevent expired RRSIGs on secondary servers or
resolvers\(aq caches.
.sp
\fIDefault:\fP 0.1 * \fI\%rrsig\-lifetime\fP + \fI\%propagation\-delay\fP + \fI\%zone\-max\-ttl\fP
+.sp
+If \fI\%dnssec\-validation\fP is enabled:
+.sp
+\fIDefault:\fP \fB1d\fP (1 day)
.SS rrsig\-pre\-refresh
.sp
A period (in seconds) how long at most before a signature refresh time the signature
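Review bot: two `\fIDefault:\fP` lines in one option read oddly; fold the validation case into one line, e.g. "Default: 0.1 * rrsig-lifetime + propagation-delay + zone-max-ttl, or 1d if dnssec-validation is enabled". It should also say that in validation mode the value acts as a minimum remaining RRSIG validity rather than a refresh trigger, because the signing-side sentence above ("will be refreshed") does not apply to a validating server.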
@@ -2638,7 +2706,9 @@ Every NSEC(3) RR is linked to the lexicographically next one.
.sp
The validation is not affected by \fI\%dnssec\-policy\fP configuration,
except for \fI\%signing\-threads\fP option, which specifies the number
-of threads for parallel validation.
+of threads for parallel validation, and \fI\%rrsig\-refresh\fP, which
+defines minimal allowed remaining RRSIG validity (otherwise a warning is
+logged).
.sp
\fBNOTE:\fP
.INDENT 0.0
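Review bot: "defines minimal allowed remaining RRSIG validity (otherwise a warning is logged)" leaves the outcome ambiguous: does a zone whose RRSIGs expire sooner than rrsig-refresh still load with only a warning, or is it treated as invalid and `zone_dnssec_invalid` emitted? State which, and that this is the same threshold the 1d validation default above refers to.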