Provided by: nsd_4.1.17-1build1_amd64 bug

NAME

       nsd.conf - NSD configuration file

SYNOPSIS

       nsd.conf

DESCRIPTION

       Nsd.conf  is  used  to  configure  nsd(8). The file format has attributes and values. Some
       attributes have attributes inside them. The notation is: attribute: value.

       Comments start with # and last to  the  end  of  line.  Empty  lines  are  ignored  as  is
       whitespace  at  the  beginning  of  a line. Quotes can be used, for names with spaces, eg.
       "file name.zone".

       Nsd.conf specifies options for the nsd server, zone files, primaries and secondaries.

EXAMPLE

       An example of a short nsd.conf file is below.

       # Example.com nsd.conf file
       # This is a comment.

       server:
            server-count: 1 # use this number of cpu cores
            database: ""  # or use "/var/lib/nsd/nsd.db"
            zonelistfile: "/var/lib/nsd/zone.list"
            username: nsd
            logfile: "/var/log/nsd.log"
            pidfile: "/run/nsd/nsd.pid"
            xfrdfile: "/var/lib/nsd/xfrd.state"

       zone:
            name: example.com
            zonefile: /etc/nsd/example.com.zone

       zone:
            # this server is master, 192.0.2.1 is the secondary.
            name: masterzone.com
            zonefile: /etc/nsd/masterzone.com.zone
            notify: 192.0.2.1 NOKEY
            provide-xfr: 192.0.2.1 NOKEY

       zone:
            # this server is secondary, 192.0.2.2 is master.
            name: secondzone.com
            zonefile: /etc/nsd/secondzone.com.zone
            allow-notify: 192.0.2.2 NOKEY
            request-xfr: 192.0.2.2 NOKEY

       Then, use kill -HUP to reload changes from master zone files.  And use kill -TERM to  stop
       the server.

FILE FORMAT

       There  must  be  whitespace  between keywords. Attribute keywords end with a colon ':'. An
       attribute is followed by its containing attributes, or a value.

       At the top level only server: and key: and pattern:  and  zone:  are  allowed.  These  are
       followed  by  their  attributes or the start of a new server: or key: or pattern: or zone:
       clause. The zone: attribute is followed by zone options. The server: attribute is followed
       by  global  options  for  the  NSD  server.  A  key:  attribute is used to define keys for
       authentication. The pattern: attribute is followed by the zone options for zones that  use
       the pattern.

       Files  can  be  included using the include: directive. It can appear anywhere, and takes a
       single filename as an argument. Processing continues as if the text from the included file
       was  copied  into the config file at that point.  If a chroot is used an absolute filename
       is needed (with the chroot prepended), so that the include can be parsed before and  after
       application  of the chroot (and the knowledge of what that chroot is).  You can use '*' to
       include a wildcard match of files, eg. "foo/nsd.d/*.conf".  Also '?', '{}', '[]', and  '~'
       work, see glob(7).  If no files match the pattern, this is not an error.

   Server Options
       The global options (if not overridden from the NSD commandline) are taken from the server:
       clause. There may only be one server: clause.

       ip-address: <ip4 or ip6>[@port]
              NSD will bind to the listed ip-address. Can be give multiple times to bind multiple
              ip-addresses.  Optionally,  a  port  number  can  be  given.  If none are given NSD
              listens to the wildcard interface. Same as commandline option -a.  For servers with
              multiple  IP  addresses that can be used to send traffic to the internet, list them
              one by one, or the source address of replies could be wrong.  This  is  because  if
              the  udp socket associates a source address of 0.0.0.0 then the kernel picks an ip-
              address with which to send to the internet, and it picks the wrong one.   Typically
              needed for anycast instances.  Use ip-transparent to be able to list addresses that
              turn on later (typical for certain load-balancing).

       interface: <ip4 or ip6>[@port]
              Same as ip-address (for easy of compatibility with unbound.conf).

       ip-transparent: <yes or no>
              Allows NSD to bind to non local addresses. This is useful to have NSD listen to  IP
              addresses  that are not (yet) added to the network interface, so that it can answer
              immediately when the address is added. Default is no.

       ip-freebind: <yes or no>
              Set the IP_FREEBIND option to bind to nonlocal addresses and  interfaces  that  are
              down.  Similar to ip-transparent.  Default is no.

       reuseport: <yes or no>
              Use the SO_REUSEPORT socket option, and create file descriptors for every server in
              the server-count.  This improves performance of the  network  stack.   Only  really
              useful  if  you  also configure a server-count higher than 1 (such as, equal to the
              number of cpus).  The default is no.  It works on  Linux,  but  does  not  work  on
              FreeBSD, and likely does not work on other systems.

       debug-mode: <yes or no>
              Turns  on  debugging  mode for nsd, does not fork a daemon process.  Default is no.
              Same as commandline option -d.  If set to yes it does not fork  and  stays  in  the
              foreground,  which  can  be  helpful for commandline debugging, but is also used by
              certain server supervisor processes to ascertain that the server is running.

       do-ip4: <yes or no>
              If yes, NSD listens to IPv4 connections.  Default yes.

       do-ip6: <yes or no>
              If yes, NSD listens to IPv6 connections.  Default yes.

       database: <filename>
              By default '/var/lib/nsd/nsd.db' is used. The specified file is used to  store  the
              compiled  zone  information.  Same  as commandline option -f.  If set to "" then no
              database is used.  This uses less memory but zone  updates  are  not  (immediately)
              spooled to disk.

       zonelistfile: <filename>
              By  default /var/lib/nsd/zone.list is used. The specified file is used to store the
              dynamically added list of zones.  The list is written to by NSD to add  and  delete
              zones.   It  is  a  text file with a zone-name and pattern-name on each line.  This
              file is used for the nsd-control addzone and delzone commands.

       identity: <string>
              Returns the specified identity when asked for CH TXT  ID.SERVER.   Default  is  the
              name as returned by gethostname(3). Same as commandline option -i.

       version: <string>
              Returns  the  specified  version  string  when asked for CH TXT version.server, and
              version.bind queries.  Default is the compiled package version.   See  hide-version
              to set the server to not respond to such queries.

       nsid: <string>
              Add  the specified nsid to the EDNS section of the answer when queried with an NSID
              EDNS enabled packet.  As a sequence of hex characters or  with  ascii_  prefix  and
              then an ascii string.  Same as commandline option -I.

       logfile: <filename>
              Log  messages  to  the  logfile.  The  default is to log to stderr and syslog (with
              facility LOG_DAEMON). Same as commandline option -l.

       server-count: <number>
              Start this many NSD servers. Default is 1. Same as commandline option -N.

       tcp-count: <number>
              The maximum number of concurrent, active TCP connections by each  server.   Default
              is 100. Same as commandline option -n.

       tcp-query-count: <number>
              The  maximum  number  of  queries served on a single TCP connection.  Default is 0,
              meaning there is no maximum.

       tcp-timeout: <number>
              Overrides the default TCP timeout. This also affects zone transfers over TCP.

       tcp-mss: <number>
              Maximum segment size (MSS) of TCP socket on which the server responds  to  queries.
              Value  lower  than  common MSS on Ethernet (1220 for example) will address path MTU
              problem.   Note  that  not  all  platform  supports  socket  option  to   set   MSS
              (TCP_MAXSEG).   Default  is  system  default  MSS  determined  by interface MTU and
              negotiation between server and client.

       outgoing-tcp-mss: <number>
              Maximum segment size (MSS)  of  TCP  socket  for  outgoing  XFR  request  to  other
              namesevers. Value lower than common MSS on Ethernet (1220 for example) will address
              path MTU problem.  Note that not all platform supports socket  option  to  set  MSS
              (TCP_MAXSEG).   Default  is  system  default  MSS  determined  by interface MTU and
              negotiation between NSD and other servers.

       ipv4-edns-size: <number>
              Preferred EDNS buffer size for IPv4.  Default 4096.

       ipv6-edns-size: <number>
              Preferred EDNS buffer size for IPv6.  Default 4096.

       pidfile: <filename>
              Use  the  pid  file   instead   of   the   platform   specific   default,   usually
              /run/nsd/nsd.pid.  Same as commandline option -P.

       port: <number>
              Answer queries on the specified port. Default is 53. Same as commandline option -p.

       statistics: <number>
              If  not  present  no  statistics  are  dumped. Statistics are produced every number
              seconds. Same as commandline option -s.

       chroot: <directory>
              NSD will chroot on startup to the specified directory. Note that  if  elsewhere  in
              the configuration you specify an absolute pathname to a file inside the chroot, you
              have to prepend the chroot path. That way, you can switch the chroot option on  and
              off  without  having to modify anything else in the configuration. Set the value to
              "" (the empty string) to disable the  chroot.  By  default  ""  is  used.  Same  as
              commandline option -t.

       username: <username>
              After  binding  the  socket,  drop  user privileges and assume the username. Can be
              username, id or id.gid. Same as commandline option -u.

       zonesdir: <directory>
              Change the working directory to  the  specified  directory  before  accessing  zone
              files.  Also,  NSD  will access database, zonelistfile, logfile, pidfile, xfrdfile,
              xfrdir, server-key-file, server-cert-file, control-key-file  and  control-cert-file
              relative  to  this directory. Set the value to "" (the empty string) to disable the
              change of working directory. By default "/etc/nsd" is used.

       difffile: <filename>
              Ignored, for compatibility with NSD3 config files.

       xfrdfile: <filename>
              The soa timeout and zone transfer daemon in NSD will save its state to  this  file.
              State  is read back after a restart. The state file can be deleted without too much
              harm, but timestamps of zones will be gone.  If it is configured as "",  the  state
              file  is  not used, all slave zones are checked for updates upon startup.  For more
              details  see  the  section  on  zone   expiry   behavior   of   NSD.   Default   is
              /var/lib/nsd/xfrd.state.

       xfrdir: <directory>
              The  zone  transfers  are  stored  here  before they are processed.  A directory is
              created here that is removed when NSD exits.  Default is /tmp.

       xfrd-reload-timeout: <number>
              If this value is -1, xfrd will not trigger a  reload  after  a  zone  transfer.  If
              positive  xfrd  will  trigger a reload after a zone transfer, then it will wait for
              the number of seconds before it will trigger  a  new  reload.  Setting  this  value
              throttles the reloads to once per the number of seconds. The default is 1 second.

       verbosity: <level>
              This  value specifies the verbosity level for (non-debug) logging.  Default is 0. 1
              gives more information about incoming notifies and zone  transfers.  2  lists  soft
              warnings that are encountered. 3 prints more information.

              Verbosity  0 will print warnings and errors, and other events that are important to
              keep NSD running.

              Verbosity  1  prints  additionally  messages  of  interest.   Successful  notifies,
              successful  incoming  zone  transfer  (the  zone  is updated), failed incoming zone
              transfers or the inability to process zone updates.

              Verbosity 2 prints additionally soft errors, like connection resets over TCP.   And
              notify refusal, and axfr request refusals.

       hide-version: <yes or no>
              Prevent  NSD from replying with the version string on CHAOS class queries.  Default
              is no.

       log-time-ascii: <yes or no>
              Log time in ascii, if "no" then in seconds epoch.  Default is  yes.   This  chooses
              the format when logging to file.  The printout via syslog has a timestamp formatted
              by syslog.

       round-robin: <yes or no>
              Enable round robin rotation of records in the answer.  This changes  the  order  of
              records in the answer and this may balance load across them.  The default is no.

       minimal-responses: <yes or no>
              Enable  minimal  responses for smaller answers.  This makes packets smaller.  Extra
              data is only added for referrals, when it is really necessary.  This  is  different
              from  the  --enable-minimal-responses  configure time option, that reduces packets,
              but exactly to the fragmentation length, the nsd.conf  option  reduces  packets  as
              small as possible.  The default is no.

       zonefiles-check: <yes or no>
              Make  NSD  check the mtime of zone files on start and sighup.  If you disable it it
              starts faster (less disk activity in case of a lot of zones).  The default is  yes.
              The nsd-control reload command reloads zone files regardless of this option.

       zonefiles-write: <seconds>
              Write  changed  secondary  zones  to  their  zonefile every N seconds.  If the zone
              (pattern) configuration has "" zonefile,  it  is  not  written.   Zones  that  have
              received  zone  transfer  updates  are  written  to  their  zonefile.  Default is 0
              (disabled) when there is a database, and 3600 (1 hour) when database  is  "".   The
              database  also  commits zone transfer contents.  You can configure it away from the
              default by putting the config statement for zonefiles-write:  after  the  database:
              statement in the config file.

       rrl-size: <numbuckets>
              This option gives the size of the hashtable. Default 1000000. More buckets use more
              memory, and reduce the chance of hash collisions.

       rrl-ratelimit: <qps>
              The max qps allowed (from one query source). Default is on (with  a  suggested  200
              qps).   If   set  to  0  then  it  is  disabled  (unlimited  rate),  also  set  the
              whitelist-ratelimit to 0 to disable ratelimit processing.  If you set verbosity  to
              2  the  blocked  and unblocked subnets are logged.  Blocked queries are blocked and
              some receive TCP fallback replies.  Once the rate  limit  is  reached,  NSD  begins
              dropping  responses.  However,  one  in  every  "rrl-slip"  number  of responses is
              allowed, with the TC bit set. If slip is set to 2, the outgoing response rate  will
              be  halved.  If it's set to 3, the outgoing response rate will be one-third, and so
              on.  If you set rrl-slip to 10, traffic is reduced to  1/10th.   Ratelimit  options
              rrl-ratelimit,  rrl-size  and  rrl-whitelist-ratelimit are updated when nsd-control
              reconfig is done (also the zone-specific ratelimit options are updated).

       rrl-slip: <numpackets>
              This option controls the number of packets discarded before we  send  back  a  SLIP
              response  (a  response  with "truncated" bit set to one). 0 disables the sending of
              SLIP packets, 1 means every query will get a SLIP response.   Default  is  2,  cuts
              traffic in half and legit users have a fair chance to get a +TC response.

       rrl-ipv4-prefix-length: <subnet>
              IPv4 prefix length. Addresses are grouped by netblock.  Default 24.

       rrl-ipv6-prefix-length: <subnet>
              IPv6 prefix length. Addresses are grouped by netblock.  Default 64.

       rrl-whitelist-ratelimit: <qps>
              The  max  qps for query sorts for a source, which have been whitelisted. Default on
              (with a suggested 2000 qps). With the rrl-whitelist option  you  can  set  specific
              queries  to  receive  this qps limit instead of the normal limit.  With the value 0
              the rate is unlimited.

   Remote Control
       The remote-control: clause is used to set options for using  the  nsd-control(8)  tool  to
       give  commands  to  the  running  NSD  server.  It is disabled by default, and listens for
       localhost by default.  It uses TLS over TCP where the server and  client  authenticate  to
       each  other  with self-signed certificates.  The self-signed certificates can be generated
       with the nsd-control-setup tool.  The key files are read by  NSD  before  the  chroot  and
       before  dropping  user  permissions, so they can be outside the chroot and readable by the
       superuser only.

       control-enable: <yes or no>
              Enable remote control, default is no.

       control-interface: <ip4 or ip6>
              NSD will bind to the listed addresses to service control requests (on TCP).  Can be
              given multiple times to bind multiple ip-addresses.  Use 0.0.0.0 and ::0 to service
              the wildcard interface.  If none are given NSD listens to the  localhost  127.0.0.1
              and ::1 interfaces for control, if control is enabled with control-enable.

       control-port: <number>
              The port number for remote control service. 8952 by default.

       server-key-file: <filename>
              Path  to  the server private key, by default /etc/nsd/nsd_server.key.  This file is
              generated by the nsd-control-setup utility.  This file is used by the  nsd  server,
              but not by nsd-control.

       server-cert-file: <filename>
              Path  to  the  server  self signed certificate, by default /etc/nsd/nsd_server.pem.
              This file is generated by the nsd-control-setup utility.  This file is used by  the
              nsd server, and also by nsd-control.

       control-key-file: <filename>
              Path  to the control client private key, by default /etc/nsd/nsd_control.key.  This
              file is  generated  by  the  nsd-control-setup  utility.   This  file  is  used  by
              nsd-control.

       control-cert-file: <filename>
              Path  to the control client certificate, by default /etc/nsd/nsd_control.pem.  This
              certificate has to be signed with the server certificate.  This file  is  generated
              by the nsd-control-setup utility.  This file is used by nsd-control.

   Pattern Options
       The  pattern:  clause is used to denote a set of options to apply to some zones.  The same
       zone options as for a zone are allowed.

       name: <string>
              The name of the pattern.  This is a (case sensitive)  string.   The  pattern  names
              that  start  with  "_implicit_"  are used internally for zones that have no pattern
              (they are defined in nsd.conf directly).

       include-pattern: <pattern-name>
              The options from the given pattern are included at this point in this pattern.  The
              referenced pattern must be defined above this one.

       <zone option>: <value>
              The  zone options such as zonefile, allow-notify, request-xfr, allow-axfr-fallback,
              notify, notify-retry, provide-xfr, zonestats, and outgoing-interface can be  given.
              They are applied to the patterns and zones that include this pattern.

   Zone Options
       For  every  zone  the options need to be specified in one zone: clause. The access control
       list elements can be given multiple times to add multiple servers. These elements need  to
       be added explicitly.

       For zones that are configured in the nsd.conf config file their settings are hardcoded (in
       an implicit pattern for themselves only) and they  cannot  be  deleted  via  delzone,  but
       remove them from the config file and repattern.

       name: <string>
              The name of the zone. This is the domain name of the apex of the zone. May end with
              a '.' (in FQDN  notation).  For  example  "example.com",  "sub.example.net.".  This
              attribute must be present in each zone.

       zonefile: <filename>
              The  file  containing the zone information. If this attribute is present it is used
              to read and write the zone contents. If the attribute is absent it prevents writing
              out of the zone.

              The  string is processed so that one string can be used (in a pattern) for a lot of
              different zones.  If the label or character does not exist the percent-character is
              replaced  with  a  period  for output (i.e. for the third character in a two letter
              domain name).

              %s is replaced with the zone name.

              %1 is replaced with the first character of the zone name.

              %2 is replaced with the second character of the zone name.

              %3 is replaced with the third character of the zone name.

              %z is replaced with the toplevel domain name of the zone.

              %y is replaced with the next label under the toplevel domain.

              %x is replaced with the next-next label under the toplevel domain.

       allow-notify: <ip-spec> <key-name | NOKEY | BLOCKED>
              Access control list. The listed (primary) address is allowed to  send  notifies  to
              this  (secondary)  server. Notifies from unlisted or specifically BLOCKED addresses
              are discarded. If NOKEY is given no TSIG signature is required.  BLOCKED supersedes
              other  entries,  other  entries  are  scanned  for  a  match  in  the  order of the
              statements.

              The ip-spec is either a plain IP address (IPv4 or IPv6), or can be a subnet of  the
              form  1.2.3.4/24,  or  masked  like  1.2.3.4&255.255.255.0  or  a range of the form
              1.2.3.4-1.2.3.25.  A port number can be  added  using  a  suffix  of  @number,  for
              example  1.2.3.4@5300 or 1.2.3.4/24@5300 for port 5300.  Note the ip-spec ranges do
              not use spaces around the /, &, @ and - symbols.

       request-xfr: [AXFR|UDP] <ip-address> <key-name | NOKEY>
              Access control list. The listed address (the master) is queried  for  AXFR/IXFR  on
              update.  A  port  number  can  be  added  using  a  suffix  of @number, for example
              1.2.3.4@5300. The specified key is used during AXFR/IXFR.

              If the AXFR option is given, the server will not be contacted with IXFR queries but
              only AXFR requests will be made to the server. This allows an NSD secondary to have
              a master server that runs NSD. If the AXFR option is left out then  both  IXFR  and
              AXFR requests are made to the master server.

              If  the  UDP  option  is  given,  the  secondary  will use UDP to transmit the IXFR
              requests. You should deploy TSIG  when  allowing  UDP  transport,  to  authenticate
              notifies  and  zone transfers. Otherwise, NSD is more vulnerable for Kaminsky-style
              attacks. If the UDP option is left out then IXFR will be transmitted using TCP.

       allow-axfr-fallback: <yes or no>
              This option should be accompanied by request-xfr. It (dis)allows NSD (as secondary)
              to  fallback  to  AXFR if the primary name server does not support IXFR. Default is
              yes.

       size-limit-xfr: <number>
              This option should be accompanied by request-xfr. It specifies XFR  temporary  file
              size limit.  It can be used to stop very large zone retrieval, that could otherwise
              use up a lot of memory and disk space.  If this option  is  0,  unlimited.  Default
              value is 0.

       notify: <ip-address> <key-name | NOKEY>
              Access  control  list.  The  listed address (a secondary) is notified of updates to
              this zone. A port number can be added  using  a  suffix  of  @number,  for  example
              1.2.3.4@5300.  The  specified  key  is  used  to sign the notify. Only on secondary
              configurations will NSD be able to detect zone updates (as it gets notified itself,
              or refreshes after a time).

       notify-retry: <number>
              This  option  should  be  accompanied by notify. It sets the number of retries when
              sending notifies.

       provide-xfr: <ip-spec> <key-name | NOKEY | BLOCKED>
              Access control list. The listed address (a secondary) is allowed  to  request  AXFR
              from  this  server. Zone data will be provided to the address. The specified key is
              used during AXFR. For unlisted or BLOCKED addresses no data is  provided,  requests
              are  discarded.   BLOCKED supersedes other entries, other entries are scanned for a
              match in the order of the statements.  NSD provides AXFR for its  secondaries,  but
              IXFR  is  not  implemented  (IXFR  is  implemented  for  request-xfr,  but  not for
              provide-xfr).

              The ip-spec is either a plain IP address (IPv4 or IPv6), or can be a subnet of  the
              form  1.2.3.4/24,  or  masked  like  1.2.3.4&255.255.255.0  or  a range of the form
              1.2.3.4-1.2.3.25.  A port number can be  added  using  a  suffix  of  @number,  for
              example  1.2.3.4@5300  or 1.2.3.4/24@5300 for port 5300. Note the ip-spec ranges do
              not use spaces around the /, &, @ and - symbols.

       outgoing-interface: <ip-address>
              Access control list. The listed address is used to request AXFR|IXFR (in case of  a
              secondary) or used to send notifies (in case of a primary).

              The  ip-address  is  a plain IP address (IPv4 or IPv6).  A port number can be added
              using a suffix of @number, for example 1.2.3.4@5300.

       max-refresh-time: <seconds>
              Limit refresh time for secondary zones.  This is the timer which checks to  see  if
              the  zone  has  to  be  refetched when it expires.  Normally the value from the SOA
              record is used, but this option restricts that value.

       min-refresh-time: <seconds>
              Limit refresh time for secondary zones.

       max-retry-time: <seconds>
              Limit retry time for secondary zones.  This is the timeout  after  a  failed  fetch
              attempt  for  the  zone.   Normally the value from the SOA record is used, but this
              option restricts that value.

       min-retry-time: <seconds>
              Limit retry time for secondary zones.

       zonestats: <name>
              When compiled with --enable-zone-stats NSD can collect statistics per  zone.   This
              name  gives  the  group  where statistics are added to.  The groups are output from
              nsd-control stats and stats_noreset.  Default is "".  You can use "%s" to  use  the
              name  of  the  zone to track its statistics.  If not compiled in, the option can be
              given but is ignored.

       include-pattern: <pattern-name>
              The options from the given pattern are included  at  this  point.   The  referenced
              pattern must be defined above this zone.

       rrl-whitelist: <rrltype>
              This  option  causes queries of this rrltype to be whitelisted, for this zone. They
              receive the whitelist-ratelimit. You can give multiple lines, each  enables  a  new
              rrltype  to  be whitelisted for the zone. Default has none whitelisted. The rrltype
              is the query classification that the NSD RRL employs to make  different  types  not
              interfere  with one another.  The types are logged in the loglines when a subnet is
              blocked (in verbosity 2).  The  RRL  classification  types  are:  nxdomain,  error,
              referral, any, rrsig, wildcard, nodata, dnskey, positive, all.

       multi-master-check: <yes or no>
              Default  no.   If  enabled,  checks  all masters for the last version.  It uses the
              higher version of all the configured masters.  Useful if you have multiple  masters
              that have different version numbers served.

   Key Declarations
       The  key:  clause  establishes a key for use in access control lists. It has the following
       attributes.

       name: <string>
              The key name. Used to refer to this key in the access control list.  The  key  name
              has  to be correct for tsig to work.  This is because the key name is output on the
              wire.

       algorithm: <string>
              Authentication algorithm for this key.  Such as hmac-md5,  hmac-sha1,  hmac-sha224,
              hmac-sha256,  hmac-sha384  and  hmac-sha512.   Can  also  be abbreviated as 'sha1',
              'sha256'.  Default is  sha256.   Algorithms  are  only  available  when  they  were
              compiled in (available in the crypto library).

       secret: <base64 blob>
              The  base64  encoded  shared  secret. It is possible to put the secret: declaration
              (and base64 blob) into a different file, and then to include: that  file.  In  this
              way the key secret and the rest of the configuration file, which may have different
              security policies, can be split apart.  The content of the  secret  is  the  agreed
              base64  secret  content.   To  make  it  up, enter a password (its length must be a
              multiple of 4 characters, A-Za-z0-9), or use dev-random  output  through  a  base64
              encode filter.

NSD CONFIGURATION FOR BIND9 HACKERS

       BIND9   is   a  name  server  implementation  with  its  own  configuration  file  format,
       named.conf(5). BIND9 types zones as 'Master' or 'Slave'.

   Slave zones
       For a slave zone, the master servers are listed. The master servers are queried  for  zone
       data,  and  are listened to for update notifications.  In NSD these two properties need to
       be configured separately, by listing the master address in  allow-notify  and  request-xfr
       statements.

       In  BIND9  you  only  need  to  provide  allow-notify  elements  for  any extra sources of
       notifications (i.e. the operators), NSD needs to have allow-notify for  both  masters  and
       operators. BIND9 allows additional transfer sources, in NSD you list those as request-xfr.

       Here is an example of a slave zone in BIND9 syntax.

       # Config file for example.org options {
            dnssec-enable yes;
       };

       key tsig.example.org. {
            algorithm hmac-md5;
            secret "aaaaaabbbbbbccccccdddddd";
       };

       server 162.0.4.49 {
            keys { tsig.example.org. ; };
       };

       zone "example.org" {
            type slave;
            file "secondary/example.org.signed";
            masters { 162.0.4.49; };
       };

       For  NSD,  DNSSEC  is  enabled  automatically for zones that are signed. The dnssec-enable
       statement in the options clause is not needed. In NSD  keys  are  associated  with  an  IP
       address  in  the  access  control  list statement, therefore the server{} statement is not
       needed. Below is the same example in an NSD config file.

       # Config file for example.org
       key:
            name: tsig.example.org.
            algorithm: hmac-md5
            secret: "aaaaaabbbbbbccccccdddddd"

       zone:
            name: "example.org"
            zonefile: "secondary/example.org.signed"
            # the master is allowed to notify and will provide zone data.
            allow-notify: 162.0.4.49 NOKEY
            request-xfr: 162.0.4.49 tsig.example.org.

       Notice that the master is listed twice, once to allow it to send notifies  to  this  slave
       server  and  once  to  tell  the  slave  server  where to look for updates zone data. More
       allow-notify and request-xfr lines can be added to specify more masters.

       It is possible to specify extra allow-notify lines for addresses that are also allowed  to
       send notifications to this slave server.

   Master zones
       For  a  master  zone  in BIND9, the slave servers are listed. These slave servers are sent
       notifications of updated and are allowed to request transfer of  the  zone  data.  In  NSD
       these two properties need to be configured separately.

       Here is an example of a master zone in BIND9 syntax.

       zone "example.nl" {
            type master;
            file "example.nl";
       };

       In NSD syntax this becomes:

       zone:
            name: "example.nl"
            zonefile: "example.nl"
            # allow anybody to request xfr.
            provide-xfr: 0.0.0.0/0 NOKEY
            provide-xfr: ::0/0 NOKEY

            # to list a slave server you would in general give
            # provide-xfr: 1.2.3.4 tsig-key.name.
            # notify: 1.2.3.4 NOKEY

   Other
       NSD  is  an  authoritative  only  DNS  server. This means that it is meant as a primary or
       secondary server for zones, providing DNS data to DNS  resolvers  and  caches.  BIND9  can
       function  as  an authoritative DNS server, the configuration options for that are compared
       with those for NSD in this section. However, BIND9 can also  function  as  a  resolver  or
       cache.  The  configuration options that BIND9 has for the resolver or caching thus have no
       equivalents for NSD.

FILES

       "/var/lib/nsd/nsd.db"
              default NSD database

       /etc/nsd/nsd.conf
              default NSD configuration file

SEE ALSO

       nsd(8), nsd-checkconf(8), nsd-control(8)

AUTHORS

       NSD was written by NLnet Labs and RIPE NCC joint team. Please  see  CREDITS  file  in  the
       distribution for further details.

BUGS

       nsd.conf is parsed by a primitive parser, error messages may not be to the point.