bionic (5) knot.conf.5.gz

Provided by: knot_2.6.5-3_amd64 bug

NAME

       knot.conf - Knot DNS configuration file

DESCRIPTION

       Configuration  files  for  Knot  DNS  use  simplified  YAML  format. Simplified means that not all of the
       features are supported.

       For the description of configuration items, we have to declare a meaning of the following symbols:

       • INT – Integer

       • STR – Textual string

       • HEXSTR – Hexadecimal string (with 0x prefix)

       • BOOL – Boolean value (on/off or true/false)

       • TIME – Number of seconds, an integer with possible time multiplier suffix (s ~ 1, m ~ 60, h ~ 3600 or d
         ~ 24 * 3600)

       • SIZE – Number of bytes, an integer with possible size multiplier suffix (B ~ 1, K ~ 1024, M ~ 1024^2 or
         G ~ 1024^3)

       • BASE64 – Base64 encoded string

       • ADDR – IPv4 or IPv6 address

       • DNAME – Domain name

       • … – Multi-valued item, order of the values is preserved

       • [ ] – Optional value

       • | – Choice

       There are 12 main sections (module, server, control, log, statistics, keystore, policy, key, acl, remote,
       template,  and  zone)  and module sections with the mod- prefix.  Most of the sections (excluding server,
       control, and statistics) are sequences of settings blocks. Each  settings  block  begins  with  a  unique
       identifier,  which  can  be  used  as a reference from other sections (such identifier must be defined in
       advance).

       A multi-valued item can be specified either as a YAML sequence:

          address: [10.0.0.1, 10.0.0.2]

       or as more single-valued items each on an extra line:

          address: 10.0.0.1
          address: 10.0.0.2

       If an item value contains spaces or other special characters, it  is  necessary  to  enclose  such  value
       within double quotes " ".

COMMENTS

       A comment begins with a # character and is ignored during processing.  Also each configuration section or
       sequence block allows a permanent comment using the comment item which is stored in the server beside the
       configuration.

INCLUDES

       Another  configuration file or files, matching a pattern, can be included at the top level in the current
       file. If the path is not absolute, then it is considered to be relative to the current file. The  pattern
       can  be  an  arbitrary  string  meeting  POSIX  glob  requirements,  e.g. dir/*.conf.  Matching files are
       processed in sorted order.

          include: STR

MODULE SECTION

       Dynamic modules loading configuration.

       NOTE:
          If configured with non-empty `--with-moduledir=path` parameter, all shared modules in  this  directory
          will be automatically loaded.

          module:
            - id: STR
              file: STR

   id
       A module identifier in the form of the mod- prefix and module name suffix.

   file
       A path to a shared library file with the module implementation.

       Default:  ${libdir}/knot/modules-${version}/module_name.so  (or ${path}/module_name.so if configured with
       --with-moduledir=path)

       WARNING:
          If the path is not absolute, the library is searched in the set of system directories. See man  dlopen
          for more details.

SERVER SECTION

       General options related to the server.

          server:
              identity: [STR]
              version: [STR]
              nsid: [STR|HEXSTR]
              rundir: STR
              user: STR[:STR]
              pidfile: STR
              udp-workers: INT
              tcp-workers: INT
              background-workers: INT
              async-start: BOOL
              tcp-handshake-timeout: TIME
              tcp-idle-timeout: TIME
              tcp-reply-timeout: TIME
              max-tcp-clients: INT
              max-udp-payload: SIZE
              max-ipv4-udp-payload: SIZE
              max-ipv6-udp-payload: SIZE
              listen: ADDR[@INT] ...

   identity
       An  identity  of  the  server  returned  in  the  response  to  the  query  for  TXT record id.server. or
       hostname.bind. in the CHAOS class (RFC 4892).  Set empty value to disable.

       Default: FQDN hostname

   version
       A version of the server software returned in the response to the query for TXT record version.server.  or
       version.bind. in the CHAOS class (RFC 4892). Set empty value to disable.

       Default: server version

   nsid
       A DNS name server identifier (RFC 5001). Set empty value to disable.

       Default: FQDN hostname

   rundir
       A path for storing run-time data (PID file, unix sockets, etc.).

       Default: ${localstatedir}/run/knot (configured with --with-rundir=path)

   user
       A system user with an optional system group (user:group) under which the server is run after starting and
       binding to interfaces. Linux capabilities are employed if supported.

       Default: root:root

   pidfile
       A PID file location.

       Default: rundir/knot.pid

   udp-workers
       A number of UDP workers (threads) used to process incoming queries over UDP.

       Default: auto-estimated optimal value based on the number of online CPUs

   tcp-workers
       A number of TCP workers (threads) used to process incoming queries over TCP.

       Default: auto-estimated optimal value based on the number of online CPUs

   background-workers
       A number of workers (threads) used to execute background operations (zone loading, zone updates, etc.).

       Default: auto-estimated optimal value based on the number of online CPUs

   async-start
       If enabled, server doesn’t wait for the zones  to  be  loaded  and  starts  responding  immediately  with
       SERVFAIL answers until the zone loads.

       Default: off

   tcp-handshake-timeout
       Maximum  time  between  newly  accepted TCP connection and the first query.  This is useful to disconnect
       inactive connections faster than connections that already made at least 1 meaningful query.

       Default: 5

   tcp-idle-timeout
       Maximum idle time between requests on a TCP connection. This also limits receiving  of  a  single  query,
       each query must be received in this time limit.

       Default: 20

   tcp-reply-timeout
       Maximum time to wait for an outgoing connection or for a reply to an issued request (SOA, NOTIFY, AXFR…).

       Default: 10

   max-tcp-clients
       A  maximum number of TCP clients connected in parallel, set this below the file descriptor limit to avoid
       resource exhaustion.

       Default: 100

   max-udp-payload
       Maximum EDNS0 UDP payload size default for both IPv4 and IPv6.

       Default: 4096

   max-ipv4-udp-payload
       Maximum EDNS0 UDP payload size for IPv4.

       Default: 4096

   max-ipv6-udp-payload
       Maximum EDNS0 UDP payload size for IPv6.

       Default: 4096

   listen
       One or more IP addresses where the server listens for  incoming  queries.   Optional  port  specification
       (default  is  53)  can be appended to each address using @ separator. Use 0.0.0.0 for all configured IPv4
       addresses or :: for all configured IPv6 addresses.

       Default: not set

KEY SECTION

       Shared TSIG keys used to authenticate communication with the server.

          key:
            - id: DNAME
              algorithm: hmac-md5 | hmac-sha1 | hmac-sha224 | hmac-sha256 | hmac-sha384 | hmac-sha512
              secret: BASE64

   id
       A key name identifier.

       NOTE:
          This value MUST be exactly the same as  the  name  of  the  TSIG  key  on  the  opposite  master/slave
          server(s).

   algorithm
       A key algorithm.

       Default: not set

   secret
       Shared key secret.

       Default: not set

ACL SECTION

       Access  control  list  rule definitions. The ACLs are used to match incoming connections to allow or deny
       requested operation (zone transfer request, DDNS update, etc.).

          acl:
            - id: STR
              address: ADDR[/INT] | ADDR-ADDR ...
              key: key_id ...
              action: notify | transfer | update ...
              deny: BOOL

   id
       An ACL rule identifier.

   address
       An ordered list of IP addresses, network subnets, or network ranges. The query must match  one  of  them.
       Empty value means that address match is not required.

       Default: not set

   key
       An  ordered  list  of  references  to TSIG keys. The query must match one of them. Empty value means that
       transaction authentication is not used.

       Default: not set

   action
       An ordered list of allowed (or denied) actions.

       Possible values:

       • transfer – Allow zone transfer

       • notify – Allow incoming notify

       • update – Allow zone updates

       Default: not set

   deny
       If enabled, instead of allowing, deny the specified action, address, key, or combination if these  items.
       If no action is specified, deny all actions.

       Default: off

CONTROL SECTION

       Configuration of the server control interface.

          control:
              listen: STR
              timeout: TIME

   listen
       A UNIX socket path where the server listens for control commands.

       Default: rundir/knot.sock

   timeout
       Maximum time the control socket operations can take. Set 0 for infinity.

       Default: 5

STATISTICS SECTION

       Periodic server statistics dumping.

          statistics:
              timer: TIME
              file: STR
              append: BOOL

   timer
       A period after which all available statistics metrics will by written to the file.

       Default: not set

   file
       A file path of statistics output in the YAML format.

       Default: rundir/stats.yaml

   append
       If enabled, the output will be appended to the file instead of file replacement.

       Default: off

KEYSTORE SECTION

       DNSSEC keystore configuration.

          keystore:
            - id: STR
              backend: pem | pkcs11
              config: STR

   id
       A keystore identifier.

   backend
       A key storage backend type. A directory with PEM files or a PKCS #11 storage.

       Default: pem

   config
       A  backend  specific  configuration.  A directory with PEM files (the path can be specified as a relative
       path to kasp-db) or a configuration string for PKCS #11 storage.

       NOTE:
          Example configuration string for PKCS #11:

              "pkcs11:token=knot;pin-value=1234 /usr/lib64/pkcs11/libsofthsm2.so"

       Default: kasp-db/keys

SUBMISSION SECTION

       Parameters of KSK submission checks.

          submission:
            - id: STR
              parent: remote_id ...
              check-interval: TIME
              timeout: TIME

   id
       A submission identifier.

   parent
       A list of references to parent’s DNS servers to be checked for presence of corresponding  DS  records  in
       the  case  of  KSK  submission. All of them must have a corresponding DS for the rollover to continue. If
       none is specified, the rollover must be pushed forward manually.

       Default: not set

   check-interval
       Interval for periodic checks of DS presence on parent’s DNS servers, in the case of the KSK submission.

       Default: 1 hour

   timeout
       After this period, the KSK submission is automatically considered successful, even if all the checks were
       negative or no parents are configured. Set 0 for infinity.

       Default: 0

POLICY SECTION

       DNSSEC policy configuration.

          policy:
            - id: STR
              keystore: STR
              manual: BOOL
              single-type-signing: BOOL
              algorithm: rsasha1 | rsasha1-nsec3-sha1 | rsasha256 | rsasha512 | ecdsap256sha256 | ecdsap384sha384 | ed25519
              ksk-size: SIZE
              zsk-size: SIZE
              ksk-shared: BOOL
              dnskey-ttl: TIME
              zsk-lifetime: TIME
              ksk-lifetime: TIME
              propagation-delay: TIME
              rrsig-lifetime: TIME
              rrsig-refresh: TIME
              nsec3: BOOL
              nsec3-iterations: INT
              nsec3-opt-out: BOOL
              nsec3-salt-length: INT
              nsec3-salt-lifetime: TIME
              ksk-submission: submission_id
              cds-cdnskey-publish: none | delete-dnssec | always

   id
       A policy identifier.

   keystore
       A reference to a keystore holding private key material for zones. A special default value can be used for
       the default keystore settings.

       Default: default

   manual
       If enabled, automatic key management is not used.

       Default: off

   single-type-signing
       If enabled, Single-Type Signing Scheme is used in the automatic key management mode.

       NOTE:
          Because key rollover is not supported yet, just one combined signing  key  is  generated  if  none  is
          available.

       Default: off

   algorithm
       An algorithm of signing keys and issued signatures.

       Default: ecdsap256sha256

       NOTE:
          Ed25519 algorithm is only available when compiled with GnuTLS 3.6.0+.

   ksk-size
       A length of newly generated KSK or CSK keys.

       Default: 2048 (rsa*), 256 (ecdsap256), 384 (ecdsap384), 256 (ed25519)

   zsk-size
       A length of newly generated ZSK keys.

       Default: see default for ksk-size

   ksk-shared
       If enabled, all zones with this policy assigned will share one KSK.

       Default: off

   dnskey-ttl
       A TTL value for DNSKEY records added into zone apex.

       Default: zone SOA TTL

       NOTE:
          has infuence over ZSK key lifetime

   zsk-lifetime
       A period between ZSK publication and the next rollover initiation.

       Default: 30 days

       NOTE:
          ZSK key lifetime is also infuenced by propagation-delay and dnskey-ttl

          Zero (aka infinity) value causes no ZSK rollover as a result.

   ksk-lifetime
       A period between KSK publication and the next rollover initiation.

       Default: 0

       NOTE:
          KSK key lifetime is also infuenced by propagation-delay, dnskey-ttl, and KSK submission delay.

          Zero (aka infinity) value causes no KSK rollover as a result.

          This applies for CSK lifetime if single-type-signing is enabled.

   propagation-delay
       An extra delay added for each key rollover step. This value should be high enough to cover propagation of
       data from the master server to all slaves.

       Default: 1 day

       NOTE:
          has infuence over ZSK key lifetime

   rrsig-lifetime
       A validity period of newly issued signatures.

       Default: 14 days

   rrsig-refresh
       A period how long before a signature expiration the signature will be refreshed.

       Default: 7 days

   nsec3
       Specifies if NSEC3 will be used instead of NSEC.

       Default: off

   nsec3-iterations
       A number of additional times the hashing is performed.

       Default: 5

   nsec3-opt-out
       If set, NSEC3 records won’t be created for insecure delegations.  This speeds up  the  zone  signing  and
       reduces overall zone size.

       WARNING:
          NSEC3 with the Opt-Out bit set no longer works as a proof of non-existence in this zone.

       Default: off

   nsec3-salt-length
       A length of a salt field in octets, which is appended to the original owner name before hashing.

       Default: 8

   nsec3-salt-lifetime
       A validity period of newly issued salt field.

       Default: 30 days

   ksk-submission
       A reference to submission section holding parameters of KSK submittion checks.

       Default: not set

   cds-cdnskey-publish
       Controls if and how shall the CDS and CDNSKEY be published in the zone.

       NOTE:
          This only applies if the zone keys are automatically managed by the server.

       Possible values:

       • none - never publish any CDS or CDNSKEY records in the zone

       • delete-dnssec - publish special CDS and CDNSKEY records indicating turning off DNSSEC

       • always - always publish CDS and CDNSKEY records for the current KSK

       Default: always

REMOTE SECTION

       Definitions  of  remote  servers  for  outgoing  connections  (source  of  a  zone transfer, target for a
       notification, etc.).

          remote:
            - id: STR
              address: ADDR[@INT] ...
              via: ADDR[@INT] ...
              key: key_id

   id
       A remote identifier.

   address
       An ordered list of destination IP addresses which are used for communication with the remote server.  The
       addresses are tried in sequence unless the operation is successful. Optional destination port (default is
       53) can be appended to the address using @ separator.

       Default: not set

   via
       An ordered list of source IP addresses. The first address with the same family as the destination address
       is used. Optional source port (default is random) can be appended to the address using @ separator.

       Default: not set

   key
       A reference to the TSIG key which is used to authenticate the communication with the remote server.

       Default: not set

TEMPLATE SECTION

       A  template is a shareable zone setting which can be used for configuration of many zones in one place. A
       special default template (with the default identifier) can be used for global querying  configuration  or
       as an implicit configuration if a zone doesn’t have another template specified.

          template:
            - id: STR
              timer-db: STR
              max-timer-db-size: SIZE
              journal-db: STR
              journal-db-mode: robust | asynchronous
              max-journal-db-size: SIZE
              kasp-db: STR
              max-kasp-db-size: SIZE
              global-module: STR/STR ...
              # All zone options (excluding 'template' item)

   id
       A template identifier.

   timer-db
       Specifies  a  path  of the persistent timer database. The path can be specified as a relative path to the
       default template storage.

       NOTE:
          This option is only available in the default template.

       Default: storage/timers

   max-timer-db-size
       Hard limit for the timer database maximum size.

       NOTE:
          This option is only available in the default template.

       Default: 100 MiB

   journal-db
       Specifies a path of the persistent journal database. The path can be specified as a relative path to  the
       default template storage.

       NOTE:
          This option is only available in the default template.

       Default: storage/journal

   journal-db-mode
       Specifies journal LMDB backend configuration, which influences performance and durability.

       Possible values:

       • robust – The journal DB disk sychronization ensures DB durability but is generally slower

       • asynchronous  –  The journal DB disk synchronization is optimized for better perfomarnce at the expense
         of lower DB durability; this mode is recommended only on slave nodes with many zones

       NOTE:
          This option is only available in the default template.

       Default: robust

   max-journal-db-size
       Hard limit for the common journal DB. There is no cleanup logic in journal to recover from reaching  this
       limit:  journal  simply  starts refusing changes across all zones. Decreasing this value has no effect if
       lower than actual DB file size.

       It is recommended to limit max-journal-usage per-zone instead of max-journal-size in most  cases.  Please
       keep  this  value  larger  than  the  sum  of all zones’ journal usage limits. See more details regarding
       journal behaviour.

       This value also influences server’s usage of virtual memory.

       NOTE:
          This option is only available in the default template.

       Default: 20 GiB (1 GiB for 32-bit)

   kasp-db
       A KASP database path. Non-absolute path is relative to storage.

       Default: storage/keys

       NOTE:
          This option is only available in the default template.

   max-kasp-db-size
       Hard limit for the KASP database maximum size.

       NOTE:
          This option is only available in the default template.

       Default: 500 MiB

   global-module
       An ordered list of references to query modules in the form of module_name or module_name/module_id. These
       modules apply to all queries.

       NOTE:
          This option is only available in the default template.

       Default: not set

ZONE SECTION

       Definition of zones served by the server.

          zone:
            - domain: DNAME
              template: template_id
              storage: STR
              file: STR
              master: remote_id ...
              ddns-master: remote_id
              notify: remote_id ...
              acl: acl_id ...
              semantic-checks: BOOL
              disable-any: BOOL
              zonefile-sync: TIME
              zonefile-load: none | difference | whole
              journal-content: none | changes | all
              max-journal-usage: SIZE
              max-journal-depth: INT
              max-zone-size : SIZE
              dnssec-signing: BOOL
              dnssec-policy: STR
              request-edns-option: INT:[HEXSTR]
              serial-policy: increment | unixtime
              min-refresh-interval: TIME
              max-refresh-interval: TIME
              module: STR/STR ...

   domain
       A zone name identifier.

   template
       A reference to a configuration template.

       Default: not set or default (if the template exists)

   storage
       A data directory for storing zone files, journal database, and timers database.

       Default: ${localstatedir}/lib/knot (configured with --with-storage=path)

   file
       A  path  to  the  zone  file.  Non-absolute  path  is relative to storage. It is also possible to use the
       following formatters:

       • %c[N] or %c[N-M] – means the Nth character or a sequence of  characters  beginning  from  the  Nth  and
         ending  with  the  Mth character of the textual zone name (see %s). The indexes are counted from 0 from
         the left. All dots (including the terminal one) are considered. If the character is not available,  the
         formatter has no effect.

       • %l[N]  –  means  the  Nth label of the textual zone name (see %s). The index is counted from 0 from the
         right (0 ~ TLD).  If the label is not available, the formatter has no effect.

       • %s – means the current zone name in the textual representation.  The  zone  name  doesn’t  include  the
         terminating dot (the result for the root zone is the empty string!).

       • %% – means the % character

       WARNING:
          Beware  of special characters which are escaped or encoded in the \DDD form where DDD is corresponding
          decimal ASCII code.

       Default: storage/%s.zone

   master
       An ordered list of references to zone master servers.

       Default: not set

   ddns-master
       A reference to zone primary master server.  If not specified, the first master server is used.

       Default: not set

   notify
       An ordered list of references to remotes to which notify message is sent if the zone changes.

       Default: not set

   acl
       An ordered list of references to ACL rules which  can  allow  or  disallow  zone  transfers,  updates  or
       incoming notifies.

       Default: not set

   semantic-checks
       If enabled, extra zone file semantic checks are turned on.

       Several  checks are enabled by default and cannot be turned off. An error in mandatory checks causes zone
       not to be loaded. An error in extra checks is logged only.

       Mandatory checks:

       • SOA record missing in the zone (RFC 1034)

       • An extra record together with CNAME record except for RRSIG and DS (RFC 1034)

       • Multiple CNAME record with the same owner

       • DNAME record having a record under it (RFC 2672)

       Extra checks:

       • Missing NS record at the zone apex

       • Missing glue A or AAAA record

       • Invalid DNSKEY, DS, or NSEC3PARAM record

       • CDS or CDNSKEY inconsistency

       • Missing, invalid, or unverifiable RRSIG record

       • Invalid NSEC(3) record

       • Broken or non-cyclic NSEC(3) chain

       Default: off

   disable-any
       If enabled, all authoritative ANY queries sent over UDP will be answered with an empty response and  with
       the TC bit set. Use this option to minimize the risk of DNS reflection attack.

       Default: off

   zonefile-sync
       The  time  after which the current zone in memory will be synced with a zone file on the disk (see file).
       The server will serve the latest zone even after a restart using zone journal, but the zone file  on  the
       disk  will  only  be  synced  after  zonefile-sync time has expired (or after manual zone flush). This is
       applicable when the zone is updated via IXFR, DDNS or automatic DNSSEC signing. In  order  to  completely
       disable  automatic  zonefile  synchronization, set the value to -1. In that case, it is still possible to
       force a manual zone flush using the -f option.

       NOTE:
          If you are serving large zones with frequent updates where the immediate sync with a zone file is  not
          desirable, increase the value.

       Default: 0 (immediate)

   zonefile-load
       Selects how the zonefile contents are applied during zone load.

       Possible values:

       • none – The zonefile is not used at all.

       • difference  –  If  the  zone  contents  are  available during server start or reload, the difference is
         computed between them and the zonefile, checked and applied afterwards.

       • whole – Zone contents are loaded from zonefile.

       When difference is configured and there are no zone contents yet (cold start of Knot and no zone contents
       in journal), it behaves the same way like whole.

       Default: whole

   journal-content
       Selects how the journal shall be used to store zone and its changes.

       Possible values:

       • none – The journal is not used at all.

       • changes – Zone changes history is stored in journal.

       • all – Zone contents and history is stored in journal.

       Default: changes

   max-journal-usage
       Policy how much space in journal DB will the zone’s journal occupy.

       Default: 100 MiB

       NOTE:
          Journal  DB may grow far above the sum of max-journal-usage across all zones, because of DB free space
          fragmentation.

   max-journal-depth
       Maximum history length of journal.

       Minimum: 2

       Default: 2^64

   max-zone-size
       Maximum size of the zone. The size is measured as size  of  the  zone  records  in  wire  format  without
       compression. The limit is enforced for incoming zone transfers and dynamic updates.

       For  incremental  transfers (IXFR), the effective limit for the total size of the records in the transfer
       is twice the configured value. However the final size of the zone must satisfy the configured value.

       Default: 2^64

   dnssec-signing
       If enabled, automatic DNSSEC signing for the zone is turned on.

       NOTE:
          Cannot be enabled on a slave zone.

       Default: off

   dnssec-policy
       A reference to DNSSEC signing policy. A special  default  value  can  be  used  for  the  default  policy
       settings.

       Required

   request-edns-option
       An arbitrary EDNS0 option which is included into a server request (AXFR, IXFR, SOA, or NOTIFY). The value
       is in the option_code:option_data format.

       Default: not set

   serial-policy
       Specifies how the zone serial is updated after a dynamic update  or  automatic  DNSSEC  signing.  If  the
       serial is changed by the dynamic update, no change is made.

       Possible values:

       • increment – The serial is incremented according to serial number arithmetic

       • unixtime – The serial is set to the current unix time

       NOTE:
          If  your  serial  was in other than unix time format, be careful with the transition to unix time.  It
          may happen that the new serial will be ‘lower’ than the old one. If this is the case,  the  transition
          should be done by hand (RFC 1982).

       Default: increment

   min-refresh-interval
       Forced minimum zone refresh interval to avoid flooding master.

       Default: 2

   max-refresh-interval
       Forced maximum zone refresh interval.

       Default: not set

   module
       An ordered list of references to query modules in the form of module_name or module_name/module_id. These
       modules apply only to the current zone queries.

       Default: not set

LOGGING SECTION

       Server can be configured to log to the standard output, standard error output, syslog (or systemd journal
       if systemd is enabled) or into an arbitrary file.

       There are 6 logging severity levels:

       • critical – Non-recoverable error resulting in server shutdown

       • error – Recoverable error, action should be taken

       • warning – Warning that might require user action

       • notice – Server notice or hint

       • info – Informational message

       • debug – Debug messages (must be turned on at compile time)

       In  the  case  of  missing  log section, warning or more serious messages will be logged to both standard
       error output and syslog. The info and notice messages will be logged to standard output.

          log:
            - target: stdout | stderr | syslog | STR
              server: critical | error | warning | notice | info | debug
              control: critical | error | warning | notice | info | debug
              zone: critical | error | warning | notice | info | debug
              any: critical | error | warning | notice | info | debug

   target
       A logging output.

       Possible values:

       • stdout – Standard output

       • stderr – Standard error output

       • syslog – Syslog

       • file_name – File

   server
       Minimum severity level for messages related to general operation of the server that are logged.

       Default: not set

   control
       Minimum severity level for messages related to server control that are logged.

       Default: not set

   zone
       Minimum severity level for messages related to zones that are logged.

       Default: not set

   any
       Minimum severity level for all message types that are logged.

       Default: not set

AUTHOR

       CZ.NIC Labs <http://www.knot-dns.cz>

       Copyright 2010–2018, CZ.NIC, z.s.p.o.