/
example.toml
139 lines (119 loc) · 5.3 KB
/
example.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
##
## This is an example configuration file for the Hickory DNS named server.
##
## The format is in TOML: https://github.com/toml-lang/toml which was chosen
## as the configuration format for Hickory DNS. While Hickory DNS is intended to
## be a drop-in replacement for BIND9, it will not support the named.conf files
## directly. At some point, there will be a binary tool for converting the
## BIND9 configuration files over to Hickory DNS TOML.
##
## Many of these options are available as both command line options and
## configuration options in these files. In that case, the command line option
## will take precedence.
##
## Comments with two hash marks, ##, document the config parameter
## Comments with one hash mark, #, is an example line and should be the default
##
## The root options are similar to the options in 'options { .. }' in named.conf
## listen_addrs: address on which to listen for incoming connections
## this can be a list of ipv4 or ipv6 addresses
# listen_addrs_ipv4 = ["0.0.0.0"]
# listen_addrs_ipv6 = ["::0"]
## listen_port: port on which to list, default 53
# listen_port = 53
## tcp_request_timeout: TCP request timeout in seconds. Allows TCP connections
## to timeout if there are no requests from a client in the specified amount of
## time. This is not a socket level timeout, so trickles of data will not count,
## a full request must be received for it to not count against the timeout.
## Specifying a timeout of 0 will disable it.
# tcp_request_timeout = 5
## DNS over TLS certificate information.
# tls_cert = { path = "path/to/some.pkcs12", password = "if_encrypted" }
## port on which to listen, default 853 (should not be 53)
# tls_listen_port = 853
## directory: path on the host filesystem to where zone files are stored.
# directory = "/var/named"
## Denied networks, a list of CIDRs in IPv4 or IPv6 formats,
## any request that does not originate from the specified networks will be allowed
# deny_networks = ["127.0.0.0/8", "::1/128"]
## Allowed networks, a list of CIDRs in IPv4 or IPv6 formats,
## any request that does not originate from the specified networks will be denied, unless
## there are deny_networks specified, in that case, the allow list will be processed as
## an override to the deny_networks. That is, if there is a deny_list and the network does
## not appear there, even if does not appear in the allow list the request will be allowd.
# allow_networks = ["127.0.0.0/8", "::1/128"]
## Default zones, these should be present on all nameservers, except in rare
## configuration cases
[[zones]]
zone = "localhost"
zone_type = "Primary"
file = "default/localhost.zone"
[[zones]]
zone = "0.0.127.in-addr.arpa"
zone_type = "Primary"
file = "default/127.0.0.1.zone"
[[zones]]
zone = "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa"
zone_type = "Primary"
file = "default/ipv6_1.zone"
[[zones]]
zone = "255.in-addr.arpa"
zone_type = "Primary"
file = "default/255.zone"
[[zones]]
zone = "0.in-addr.arpa"
zone_type = "Primary"
file = "default/0.zone"
[[zones]]
## zone: this is the ORIGIN of the zone, aka the base name, '.' is implied on the end
zone = "example.com"
## zone_type: Primary, Secondary, Hint, Forward
zone_type = "Primary"
## file: this is relative to the directory above
file = "example.com.zone"
## if false, updates will not be allowed, default false
# allow_update = false
## if false, AXFRs requests will result in Refused responses
# allow_axfr = false
## if true, looks to see if a chained pem file exists at $file.pem (see
## supported_algorithms below).
## these keys will also be registered as authorities for update,
## meaning that SIG(0) updates can be established by initially using these
## keys. the zone will be signed with all specified keys, it may be desirable
## to limit this set for performance reasons.
# enable_dnssec = false
## set of DNSSEC algorithms to use to sign the zone. enable_dnssec must be true.
## these will be lookedup by $file.{key_name}.pem, for backward compatibility
## with previous versions of Hickory DNS, if enable_dnssec is enabled but
## supported_algorithms is not specified, it will default to "RSASHA256" and
## look for the $file.pem for the key. To control key length, or other options
## keys of the specified formats can be generated in PEM format. Instructions
## for custom keys can be found elsewhere.
##
## supported extensions are 'der', 'pem'. ED25519 keys are only supported
## with 'pk8'.
##
## the currently supported set of supported_algorithms are
## ["RSASHA256", "RSASHA512", "ECDSAP256SHA256", "ECDSAP384SHA384", "ED25519"]
##
## keys are listed in pairs of key_name and algorithm, the search path is the
## same directory has the zone $file (this section would be relative to the
## example.com zone):
# [[zones.keys]]
## relative to the zone $file
# key_path = "my_rsa_2048.pem"
## the password used to encrypt/decrypt the file (must be PEM), blank for none
# password = ""
## specify the algorithm
# algorithm = "RSASHA256"
## this key should be used to sign the zone
# is_zone_signing_key = true
## this key is authorized for dynamic update access to the zone via SIG0
# is_zone_update_auth = true
#
# [[zones.keys]]
# key_path = "/path/to/my_ed25519.pk8"
# algorithm = "ED25519"
## for keys that are not zone signing, the pem need only include the pubic_key
# is_zone_signing_key = false
# is_zone_update_auth = true