summarylogtreecommitdiffstats
path: root/trust-dns.toml
blob: b98ed95021be9ee38b9cdee91843cb8d741dbcc5 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131

##
## This is an example configuration file for the Trust-DNS named server.
##
## The format is in TOML: https://github.com/toml-lang/toml which was chosen
##  as the configuration format for Trust-DNS. While Trust-DNS is intended to
##  be a drop-in replacement for BIND9, it will not support the named.conf files
##  directly. At some point, there will be a binary tool for converting the
##  BIND9 configuration files over to Trust-DNS TOML.
##
## Many of these options are available as both command line options and
##  configuration options in these files. In that case, the command line option
##  will take precedence.
##
## Comments with two hash marks, ##, document the config parameter
## Comments with one hash mark, #, is an example line and should be the default
##
## The root options are similar to the options in 'options { .. }' in named.conf

## listen_addrs: address on which to listen for incoming connections
##  this can be a list of ipv4 or ipv6 addresses
listen_addrs_ipv4 = ["0.0.0.0"]
# listen_addrs_ipv6 = ["::0"]

## listen_port: port on which to list, default 53
# listen_port = 53

## tcp_request_timeout: TCP request timeout in seconds. Allows TCP connections
##  to timeout if there are no requests from a client in the specified amount of
##  time. This is not a socket level timeout, so trickles of data will not count,
##  a full request must be received for it to not count against the timeout.
##  Specifying a timeout of 0 will disable it.
# tcp_request_timeout = 5

## DNS over TLS certificate information.
# tls_cert = { path = "sec/example.p12", endpoint_name = "ns.example.com", password = "mypass" }

## DNS over QUIC certificate information.
tls_cert = { path = "sec/example.cert.pem", endpoint_name = "ns.example.com", cert_type = "pem", private_key = "sec/example.key" }

## port on which to listen, default 853 (should not be 53)
tls_listen_port = 853

## directory: path on the host filesystem to where zone files are stored.
directory = "/var/lib/trust-dns"

## Default zones, these should be present on all nameservers, except in rare
##  configuration cases
[[zones]]
zone = "localhost"
zone_type = "Primary"
file = "default/localhost.zone"

[[zones]]
zone = "0.0.127.in-addr.arpa"
zone_type = "Primary"
file = "default/127.0.0.1.zone"

[[zones]]
zone = "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa"
zone_type = "Primary"
file = "default/ipv6_1.zone"

[[zones]]
zone = "255.in-addr.arpa"
zone_type = "Primary"
file = "default/255.zone"

[[zones]]
zone = "0.in-addr.arpa"
zone_type = "Primary"
file = "default/0.zone"

[[zones]]
## zone: this is the ORIGIN of the zone, aka the base name, '.' is implied on the end
zone = "example.com"

## zone_type: Primary, Secondary, Hint, Forward
zone_type = "Primary"

## file: this is relative to the directory above
file = "example.com.zone"

## if false, updates will not be allowed, default false
# allow_update = false

## if false, AXFRs requests will result in Refused responses
# allow_axfr = false

## if true, looks to see if a chained pem file exists at $file.pem (see
## supported_algorithms below).
## these keys will also be registered as authorities for update,
## meaning that SIG(0) updates can be established by initially using these
## keys. the zone will be signed with all specified keys, it may be desirable
## to limit this set for performance reasons.
# enable_dnssec = false

## set of DNSSEC algorithms to use to sign the zone. enable_dnssec must be true.
## these will be lookedup by $file.{key_name}.pem, for backward compatibility
## with previous versions of Trust-DNS, if enable_dnssec is enabled but
## supported_algorithms is not specified, it will default to "RSASHA256" and
## look for the $file.pem for the key. To control key length, or other options
## keys of the specified formats can be generated in PEM format. Instructions
## for custom keys can be found elsewhere.
##
## supported extensions are 'der', 'pem'. ED25519 keys are only supported
## with 'pk8'.
##
## the currently supported set of supported_algorithms are
## ["RSASHA256", "RSASHA512", "ECDSAP256SHA256", "ECDSAP384SHA384", "ED25519"]
##
## keys are listed in pairs of key_name and algorithm, the search path is the
## same directory has the zone $file (this section would be relative to the
## example.com zone):
# [[zones.keys]]
## relative to the zone $file
# key_path = "my_rsa_2048.pem"
## the password used to encrypt/decrypt the file (must be PEM), blank for none
# password = ""
## specify the algorithm
# algorithm = "RSASHA256"
## this key should be used to sign the zone
# is_zone_signing_key = true
## this key is authorized for dynamic update access to the zone via SIG0
# is_zone_update_auth = true
#
# [[zones.keys]]
# key_path = "/path/to/my_ed25519.pk8"
# algorithm = "ED25519"
## for keys that are not zone signing, the pem need only include the pubic_key
# is_zone_signing_key = false
# is_zone_update_auth = true