Chapter 15. Per zone settings aka Domain Metadata

Starting with the PowerDNS Authoritative Server 3.0, each served zone can have "metadata". Such metadata determines how this zone behaves in certain circumstances.

[Warning]Warning

Domain metadata is only available for DNSSEC capable backends! Make sure to enable the proper '-dnssec' setting to benefit, and to have performed the DNSSEC schema update.

Most of these metadata items are described elsewhere in the documentation. The following settings are available:

ALLOW-AXFR-FROM

Per-zone AXFR ACLs (see Chapter 14, AXFR ACLs).

AXFR-MASTER-TSIG

Use this named TSIG key to retrieve this zone from its master (see Section 2, “Provisioning signed notification and AXFR requests”).

LUA-AXFR-SCRIPT

Script to be used to edit incoming AXFRs (see Section 2.2, “Modifying a slave zone using a script”).

NSEC3NARROW

Determines if this zone operates in NSEC3 'narrow' mode (see 'set-nsec3' in Section 5, “'pdnssec' for PowerDNSSEC command & control”).

NSEC3PARAM

NSEC3 parameters of a DNSSEC zone. Will be used to synthesize the NSEC3PARAM record. If present, NSEC3 is used, if not present, zones default to NSEC (see 'set-nsec3' in Section 5, “'pdnssec' for PowerDNSSEC command & control”).

PRESIGNED

This zone carries DNSSEC RRSIGs (signatures), and is presigned (see 'set-presigned' in Section 5, “'pdnssec' for PowerDNSSEC command & control”).

SOA-EDIT

When serving this zone, modify the SOA serial number in one of several ways. Mostly useful to get slaves to re-transfer a zone regularly to get fresh RRSIGs.

Available modes are: INCEPTION (which sets the SOA Serial to the current two-week signing period start in seconds since the UNIX epoch), INCEPTION-WEEK (number of weeks since the epoch), INCREMENT-WEEKS (which increments the serial with the number of weeks since the epoch), EPOCH (number of seconds since the epoch). Finally, INCEPTION-EPOCH (available since 3.1) is special and sets the new SOA serial number to the maximum of the old SOA serial number, and age in seconds of the start of the current signing period.

TSIG-ALLOW-AXFR

Allow these named TSIG keys to AXFR this zone (see Section 1, “Provisioning outbound AXFR access”).