Chapter 20. Index of all Authoritative Server settings

All PDNS Authoritative Server settings are listed here, excluding those that originate from backends, which are documented in the relevant chapters.

allow-axfr-ips=...

Behaviour pre 2.9.10: When not allowing AXFR (disable-axfr), DO allow from these IP addresses or netmasks.

Behaviour post 2.9.10: If set, only these IP addresses or netmasks will be able to perform AXFR.

allow-recursion=...

By specifying allow-recursion, recursion can be restricted to netmasks specified. The default is to allow recursion from everywhere. Example: allow-recursion=192.168.0.0/24, 10.0.0.0/8, 1.2.3.4.

allow-recursion-override=on|off

By specifying allow-recursion-override, local data even about hosts that don't exist will override the internet. This allows you to generate zones that don't really exist on the internet. Does increase the number of SQL queries for hosts that truly don't exist, also not in your database. (Setting did nothing in 3.0 and 3.1, removed in 3.1.1).

cache-ttl=...

Seconds to store packets in the PacketCache. See Section 3.1, “Packet Cache”.

chroot=...

If set, chroot to this directory for more security. See Chapter 7, Security settings & considerations.

config-dir=...

Location of configuration directory (pdns.conf)

config-name=...

Name of this virtual configuration - will rename the binary image. See Chapter 8, Virtual hosting.

control-console=...

Debugging switch - don't use.

daemon=...

Operate as a daemon

default-soa-name=...

name to insert in the SOA record if none set in the backend

disable-axfr=...

Do not allow zone transfers. Before 2.9.10, this could be overridden by allow-axfr-ips.

disable-tcp=...

Do not listen to TCP queries. Breaks RFC compliance.

distributor-threads=...

Default number of Distributor (backend) threads to start. See Chapter 9, Authoritative Server Performance.

do-ipv6-additional-processing=...

Perform AAAA additional processing.

fancy-records=...

Process URL and MBOXFW records. See Chapter 19, Fancy records for seamless email and URL integration.

guardian | --guardian=yes | --guardian=no

Run within a guardian process. See Section 2, “Guardian”.

help

Provide a helpful message

launch=...

Which backends to launch and order to query them in. See Section 3, “Modules & Backends”.

lazy-recursion=...

On by default as of 2.1. Checks local data first before recursing. See Chapter 16, Recursion.

load-modules=...

Load this module - supply absolute or relative path. See Section 3, “Modules & Backends”.

local-address=...

Local IP address to which we bind. You can specify multiple addresses separated by commas or whitespace. It is highly advised to bind to specific interfaces and not use the default 'bind to any'. This causes big problems if you have multiple IP addresses. Unix does not provide a way of figuring out what IP address a packet was sent to when binding to any.

local-ipv6=...

Local IPv6 address to which we bind. You can specify multiple addresses separated by commas or whitespace.

local-port=...

The port on which we listen. Only one port possible.

log-failed-updates=...

If set to 'no', failed Windows Dynamic Updates will not be logged.

log-dns-details=...

If set to 'no', informative-only DNS details will not even be sent to syslog, improving performance. Available from 2.5 and onwards.

logging-facility=...

If set to a digit, logging is performed under this LOCAL facility. See Section 3, “Operational logging using syslog”. Available from 1.99.9 and onwards. Do not pass names like 'local0'!

loglevel=...

Amount of logging. Higher is more. Do not set below 3

master [,=on].

Turn on master support. Boolean.

max-cache-entries

Maximum number of cache entries. 1 million will generally suffice for most installations. Available since 2.9.22.

max-queue-length=...

If this many packets are waiting for database attention, consider the situation hopeless and respawn.

max-tcp-connections=...

Allow this many incoming TCP DNS connections simultaneously.

module-dir=...

Default directory for modules. See Section 3, “Modules & Backends”.

negquery-cache-ttl=...

Seconds to store queries with no answer in the Query Cache. See Section 3.2, “Query Cache”.

no-config

Do not attempt to read the configuration file.

no-shuffle

Do not attempt to shuffle query results.

server-id

This is the server ID that will be returned on an EDNS NSID query. Defaults to the host name.

out-of-zone-additional-processing | --out-of-zone-additional-processing=yes | --out-of-zone-additional-processing=no

Do out of zone additional processing. This means that if a malicious user adds a '.com' zone to your server, it is not used for other domains and will not contaminate answers. Do not enable this setting if you run a public DNS service with untrusted users. Off by default.

query-cache-ttl=...

Seconds to store queries with an answer in the Query Cache. See Section 3.2, “Query Cache”.

query-local-address=...

The IP address to use as a source address for sending queries. Useful if you have multiple IPs and pdns is not bound to the IP address your operating system uses by default for outgoing packets.

query-local-address6=...

Source IP address for sending IPv6 queries.

query-logging | query-logging=yes | query-logging=no

Hints to a backend that it should log a textual representation of queries it performs. Can be set at runtime.

queue-limit=...

Maximum number of milliseconds to queue a query. See Chapter 9, Authoritative Server Performance.

recursive-cache-ttl=...

Seconds to store recursive packets in the PacketCache. See Section 3.1, “Packet Cache”.

recursor=...

If set, recursive queries will be handed to the recursor specified here. See Chapter 16, Recursion.

send-root-referral | --send-root-referral=yes | --send-root-referral=no | --send-root-referral=lean

If set, PowerDNS will send out old-fashioned root-referrals when queried for domains for which it is not authoritative. Wastes some bandwidth but may solve incoming query floods if domains are delegated to you for which you are not authoritative, but which are queried by broken recursors. Available since 2.9.19.

Since 2.9.21, it is possible to specify 'lean' root referrals, which waste less bandwidth.

setgid=...

If set, change group id to this gid for more security. See Chapter 7, Security settings & considerations.

setuid=...

If set, change user id to this uid for more security. See Chapter 7, Security settings & considerations.

slave-cycle-interval=60

Schedule slave up-to-date checks of domains whose status is unknown every .. seconds.

smtpredirector=...

Our smtpredir MX host. See Chapter 19, Fancy records for seamless email and URL integration.

soa-expire-default=604800

Default SOA expire.

soa-minimum-ttl=3600

Default SOA minimum ttl.

soa-refresh-default=10800

Default SOA refresh.

soa-retry-default=3600

Default SOA retry.

soa-serial-offset=...

If your database contains single-digit SOA serials and you need to host .DE domains, this setting can help placate their 6-digit SOA serial requirements. Suggested value is to set this to 1000000 which adds 1000000 to all SOA Serials under that offset.

socket-dir=...

Where the controlsocket will live. See Section 1, “Controlsocket”.

strict-rfc-axfrs | --strict-rfc-axfrs=yes | --strict-rfc-axfrs=no

Perform strictly RFC-conforming AXFRs, which are slow, but may be necessary to placate some old client tools.

urlredirector=...

Where we send hosts to that need to be url redirected. See Chapter 19, Fancy records for seamless email and URL integration.

version-string=anonymous|powerdns|full|custom

When queried for its version over DNS (dig chaos txt version.bind @pdns.ip.address), PowerDNS normally responds truthfully. With this setting you can overrule what will be returned. Set the version-string to 'full' to get the default behaviour, to 'powerdns' to just make it state 'served by PowerDNS - http://www.powerdns.com'. The 'anonymous' setting will return a ServFail, much like Microsoft nameservers do. You can set this response to a custom value as well.

webserver | --webserver=yes | --webserver=no

Start a webserver for monitoring. See Chapter 6, Logging & Monitoring Authoritative Server performance.

webserver-address=...

IP Address of webserver to listen on. See Chapter 6, Logging & Monitoring Authoritative Server performance.

webserver-password=...

Password required for accessing the webserver. See Chapter 6, Logging & Monitoring Authoritative Server performance.

webserver-port=...

Port of webserver to listen on. See Chapter 6, Logging & Monitoring Authoritative Server performance.

wildcard-url=...

Check for wildcard URL records.

wildcards=...

Honor wildcards in the database. On by default. Turning this off has performance implications, see Chapter 9, Authoritative Server Performance.