This document is about PowerDNS 4.0. For other versions, please see the documentation index.

All Authoritative Server settings

All PowerDNS Authoritative Server settings are listed here, excluding those that originate from backends, which are documented in the relevant chapters. These settings can be set inside pdns.conf or on the commandline when invoking the pdns binary.

You can use += syntax to set some variables incrementally, but this requires you to have at least one non-incremental setting for the variable to act as base setting. This is mostly useful for include-dir directive.

For boolean settings, specifying the name of the setting without a value means yes.

8bit-dns

Allow 8 bit DNS queries.

allow-axfr-ips

If set, only these IP addresses or netmasks will be able to perform AXFR.

allow-dnsupdate-from

Allow DNS updates from these IP ranges.

allow-notify-from

Allow AXFR NOTIFY from these IP ranges. Setting this to an empty string will drop all incoming notifies.

allow-unsigned-notify

Turning this off requires all notifications that are received to be signed by valid TSIG signature for the zone.

allow-unsigned-supermaster

Turning this off requires all supermaster notifications to be signed by valid TSIG signature. It will accept any existing key on slave.

allow-recursion

By specifying allow-recursion, recursion can be restricted to netmasks specified. The default is to allow recursion from everywhere. Example: allow-recursion=198.51.100.0/24, 10.0.0.0/8, 192.0.2.4.

also-notify

When notifying a domain, also notify these nameservers. Example: also-notify=192.0.2.1, 203.0.113.167. The IP addresses listed in also-notify always receive a notification. Even if they do not match the list in only-notify.

any-to-tcp

Answer questions for the ANY on UDP with a truncated packet that refers the remote server to TCP. Useful for mitigating reflection attacks.

api

Enable/disable the REST API.

api-key

Static pre-shared authentication key for access to the REST API.

api-readonly

Disallow data modification through the REST API when set.

axfr-lower-serial

Also AXFR a zone from a master with a lower serial.

cache-ttl

Seconds to store packets in the PacketCache. See "Packet Cache".

carbon-ourname

If sending carbon updates, if set, this will override our hostname. Be careful not to include any dots in this setting, unless you know what you are doing. See "PowerDNS Metrics".

carbon-server

Send all available metrics to this server via the carbon protocol, which is used by graphite and metronome. It has to be an address (no hostnames). You may specify an alternate port by appending :port, ex: 127.0.0.1:2004. See "PowerDNS Metrics".

carbon-interval

If sending carbon updates, this is the interval between them in seconds. See "PowerDNS Metrics".

chroot

If set, chroot to this directory for more security. See "Security settings & considerations".

Make sure that /dev/log is available from within the chroot. Logging will silently fail over time otherwise (on logrotate).

When setting chroot, all other paths in the config (except for config-dir and module-dir) set in the configuration are relative to the new root.

When running on a system where systemd manages services, chroot does not work out of the box, as PowerDNS cannot use the NOTIFY_SOCKET. Either don't chroot on these systems or set the 'Type' of the this service to 'simple' instead of 'notify' (refer to the systemd documentation on how to modify unit-files)

config-dir

Location of configuration directory (pdns.conf). Usually /etc/powerdns, but this depends on SYSCONFDIR during compile-time.

config-name

Name of this virtual configuration - will rename the binary image. See "Virtual hosting".

control-console

Debugging switch - don't use.

daemon

Operate as a daemon.

default-ksk-algorithms

The algorithm that should be used for the KSK when running pdnsutil secure-zone. Must be one of:

default-ksk-size

The default keysize for the KSK generated with pdnsutil secure-zone.

default-soa-name

Name to insert in the SOA record if none set in the backend.

default-soa-edit

Use this soa-edit value for all zones if no SOA-EDIT metadata value is set.

default-soa-edit-signed

Use this soa-edit value for all signed zones if no SOA-EDIT metadata value is set. Overrides default-soa-edit

default-soa-mail

Mail address to insert in the SOA record if none set in the backend.

default-ttl

TTL to use when none is provided.

default-zsk-algorithms

The algorithm that should be used for the ZSK when running pdnsutil secure-zone. Must be one of:

default-zsk-size

The default keysize for the ZSK generated with pdnsutil secure-zone.

direct-dnskey

Read additional ZSKs from the records table/your BIND zonefile. If not set, DNSKEY records in the zonefiles are ignored.

disable-axfr

Do not allow zone transfers.

disable-axfr-rectify

Disable the rectify step during an outgoing AXFR. Only required for regression testing.

disable-syslog

Do not log to syslog, only to stdout. Use this setting when running inside a supervisor that handles logging (like systemd). Note: do not use this setting in combination with daemon as all logging will disappear.

disable-tcp

Do not listen to TCP queries. Breaks RFC compliance.

distributor-threads

Number of Distributor (backend) threads to start per receiver thread. See "Authoritative Server Performance".

dname-processing

Synthesise CNAME records from DNAME records as required. This approximately doubles query load. Do not combine with DNSSEC!

dnssec-key-cache-ttl

Seconds to cache DNSSEC keys from the database. A value of 0 disables caching.

dnsupdate

Enable/Disable DNS update (RFC2136) support.

do-ipv6-additional-processing

Perform AAAA additional processing. This sends AAAA records in the ADDITIONAL section when sending a referral.

domain-metadata-cache-ttl

Seconds to cache domain metadata from the database. A value of 0 disables caching.

edns-subnet-processing

Enables EDNS subnet processing, for backends that support it.

entropy-source

Entropy source file to use.

expand-alias

If this is enabled, ALIAS records are expanded (synthesised to their A/AAAA).

If this is disabled (the default), ALIAS records will not expanded and the server will will return NODATA for A/AAAA queries for such names.

note: resolver must also be set for ALIAS expansion to work!

note: In PowerDNS Authoritative Server 4.0.x, this setting did not exist and ALIAS was always expanded.

forward-dnsupdate

Forward DNS updates sent to a slave to the master.

forward-notify

IP addresses to forward received notifications to regardless of master or slave settings.

Note: The intended use is in anycast environments where it might be necessary for a proxy server to perform the AXFR. The usual checks are performed before any received notification is forwarded.

guardian

Run within a guardian process. See "Guardian".

include-dir

Directory to scan for additional config files. All files that end with .conf are loaded in order using POSIX as locale.

launch

Which backends to launch and order to query them in. Launches backends. In its most simple form, supply all backends that need to be launched. e.g.

launch=bind,gmysql,remote

If you find that you need to query a backend multiple times with different configuration, you can specify a name for later instantiations. e.g.:

launch=gmysql,gmysql:server2

In this case, there are 2 instances of the gmysql backend, one by the normal name and the second one is called 'server2'. The backend configuration item names change: e.g. gmysql-host is available to configure the host setting of the first or main instance, and gmysql-server2-host for the second one.

load-modules

If backends are available in nonstandard directories, specify their location here. Multiple files can be loaded if separated by commas. Only available in non-static distributions.

local-address

Local IP address to which we bind. It is highly advised to bind to specific interfaces and not use the default 'bind to any'. This causes big problems if you have multiple IP addresses. Unix does not provide a way of figuring out what IP address a packet was sent to when binding to any.

non-local-bind

Bind to addresses even if one or more of the local-address's do not exist on this server. Setting this option will enable the needed socket options to allow binding to non-local addresses. This feature is intended to facilitate ip-failover setups, but it may also mask configuration issues and for this reason it is disabled by default.

lua-axfr-script

Script to be used to edit incoming AXFRs, see Modifying a slave zone using a script.

local-address-nonexist-fail

Fail to start if one or more of the local-address's do not exist on this server.

local-ipv6

Local IPv6 address to which we bind. It is highly advised to bind to specific interfaces and not use the default 'bind to any'. This causes big problems if you have multiple IP addresses.

local-ipv6-nonexist-fail

Fail to start if one or more of the local-ipv6 addresses do not exist on this server.

local-port

The port on which we listen. Only one port possible.

log-dns-details

If set to 'no', informative-only DNS details will not even be sent to syslog, improving performance. Available from 2.5 and onwards.

logging-facility

If set to a digit, logging is performed under this LOCAL facility. See "Operational logging using syslog". Available from 1.99.9 and onwards. Do not pass names like 'local0'!

loglevel

Amount of logging. Higher is more. Do not set below 3

log-dns-queries

Tell PowerDNS to log all incoming DNS queries. This will lead to a lot of logging! Only enable for debugging! Set loglevel to at least 5 to see the logs.

lua-prequery-script

Lua script to run before answering a query. This is a feature used internally for regression testing. The API of this functionality is not guaranteed to be stable, and is in fact likely to change.

master

Turn on master support. See "Modes of operation".

max-cache-entries

Maximum number of entries in the query cache. 1 million (the default) will generally suffice for most installations. Starting with 4.1, the packet and query caches are distinct so you might also want to see max-packet-cache-entries.

max-ent-entries

Maximum number of empty non-terminals to add to a zone. This is a protection measure to avoid database explosion due to long names.

max-nsec3-iterations

Limit the number of NSEC3 hash iterations

max-packet-cache-entries

Maximum number of entries in the packet cache. 1 million (the default) will generally suffice for most installations. This setting has been introduced in 4.1, previous used the max-cache-entries setting for both the packet and query caches.

max-queue-length

If this many packets are waiting for database attention, consider the situation hopeless and respawn.

max-signature-cache-entries

Maximum number of signatures cache entries

max-tcp-connection-duration

Maximum time in seconds that a TCP DNS connection is allowed to stay open. 0 means unlimited. Note that exchanges related to an AXFR or IXFR are not affected by this setting.

max-tcp-connections

Allow this many incoming TCP DNS connections simultaneously.

max-tcp-connections-per-client

Maximum number of simultaneous TCP connections per client. 0 means unlimited.

max-tcp-transactions-per-conn

Allow this many DNS queries in a single TCP transaction. 0 means unlimited. Note that exchanges related to an AXFR or IXFR are not affected by this setting.

module-dir

Directory for modules. Default depends on PKGLIBDIR during compile-time.

negquery-cache-ttl

Seconds to store queries with no answer in the Query Cache. See "Query Cache".

no-config

Do not attempt to read the configuration file.

no-shuffle

Do not attempt to shuffle query results, used for regression testing.

overload-queue-length

If this many packets are waiting for database attention, answer any new questions strictly from the packet cache.

reuseport

On Linux 3.9 and some BSD kernels the SO_REUSEPORT option allows each receiver-thread to open a new socket on the same port which allows for much higher performance on multi-core boxes. Setting this option will enable use of SO_REUSEPORT when available and seamlessly fall back to a single socket when it is not available. A side-effect is that you can start multiple servers on the same IP/port combination which may or may not be a good idea. You could use this to enable transparent restarts, but it may also mask configuration issues and for this reason it is disabled by default.

security-poll-suffix

Domain name from which to query security update notifications. Setting this to an empty string disables secpoll.

server-id

This is the server ID that will be returned on an EDNS NSID query.

only-notify

For type=MASTER zones (or SLAVE zones with slave-renotify enabled) PowerDNS automatically sends NOTIFYs to the name servers specified in the NS records. By specifying networks/mask as whitelist, the targets can be limited. The default is to notify the world. To completely disable these NOTIFYs set only-notify to an empty value. Independent of this setting, the IP addresses or netmasks configured with also-notify and ALSO-NOTIFY domain metadata always receive AXFR NOTIFYs.

Note: Even if NOTIFYs are limited by a netmask, PowerDNS first has to resolve all the hostnames to check their IP addresses against the specified whitelist. The resolving may take considerable time, especially if those hostnames are slow to resolve. If you do not need to NOTIFY the slaves defined in the NS records (e.g. you are using another method to distribute the zone data to the slaves), then set only-notify to an empty value and specify the notification targets explicitly using also-notify and/or ALSO-NOTIFY domain metadata to avoid this potential bottleneck.

out-of-zone-additional-processing

Do out of zone additional processing. This means that if a malicious user adds a '.com' zone to your server, it is not used for other domains and will not contaminate answers. Do not enable this setting if you run a public DNS service with untrusted users.

The docs had previously indicated that the default was "no", but the default has been "yes" since 2005.

outgoing-axfr-expand-alias

If this is enabled, ALIAS records are expanded (synthesised to their A/AAAA) during outgoing AXFR. This means slaves will not automatically follow changes in those A/AAAA records unless you AXFR regularly!

If this is disabled (the default), ALIAS records are sent verbatim during outgoing AXFR. Note that if your slaves do not support ALIAS, they will return NODATA for A/AAAA queries for such names.

prevent-self-notification

PowerDNS Authoritative Server attempts to not send out notifications to itself in master mode. In very complicated situations we could guess wrong and not notify a server that should be notified. In that case, set prevent-self-notification to "no".

query-cache-ttl

Seconds to store queries with an answer in the Query Cache. See "Query Cache".

query-local-address

The IP address to use as a source address for sending queries. Useful if you have multiple IPs and PowerDNS is not bound to the IP address your operating system uses by default for outgoing packets.

query-local-address6

Source IP address for sending IPv6 queries.

query-logging

Boolean, hints to a backend that it should log a textual representation of queries it performs. Can be set at runtime.

queue-limit

Maximum number of milliseconds to queue a query. See "Authoritative Server Performance".

receiver-threads

Number of receiver (listening) threads to start. See "Authoritative Server Performance" for tuning details.

recursive-cache-ttl

Seconds to store recursive packets in the PacketCache. See "Packet Cache".

recursor

If set, recursive queries will be handed to the recursor specified here. See "Recursion".

resolver

Use these resolver addresses for ALIAS and the internal stub resolver. If this is not set, /etc/resolv.conf is parsed for upstream resolvers.

retrieval-threads

Number of AXFR slave threads to start.

setgid

If set, change group id to this gid for more security. See "Security settings & considerations".

setuid

If set, change user id to this uid for more security. See "Security settings & considerations.

slave

Turn on slave support. See "Modes of operation".

slave-cycle-interval

On a master, this is the amounts of seconds between the master checking the SOA serials in its database to determine to send out NOTIFYs to the slaves. On slaves, this is the number of seconds between the slave checking for updates to zones.

slave-renotify

This setting will make PowerDNS renotify the slaves after an AXFR is received from a master. This is useful when using when running a signing-slave.

signing-threads

Tell PowerDNS how many threads to use for signing. It might help improve signing speed by changing this number.

soa-expire-default

Default SOA expire.

soa-minimum-ttl

Default SOA minimum ttl.

soa-refresh-default

Default SOA refresh.

soa-retry-default

Default SOA retry.

socket-dir

Where the controlsocket will live. The default depends on LOCALSTATEDIR during compile-time (usually /var/run or /run). See "Controlsocket".

This path will also contain the pidfile for this instance of PowerDNS called pdns.pid by default. See config-name and Virtual Hosting how this can differ.

tcp-control-address

Address to bind to for TCP control.

tcp-control-port

Port to bind to for TCP control.

tcp-control-range

Limit TCP control to a specific client range.

tcp-control-secret

Password for TCP control.

tcp-fast-open

Enable TCP Fast Open support, if available, on the listening sockets. The numerical value supplied is used as the queue size, 0 meaning disabled.

tcp-idle-timeout

Maximum time in seconds that a TCP DNS connection is allowed to stay open while being idle, meaning without PowerDNS receiving or sending even a single byte.

traceback-handler

Enable the Linux-only traceback handler.

trusted-notification-proxy

IP address of incoming notification proxy

udp-truncation-threshold

EDNS0 allows for large UDP response datagrams, which can potentially raise performance. Large responses however also have downsides in terms of reflection attacks. Up till PowerDNS Authoritative Server 3.3, the truncation limit was set at 1680 bytes, regardless of EDNS0 buffer size indications from the client. Beyond 3.3, this setting makes our truncation limit configurable. Maximum value is 65535, but values above 4096 should probably not be attempted.

version-string

When queried for its version over DNS (dig chaos txt version.bind @pdns.ip.address), PowerDNS normally responds truthfully. With this setting you can overrule what will be returned. Set the version-string to full to get the default behaviour, to powerdns to just make it state served by PowerDNS - http://www.powerdns.com. The anonymous setting will return a ServFail, much like Microsoft nameservers do. You can set this response to a custom value as well.

webserver

Start a webserver for monitoring. See "Performance Monitoring". Before 4.1.0, it was necessary to enable the webserver to use the REST API, this is no longer the case.

webserver-address

IP Address for webserver/API to listen on. See "Performance Monitoring".

webserver-allow-from

Webserver/API access is only allowed from these subnets.

webserver-password

The plaintext password required for accessing the webserver. See "Performance Monitoring".

webserver-port

The port where webserver/API will listen on. See "Performance Monitoring".

webserver-print-arguments

If the webserver should print arguments. See "Performance Monitoring".

write-pid

If a PID file should be written. Available since 4.0.

xfr-max-received-mbytes

Specifies the maximum number of received megabytes allowed on an incoming AXFR/IXFR update, to prevent resource exhaustion. A value of 0 means no restriction.