#
# nsd.conf -- the NSD(8) configuration file, nsd.conf(5).
#
# Copyright (c) 2001-2006, NLnet Labs. All rights reserved.
#
# See LICENSE for the license.
#

# This is a comment.
# Sample configuration file

# options for the nsd server
server:
	# uncomment to specify specific interfaces to bind (default all).
	# ip-address: 1.2.3.4
	# ip-address: 12fe::8ef0

	# don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
	# hide-version: no

	# enable debug mode, does not fork daemon process into the background.
	# debug-mode: no

	# listen only on IPv4 connections
	# ip4-only: no

	# listen only on IPv6 connections
	# ip6-only: no
	
	# the database to use
	# database: "/var/lib/nsd/nsd.db"

	# identify the server (CH TXT ID.SERVER entry).
	# identity: "unidentified server"

	# log messages to file. Default to stderr and syslog.
	# logfile: "/var/log/nsd.log"

	# Number of NSD servers to fork.
	# server-count: 1

	# Maximum number of concurrent TCP connections per server.
	# tcp-count: 10

	# File to store pid for nsd in.
	# pidfile: "/var/run/nsd/nsd.pid"

	# port to answer queries on. default is 53.
	# port: 53

	# statistics are produced every number of seconds.
	# statistics: 3600

	# Run NSD in a chroot-jail.
	# make sure to have pidfile and database reachable from there.
	# by default, no chroot-jail is used.
	# chroot: "/etc/nsd"

	# After binding socket, drop user privileges.
	# can be a username, id or id.gid.
	# username: nsd

	# The directory for zonefile: files.
	# zonesdir: "/etc/nsd"

	# The file where incoming zone transfers are stored.
	# run nsd-patch to update zone files, then you can safely delete it.
	# difffile: "/var/lib/nsd/ixfr.db"

	# The file where secondary zone refresh and expire timeouts are kept.
	# If you delete this file, all secondary zones are forced to be 
	# 'refreshing' (as if nsd got a notify).
	# xfrdfile: "/var/lib/nsd/xfrd.state"

	# Number of seconds between reloads triggered by xfrd.
	# xfrd-reload-timeout: 10

	# Verbosity level.
	# verbosity: 0

# key for zone 1
key:
	name: mskey
	algorithm: hmac-md5
	secret: "K2tf3TRjvQkVCmJF3/Z9vA=="

# Sample zone 1
zone:
	name: "example.com"
	zonefile: "example.com.zone"

	# This is a slave zone. Masters are listed below.

	# master 1
	allow-notify: 168.192.44.42 mskey
	request-xfr: 168.192.44.42 mskey

	# set local interface for sending zone transfer requests.
	outgoing-interface: 10.0.0.10

	# master 2
	allow-notify: 10.0.0.11 NOKEY
	request-xfr: 10.0.0.11 NOKEY

	# By default, a slave will request a zone transfer with IXFR/TCP.
	# If you want to make use of IXFR/UDP use
	allow-notify: 10.0.0.12 NOKEY
	request-xfr: UDP 10.0.0.12 NOKEY

	# for a master that only speaks AXFR (like NSD) use
	allow-notify: 10.0.0.13 NOKEY
	request-xfr: AXFR 10.0.0.13 NOKEY

	# Attention: You cannot use UDP and AXFR together. AXFR is always over 
	# TCP. If you use UDP, we higly recommend you to deploy TSIG.

	# Allow AXFR fallback if the master does not support IXFR. Default
	# is yes.
	allow-axfr-fallback: "yes"

	# uncomment to provide AXFR to all the world
	# provide-xfr: 0.0.0.0/0 NOKEY
	# provide-xfr: ::0/0 NOKEY

# Sample zone 2
zone:
	name: "example.net"
	zonefile: "example.net.signed.zone"

	# This is a master zone. Slaves are listed below.

	# secondary 1. Uses port 5300.
	notify: 10.0.0.14@5300 sec1_key
	provide-xfr: 10.0.0.14@5300 sec1_key

	# set local interface for sending notifies
	outgoing-interface: 10.0.0.15

	# secondary 2. 
	notify: 10.11.12.14 sec2_key
	provide-xfr: 10.11.12.14 sec2_key

	# also provide xfr to operator's network.
	provide-xfr: 169.192.85.0/24 NOKEY
	# uncomment to disable xfr for the address.
	# provide-xfr: 169.192.85.66 BLOCKED

# keys for zone 2
key:
	name: "sec1_key"
	algorithm: hmac-md5
	secret: "6KM6qiKfwfEpamEq72HQdA=="

key:
	name: sec2_key
	algorithm: hmac-sha1
	secret: "m83H2x8R0zbDf3yRKhrqgw=="

key:
	name: sec3_key
	algorithm: hmac-sha256
	secret: "m83H2x8R0zbDf3yRKhrqgw=="