From 7dfd0128734d363b68542e2a8da705fa3b59773d Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 6 Sep 2017 15:26:38 +1000
Subject: [PATCH] sync option order with master
---
 bin/named/config.c | 241 ++++++++++++++++++++++-----------------------
 1 file changed, 117 insertions(+), 124 deletions(-)
diff --git a/bin/named/config.c b/bin/named/config.c
index 631d5605d9..3293e0ad10 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -53,17 +53,18 @@ options {\n\
 #endif
 #ifndef WIN32
 " coresize default;\n\
- datasize default;\n\
- files unlimited;\n\
- stacksize default;\n"
+ datasize default;\n"
 #endif
-"# session-keyfile \"" NS_LOCALSTATEDIR "/run/named/session.key\";\n\
- session-keyname local-ddns;\n\
- session-keyalg hmac-sha256;\n\
+"\
 # deallocate-on-exit ;\n\
 # directory \n\
 dump-file \"named_dump.db\";\n\
-# fake-iquery ;\n\
+ edns-udp-size 4096;\n\
+# fake-iquery ;\n"
+#ifndef WIN32
+" files unlimited;\n"
+#endif
+"\
 # has-old-clients ;\n\
 heartbeat-interval 60;\n\
 # host-statistics ;\n\
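Review bot: Nothing in the defaults string records that its entries now appear to be kept in alphabetical order within the options, view and zone sections, so the next default that gets added is likely to land out of order and the file will drift from master again; the same applies to the second hunk (`@@ -71,190 +72,182 @@`). I would add a comment ahead of the string literal, which begins outside this hunk, along the lines of `/* Keep entries alphabetical within each of the options, view and zone sections; the order is synced with master. */`. Because these built-in defaults include access-control and DNSSEC settings (`allow-transfer`, `allow-recursion`, `dnssec-validation` are visible in the second hunk), it is also worth confirming mechanically that the reorder is value-preserving, for example by comparing the sorted option lines of the old and new string. Sorting also splits the single `#ifndef WIN32` group into three separate guards for `coresize`/`datasize`, `files` and `stacksize`, and each such guard adds a string-literal seam that has to end in `\n"`.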
@@ -71,190 +72,182 @@ options {\n\
 # keep-response-order {none;};\n\
 listen-on {any;};\n\
 listen-on-v6 {any;};\n\
+# lock-file \"" NS_LOCALSTATEDIR "/run/named/named.lock\";\n\
 match-mapped-addresses no;\n\
 max-rsa-exponent-size 0; /* no limit */\n\
+ max-udp-size 4096;\n\
 memstatistics-file \"named.memstats\";\n\
 # multiple-cnames ;\n\
 # named-xfer ;\n\
+ nocookie-udp-size 4096;\n\
+ notify-rate 20;\n\
 nta-lifetime 3600;\n\
 nta-recheck 300;\n\
- notify-rate 20;\n\
 # pid-file \"" NS_LOCALSTATEDIR "/run/named/named.pid\"; /* or /lwresd.pid */\n\
-# lock-file \"" NS_LOCALSTATEDIR "/run/named/named.lock\";\n\
 port 53;\n\
- prefetch 2 9;\n\
- recursing-file \"named.recursing\";\n\
- secroots-file \"named.secroots\";\n\
-"
+ prefetch 2 9;\n"
 #ifdef PATH_RANDOMDEV
-"\
- random-device \"" PATH_RANDOMDEV "\";\n\
-"
+" random-device \"" PATH_RANDOMDEV "\";\n"
 #endif
-"\
+" recursing-file \"named.recursing\";\n\
 recursive-clients 1000;\n\
+ request-nsid false;\n\
+ reserved-sockets 512;\n\
 resolver-query-timeout 10;\n\
 rrset-order { order random; };\n\
+ secroots-file \"named.secroots\";\n\
+ send-cookie true;\n\
 # serial-queries ;\n\
 serial-query-rate 20;\n\
 server-id none;\n\
- startup-notify-rate 20;\n\
+ session-keyalg hmac-sha256;\n\
+# session-keyfile \"" NS_LOCALSTATEDIR "/run/named/session.key\";\n\
+ session-keyname local-ddns;\n"
+#ifndef WIN32
+" stacksize default;\n"
+#endif
+" startup-notify-rate 20;\n\
 statistics-file \"named.stats\";\n\
 # statistics-interval ;\n\
 tcp-clients 150;\n\
 tcp-listen-queue 10;\n\
 # tkey-dhkey \n\
-# tkey-gssapi-credential \n\
 # tkey-domain \n\
+# tkey-gssapi-credential \n\
 transfer-message-size 20480;\n\
- transfers-per-ns 2;\n\
 transfers-in 10;\n\
 transfers-out 10;\n\
+ transfers-per-ns 2;\n\
 # treat-cr-as-space ;\n\
 trust-anchor-telemetry yes;\n\
 # use-id-pool ;\n\
 # use-ixfr ;\n\
- edns-udp-size 4096;\n\
- max-udp-size 4096;\n\
- nocookie-udp-size 4096;\n\
- send-cookie true;\n\
- request-nsid false;\n\
- reserved-sockets 512;\n\
 \n\
 /* DLV */\n\
 dnssec-lookaside . trust-anchor dlv.isc.org;\n\
 \n\
 /* view */\n\
+ acache-cleaning-interval 60;\n\
+ acache-enable no;\n\
+ additional-from-auth true;\n\
+ additional-from-cache true;\n\
+ allow-new-zones no;\n\
 allow-notify {none;};\n\
- allow-update-forwarding {none;};\n\
 allow-query-cache { localnets; localhost; };\n\
 allow-query-cache-on { any; };\n\
 allow-recursion { localnets; localhost; };\n\
 allow-recursion-on { any; };\n\
+ allow-update-forwarding {none;};\n\
 # allow-v6-synthesis ;\n\
-# sortlist \n\
-# topology \n\
 auth-nxdomain false;\n\
- minimal-any false;\n\
- minimal-responses false;\n\
- recursion true;\n\
- provide-ixfr true;\n\
- request-ixfr true;\n\
- request-expire true;\n\
-# fetch-glue ;\n\
-# rfc2308-type1 ;\n\
- additional-from-auth true;\n\
- additional-from-cache true;\n\
- query-source address *;\n\
- query-source-v6 address *;\n\
- notify-source *;\n\
- notify-source-v6 *;\n\
- cleaning-interval 0; /* now meaningless */\n\
-# min-roots ;\n\
- lame-ttl 600;\n\
- servfail-ttl 1;\n\
- max-ncache-ttl 10800; /* 3 hours */\n\
- max-cache-ttl 604800; /* 1 week */\n\
- transfer-format many-answers;\n\
- max-cache-size 90%;\n\
- check-names master fail;\n\
- check-names slave warn;\n\
- check-names response ignore;\n\
 check-dup-records warn;\n\
 check-mx warn;\n\
+ check-names master fail;\n\
+ check-names response ignore;\n\
+ check-names slave warn;\n\
 check-spf warn;\n\
- acache-enable no;\n\
- acache-cleaning-interval 60;\n\
- max-acache-size 16M;\n\
- dnssec-enable yes;\n\
- dnssec-validation yes; \n\
- dnssec-accept-expired no;\n\
- fetches-per-zone 0;\n\
- fetch-quota-params 100 0.1 0.3 0.7;\n\
+ cleaning-interval 0; /* now meaningless */\n\
 clients-per-query 10;\n\
- max-clients-per-query 100;\n\
- max-recursion-depth 7;\n\
- max-recursion-queries 75;\n\
- zero-no-soa-ttl-cache no;\n\
- nsec3-test-zone no;\n\
- allow-new-zones no;\n\
-"
-#ifdef HAVE_LMDB
-"\
- lmdb-mapsize 32M;\n\
-"
-#endif
-"\
- fetches-per-server 0;\n\
- require-server-cookie no;\n\
- v6-bias 50;\n\
- message-compression yes;\n\
-"
+ dnssec-accept-expired no;\n\
+ dnssec-enable yes;\n\
+ dnssec-validation yes; \n"
 #ifdef HAVE_DNSTAP
-"\
- dnstap-identity hostname;\n\
-"
+" dnstap-identity hostname;\n"
 #endif
-#ifdef HAVE_GEOIP
 "\
- geoip-use-ecs yes;\n\
-"
-#endif
+# fetch-glue ;\n\
+ fetch-quota-params 100 0.1 0.3 0.7;\n\
+ fetches-per-server 0;\n\
+ fetches-per-zone 0;\n"
 #ifdef ALLOW_FILTER_AAAA
 " filter-aaaa-on-v4 no;\n\
 filter-aaaa-on-v6 no;\n\
- filter-aaaa { any; };\n\
-"
+ filter-aaaa { any; };\n"
 #endif
-
-" /* zone */\n\
+#ifdef HAVE_GEOIP
+" geoip-use-ecs yes;\n"
+#endif
+" lame-ttl 600;\n"
+#ifdef HAVE_LMDB
+" lmdb-mapsize 32M;\n"
+#endif
+" max-acache-size 16M;\n\
+ max-cache-size 90%;\n\
+ max-cache-ttl 604800; /* 1 week */\n\
+ max-clients-per-query 100;\n\
+ max-ncache-ttl 10800; /* 3 hours */\n\
+ max-recursion-depth 7;\n\
+ max-recursion-queries 75;\n\
+ message-compression yes;\n\
+# min-roots ;\n\
+ minimal-any false;\n\
+ minimal-responses false;\n\
+ notify-source *;\n\
+ notify-source-v6 *;\n\
+ nsec3-test-zone no;\n\
+ provide-ixfr true;\n\
+ query-source address *;\n\
+ query-source-v6 address *;\n\
+ recursion true;\n\
+ request-expire true;\n\
+ request-ixfr true;\n\
+ require-server-cookie no;\n\
+# rfc2308-type1 ;\n\
+ servfail-ttl 1;\n\
+# sortlist \n\
+# topology \n\
+ transfer-format many-answers;\n\
+ v6-bias 50;\n\
+ zero-no-soa-ttl-cache no;\n\
+\n\
+ /* zone */\n\
 allow-query {any;};\n\
 allow-query-on {any;};\n\
 allow-transfer {any;};\n\
- notify yes;\n\
 # also-notify \n\
- notify-delay 5;\n\
- notify-to-soa no;\n\
- dialup no;\n\
-# forward \n\
-# forwarders \n\
-# maintain-ixfr-base ;\n\
-# max-ixfr-log-size \n\
- transfer-source *;\n\
- transfer-source-v6 *;\n\
 alt-transfer-source *;\n\
 alt-transfer-source-v6 *;\n\
- max-transfer-time-in 120;\n\
- max-transfer-time-out 120;\n\
+ check-integrity yes;\n\
+ check-mx-cname warn;\n\
+ check-sibling yes;\n\
+ check-srv-cname warn;\n\
+ check-wildcard yes;\n\
+ dialup no;\n\
+ dnssec-dnskey-kskonly no;\n\
+ dnssec-loadkeys-interval 60;\n\
+ dnssec-secure-to-insecure no;\n\
+ dnssec-update-mode maintain;\n\
+# forward \n\
+# forwarders \n\
+ inline-signing no;\n\
+ ixfr-from-differences false;\n\
+# maintain-ixfr-base ;\n\
+# max-ixfr-log-size \n\
+ max-journal-size unlimited;\n\
+ max-records 0;\n\
+ max-refresh-time 2419200; /* 4 weeks */\n\
+ max-retry-time 1209600; /* 2 weeks */\n\
 max-transfer-idle-in 60;\n\
 max-transfer-idle-out 60;\n\
- max-records 0;\n\
- max-retry-time 1209600; /* 2 weeks */\n\
- min-retry-time 500;\n\
- max-refresh-time 2419200; /* 4 weeks */\n\
+ max-transfer-time-in 120;\n\
+ max-transfer-time-out 120;\n\
 min-refresh-time 300;\n\
+ min-retry-time 500;\n\
 multi-master no;\n\
- dnssec-secure-to-insecure no;\n\
- sig-validity-interval 30; /* days */\n\
+ notify yes;\n\
+ notify-delay 5;\n\
+ notify-to-soa no;\n\
+ serial-update-method increment;\n\
 sig-signing-nodes 100;\n\
 sig-signing-signatures 10;\n\
 sig-signing-type 65534;\n\
- inline-signing no;\n\
- zone-statistics terse;\n\
- max-journal-size unlimited;\n\
- ixfr-from-differences false;\n\
- check-wildcard yes;\n\
- check-sibling yes;\n\
- check-integrity yes;\n\
- check-mx-cname warn;\n\
- check-srv-cname warn;\n\
- zero-no-soa-ttl yes;\n\
- update-check-ksk yes;\n\
- serial-update-method increment;\n\
- dnssec-update-mode maintain;\n\
- dnssec-dnskey-kskonly no;\n\
- dnssec-loadkeys-interval 60;\n\
+ sig-validity-interval 30; /* days */\n\
+ transfer-source *;\n\
+ transfer-source-v6 *;\n\
 try-tcp-refresh yes; /* BIND 8 compat */\n\
+ update-check-ksk yes;\n\
+ zero-no-soa-ttl yes;\n\
+ zone-statistics terse;\n\
 };\n\
 "