Skip to content

Instantly share code, notes, and snippets.

@vcunat

vcunat/schema.json

Created March 29, 2023 09:41
Show Gist options
  • Save vcunat/d7fed05d6ca8ea69717a9e64fef1a17d to your computer and use it in GitHub Desktop.
Save vcunat/d7fed05d6ca8ea69717a9e64fef1a17d to your computer and use it in GitHub Desktop.
Download ZIP
knot-resolver-config-schema
Raw
schema.json
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"description": "Knot Resolver declarative configuration.",
"type": "object",
"properties": {
"version": {
"type": "integer",
"description": "Version of the configuration schema. By default it is the latest supported by the resolver, but couple of versions back are be supported as well.",
"default": 1
},
"nsid": {
"type": [
"string",
"null"
],
"description": "Name Server Identifier (RFC 5001) which allows DNS clients to request resolver to send back its NSID along with the reply to a DNS request.",
"default": null
},
"hostname": {
"type": [
"string",
"null"
],
"description": "Internal DNS resolver hostname. Default is machine hostname.",
"default": null
},
"rundir": {
"type": "string",
"description": "Directory where the resolver can create files and which will be it's cwd.",
"default": "."
},
"workers": {
"anyOf": [
{
"type": "string",
"enum": [
"auto"
]
},
{
"type": "integer",
"minimum": 1
}
],
"description": "The number of running kresd (Knot Resolver daemon) workers. If set to 'auto', it is equal to number of CPUs available.",
"default": 1
},
"max-workers": {
"type": "integer",
"minimum": 1,
"description": "The maximum number of workers allowed. Cannot be changed in runtime.",
"default": 80
},
"management": {
"description": "Configuration of management HTTP API.",
"type": "object",
"properties": {
"unix-socket": {
"type": [
"string",
"null"
],
"description": "Path to unix domain socket to listen to.",
"default": null
},
"interface": {
"type": [
"string",
"null"
],
"description": "IP address and port number to listen to.",
"default": null
}
},
"default": {
"unix_socket": "./manager.sock",
"interface": null
}
},
"webmgmt": {
"description": "Configuration of legacy web management endpoint.",
"type": [
"object",
"null"
],
"properties": {
"unix-socket": {
"type": [
"string",
"null"
],
"description": "Path to unix domain socket to listen to.",
"default": null
},
"interface": {
"type": [
"string",
"null"
],
"description": "IP address or interface name with port number to listen to.",
"default": null
},
"tls": {
"type": "boolean",
"description": "Enable/disable TLS.",
"default": false
},
"cert-file": {
"type": [
"string",
"null"
],
"description": "Path to certificate file.",
"default": null
},
"key-file": {
"type": [
"string",
"null"
],
"description": "Path to certificate key.",
"default": null
}
},
"default": null
},
"options": {
"description": "Fine-tuning global parameters of DNS resolver operation.",
"type": "object",
"properties": {
"glue-checking": {
"type": "string",
"enum": [
"normal",
"strict",
"permissive"
],
"description": "Glue records scrictness checking level.",
"default": "normal"
},
"minimize": {
"type": "boolean",
"description": "Send minimum amount of information in recursive queries to enhance privacy.",
"default": true
},
"query-loopback": {
"type": "boolean",
"description": "Permits queries to loopback addresses.",
"default": false
},
"reorder-rrset": {
"type": "boolean",
"description": "Controls whether resource records within a RRSet are reordered each time it is served from the cache.",
"default": true
},
"query-case-randomization": {
"type": "boolean",
"description": "Randomize Query Character Case.",
"default": true
},
"priming": {
"type": "boolean",
"description": "Initializing DNS resolver cache with Priming Queries (RFC 8109)",
"default": true
},
"rebinding-protection": {
"type": "boolean",
"description": "Protection against DNS Rebinding attack.",
"default": false
},
"refuse-no-rd": {
"type": "boolean",
"description": "Queries without RD (recursion desired) bit set in query are answered with REFUSED.",
"default": true
},
"time-jump-detection": {
"type": "boolean",
"description": "Detection of difference between local system time and expiration time bounds in DNSSEC signatures for '. NS' records.",
"default": true
},
"violators-workarounds": {
"type": "boolean",
"description": "Workarounds for known DNS protocol violators.",
"default": false
},
"serve-stale": {
"type": "boolean",
"description": "Allows using timed-out records in case DNS resolver is unable to contact upstream servers.",
"default": false
},
"prediction": {
"anyOf": [
{
"type": "boolean"
},
{
"description": "Helps keep the cache hot by prefetching expiring records and learning usage patterns and repetitive queries.",
"type": "object",
"properties": {
"window": {
"type": "string",
"pattern": "^(\\d+)(us|ms|s|m|h|d)$",
"description": "Sampling window length.",
"default": "15m"
},
"period": {
"type": "integer",
"minimum": 0,
"description": "Number of windows that can be kept in memory.",
"default": 24
}
}
}
],
"description": "Helps keep the cache hot by prefetching expiring records and learning usage patterns and repetitive queries.",
"default": false
}
},
"default": {
"glue_checking": "normal",
"minimize": true,
"query_loopback": false,
"reorder_rrset": true,
"query_case_randomization": true,
"priming": true,
"rebinding_protection": false,
"refuse_no_rd": true,
"time_jump_detection": true,
"violators_workarounds": false,
"serve_stale": false,
"prediction": false
}
},
"network": {
"description": "Network connections and protocols configuration.",
"type": "object",
"properties": {
"do-ipv4": {
"type": "boolean",
"description": "Enable/disable using IPv4 for contacting upstream nameservers.",
"default": true
},
"do-ipv6": {
"type": "boolean",
"description": "Enable/disable using IPv6 for contacting upstream nameservers.",
"default": true
},
"out-interface-v4": {
"type": [
"string",
"null"
],
"description": "IPv4 address used to perform queries. Not set by default, which lets the OS choose any address.",
"default": null
},
"out-interface-v6": {
"type": [
"string",
"null"
],
"description": "IPv6 address used to perform queries. Not set by default, which lets the OS choose any address.",
"default": null
},
"tcp-pipeline": {
"type": "integer",
"minimum": 0,
"maximum": 65535,
"description": "TCP pipeline limit. The number of outstanding queries that a single client connection can make in parallel.",
"default": 100
},
"edns-tcp-keepalive": {
"type": "boolean",
"description": "Allows clients to discover the connection timeout. (RFC 7828)",
"default": true
},
"edns-buffer-size": {
"description": "Maximum EDNS payload size advertised in DNS packets. Different values can be configured for communication downstream (towards clients) and upstream (towards other DNS servers).",
"type": "object",
"properties": {
"upstream": {
"type": "string",
"pattern": "^(\\d+)(B|K|M|G)$",
"description": "Maximum EDNS upstream (towards other DNS servers) payload size.",
"default": "1232B"
},
"downstream": {
"type": "string",
"pattern": "^(\\d+)(B|K|M|G)$",
"description": "Maximum EDNS downstream (towards clients) payload size for communication.",
"default": "1232B"
}
},
"default": {
"upstream": "1232B",
"downstream": "1232B"
}
},
"address-renumbering": {
"type": [
"array",
"null"
],
"items": {
"description": "Renumbers addresses in answers to different address space.",
"type": "object",
"properties": {
"source": {
"type": "string",
"description": "Source subnet."
},
"destination": {
"anyOf": [
{
"type": "string"
},
{
"type": "string"
}
],
"description": "Destination address prefix."
}
}
},
"description": "Renumbers addresses in answers to different address space.",
"default": null
},
"tls": {
"description": "TLS configuration, also affects DNS over TLS and DNS over HTTPS.",
"type": "object",
"properties": {
"cert-file": {
"type": [
"string",
"null"
],
"description": "Path to certificate file.",
"default": null
},
"key-file": {
"type": [
"string",
"null"
],
"description": "Path to certificate key file.",
"default": null
},
"sticket-secret": {
"type": [
"string",
"null"
],
"description": "Secret for TLS session resumption via tickets. (RFC 5077).",
"default": null
},
"sticket-secret-file": {
"type": [
"string",
"null"
],
"description": "Path to file with secret for TLS session resumption via tickets. (RFC 5077).",
"default": null
},
"auto-discovery": {
"type": "boolean",
"description": "Automatic discovery of authoritative servers supporting DNS-over-TLS.",
"default": false
},
"padding": {
"anyOf": [
{
"type": "boolean"
},
{
"type": "integer",
"minimum": 0,
"maximum": 512
}
],
"description": "EDNS(0) padding of answers to queries that arrive over TLS transport.",
"default": true
}
},
"default": {
"cert_file": null,
"key_file": null,
"sticket_secret": null,
"sticket_secret_file": null,
"auto_discovery": false,
"padding": true
}
},
"proxy-protocol": {
"anyOf": [
{
"type": "string",
"enum": [
false
]
},
{
"description": "PROXYv2 protocol configuration.",
"type": "object",
"properties": {
"allow": {
"type": "array",
"items": {
"anyOf": [
{
"type": "string"
},
{
"type": "string"
},
{
"type": "string"
}
]
},
"description": "Allow usage of the PROXYv2 protocol headers by clients on the specified addresses."
}
}
}
],
"description": "PROXYv2 protocol configuration.",
"default": false
},
"listen": {
"type": "array",
"items": {
"description": "Configuration of listening interface.",
"type": "object",
"properties": {
"interface": {
"anyOf": [
{
"type": "null"
},
{
"type": "string"
},
{
"type": "array",
"items": {
"type": "string"
}
}
],
"description": "IP address or interface name with optional port number to listen to.",
"default": null
},
"unix-socket": {
"anyOf": [
{
"type": "null"
},
{
"type": "string"
},
{
"type": "array",
"items": {
"type": "string"
}
}
],
"description": "Path to unix domain socket to listen to.",
"default": null
},
"port": {
"type": [
"integer",
"null"
],
"minimum": 1,
"maximum": 65535,
"description": "Port number to listen to.",
"default": null
},
"kind": {
"type": "string",
"enum": [
"dns",
"xdp",
"dot",
"doh-legacy",
"doh2"
],
"description": "Specifies DNS query transport protocol.",
"default": "dns"
},
"freebind": {
"type": "boolean",
"description": "Used for binding to non-local address.",
"default": false
}
}
},
"description": "List of interfaces to listen to and its configuration.",
"default": [
{
"interface": "127.0.0.1",
"unix_socket": null,
"port": 53,
"kind": "dns",
"freebind": false
},
{
"interface": "::1",
"unix_socket": null,
"port": 53,
"kind": "dns",
"freebind": true
}
]
}
},
"default": {
"do_ipv4": true,
"do_ipv6": true,
"out_interface_v4": null,
"out_interface_v6": null,
"tcp_pipeline": 100,
"edns_tcp_keepalive": true,
"edns_buffer_size": {
"upstream": "1232B",
"downstream": "1232B"
},
"address_renumbering": null,
"tls": {
"cert_file": null,
"key_file": null,
"sticket_secret": null,
"sticket_secret_file": null,
"auto_discovery": false,
"padding": true
},
"proxy_protocol": false,
"listen": [
{
"interface": "127.0.0.1",
"unix_socket": null,
"port": 53,
"kind": "dns",
"freebind": false
},
{
"interface": "::1",
"unix_socket": null,
"port": 53,
"kind": "dns",
"freebind": true
}
]
}
},
"views": {
"type": [
"array",
"null"
],
"items": {
"description": "Configuration parameters that allow you to create personalized policy rules and other.",
"type": "object",
"properties": {
"subnets": {
"type": [
"array",
"null"
],
"items": {
"type": "string"
},
"description": "Identifies the client based on his subnet.",
"default": null
},
"tsig": {
"type": [
"array",
"null"
],
"items": {
"type": "string"
},
"description": "Identifies the client based on a TSIG key name (for testing purposes, TSIG signature is not verified!).",
"default": null
},
"options": {
"type": [
"array",
"null"
],
"items": {
"type": "string",
"enum": [
"no-minimize",
"no-ipv4",
"no-ipv6",
"tcp",
"resolved",
"await-ipv4",
"await-ipv6",
"await-cut",
"no-edns",
"cached",
"no-cache",
"expiring",
"allow_local",
"dnssec-want",
"dnssec-bogus",
"dnssec-insecure",
"dnssec-cd",
"stub",
"always-cut",
"dnssec-wexpand",
"permissive",
"strict",
"badcookie-again",
"cname",
"reorder-rr",
"trace",
"no-0x20",
"dnssec-nods",
"dnssec-optout",
"nonauth",
"forward",
"dns64-mark",
"cache-tried",
"no-ns-found",
"pkt-is-sane",
"dns64-disable"
]
},
"description": "Configuration flags for clients identified by the view.",
"default": null
},
"tags": {
"type": [
"array",
"null"
],
"items": {
"type": "string",
"pattern": "[a-zA-Z0-9]+"
},
"description": "Tags to link with other policy rules.",
"default": null
}
}
},
"description": "List of views and its configuration.",
"default": null
},
"local-data": {
"description": "Local data for forward records (A/AAAA) and reverse records (PTR).",
"type": "object",
"properties": {
"ttl": {
"type": [
"string",
"null"
],
"pattern": "^(\\d+)(us|ms|s|m|h|d)$",
"description": "Default TTL value used for added local data/records.",
"default": null
},
"nodata": {
"type": "boolean",
"description": "Use NODATA synthesis. NODATA will be synthesised for matching name, but mismatching type(e.g. AAAA query when only A exists).",
"default": true
},
"addresses": {
"type": [
"object",
"null"
],
"additionalProperties": {
"anyOf": [
{
"type": "array",
"items": {
"anyOf": [
{
"type": "string"
},
{
"type": "string"
}
]
}
},
{
"type": "string"
},
{
"type": "string"
}
]
},
"description": "Direct addition of hostname and IP addresses pairs.",
"default": null
},
"addresses-files": {
"type": [
"array",
"null"
],
"items": {
"type": "string"
},
"description": "Direct addition of hostname and IP addresses pairs from files in '/etc/hosts' like format.",
"default": null
},
"records": {
"type": [
"array",
"null"
],
"items": {
"type": "string"
},
"description": "Direct addition of records in DNS zone file format.",
"default": null
},
"subtrees": {
"type": [
"array",
"null"
],
"items": {
"description": "Local data and configuration of subtree.",
"type": "object",
"properties": {
"tags": {
"type": [
"array",
"null"
],
"items": {
"type": "string",
"pattern": "[a-zA-Z0-9]+"
},
"description": "Tags to link with other policy rules.",
"default": null
}
}
},
"description": "Direct addition of subtrees.",
"default": null
}
},
"default": {
"ttl": null,
"nodata": true,
"addresses": null,
"addresses_files": null,
"records": null,
"subtrees": null
}
},
"slices": {
"type": [
"array",
"null"
],
"items": {
"description": "Split the entire DNS namespace into distinct slices.",
"type": "object",
"properties": {
"function": {
"type": "string",
"enum": [
"randomize-psl"
],
"description": "Slicing function that returns index based on query",
"default": "randomize-psl"
},
"views": {
"type": [
"array",
"null"
],
"items": {
"type": "string"
},
"description": "Use this Slice only for clients defined by views.",
"default": null
},
"actions": {
"type": "array",
"items": {
"description": "Configuration of policy action.",
"type": "object",
"properties": {
"action": {
"type": "string",
"enum": [
"pass",
"deny",
"drop",
"refuse",
"tc",
"reroute",
"answer",
"mirror",
"forward",
"stub",
"debug-always",
"debug-cache-miss",
"qtrace",
"reqtrace"
],
"description": "Policy action."
},
"message": {
"type": [
"string",
"null"
],
"description": "Deny message for 'deny' action.",
"default": null
},
"reroute": {
"type": [
"array",
"null"
],
"items": {
"description": "Renumbers addresses in answers to different address space.",
"type": "object",
"properties": {
"source": {
"type": "string",
"description": "Source subnet."
},
"destination": {
"anyOf": [
{
"type": "string"
},
{
"type": "string"
}
],
"description": "Destination address prefix."
}
}
},
"description": "Configuration for 'reroute' action.",
"default": null
},
"answer": {
"description": "Answer definition for 'answer' action.",
"type": [
"object",
"null"
],
"properties": {
"rtype": {
"type": "string",
"enum": [
"A",
"A6",
"AAAA",
"AFSDB",
"ANY",
"APL",
"ATMA",
"AVC",
"AXFR",
"CAA",
"CDNSKEY",
"CDS",
"CERT",
"CNAME",
"CSYNC",
"DHCID",
"DLV",
"DNAME",
"DNSKEY",
"DOA",
"DS",
"EID",
"EUI48",
"EUI64",
"GID",
"GPOS",
"HINFO",
"HIP",
"HTTPS",
"IPSECKEY",
"ISDN",
"IXFR",
"KEY",
"KX",
"L32",
"L64",
"LOC",
"LP",
"MAILA",
"MAILB",
"MB",
"MD",
"MF",
"MG",
"MINFO",
"MR",
"MX",
"NAPTR",
"NID",
"NIMLOC",
"NINFO",
"NS",
"NSAP",
"NSAP-PTR",
"NSEC",
"NSEC3",
"NSEC3PARAM",
"NULL",
"NXT",
"OPENPGPKEY",
"OPT",
"PTR",
"PX",
"RKEY",
"RP",
"RRSIG",
"RT",
"SIG",
"SINK",
"SMIMEA",
"SOA",
"SPF",
"SRV",
"SSHFP",
"SVCB",
"TA",
"TALINK",
"TKEY",
"TLSA",
"TSIG",
"TXT",
"UID",
"UINFO",
"UNSPEC",
"URI",
"WKS",
"X25",
"ZONEMD"
],
"description": "Type of DNS resource record."
},
"rdata": {
"type": "string",
"description": "Data of DNS resource record."
},
"ttl": {
"type": "string",
"pattern": "^(\\d+)(us|ms|s|m|h|d)$",
"description": "Time-to-live value for defined answer.",
"default": "1s"
},
"nodata": {
"type": "boolean",
"description": "Answer with NODATA If requested type is not configured in the answer. Otherwise policy rule is ignored.",
"default": false
}
},
"default": null
},
"servers": {
"anyOf": [
{
"type": "array",
"items": {
"type": "string"
}
},
{
"type": "array",
"items": {
"description": "Forward server configuration options.",
"type": "object",
"properties": {
"address": {
"anyOf": [
{
"type": "string"
},
{
"type": "array",
"items": {
"type": "string"
}
}
],
"description": "IP address(es) of a forward server."
},
"transport": {
"type": [
"string",
"null"
],
"enum": [
"tls"
],
"description": "Transport protocol for a forward server.",
"default": null
},
"pin-sha256": {
"anyOf": [
{
"type": "string"
},
{
"type": "array",
"items": {
"type": "string"
}
},
{
"type": "null"
}
],
"description": "Hash of accepted CA certificate.",
"default": null
},
"hostname": {
"type": [
"string",
"null"
],
"pattern": "(?=^.{,253}\\.?$)(^(?!\\.)((?!-)\\.?[a-zA-Z0-9-]{,62}[a-zA-Z0-9])+\\.?$)|^\\.$",
"description": "Hostname of the Forward server.",
"default": null
},
"ca-file": {
"type": [
"string",
"null"
],
"description": "Path to CA certificate file.",
"default": null
}
}
}
},
{
"type": "null"
}
],
"description": "Servers configuration for 'mirror', 'forward' and 'stub' action.",
"default": null
}
}
},
"description": "Actions for slice."
}
}
},
"description": "Split the entire DNS namespace into distinct slices.",
"default": null
},
"policy": {
"type": [
"array",
"null"
],
"items": {
"description": "Configuration of policy rule.",
"type": "object",
"properties": {
"action": {
"type": "string",
"enum": [
"pass",
"deny",
"drop",
"refuse",
"tc",
"reroute",
"answer",
"mirror",
"forward",
"stub",
"debug-always",
"debug-cache-miss",
"qtrace",
"reqtrace"
],
"description": "Policy rule action."
},
"priority": {
"type": [
"integer",
"null"
],
"description": "Policy rule priority.",
"default": null
},
"filter": {
"description": "Query filtering configuration.",
"type": [
"object",
"null"
],
"properties": {
"suffix": {
"type": [
"string",
"null"
],
"description": "Filter based on the suffix of the query name.",
"default": null
},
"pattern": {
"type": [
"string",
"null"
],
"description": "Filter based on the pattern that match query name.",
"default": null
},
"qtype": {
"type": [
"string",
"null"
],
"enum": [
"A",
"A6",
"AAAA",
"AFSDB",
"ANY",
"APL",
"ATMA",
"AVC",
"AXFR",
"CAA",
"CDNSKEY",
"CDS",
"CERT",
"CNAME",
"CSYNC",
"DHCID",
"DLV",
"DNAME",
"DNSKEY",
"DOA",
"DS",
"EID",
"EUI48",
"EUI64",
"GID",
"GPOS",
"HINFO",
"HIP",
"HTTPS",
"IPSECKEY",
"ISDN",
"IXFR",
"KEY",
"KX",
"L32",
"L64",
"LOC",
"LP",
"MAILA",
"MAILB",
"MB",
"MD",
"MF",
"MG",
"MINFO",
"MR",
"MX",
"NAPTR",
"NID",
"NIMLOC",
"NINFO",
"NS",
"NSAP",
"NSAP-PTR",
"NSEC",
"NSEC3",
"NSEC3PARAM",
"NULL",
"NXT",
"OPENPGPKEY",
"OPT",
"PTR",
"PX",
"RKEY",
"RP",
"RRSIG",
"RT",
"SIG",
"SINK",
"SMIMEA",
"SOA",
"SPF",
"SRV",
"SSHFP",
"SVCB",
"TA",
"TALINK",
"TKEY",
"TLSA",
"TSIG",
"TXT",
"UID",
"UINFO",
"UNSPEC",
"URI",
"WKS",
"X25",
"ZONEMD"
],
"description": "Filter based on the DNS query type.",
"default": null
}
},
"default": null
},
"views": {
"type": [
"array",
"null"
],
"items": {
"type": "string"
},
"description": "Use policy rule only for clients defined by views.",
"default": null
},
"options": {
"type": [
"array",
"null"
],
"items": {
"type": "string",
"enum": [
"no-minimize",
"no-ipv4",
"no-ipv6",
"tcp",
"resolved",
"await-ipv4",
"await-ipv6",
"await-cut",
"no-edns",
"cached",
"no-cache",
"expiring",
"allow_local",
"dnssec-want",
"dnssec-bogus",
"dnssec-insecure",
"dnssec-cd",
"stub",
"always-cut",
"dnssec-wexpand",
"permissive",
"strict",
"badcookie-again",
"cname",
"reorder-rr",
"trace",
"no-0x20",
"dnssec-nods",
"dnssec-optout",
"nonauth",
"forward",
"dns64-mark",
"cache-tried",
"no-ns-found",
"pkt-is-sane",
"dns64-disable"
]
},
"description": "Configuration flags for policy rule.",
"default": null
},
"message": {
"type": [
"string",
"null"
],
"description": "Deny message for 'deny' action.",
"default": null
},
"reroute": {
"type": [
"array",
"null"
],
"items": {
"description": "Renumbers addresses in answers to different address space.",
"type": "object",
"properties": {
"source": {
"type": "string",
"description": "Source subnet."
},
"destination": {
"anyOf": [
{
"type": "string"
},
{
"type": "string"
}
],
"description": "Destination address prefix."
}
}
},
"description": "Configuration for 'reroute' action.",
"default": null
},
"answer": {
"description": "Answer definition for 'answer' action.",
"type": [
"object",
"null"
],
"properties": {
"rtype": {
"type": "string",
"enum": [
"A",
"A6",
"AAAA",
"AFSDB",
"ANY",
"APL",
"ATMA",
"AVC",
"AXFR",
"CAA",
"CDNSKEY",
"CDS",
"CERT",
"CNAME",
"CSYNC",
"DHCID",
"DLV",
"DNAME",
"DNSKEY",
"DOA",
"DS",
"EID",
"EUI48",
"EUI64",
"GID",
"GPOS",
"HINFO",
"HIP",
"HTTPS",
"IPSECKEY",
"ISDN",
"IXFR",
"KEY",
"KX",
"L32",
"L64",
"LOC",
"LP",
"MAILA",
"MAILB",
"MB",
"MD",
"MF",
"MG",
"MINFO",
"MR",
"MX",
"NAPTR",
"NID",
"NIMLOC",
"NINFO",
"NS",
"NSAP",
"NSAP-PTR",
"NSEC",
"NSEC3",
"NSEC3PARAM",
"NULL",
"NXT",
"OPENPGPKEY",
"OPT",
"PTR",
"PX",
"RKEY",
"RP",
"RRSIG",
"RT",
"SIG",
"SINK",
"SMIMEA",
"SOA",
"SPF",
"SRV",
"SSHFP",
"SVCB",
"TA",
"TALINK",
"TKEY",
"TLSA",
"TSIG",
"TXT",
"UID",
"UINFO",
"UNSPEC",
"URI",
"WKS",
"X25",
"ZONEMD"
],
"description": "Type of DNS resource record."
},
"rdata": {
"type": "string",
"description": "Data of DNS resource record."
},
"ttl": {
"type": "string",
"pattern": "^(\\d+)(us|ms|s|m|h|d)$",
"description": "Time-to-live value for defined answer.",
"default": "1s"
},
"nodata": {
"type": "boolean",
"description": "Answer with NODATA If requested type is not configured in the answer. Otherwise policy rule is ignored.",
"default": false
}
},
"default": null
},
"servers": {
"anyOf": [
{
"type": "array",
"items": {
"type": "string"
}
},
{
"type": "array",
"items": {
"description": "Forward server configuration options.",
"type": "object",
"properties": {
"address": {
"anyOf": [
{
"type": "string"
},
{
"type": "array",
"items": {
"type": "string"
}
}
],
"description": "IP address(es) of a forward server."
},
"transport": {
"type": [
"string",
"null"
],
"enum": [
"tls"
],
"description": "Transport protocol for a forward server.",
"default": null
},
"pin-sha256": {
"anyOf": [
{
"type": "string"
},
{
"type": "array",
"items": {
"type": "string"
}
},
{
"type": "null"
}
],
"description": "Hash of accepted CA certificate.",
"default": null
},
"hostname": {
"type": [
"string",
"null"
],
"pattern": "(?=^.{,253}\\.?$)(^(?!\\.)((?!-)\\.?[a-zA-Z0-9-]{,62}[a-zA-Z0-9])+\\.?$)|^\\.$",
"description": "Hostname of the Forward server.",
"default": null
},
"ca-file": {
"type": [
"string",
"null"
],
"description": "Path to CA certificate file.",
"default": null
}
}
}
},
{
"type": "null"
}
],
"description": "Servers configuration for 'mirror', 'forward' and 'stub' action.",
"default": null
}
}
},
"description": "List of policy rules and its configuration.",
"default": null
},
"rpz": {
"type": [
"array",
"null"
],
"items": {
"description": "Configuration or Response Policy Zone (RPZ).",
"type": "object",
"properties": {
"action": {
"type": "string",
"enum": [
"pass",
"deny",
"drop",
"refuse",
"tc",
"reroute",
"answer",
"mirror",
"forward",
"stub",
"debug-always",
"debug-cache-miss",
"qtrace",
"reqtrace"
],
"description": "RPZ rule action, typically 'deny'."
},
"file": {
"type": "string",
"description": "Path to the RPZ zone file."
},
"watch": {
"type": "boolean",
"description": "Reload the file when it changes.",
"default": true
},
"views": {
"type": [
"array",
"null"
],
"items": {
"type": "string"
},
"description": "Use RPZ rule only for clients defined by views.",
"default": null
},
"options": {
"type": [
"array",
"null"
],
"items": {
"type": "string",
"enum": [
"no-minimize",
"no-ipv4",
"no-ipv6",
"tcp",
"resolved",
"await-ipv4",
"await-ipv6",
"await-cut",
"no-edns",
"cached",
"no-cache",
"expiring",
"allow_local",
"dnssec-want",
"dnssec-bogus",
"dnssec-insecure",
"dnssec-cd",
"stub",
"always-cut",
"dnssec-wexpand",
"permissive",
"strict",
"badcookie-again",
"cname",
"reorder-rr",
"trace",
"no-0x20",
"dnssec-nods",
"dnssec-optout",
"nonauth",
"forward",
"dns64-mark",
"cache-tried",
"no-ns-found",
"pkt-is-sane",
"dns64-disable"
]
},
"description": "Configuration flags for RPZ rule.",
"default": null
},
"message": {
"type": [
"string",
"null"
],
"description": "Deny message for 'deny' action.",
"default": null
}
}
},
"description": "List of Response Policy Zones and its configuration.",
"default": null
},
"forward": {
"type": [
"array",
"null"
],
"items": {
"description": "Configuration of forward subtree.",
"type": "object",
"properties": {
"subtree": {
"type": "string",
"pattern": "(?=^.{,253}\\.?$)(^(?!\\.)((?!-)\\.?[a-zA-Z0-9-]{,62}[a-zA-Z0-9])+\\.?$)|^\\.$",
"description": "Subtree to forward."
},
"servers": {
"anyOf": [
{
"type": "array",
"items": {
"type": "string"
}
},
{
"type": "array",
"items": {
"description": "Forward server configuration options.",
"type": "object",
"properties": {
"address": {
"anyOf": [
{
"type": "string"
},
{
"type": "array",
"items": {
"type": "string"
}
}
],
"description": "IP address(es) of a forward server."
},
"transport": {
"type": [
"string",
"null"
],
"enum": [
"tls"
],
"description": "Transport protocol for a forward server.",
"default": null
},
"pin-sha256": {
"anyOf": [
{
"type": "string"
},
{
"type": "array",
"items": {
"type": "string"
}
},
{
"type": "null"
}
],
"description": "Hash of accepted CA certificate.",
"default": null
},
"hostname": {
"type": [
"string",
"null"
],
"pattern": "(?=^.{,253}\\.?$)(^(?!\\.)((?!-)\\.?[a-zA-Z0-9-]{,62}[a-zA-Z0-9])+\\.?$)|^\\.$",
"description": "Hostname of the Forward server.",
"default": null
},
"ca-file": {
"type": [
"string",
"null"
],
"description": "Path to CA certificate file.",
"default": null
}
}
}
}
],
"description": "Forward server configuration."
},
"options": {
"description": "Configuration options for forward subtree.",
"type": "object",
"properties": {
"dnssec": {
"type": "boolean",
"description": "Enable/disable DNSSEC.",
"default": true
}
},
"default": {
"dnssec": true
}
}
}
},
"description": "List of Forward Zones and its configuration.",
"default": null
},
"cache": {
"description": "DNS resolver cache configuration.",
"type": "object",
"properties": {
"storage": {
"type": "string",
"description": "Cache storage of the DNS resolver.",
"default": "/var/cache/knot-resolver"
},
"size-max": {
"type": "string",
"pattern": "^(\\d+)(B|K|M|G)$",
"description": "Maximum size of the cache.",
"default": "100M"
},
"garbage-collector": {
"anyOf": [
{
"description": "Configuration options of the cache garbage collector (kres-cache-gc).",
"type": "object",
"properties": {
"interval": {
"type": "string",
"pattern": "^(\\d+)(us|ms|s|m|h|d)$",
"description": "Time interval how often the garbage collector will be run.",
"default": "1s"
},
"threshold": {
"type": "integer",
"minimum": 0,
"maximum": 100,
"description": "Cache usage in percent that triggers the garbage collector.",
"default": 80
},
"release": {
"type": "integer",
"minimum": 0,
"maximum": 100,
"description": "Percent of used cache to be freed by the garbage collector.",
"default": 10
},
"temp-keys-space": {
"type": "string",
"pattern": "^(\\d+)(B|K|M|G)$",
"description": "Maximum amount of temporary memory for copied keys (0 = unlimited).",
"default": 0
},
"rw-deletes": {
"type": "integer",
"minimum": 0,
"description": "Maximum number of deleted records per read-write transaction (0 = unlimited).",
"default": 100
},
"rw-reads": {
"type": "integer",
"minimum": 0,
"description": "Maximum number of readed records per read-write transaction (0 = unlimited).",
"default": 200
},
"rw-duration": {
"type": "string",
"pattern": "^(\\d+)(us|ms|s|m|h|d)$",
"description": "Maximum duration of read-write transaction (0 = unlimited).",
"default": 0
},
"rw-delay": {
"type": "string",
"pattern": "^(\\d+)(us|ms|s|m|h|d)$",
"description": "Wait time between two read-write transactions.",
"default": 0
},
"dry-run": {
"type": "boolean",
"description": "Run the garbage collector in dry-run mode.",
"default": false
}
}
},
{
"type": "string",
"enum": [
false
]
}
],
"description": "Use the garbage collector (kres-cache-gc) to periodically clear cache.",
"default": {
"interval": "1s",
"threshold": 80,
"release": 10,
"temp_keys_space": 0,
"rw_deletes": 100,
"rw_reads": 200,
"rw_duration": 0,
"rw_delay": 0,
"dry_run": false
}
},
"ttl-min": {
"type": "string",
"pattern": "^(\\d+)(us|ms|s|m|h|d)$",
"description": "Minimum time-to-live for the cache entries.",
"default": "5s"
},
"ttl-max": {
"type": "string",
"pattern": "^(\\d+)(us|ms|s|m|h|d)$",
"description": "Maximum time-to-live for the cache entries.",
"default": "6d"
},
"ns-timeout": {
"type": "string",
"pattern": "^(\\d+)(us|ms|s|m|h|d)$",
"description": "Time interval for which a nameserver address will be ignored after determining that it does not return (useful) answers.",
"default": "1000ms"
},
"prefill": {
"type": [
"array",
"null"
],
"items": {
"description": "Prefill the cache periodically by importing zone data obtained over HTTP.",
"type": "object",
"properties": {
"origin": {
"type": "string",
"pattern": "(?=^.{,253}\\.?$)(^(?!\\.)((?!-)\\.?[a-zA-Z0-9-]{,62}[a-zA-Z0-9])+\\.?$)|^\\.$",
"description": "Origin for the imported data. Cache prefilling is only supported for the root zone ('.')."
},
"url": {
"type": "string",
"description": "URL of the zone data to be imported."
},
"refresh-interval": {
"type": "string",
"pattern": "^(\\d+)(us|ms|s|m|h|d)$",
"description": "Time interval between consecutive refreshes of the imported zone data.",
"default": "1d"
},
"ca-file": {
"type": [
"string",
"null"
],
"description": "Path to the file containing a CA certificate bundle that is used to authenticate the HTTPS connection.",
"default": null
}
}
},
"description": "Prefill the cache periodically by importing zone data obtained over HTTP.",
"default": null
}
},
"default": {
"storage": "/var/cache/knot-resolver",
"size_max": "100M",
"garbage_collector": {
"interval": "1s",
"threshold": 80,
"release": 10,
"temp_keys_space": 0,
"rw_deletes": 100,
"rw_reads": 200,
"rw_duration": 0,
"rw_delay": 0,
"dry_run": false
},
"ttl_min": "5s",
"ttl_max": "6d",
"ns_timeout": "1000ms",
"prefill": null
}
},
"dnssec": {
"anyOf": [
{
"type": "boolean"
},
{
"description": "DNSSEC configuration.",
"type": "object",
"properties": {
"trust-anchor-sentinel": {
"type": "boolean",
"description": "Allows users of DNSSEC validating resolver to detect which root keys are configured in resolver's chain of trust. (RFC 8509)",
"default": true
},
"trust-anchor-signal-query": {
"type": "boolean",
"description": "Signaling Trust Anchor Knowledge in DNSSEC Using Key Tag Query, according to (RFC 8145#section-5).",
"default": true
},
"time-skew-detection": {
"type": "boolean",
"description": "Detection of difference between local system time and expiration time bounds in DNSSEC signatures for '. NS' records.",
"default": true
},
"keep-removed": {
"type": "integer",
"minimum": 0,
"description": "How many removed keys should be held in history (and key file) before being purged.",
"default": 0
},
"refresh-time": {
"type": [
"string",
"null"
],
"pattern": "^(\\d+)(us|ms|s|m|h|d)$",
"description": "Force trust-anchors to be updated every defined time periodically instead of relying on (RFC 5011) logic and TTLs. Intended only for testing purposes.",
"default": null
},
"hold-down-time": {
"type": "string",
"pattern": "^(\\d+)(us|ms|s|m|h|d)$",
"description": "Modify hold-down timer (RFC 5011). Intended only for testing purposes.",
"default": "30d"
},
"trust-anchors": {
"type": [
"array",
"null"
],
"items": {
"type": "string"
},
"description": "List of trust-anchors in DS/DNSKEY records format.",
"default": null
},
"negative-trust-anchors": {
"type": [
"array",
"null"
],
"items": {
"type": "string"
},
"description": "List of domain names representing negative trust-anchors. (RFC 7646)",
"default": null
},
"trust-anchors-files": {
"type": [
"array",
"null"
],
"items": {
"description": "Trust-anchor zonefile configuration.",
"type": "object",
"properties": {
"file": {
"type": "string",
"description": "Path to the zonefile that stores trust-anchors."
},
"read-only": {
"type": "boolean",
"description": "Blocks zonefile updates according to RFC 5011.",
"default": false
}
}
},
"description": "List of zonefiles where trust-anchors are stored.",
"default": null
}
}
}
],
"description": "Disable DNSSEC, enable with defaults or set new configuration.",
"default": true
},
"dns64": {
"anyOf": [
{
"type": "boolean"
},
{
"description": "DNS64 (RFC 6147) configuration.",
"type": "object",
"properties": {
"prefix": {
"type": "string",
"description": "IPv6 prefix to be used for synthesizing AAAA records.",
"default": "64:ff9b::/96"
}
}
}
],
"description": "Disable DNS64 (RFC 6147), enable with defaults or set new configuration.",
"default": false
},
"logging": {
"description": "Logging and debugging configuration.",
"type": "object",
"properties": {
"level": {
"type": "string",
"enum": [
"crit",
"err",
"warning",
"notice",
"info",
"debug"
],
"description": "Global logging level.",
"default": "notice"
},
"target": {
"anyOf": [
{
"type": "string",
"enum": [
"syslog",
"stderr",
"stdout"
]
},
{
"type": "string",
"enum": [
"from-env"
]
}
],
"description": "Global logging stream target. \"from-env\" uses $KRES_LOG_TARGET and defaults to \"stdout\".",
"default": "from-env"
},
"groups": {
"type": [
"array",
"null"
],
"items": {
"type": "string",
"enum": [
"manager",
"supervisord",
"cache-gc",
"system",
"cache",
"io",
"net",
"ta",
"tasent",
"tasign",
"taupd",
"tls",
"gnutls",
"tls_cl",
"xdp",
"zimprt",
"zscann",
"doh",
"dnssec",
"hint",
"plan",
"iterat",
"valdtr",
"resolv",
"select",
"zonecut",
"cookie",
"statis",
"rebind",
"worker",
"policy",
"daf",
"timejm",
"timesk",
"graphi",
"prefil",
"primin",
"srvstl",
"wtchdg",
"nsid",
"dnstap",
"tests",
"dotaut",
"http",
"contrl",
"module",
"devel",
"reqdbg"
]
},
"description": "List of groups for which 'debug' logging level is set.",
"default": null
},
"dnssec-bogus": {
"type": "boolean",
"description": "Logging a message for each DNSSEC validation failure.",
"default": false
},
"dnstap": {
"anyOf": [
{
"type": "string",
"enum": [
false
]
},
{
"description": "Logging DNS queries and responses to a unix socket.",
"type": "object",
"properties": {
"unix-socket": {
"type": "string",
"description": "Path to unix domain socket where dnstap messages will be sent."
},
"log-queries": {
"type": "boolean",
"description": "Log queries from downstream in wire format.",
"default": true
},
"log-responses": {
"type": "boolean",
"description": "Log responses to downstream in wire format.",
"default": true
},
"log-tcp-rtt": {
"type": "boolean",
"description": "Log TCP RTT (Round-trip time).",
"default": true
}
}
}
],
"description": "Logging DNS requests and responses to a unix socket.",
"default": false
},
"debugging": {
"description": "Advanced debugging parameters for kresd (Knot Resolver daemon).",
"type": "object",
"properties": {
"assertion-abort": {
"type": "boolean",
"description": "Allow the process to be aborted in case it encounters a failed assertion.",
"default": false
},
"assertion-fork": {
"type": "string",
"pattern": "^(\\d+)(us|ms|s|m|h|d)$",
"description": "Fork and abord child kresd process to obtain a coredump, while the parent process recovers and keeps running.",
"default": "5m"
}
},
"default": {
"assertion_abort": false,
"assertion_fork": "5m"
}
}
},
"default": {
"level": "notice",
"target": "stdout",
"groups": null,
"dnssec_bogus": false,
"dnstap": false,
"debugging": {
"assertion_abort": false,
"assertion_fork": "5m"
}
}
},
"monitoring": {
"description": "Metrics exposisition configuration (Prometheus, Graphite)",
"type": "object",
"properties": {
"enabled": {
"type": "string",
"enum": [
"manager-only",
"lazy",
"always"
],
"description": "configures, whether statistics module will be loaded into resolver",
"default": "lazy"
},
"graphite": {
"anyOf": [
{
"type": "string",
"enum": [
false
]
},
{
"type": "object",
"properties": {
"host": {
"anyOf": [
{
"type": "string"
},
{
"type": "string"
},
{
"type": "string",
"pattern": "(?=^.{,253}\\.?$)(^(?!\\.)((?!-)\\.?[a-zA-Z0-9-]{,62}[a-zA-Z0-9])+\\.?$)|^\\.$"
}
]
},
"port": {
"type": "integer",
"minimum": 1,
"maximum": 65535,
"default": 2003
},
"prefix": {
"type": "string",
"default": ""
},
"interval": {
"type": "string",
"pattern": "^(\\d+)(us|ms|s|m|h|d)$",
"default": "5s"
},
"tcp": {
"type": "boolean",
"default": false
}
}
}
],
"description": "optionally configures where should graphite metrics be sent to",
"default": false
}
},
"default": {
"enabled": "lazy",
"graphite": false
}
},
"lua": {
"description": "Custom Lua configuration.",
"type": "object",
"properties": {
"script-only": {
"type": "boolean",
"description": "Ignore declarative configuration and use only Lua script or file defined in this section.",
"default": false
},
"script": {
"type": [
"string",
"null"
],
"description": "Custom Lua configuration script.",
"default": null
},
"script-file": {
"type": [
"string",
"null"
],
"description": "Path to file that contains Lua configuration script.",
"default": null
}
},
"default": {
"script_only": false,
"script": null,
"script_file": null
}
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment