Nsd

services.nsd.bind8Stats

Whether to enable BIND8-like statistics.

Type: boolean

Default

false

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.dnssecInterval

How often to check whether dnssec key rollover is required

Type: string

Default

"1h"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.enable

Whether to enable the NSD authoritative DNS server.

Type: boolean

Default

false

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.extraConfig

Extra nsd config.

Type: strings concatenated with "\n"

Default

""

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.hideVersion

Whether NSD should answer VERSION.BIND and VERSION.SERVER CHAOS class queries.

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.identity

Identify the server (CH TXT ID.SERVER entry).

Type: string

Default

"unidentified server"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.interfaces

What addresses the server should listen to.

Type: list of string

Default

[ "127.0.0.0" "::1" ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.ipFreebind

Whether to bind to nonlocal addresses and interfaces that are down. Similar to ip-transparent.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.ipTransparent

Allow binding to non local addresses.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.ipv4

Whether to listen on IPv4 connections.

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.ipv4EDNSSize

Preferred EDNS buffer size for IPv4.

Type: signed integer

Default

4096

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.ipv6

Whether to listen on IPv6 connections.

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.ipv6EDNSSize

Preferred EDNS buffer size for IPv6.

Type: signed integer

Default

4096

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.keys

Define your TSIG keys here.

Type: attribute set of (submodule)

Default

{ }

Example

{
  "tsig.example.org" = {
    algorithm = "hmac-md5";
    keyFile = "/path/to/my/key";
  };
}

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.keys.<name>.algorithm

Authentication algorithm for this key.

Type: string

Default

"hmac-sha256"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.keys.<name>.keyFile

Path to the file which contains the actual base64-encoded key. The key will be copied into "/var/lib/nsd/private" before NSD starts. The copied file is only accessible by the NSD user.

Type: path

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.logTimeAscii

Log time in ASCII; if false, log it as Unix epoch seconds.

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.nsid

NSID identity (hex string, or "ascii_somestring").

Type: null or string

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.port

Port the service should bind to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default

53

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.ratelimit.enable

Whether to enable ratelimit capabilities.

Type: boolean

Default

false

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.ratelimit.ipv4PrefixLength

IPv4 prefix length. Addresses are grouped by netblock.

Type: null or signed integer

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.ratelimit.ipv6PrefixLength

IPv6 prefix length. Addresses are grouped by netblock.

Type: null or signed integer

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.ratelimit.ratelimit

Maximum qps allowed from any query source. 0 means unlimited. With a verbosity of 2, blocked and unblocked subnets will be logged.

Type: signed integer

Default

200

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.ratelimit.size

Size of the hashtable. More buckets use more memory but lower the chance of hash collisions.

Type: signed integer

Default

1000000

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.ratelimit.slip

Number of packets that get discarded before replying with a SLIP response. 0 disables SLIP responses. 1 will make every response a SLIP response.

Type: null or signed integer

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.ratelimit.whitelistRatelimit

Maximum qps allowed from whitelisted sources. 0 means unlimited. Set the rrl-whitelist option for specific queries to apply this limit to them instead of the default.

Type: signed integer

Default

2000

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.remoteControl.controlCertFile

Path to the client certificate signed with the server certificate. This file is used by nsd-control and generated by nsd-control-setup.

Type: path

Default

"/etc/nsd/nsd_control.pem"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.remoteControl.controlKeyFile

Path to the client private key, which is used by nsd-control but not by the server. This file is generated by nsd-control-setup.

Type: path

Default

"/etc/nsd/nsd_control.key"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.remoteControl.enable

Whether to enable remote control via nsd-control.

Type: boolean

Default

false

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.remoteControl.interfaces

Which interfaces NSD should bind to for remote control.

Type: list of string

Default

[ "127.0.0.1" "::1" ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.remoteControl.port

Port number for remote control operations (uses TLS over TCP).

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default

8952

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.remoteControl.serverCertFile

Path to the server's self-signed certificate, which is used by both the server and nsd-control. This file is generated by nsd-control-setup.

Type: path

Default

"/etc/nsd/nsd_server.pem"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.remoteControl.serverKeyFile

Path to the server private key, which is used by the server but not by nsd-control. This file is generated by nsd-control-setup.

Type: path

Default

"/etc/nsd/nsd_server.key"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.reuseport

Whether to enable SO_REUSEPORT on all used sockets. This lets multiple processes bind to the same port. It speeds up operation, especially if the server count is greater than one, and makes fast restarts less prone to failure.

Type: boolean

Default

pkgs.stdenv.isLinux

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.rootServer

Whether this server will be a root server (a DNS root server, you usually don't want that).

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.roundRobin

Whether to enable round-robin rotation of records.

Type: boolean

Default

false

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.serverCount

Number of NSD servers to fork. Put the number of CPUs to use here.

Type: signed integer

Default

1

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.statistics

Statistics are produced every given number of seconds and printed to the log. If null, no statistics are logged.

Type: null or signed integer

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.tcpCount

Maximum number of concurrent TCP connections per server.

Type: signed integer

Default

100

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.tcpQueryCount

Maximum number of queries served on a single TCP connection. 0 means no maximum.

Type: signed integer

Default

0

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.tcpTimeout

TCP timeout in seconds.

Type: signed integer

Default

120

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.verbosity

Verbosity level.

Type: signed integer

Default

0

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.version

The version string replied for CH TXT version.server and version.bind queries. The compiled package version is used when null. See hideVersion for enabling/disabling these responses.

Type: null or string

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.xfrdReloadTimeout

Number of seconds between reloads triggered by xfrd.

Type: signed integer

Default

1

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.zonefilesCheck

Whether to check the mtime of all zone files on start and on SIGHUP.

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.zonefilesWrite

Write changed secondary zones to their zonefile every N seconds. If the zone (pattern) configuration has "" zonefile, it is not written. Zones that have received zone transfer updates are written to their zonefile. 0 disables writing to zone files.

Type: signed integer

Default

0

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.zones

Define your zones here. Zones can cascade other zones and therefore inherit settings from parent zones. Look at the definition of children to learn about inheritance and child zones. The given example will define 3 zones (example.(com|org|net).). Both example.com. and example.org. inherit their configuration from serverGroup1.

Type: attribute set of (submodule)

Default

{ }

Example

```nix
{
  "serverGroup1" = {
    provideXFR = [ "10.1.2.3 NOKEY" ];
    children = {
      "example.com." = {
        data = ''
          $ORIGIN example.com.
          $TTL    86400
          @ IN SOA a.ns.example.com. admin.example.com. (
          ...
        '';
      };
      "example.org." = {
        data = ''
          $ORIGIN example.org.
          $TTL    86400
          @ IN SOA a.ns.example.com. admin.example.com. (
          ...
        '';
      };
    };
  };

  "example.net." = {
    provideXFR = [ "10.3.2.1 NOKEY" ];
    data = ''
      ...
    '';
  };
}
```

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.zones.<name>.allowAXFRFallback

If NSD as secondary server should be allowed to AXFR if the primary server does not allow IXFR.

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.zones.<name>.allowNotify

Listed primary servers are allowed to notify this secondary server.

Format: <ip> <key-name | NOKEY | BLOCKED>

<ip> is either a plain IPv4/IPv6 address or a range. Valid patterns for ranges:

* 10.0.0.0/24: via subnet size
* 10.0.0.0&255.255.255.0: via subnet mask
* 10.0.0.1-10.0.0.254: via range

An optional port number can be added with an '@':

* 2001:1234::1@1234

<key-name | NOKEY | BLOCKED>

* <key-name>: use the specified TSIG key
* NOKEY: no TSIG signature is required
* BLOCKED: notifies from non-listed or blocked IPs will be ignored

Type: list of string

Default

[ ]

Example

[ "192.0.2.0/24 NOKEY" "10.0.0.1-10.0.0.5 my_tsig_key_name" "10.0.3.4&255.255.0.0 BLOCKED" ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.zones.<name>.children

Child zones inherit all options of their parents. Attributes defined in a child will overwrite the ones of its parent. Only leaf zones will actually be served. This way it is possible to define many zones which share most attributes without duplicating everything. This mechanism replaces NSD's patterns in a safe and functional way.

Type: attribute set of anything

Default

{ }

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.zones.<name>.data

The actual zone data. This is the content of your zone file. Use imports or pkgs.lib.readFile if you don't want this data in your config file.

Type: strings concatenated with "\n"

Default

""

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.zones.<name>.dnssec

Whether to enable DNSSEC.

Type: boolean

Default

false

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.zones.<name>.dnssecPolicy.algorithm

Which algorithm to use for DNSSEC.

Type: string

Default

"RSASHA256"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.zones.<name>.dnssecPolicy.coverage

The length of time to ensure that keys will be correct; no action will be taken to create new keys to be activated after this time.

Type: string

Default

"1y"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.zones.<name>.dnssecPolicy.keyttl

TTL for DNSSEC records.

Type: string

Default

"1h"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.zones.<name>.dnssecPolicy.ksk

Key policy for key signing keys.

Type: submodule

Default

{
  keySize = 4096;
  postPublish = "1mo";
  prePublish = "1mo";
  rollPeriod = "0";
}

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.zones.<name>.dnssecPolicy.ksk.keySize

Key size in bits.

Type: signed integer

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.zones.<name>.dnssecPolicy.ksk.postPublish

How long after deactivation to keep a key in the zone.

Type: string

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.zones.<name>.dnssecPolicy.ksk.prePublish

How long in advance to publish new keys.

Type: string

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.zones.<name>.dnssecPolicy.ksk.rollPeriod

How frequently to change keys.

Type: string

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.zones.<name>.dnssecPolicy.zsk

Key policy for zone signing keys.

Type: submodule

Default

{
  keySize = 2048;
  postPublish = "1w";
  prePublish = "1w";
  rollPeriod = "1mo";
}

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.zones.<name>.dnssecPolicy.zsk.keySize

Key size in bits.

Type: signed integer

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.zones.<name>.dnssecPolicy.zsk.postPublish

How long after deactivation to keep a key in the zone.

Type: string

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.zones.<name>.dnssecPolicy.zsk.prePublish

How long in advance to publish new keys.

Type: string

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.zones.<name>.dnssecPolicy.zsk.rollPeriod

How frequently to change keys.

Type: string

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.zones.<name>.maxRefreshSecs

Limit refresh time for secondary zones. This is the timer which checks to see if the zone has to be refetched when it expires. Normally the value from the SOA record is used, but this option restricts that value.

Type: null or signed integer

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.zones.<name>.maxRetrySecs

Limit retry time for secondary zones. This is the timeout after a failed fetch attempt for the zone. Normally the value from the SOA record is used, but this option restricts that value.

Type: null or signed integer

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.zones.<name>.minRefreshSecs

Limit refresh time for secondary zones.

Type: null or signed integer

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.zones.<name>.minRetrySecs

Limit retry time for secondary zones.

Type: null or signed integer

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.zones.<name>.multiMasterCheck

If enabled, checks all masters for the last zone version. It uses the higher version from all configured masters. Useful if you have multiple masters that have different version numbers served.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.zones.<name>.notify

This primary server will notify all given secondary servers about zone changes.

Format: <ip> <key-name | NOKEY>

<ip> is a plain IPv4/IPv6 address with an optional port number (ip@port).

<key-name | NOKEY>

- <key-name>: sign notifies with the specified key
- NOKEY: don't sign notifies

Type: list of string

Default

[ ]

Example

[ "10.0.0.1@3721 my_key" "::5 NOKEY" ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.zones.<name>.notifyRetry

Specifies the number of retries for failed notifies. Set this along with notify.

Type: signed integer

Default

5

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.zones.<name>.outgoingInterface

This address will be used for zone-transfer requests if configured as a secondary server or notifications in case of a primary server. Supply either a plain IPv4 or IPv6 address with an optional port number (ip@port).

Type: null or string

Default

null

Example

"2000::1@1234"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.zones.<name>.provideXFR

Allow these IPs, with the given TSIG key, to transfer zones. Format: <addr> <TSIG key name | NOKEY | BLOCKED>, where <addr> may be an address range such as 192.0.2.0/24, 1.2.3.4&255.255.0.0 or 3.0.2.20-3.0.2.40.

Type: list of string

Default

[ ]

Example

[ "192.0.2.0/24 NOKEY" "192.0.2.0/24 my_tsig_key_name" ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix
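The allowNotify and provideXFR entries above share one address and authentication format. The following is an added example, not code from nixpkgs or NSD, that parses entries in that format into a matcher and lists the ones accepting unsigned (NOKEY) requests from more than a single host; the helper names (AclEntry, parse_acl_entry, unauthenticated_multi_host) are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example, not nixpkgs or NSD code: parser for allowNotify/provideXFR entries.

@dataclass(frozen=True)
class AclEntry:
    version: int              # 4 or 6
    low: int                  # first address as an integer (base address for the a&m form)
    high: int                 # last address as an integer (== low for one host or a&m)
    mask: Optional[int]       # bitmask for the a&m form, None otherwise
    port: Optional[int]       # None means any source port
    action: str               # "NOKEY", "BLOCKED" or "KEY"
    key_name: Optional[str]   # TSIG key name when action == "KEY"

    def matches(self, addr: str, port: Optional[int] = None) -> bool:
        # True when the source address (and port, if this entry pins one) is covered.
        a = ipaddress.ip_address(addr)
        if a.version != self.version or (self.port is not None and port != self.port):
            return False
        if self.mask is not None:
            return (int(a) & self.mask) == (self.low & self.mask)
        return self.low <= int(a) <= self.high

def _addr(text, version=None):
    a = ipaddress.ip_address(text)
    if version is not None and a.version != version:
        raise ValueError(f"IPv4 and IPv6 mixed in {text!r}")
    return a

def parse_acl_entry(entry: str) -> AclEntry:
    # One "<ip> <key-name | NOKEY | BLOCKED>" entry; ValueError on anything else.
    fields = entry.split()
    if len(fields) != 2:
        raise ValueError(f"expected '<ip> <key-name|NOKEY|BLOCKED>', got {entry!r}")
    spec, auth = fields
    port = mask = None
    if "@" in spec:                      # optional port suffix, e.g. 2001:1234::1@1234
        spec, port_text = spec.rsplit("@", 1)
        port = int(port_text)
    if "/" in spec:                      # subnet size: 10.0.0.0/24
        net = ipaddress.ip_network(spec, strict=False)
        version, low, high = net.version, int(net[0]), int(net[-1])
    elif "&" in spec:                    # subnet mask: 10.0.0.0&255.255.255.0
        a_text, mask_text = spec.split("&", 1)
        a = _addr(a_text)
        version, low, high, mask = a.version, int(a), int(a), int(_addr(mask_text, a.version))
    elif "-" in spec:                    # explicit range: 10.0.0.1-10.0.0.254
        lo_text, hi_text = spec.split("-", 1)
        lo = _addr(lo_text)
        hi = _addr(hi_text, lo.version)
        if int(lo) > int(hi):
            raise ValueError(f"reversed range in {entry!r}")
        version, low, high = lo.version, int(lo), int(hi)
    else:                                # single host
        a = _addr(spec)
        version, low, high = a.version, int(a), int(a)
    if auth in ("NOKEY", "BLOCKED"):
        return AclEntry(version, low, high, mask, port, auth, None)
    return AclEntry(version, low, high, mask, port, "KEY", auth)

def unauthenticated_multi_host(entries: List[str]) -> List[str]:
    # Entries that accept NOKEY from more than one host: the ones to double-check.
    parsed = [(t, parse_acl_entry(t)) for t in entries]
    return [t for t, e in parsed if e.action == "NOKEY" and (e.mask is not None or e.high > e.low)]
```

Run it over the provideXFR list of each zone before deploying: a NOKEY entry covering a whole netblock means any host in that block can pull the full zone without a TSIG signature.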

services.nsd.zones.<name>.requestXFR

Format: [AXFR|UDP] <ip-address> <key-name | NOKEY>

Type: list of string

Default

[ ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.zones.<name>.rrlWhitelist

Whitelists the given rrl-types.

Type: list of (one of "nxdomain", "error", "referral", "any", "rrsig", "wildcard", "nodata", "dnskey", "positive", "all")

Default

[ ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix

services.nsd.zones.<name>.zoneStats

When set to something other than null, NSD collects statistics per zone. All statistics of this zone (or zones) will be added to the group specified by the given name. Use "%s" to use the zone's name as the group. The groups are output by nsd-control stats and stats_noreset.

Type: null or string

Default

null

Example

"%s"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/nsd.nix