nameserver — format of nameserver component configuration


General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes types, sections and items specific for the nameserver component configuration.

Repeatable sections/items are marked by the '*' before section/item name.


Configuration directives have attributes of several value-types. For the basic types description, see configuration(7).

Enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in this case, enumeration description contains values for every name (in parenthesis next to name). For other enumerations, using of names is obligatory.

The following enumerations are used in nameserver configuration directives:

yes-no (see common(5))

genesis (see common(5))

ip-version (see common(5))

osi4-proto (see common(5))

listen-on-sock (see listen-on(5))

forward (name-usage obligatory)


Only query the forwarders.


First query the forwarders. If that doesn't answer the question, resolve recursively from root name servers.


Do not use forwarders. Resolve from root servers only.


Configuration of nameserver library component consists of following prototypes:

* nameserver name { ... }


nameserver name {

  phase ... ;
* tag ... ;
  use-ipv4-only ... ;
  listen-on { ... }
  forward ... ;
* forwarder ... ;
* from ... ;
  dnssec { ... }
  send-cookie ... ;
* option ... ;
* raw ... ;
* zone name { ... }


Domain Name System Server Configuration.

This section allows to define a configuration for a simple nameserver serving local clients as a caching forwarder (typically forwarding to the DNS-PROXY) and an authoritative nameserver for local zones.

For configuration attributes details, see named.conf(5).


Addresses to listen on must be specified.

FORWARDER must be specified for forward mode ONLY or FIRST.

FORWARDER must not be specified for forward mode DISABLE.

Items & subsections:

phase [number];

Application Startup Phase.

number (type: uint8, optional, default: 30)

Phase number; the lower one, the earlier start.

tag value;

Configuration factorization tag.

This feature allows admin to create groups of Kernun applications (specially proxies and servers) according to various aspects (belonging to one customer, applications of particular network traffic etc.).

Each application can have several tag attributes and the KAT tool can run some commands (like 'ps', 'start' atc.) for applications with or without given tag.

value (type: str)


Tag must contain letters, digits, hyphens and dots, only.


IPv4 only mode of nameserver.

This item affects usage of the -4 option of the named daemon.

If used, the daemon is started with the -4 option.

If omitted, the daemon is started without this option if at least one IPv6 interface is configured in the system.

listen-on {

* socket ... ;


The listen-on section is derived from listen-on section prototype. For detail description of it, see listen-on(5).

Changes to the listen-on section:

Item non-transparent used as socket.

Item transparent is not valid.

At least one address to listen on must be specified.

Item socket (see listen-on(5))

Element port is optional, default: 53.

Element proto is optional, default: tcp-udp.

forward [mode];

mode (type: forward, optional, default: only)

Whether use the forwarders, resolve from root servers, or both.

forwarder [static] addr;

forwarder dynamic;

Next-hop nameserver address.

Usually the forwarder will be a local dns-proxy.

DYNAMIC mode means getting the address via the DHCP.

<branching element> (type: genesis, optional, default: static)

addr (type: sock)

from clients;

Valid clients definition (ALLOW-QUERY).

clients (type: net-set)


Regexps and discontiguous masks not allowed in nameserver lists.

dnssec {

  managed-keys { ... }
  validate ... ;


DNSSEC configuration.

DNSSEC support is always switched on.

Items & subsections:

managed-keys {

  directory ... ;
* initial-key ... ;


DNSSEC validation keys configuration.

Items & subsections:

directory [path];

Managed keys directory.

path (type: str, optional, default: "/var/lib/named/dyn/")

initial-key domain flags protocol algorithm key;

Initial validation key.

domain (type: str)

Domain name.

flags (type: uint32)

protocol (type: uint32)

algorithm (type: uint32)

key (type: str)

[End of section nameserver.dnssec.managed-keys description.]

validate [val];

Whether to validate DNSSEC.

val (type: yes-no, optional, default: no)

[End of section nameserver.dnssec description.]


DNS cookie sending configuration.

option line;

Raw lines into options definition.

line (type: str)

raw line;

Raw lines into global definition.

line (type: str)

zone name {

  name ... ;
  reverse ... ;
* master-server ... ;
* raw ... ;
  generate { ... }


Nameserver zone definition.

Zone name is defined either by the NAME item (for a regular one) or by the REVERSE item (for a reverse one).

Zone type (master/slave) is defined by using of MASTER-SERVER item(s). If not used, this zone is MASTER, otherwise SLAVE.


Exactly one of NAME and REVERSE must be specified.

MASTER-SERVER and GENERATE are mutually exclusive.

Items & subsections:

name zone;

Zone domain name.

zone (type: str)

reverse zone;

Reverse zone specification.

zone (type: net)

master-server addr;

Define master server for domain.

addr (type: sock)

raw line;

Raw lines into zone definition.

line (type: str)

generate {

* raw ... ;


Zone data generation parameters.

If used, KGB will generate zone database file from HOST-TABLE. Otherwise, zone file is expected to be created outside the CML and will be used without modifications.

Items & subsections:

raw line;

Raw lines into zone database file.

line (type: str)

[End of section description.]

[End of section description.]

[End of section nameserver description.]


configuration(7), common(5), listen-on(5), named.conf(5)