DELPHINUSDNS.CONF(5) File Formats Manual DELPHINUSDNS.CONF(5)

delphinusdns.conf — the delphinus DNS daemon configuration file

delphinusdnsd(8) has a default configfile called delphinusdns.conf, which is found in /var/delphinusdnsd/etc. You may wonder why there is a missing d, so I ask you to look up syslogd(8) and syslog.conf(5), which also drop the d in the config file name. This follows that naming convention.

Delphinusdnsd zonefiles can be packed into the configfile, but this is discouraged. Instead, use zinclude statements to include each logical zone separately. This also makes sense from a DNSSEC signing perspective, which requires separate zonefiles. The format of zonefiles deviates from the RFC 1034 format (BIND format); I have adopted a CSV (comma separated values) scheme. This scheme requires that all domainnames be written out in full, as absolute names relative to the DNS root. A trailing dot is not required and can be left out on domainnames. It is also necessary to write out a TTL on every RR. Here is an example of the beginning of a zonefile:

zone "delphinusdns.org" {
        delphinusdns.org,soa,86400,pod.delphinusdns.org.,dns-admin.delphinusdns.org.,2021040404,3600,1200,1209600,86400
        delphinusdns.org,ns,86400,pod.delphinusdns.org.
        delphinusdns.org,ns,86400,job.delphinusdns.org.
        delphinusdns.org,ns,86400,sky.delphinusdns.org.
        delphinusdns.org,mx,86400,10,mail.delphinusdns.org
	[...]
}
Do note that it is a requirement that an SOA record and NS records exist at the apex (beginning) of a zone; otherwise delphinusdnsd behaviour is undefined. You would use the dddctl tool to DNSSEC sign a zonefile.

Here is a sample delphinusdns.conf file:

version "1";
options {
	interface "lo0";
	interface "em0";

	;bind 127.0.0.1;
	;bind 192.168.34.4;

	ratelimit-pps 6;

	port 53;

	;fork 2;
	log;
	;dnssec;
	;tcp-on-any-only;
	axfrport 10053;
}

axfr-for {
	127.0.0.1;
	::1;
	192.168.0.0/16;
}

mzone "centroid.eu" {
	zonename "centroid.eu";
	notifydest 192.168.34.1 NOKEY;
	notifydest ::1 port 8053 NOKEY;
}

zone "centroid.eu" {
	centroid.eu,soa,3600,ns1.centroid.eu.,hostcontact.centroid.eu.,2019111901,3600,1800,7200,3600
	centroid.eu,ns,3600,somenameserver.delphinusdns.org.
	centroid.eu,ns,3600,anothernameserver.delphinusdns.org.
	; all lines in zone start with domainname, RR Type, RR TTL, RDATA
	centroid.eu,a,3600,127.0.0.1
	centroid.eu,a,3600,10.0.0.10
}
Here is a sample delphinusdns.conf file suited for DNSSEC:
version "1";
options {
        ratelimit-pps 12;
        bind 127.0.0.1;
        bind ::1;
        bind 10.110.99.87;
        port 32253;
        log;
        dnssec;
        versionstring "delphinusdnsd 1.5.0";
	axfrport 10053;
}
axfr-for {
        ::1/128;
        127.0.0.1/32;
        10.110.99.88/32;
}


mzone "centroid.eu" {
	zonename "centroid.eu";
	notifydest 10.110.99.88 NOKEY;
	notifydest ::1 port 8053 NOKEY;
}


zinclude "/var/delphinusdnsd/primary/centroid.eu.signed";

The included files are the output of dddctl(8).

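A forwarding-only config may look like this. The base64 tsig-auth key shown is a published example value; generate your own key rather than copying it: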

version "1";

options {
        interface "em0";
        interface "lo0";
        port 8053;
        versionstring "";
        dnssec;
}

tsig-auth secret "9qD4Qi4ghqFR1xm0fIwGF9t0aLx+SZWVEPAqEvysZFg=";
tsig {
        0.0.0.0/0;
}

forward {
        incoming-tsig yes;
        destination 127.0.0.1 port 5353 key NOKEY;
	forwardstrategy spray;
}

Finally, below is a sample replicant delphinusdns.conf, taken from a delphinusdnsd with only one zone:

version "1";

options {
        ratelimit-pps 12;
        interface "lo0";
        interface "vio0";
        port 53;
        log;
        dnssec;
        versionstring "delphinusdnsd-20191103";
}

include "/var/delphinusdnsd/etc/delphinusdns.tsig";

rzone "ip6.centroid.eu." {
	constraints 600, 600, 600;
	bytelimit 65536;
	; do make sure you have a tsig {} for this
        tsigkey "pass";
        primaryport 10053;
        primary 2a01:4f8:162:e700:881c:fe60:3582:f49c;
        zonename "ip6.centroid.eu.";
        filename "/var/delphinusdnsd/replicant/ip6.centroid.eu.repl";
}

Notice the /var/delphinusdnsd/replicant/ directory; this is a hardcoded path.

Syntax for delphinusdns.conf in BNF:

line = ( 	version | include | zinclude | zone | region |
		axfr | mzone | passlist | filter | comment | options |
		forward | rzone | tsig | tsig-auth | tsigpassname )

version = "version" ("number") ;

include = "include" ("filename") ;

zinclude = "zinclude" ("filename") ;

hostname = string
zone = "zone" ("hostname") [ "{" zonedata "}" ]
zonedata = { [hostname] [ "," dnstype] [ "," ttl ] ["," variablednsdata] }
dnstype = ( 	"a" | "aaaa" | "caa" | "cname" | "dnskey" | "ds" |
		"eui48" | "eui64" | "hinfo" | "hint" | "https" | "kx" |
		"mx" | "naptr" | "ns" | "nsec3" | "nsec3param" |
		"ptr" | "rp" | "rrsig" | "soa" | "srv" | "sshfp" |
		"svcb" | "tlsa" | "txt" )

ttl = number

region = "region" ("string") [ "{" cidrlist "}" ]


cidrlist = { [ cidr-address ] ; ... }

axfr = "axfr-for" [ "{" cidrlist "}" ]

mzonelist = ( optzonename | optnotifydest | optnotifybind )
optzonename = "zonename" ("string") ;
optnotifydest = "notifydest" cidr-address ["port number"] "tsigkey" ;
optnotifybind = "notifybind" cidr-address ;

mzone = "mzone" ("string") [ "{" mzonelist "}" ]

passlist = "passlist" [ "{" cidrlist "}" ]

filter = "filter" [ "{" cidrlist "}" ]

base64-string = (string)
tsig-auth = "tsig-auth" (string) ("base64-string") ;
tsig = "tsig" ("string") [ "{" cidrlist "}" ]
tsigpassname = "tsigpassname" ("string") [ "{" ("hostname") "}" ]

rzone = "rzone" ("string") [ "{" rzonelist "}" ]
rzonelist = ( opttsig | optprimary | optprimaryport | optrzonename |
		optfilename | optconstraints | optbytelimit )

opttsig = "tsigkey" ("string") ;
optprimary = "primary" ("cidr-address") ;
optprimaryport = "primaryport"  (number) ;
optrzonename = "zonename" ("string") ;
optfilename = "filename" ("string") ;
optconstraints = "constraints" (number), (number), (number) ;
optbytelimit = "bytelimit" (number) ;


forward = "forward"  [ "{" forwardlist "}" ]
forwardlist = ( optdestination | optstrictx20 | optcache | optincomingtsig |
			optfudge | optrdomain | optstrategy )

optdestination = "destination" ("cidr-address") "port" ("integer") "key"
			(string | "NOKEY") ;
optstrictx20 = "strictx20" ("yes" | "no") ;
optcache =  "cache" ("yes" | "no") ;
optincomingtsig = "incoming-tsig" ("yes" | "no") ;
optfudge = "fudge" (number) ;
optrdomain = "rdomain" (number) ;
optstrategy = "forwardstrategy" ("single" | "spray") ;

comment = ( ; | pound ) line

options = "options" [ "{" optionlist "}" ]
optionlist = (  optinterface | optfork | optport | optratelimit |
		optratelimit-cidr | optratelimit-cidr6 |
		optbind | optdnssec | opttcponanyonly |
		optmaxudppayload | optnocookies | optcookiesecret |
		optrdomain | optaxfrport | optstrictaxfr )
optinterface = "interface" ("string") ;
optfork = "fork" (number) ;
optratelimit = "ratelimit-pps" (number) ;
optratelimit-cidr = "ratelimit-cidr" (number) ;
optratelimit-cidr6 = "ratelimit-cidr6" (number) ;
optbind = "bind" cidr-address ;
optdnssec = "dnssec" ;
opttcponanyonly = "tcp-on-any-only" ;
optmaxudppayload = "max-udp-payload" (number) ;
optnocookies = "nocookies" ;
optcookiesecret = "cookie-secret" ("base64-string") ;
optrdomain = "rdomain" (number) ;
optaxfrport = "axfrport" (number) ;
optstrictaxfr = "strictaxfr" ;

/var/delphinusdnsd/etc/delphinusdns.conf

delphinusdns.zone(5), dddctl(8), delphinusdnsd(8)

This software was written by Peter J. Philipp ⟨pbug44@delphinusdns.org⟩ and this manual was written with the help of Francisco Gaitan.

November 3, 2022 OpenBSD 7.2