<!-- Do *not* edit this file; it was automatically generated by ej2html
Look for a name.ej file with the same name as this filename -->
<!-- Last updated Sat Nov 30 13:52:52 2002 -->
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=utf-8">
</HEAD><BODY >
<h1>NAME</h1>
mararc - Format of the mararc zone file that MaraDNS uses
<h1>MARARC FILE FORMAT</h1>
Mararc files use a syntax that is a subset of Python 1.5.2 syntax. In
particular, Python 1.5.2 (and possibly other versions of Python) can read
a properly formatted mararc file without error.
<p>
Unlike Python, however, a mararc file can only use certain variable names,
and the variables can only be declared as described below.
<p>
<h1>COMMENTS</h1>
Comments (lines ignored by the MaraDNS parser) start with the '#'
character, like this:
<pre>
# This is a comment
</pre>
The MaraDNS parser also ignores lines which contain only white space.
<h1>MARARC VARIABLES</h1>
Follows is a listing of variables that can be declared in the mararc file.
<h1>DICTIONARY VARIABLE FORMAT</h1>
A <b>dictionary variable</b>
is an array that can have multiple elements. Unlike a traditional
array, these arrays are indexed by strings instead of numbers. These
are analogous to assoscitative arrays, or what Perl somewhat inaccurately
calls hashes.
<p>
The syntax of a dictionary variable is in the following form:
<pre>
name["index"] = "value"
</pre>
Where <b>name</b> is the name of the dictionary variable,
<b>index</b> is the index of the array, and
<b>value</b> is the value stored at that index.
<p>
Every time we have a dictionary-type variable (such as csv1),
we must first initialize it using a line in the following form:
<pre>
csv1 = {}
</pre>
Here, csv1 is the name of the "dictionary" variable that we are
initializing.
<h1>DICTIONARY VARIABLES</h1>
Here is a listing of all "dictionary"-style variables that MaraDNS
uses:
<h2>csv1</h2>
csv1: Used to indicate the filename to use for a given zone.
<pre>
csv1["zone"] = "filename"
</pre>
<b>csv1</b>:
A pipe-separated-file. See
<b>csv1(5)</b>
for a description of this file's format.
<p>
<b>zone</b>:
the zone that file in question is authoritative for
<p>
<b>filename</b>:
the file with the CSV1 zone data
<p>
Note that csv1 files are read after MaraDNS is chrooted, and,
hence the filename is relative to the chroot_dir.
<p>
See <b>csv1(5)</b> for a technical description of the file format that
a csv1 zone file uses.
<h2>ipv4_alias</h2>
ipv4_alias: Used to give nicknames or aliases for ip/netmask
pairs for ipv4 (standard 32-bit) IP addresses.
<pre>
ipv4_alias["name"] = "ip1/netmask,ip2/netmask,etc"
</pre>
<b>name</b>: The name of the alias in question
<p>
<b>ip</b>: The ip portion of an ip/netmask pair
<p>
<b>netmask</b>: the mask portion of an ip/netmask pair
<p>
<b>,</b>: Used to separate ip/netmask pairs. It is important to
not have spaces before or after the comma.
<p>
An ip is in dotted-decimal format, e.g. "10.1.2.3".
<p>
The netmask can be in one of two formats: A single number between
1 and 32, which indicates the number of leading "1" bits in the
netmask, or a 4-digit dotted-decimal netmask.
<p>
The netmask is used to specify a range of IPs.
<p>
<h2>ipv4_alias examples</h2>
<b>10.1.1.1/24</b> indicates that any ip from 10.1.1.0 to 10.1.1.255
will match.
<p>
<b>10.1.1.1/255.255.255.0</b> is identical to 10.1.1.1/24
<p>
<b>10.2.3.4/16</b> indicates that any ip from 10.2.0.0 to 10.2.255.255
will match.
<p>
<b>10.2.3.4/255.255.0.0</b> is identical to 10.2.3.4/16
<p>
<b>127.0.0.0/8</b> indicates that any ip with "127" as the first
octet (number) will match.
<p>
<b>127.0.0.0/255.0.0.0</b> is identical to 127.0.0.0/8
<p>
The netmask is optional, and, if not present, indicates that only
a single IP will "match". e.g:
<p>
<b>10.9.9.9/32</b>, <b>10.9.9.9/255.255.255.255</b>, and <b>10.9.9.9</b>
are all functionally identical, and indicate that only the ip 10.9.9.9
will match.
<p>
The significance of "match" depends on what we use the ipv4
alias for.
<p>
ipv4 aliases can nest. E.g:
<pre>
ipv4_alias["susan"] = "10.6.7.8/24"
ipv4_alias["office"] = "susan,10.9.9.9"
</pre>
Where "susan" in the "office" alias matches the value of the
ipv4_alias susan.
<p>
Multiple levels of nesting are allowed. Self-referring nests will
result in an error.
<p>
<h2>root_servers</h2>
root_servers: This is a special "dictionary" element that can
(currently) only have one element: ".", which points to either
an ip, or a pointer to an ipv4 alias which is a listing of root name
servers.
<pre>
root_servers["."] = "list_of_servers"
</pre>
Where "." is the only allowed array reference for the root servers
(this format is used to allow potential future expansion), and
list_of_servers is a list of root name servers in the exact same
format as ipv4_aliases.
<p>
Note that, while ips in the list of root name servers can have
netmasks, the netmask portion is ignored.
<p>
The root_servers should only point to root servers. If one wishes to use
MaraDNS as a forwarding name server, which forwards DNS requests on to
another server, use the upstream_servers variable instead.
<h2>upstream_servers</h2>
This is identical to the root_servers variable (can have only one
element, the element is a list of ipv4_addresses, etc.), but is used
when one wishes to use MaraDNS to query other recursive servers, instead
of querying the actual root name servers for an answer.
<p>
Note that one can not have both root_servers and upstream_servers set
in a given mararc file; MaraDNS will return with a fatal error if one
attempts to do this.
<h2>Final note on dictionary variables</h2>
csv1, ipv4_alias, and root_servers are currently the only existing
dictionary variables.
<h1>NORMAL VARIABLE FORMAT</h1>
Normal variables. These are variables that can only take
a single value.
<p>
The syntax of a normal variable is in the form
<pre>
name = "value"
</pre>
Where <b>name</b> is the name of the normal variable, and <b>value</b>
is the value of the variable in question.
<h1>NORMAL VARIABLES</h1>
Here is a listing of normal variables that MaraDNS
uses:
<h2>bind_address</h2>
bind_address: The IP address to give the MaraDNS server.
<p>
This accepts a single IP in dotted-decimal (e.g. "127.0.0.1")
notation, and specifies what IP address the MaraDNS server will
listen on. To bind MaraDNS to all IPs that a given server has,
give this the value "0.0.0.0".
<p>
<h2>chroot_dir</h2>
chroot_dir: The directory MaraDNS chroots to
<p>
This accepts a single value: The full path to the directory to
use as a chroot jail.
<p>
Note that csv1 zone files are read after the chroot operation.
Hence, the chroot jail needs to have any and all zone files that
MaraDNS will load.
<h2>debug_msg_level</h2>
This is a number indicating what level of information about a running
MaraDNS process should be made public. When set to 0, no information
will be made public.
<p>
When set to one (the default), or higher, a
Terre-con-erre-cigarro.maradns.org. query will return the version
number of MaraDNS.
<p>
When set to two or higher, a Tnumthreads. query will return the
number of threads that MaraDNS is currently running, and a Tcache-elements.
query will return the number of elements in MaraDNS' cache. If
MaraDNS is compiled with debugging information on, a
Tmemusage. query will return the amount of memory MaraDNS has
allocated.
<p>
When set to three or higher, a Ttimestamp. query will return, in
seconds since the UNIX epoch, the timestamp for the system MaraDNS
is running on.
<br>
<h2>default_rrany_set</h2>
defult_rrany_set: Number which determines which RRs to return if
a ANY query is sent to MaraDNS.
<p>
Some registers require that an ANY reuqest returns NS ans SOA
records also.
<p>
When default_rrany_set is set to 3 (the default value), ANY requests
return only A and MX records.
<p>
When default_rrany_set is set to 15, ANY requests return A, MX,
NS, and SOA records.
<h2>hide_disclaimer</h2>
If this is set to "YES", MaraDNS will not display the legal disclaimer when
starting up.
<h2>maradns_uid</h2>
maradns_uid: The numeric UID that MaraDNS will run as
<p>
This accepts a single numerical value: The UID to run MaraDNS as.
<p>
MaraDNS, as soon as possible drops root privledges, minimizing the
damage a potential attacker can cause should there be a security
problem with MaraDNS. This is the UID maradns becomes.
<h2>maradns_gid</h2>
maradns_gid: An optional numeric GID that MaraDNS will run as.
<p>
This accepts a single numerical value: The GID to run MaraDNS as.
<p>
This optional parameter allows MaraDNS to also drop any and all
special group privledges that she has.
<h2>maximum_cache_elements</h2>
maximum_cache_elements: The maximum number of elements we can have
in the cache of recursive queries.
<p>
This cache of recursive queries is used to store entries we have
previously obtained from recursive queries.
<p>
If we approach this limit, the "custodian" kicks in to effect.
The custodian removes elements at random from the cache\(em8 elements
removed per query\(emuntil we are at the 99% or so level again.
<h2>maxprocs</h2>
maxprocs: The maximum number of threads or processes that MaraDNS
is allowed to run at the same time.
<p>
This variable is used to minimize the impact on the server when
MaraDNS is heavily loaded. When this number is reached, it is
impossible for MaraDNS to spawn new threads/processes until the
number of threads/processes is reduced.
<p>
The maximum value this can have is 125.
<h2>max_ar_chain</h2>
max_ar_chain: The maximum number of records to display if a record in
the additional section (e.g., the IP of a NS server
or the ip of a MX exchange) has more than one value.
<p>
This is similiar to max_chain, but applies to records in the
"additional" (or AR) section.
<p>
Due to limitations in the internal data structures that MaraDNS
uses to store RRs, if this has a value besides one, round robin
rotates of records are disabled.
<h2>max_chain</h2>
max_chain: The maximum number of records to display in a chain
of records.
<p>
With DNS, it is possible to have more than one RR for a given
domain label. For example, "example.com" can have, as the A record,
a list of multiple ip addresses.
<p>
This sets the maximum number of records MaraDNS will show for a
single RR.
<p>
MaraDNS normally round-robin rotates records. Hence, all records
for a given DNS label (e.g. "example.com.") will be visible,
although not at the same time if there are more records than the
value allowed with max_chain
<h2>max_glueless_level</h2>
Maximum glueless level allowed when performing recursive lookups. The
default value is 10.
<p>
This is the maximum number of times MaraDNS will "go back to the root
servers" in order to find out the IP of a name server for which we do
not have a glue IP for, or to find out the A value for a given CNAME
record.
<h2>max_queries_total</h2>
Maximum number of queries to perform when performing recursive lookups. The
default value is 32.
<p>
This is the maximum number of times MaraDNS will send a query to
nameservers in order to find out the andwer to a DNS question.
<h2>max_tcp_procs</h2>
max_tcp_procs: The (optional) maximum number of processes the zone
server is allowed to run.
<p>
Sometimes, it is desirable to have a different number of maximum
allowed tcp processes than maximum allowed threads. If this
variable is not set, the maximum number of allowed tcp processes is
"maxprocs".
<h2>max_total</h2>
max_total: The maximum number of records to show total for a given
DNS request.
<p>
This is the maximum total number of records that MaraDNS will make
available in a DNS reply.
<h2>min_ttl</h2>
min_ttl: The minimum amount of time a resource record will stay in
MaraDNS' cache, regardless of the TTL the remote server specifies.
<p>
Setting this value changes the minimum amount of time MaraDNS'
recursive server will keep a record in the cache. The value is
in seconds.
<p>
The default value of this is 300 (5 minutes); the mimimum value
for this is 180 (2 minutes).
<h2>min_ttl_cname</h2>
min_ttl_cname: The minimum amount of time a resource record
will stay in MaraDNS' cache, regardless of the TTL the remote server
specifies.
<p>
Setting this value changes the amount of time a CNAME record stays
in the cache. The value is in seconds.
<p>
The default value for this is the value min_ttl has; the minimum value
for this is 180 (2 minutes).
<h2>no_fingerprint</h2>
no_fingerprint: Flag that allows MaraDNS to be harder to detect.
<p>
Some people do not feel it is appropriate to have some information,
such as the version number of MaraDNS being run, be publically
available.
<p>
The normal value is 0.
<p>
By setting no_fingerprint to 1, it is possible to have MaraDNS not
reveal this information publically.
<h2>random_seed_file</h2>
randsom_seed_file: The file from which we read 16 bytes from to
get the 128-bit seed for the secure psudo random number generator.
<p>
This is ideally a file which is a good source of random numbers
(e.g. /dev/urandom), but can also be a fixed file if your OS does not
have a decent random number generator. In that case, make sure the
contents of that file is random and with 600 perms, owned by root.
We read the file *before* dropping root privledges.
<h2>recursive_acl</h2>
recursive_acl: List of ips allowed to perform recursive queries with
the recursive portion of the MaraDNS server
<p>
The format of this string is identical to the format of an ipv4_alias
entry.
<h2>spammers</h2>
spammers: A list of DNS servers which the recursive resolver will
not query.
<p>
This is mainly used to not allow spam-friendly domains to
resolve, since spammers are starting to get in the habit of using
spam-friendly DNS servers to resolve their domains, allowing them
to hop from ISP to ISP.
<p>
The format of this string is identical to the format of an ipv4_alias
entry.
<h2>timeout_seconds</h2>
This only applies when performing recursive lookups.
<p>
The amount of time, in seconds, to wait for a reply from a remote DNS
server before giving up and trying the next server on this list. The
default value is 2 seconds.
<p>
Note that, the larger this value is, the slower MaraDNS will process
recursive queries when a DNS server is not responding to DNS queries.
<h2>timestamp_type</h2>
timestamp_type: The type of timestamp to display.
This can have the following values:
<dl>
<dt>0
<dd>The string "Timestamp" followed by a UNIX timestamp
<dt>1
<dd>Just the bare UNIX timestamp
</dl>
<h2>verbose_level</h2>
verbose_level: The number of messages we log to stdout
<P>
This can have five values:
<dl>
<dt>0
<dd>No messages except for the legal disclaimer and fatal parsing errors
<dt>1
<dd>Only startup messages logged (Default level)
<dt>2
<dd>Error queries logged
<dt>3
<dd>All queries logged
<dt>4
<dd>All actions adding and removing records from the cache logged
</dl>
<h2>zone_transfer_acl</h2>
zone_transfer_acl: List of ips allowed to perform zone transfers
with the zone server
<p>
The format of this string is identical to the format of an ipv4_alias
entry.
<h1>EXAMPLE MARARC FILE</h1>
<pre>
# Example simplified mararc file.
# This only shows a subset of MaraDNS' features needed to be an
# authoritative and recursive name server. Look at
# detailed/example_full_mararc for an example showing most of
# the features that MaraDNS has.
# Note that this example mararc file will not actually do anything
# without modification.
# Look in the doc/en/examples directory for a working example
# authoritative nameserver, and a working recursive nameserver.
# The various zones we support
# When running in authoritative mode, we must initialize the csv1 hash,
# or MaraDNS will be unable to load any zone files
csv1 = {}
# This is just to show the format of the file
# Note the this is commented out. Any line that starts with
# a '#' is not read by the parser. Remove the leading '# ' to
# enable any line that is commented out
# csv1["example.com."] = "db.example.com"
# Naturally, we can have multiple zone files
# csv1["example.org."] = "db.example.org"
# The address this DNS server runs on. If you want to bind
# to all addresses a given machine has, use "0.0.0.0".
# Note that binding to all address can cause problems; please read
# the FAQ.
bind_address = "127.0.0.3"
# The directory with all of the zone files
chroot_dir = "/etc/maradns"
# The numeric UID MaraDNS will run as
maradns_uid = 99
# The maximum number of threads (or processes, with the zone server)
# MaraDNS is allowed to run
maxprocs = 96
# Most of the time, this can stay 3. However, when registering
# a domain under .de, .au, and possibly other top-level-domains,
# this needs to have a value of 15.
default_rrany_set = 3
# The number of messages we log to stdout
# 0: No messages except for fatal parsing errors and the legal
# disclaimer
# 1: Only startup messages logged (default)
# 2: Error queries logged
# 3: All queries logged (but not very verbosely right now)
verbose_level = 1
# Initialize the IP aliases, which are used by the list of root
# name servers, the ACL for zone transfers, and the ACL of who gets
# to perform recursive queries
ipv4_alias = {}
# Other root servers are in the full example mararc file
# Here is a ACL which restricts who is allowed to perform zone
# transfer from the zoneserver program
# VERY IMPORTANT: Do not put spaces in the zone_transfer_acl list
# Good: zone_transfer_acl = "10.2.3.4,10.2.3.6"
# Bad: zone_transfer_acl = "10.2.3.4, 10.2.3.6"
# Simplest form: 10.1.1.1/24 (IP: 10.1.1.1, 24 left bits in IP need
# to match) and 10.100.100.100/255.255.255.224 (IP: 10.100.100.100,
# netmask 255.255.255.224) are allowed to connect to the zone server
# NOTE: The "maradns" program does not serve zones. Zones are served
# by the "zoneserver" program.
# zone_transfer_acl = "10.1.1.1/24,10.100.100.100/255.255.255.224"
# If you want to enable recursion on the loopback interface, uncomment
# the relevent lines in the following section
# Recursive ACL: Who is allowd to perform recursive queries. The
# format is identical to that of "zone_transfer_acl", including
# ipv4_alias support
# ipv4_alias["localhost"] = "127.0.0.0/8"
# recursive_acl = "localhost"
# Random seed file: The file form which we read 16 bytes from to
# get the 128-bit random seed. This is ideally a file which is
# a good source of random numbers, but can also be a fixed file
# if your OS does not have a decent random number generator (make
# sure the contents of that file is # random and with 600 perms,
# owned by root, since we read the file *before* dropping root
# privledges)
# random_seed_file = "/dev/urandom"
# The maximum number of elements we can have in the cache. If we
# have more elements in the cache than this amount, the
# "custodian" kicks in to effect, removing elements not recently
# accessed from the cache (8 elements removed per query) until we
# are at the 99% level or so again.
# maximum_cache_elements = 1024
# The root servers which we use when making recursive queries.
# Various sets of root name servers
# Note: Netmasks can exist, but are ignored when specifying root
# name servers
# ICANN: the most common and most controversial root name server
# http://www.icann.org
ipv4_alias["icann"] = "198.41.0.4,128.9.0.107,192.33.4.12,128.8.10.90,192.203.230.10,192.5.5.241,192.112.36.4,128.63.2.53,192.36.148.17,192.58.128.30,193.0.14.129,198.32.64.12,202.12.27.33"
# OSRC: http://www.open-rsc.org/
ipv4_alias["osrc"] = "199.166.24.1,205.189.73.102,199.166.24.3,207.126.103.16,195.117.6.10,205.189.73.10,204.57.55.100,213.196.2.97"
# The following line must be uncommented to enable recursive
# queries when contacting the root name servers
# root_servers = {}
# You can choose which set of root servers to use. Current values
# (set above) are: icann, and osrc
# Other alternate registries are listed in the example_full_mararc file
# root_servers["."] = "osrc"
# The following line is uncommented to enable recursive queries
# when contacting upstream name servers (see below)
# upstream_servers = {}
# If one wishes to, instead of pointing to a list of actual root servers,
# have MaraDNS, in recursive mode, contact other recursive name servers
# which in turn perform recursion to process a given query, use
# the upstream_servers variable instead. Both upstream_servers and
# root servers can not be set.
# upstream_servers["."] = "usually_your_isps_dns_servers"
# We can also blacklist known spam-friendly DNS servers, so that
# MaraDNS refuses to query known spam-friendly DNS servers
# As of August 12, 2001, azmalink.net is a known spam-friendly DNS
# provider (see doc/en/misc/spammers/azmalink.net for details).
# Note that this is based on IPs, and azmalink.net constantly
# changes IPs (as they constantly have to change ISPs)
# Updated 2002/10/12 to reflect Azmalink's current ISP
ipv4_alias["azmalink"] = "12.164.194.0/24"
# As of September 20, 2001, hiddenonline.net is a known spam-friendly
# DNS provider (see doc/en/misc/spammers/hiddenonline for details).
ipv4_alias["hiddenonline"] = "65.107.225.0/24"
spammers = "azmalink,hiddenonline"
# And that does it for the caching at this point
</pre>
<h1>BUGS</h1>
If one should declare the same the same index twice with
a dictionary variable, MaraDNS will exit with a fatal error. This is
because earlier versions of MaraDNS acted in a different manner than
Python 1.5.2. With Python 1.5.2, the last declaration is used, while
MaraDNS used to use the first declaration.
<h1>LEGAL DISCLAIMER</h1>
THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
</BODY></HTML>
