GitHub - dnsjava/dnsjava: dnsjava - an implementation of the DNS protocol in Java

| Property | Explanation | Type | Default | Example |
|---|---|---|---|---|
| `dns[.fallback].server` | DNS server(s) to use for resolving. Comma-separated list. Can be IPv4/IPv6 addresses or hostnames (which are resolved using Java's built-in DNS support). | String | - | `8.8.8.8,[2001:4860:4860::8888]:853,dns.google` |
| `dns[.fallback].search` | Comma-separated list of DNS search paths. | String | - | `ds.example.com,example.com` |
| `dns[.fallback].ndots` | Sets a threshold for the number of dots which must appear in a name given to resolve before an initial absolute query will be made. | Integer | 1 | 2 |
| `dnsjava.options` | Comma-separated key-value pairs, see dnsjava.options pairs. | option list | - | `BINDTTL,tsigfudge=1` |
| `dnsjava.configprovider.skipinit` | Set to true to disable static ResolverConfig initialization. | Boolean | false | true |
| `dnsjava.configprovider.sunjvm.enabled` | Set to true to enable the reflection-based DNS server lookup, see Limitations. | Boolean | false | true |
| `dnsjava.udp.ephemeral.start` | First ephemeral port for UDP-based DNS queries. | Integer | 49152 (Linux: 32768) | 50000 |
| `dnsjava.udp.ephemeral.end` | Last ephemeral port for UDP-based DNS queries. | Integer | 65535 (Linux: 60999) | 60000 |
| `dnsjava.udp.ephemeral.use_ephemeral_port` | Use an OS-assigned ephemeral port for UDP queries. Enabling this option is insecure! Do NOT use it. | Boolean | false | true |
| `dnsjava.lookup.max_iterations` | Maximum number of CNAMEs to follow in a chain. | Integer | 16 | 20 |
| `dnsjava.lookup.use_hosts_file` | Use the system's hosts file for lookups before resorting to a resolver. | Boolean | true | false |
| `dnsjava.hostsfile.max_size_bytes` | Set the size of the hosts file to be loaded at a time, in bytes. | Integer | 16384 | 1000000 |
| `dnsjava.nio.selector_timeout` | Set the selector timeout in milliseconds. Default/Max 1000, Min 1. | Integer | 1000 | 700 |
| `dnsjava.nio.register_shutdown_hook` | Register a shutdown hook for automatic termination of NIO. If disabled, the NIO selector thread will not automatically clean up on JVM termination. | Boolean | true | false |
| `dnsjava.harden_unknown_additional` | Harden against unknown records in the authority and additional sections. If disabled, such records are copied from the upstream response and presented to the client together with the answer. | Boolean | true | false |
| **DNSSEC Options** | | | | |
| `dnsjava.dnssec.keycache.max_ttl` | Maximum time-to-live (TTL) of entries in the key cache, in seconds. | Integer | 900 | 1800 |
| `dnsjava.dnssec.keycache.max_size` | Maximum number of entries in the key cache. | Integer | 1000 | 5000 |
| `dnsjava.dnssec.nsec3.iterations.N` | Maximum iteration count for the NSEC3 hashing function, depending on the key size N. The defaults are from RFC 5155. | Integer | 1024-bit keys: 150 iterations; 2048-bit keys: 500 iterations; 4096-bit keys: 2500 iterations | `dnsjava.dnssec.nsec3.iterations.1024=200` |
| `dnsjava.dnssec.trust_anchor_file` | The file from which the trust anchor should be loaded. The file must be formatted like a DNS zone master file. It can only contain DS or DNSKEY records. | String | - | `/etc/dnssec-root-anchors` |
| `dnsjava.dnssec.digest_preference` | Defines the preferred DS record digest algorithm if a zone has registered multiple DS records. The list is comma-separated, highest preference first. If this property is not specified, the DS record with the highest digest ID is chosen. To stay compliant with the RFCs, the mandatory digest IDs must be listed in this property. The GOST digest requires BouncyCastle on the classpath. | String | - | `2,1,4` |
| `dnsjava.dnssec.harden_algo_downgrade` | Prevent algorithm downgrade when multiple algorithms are advertised in a zone's DS records. If false, any algorithm is allowed to validate the zone. | Boolean | true | false |
| `dnsjava.dnssec.max_validate_rrsigs` | Maximum number of RRSIG records to validate before the response is considered bogus. This is limited to avoid the 'KeyTrap' vulnerability (CVE-2023-50387). | Integer | 8 | 4 |
| `dnsjava.dnssec.max_ds_match_failures` | Maximum number of DS records to validate before the response is considered bogus. This is limited to avoid the 'KeyTrap' vulnerability (CVE-2023-50387). | Integer | 4 | 2 |
| `dnsjava.dnssec.algorithm.ID` | Enable or disable a DS/DNSKEY algorithm. See RFC 8624 for recommended values. Note that algorithm number 1, RSAMD5, is disabled and cannot be enabled with this property. | Boolean | | Disable ED448: `dnsjava.dnssec.algorithm.16=false` |
| `dnsjava.dnssec.algorithm_rsa_min_key_size` | Set the minimum size, in bits, for RSA keys. | Integer | 1024 | 512 |
| `dnsjava.dnssec.digest.ID` | Enable or disable a DS record digest algorithm. See RFC 8624 for recommended values. | Boolean | | Disable SHA-1: `dnsjava.dnssec.digest.1=false` |
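Added example (not code from the dnsjava README): a validating lookup that applies the DNSSEC hardening properties from the table, tightening the KeyTrap work limits below their defaults. That `ValidatingResolver.init(Properties)` is the entry point consuming the `dnsjava.dnssec.*` keys is an assumption on my part; the trust anchor path and the queried name are placeholders, and the upstream address is the table's own `dns.server` example.

```java
import java.io.IOException;
import java.util.Properties;
import org.xbill.DNS.DClass;
import org.xbill.DNS.Flags;
import org.xbill.DNS.Message;
import org.xbill.DNS.Name;
import org.xbill.DNS.RRset;
import org.xbill.DNS.Rcode;
import org.xbill.DNS.Record;
import org.xbill.DNS.Section;
import org.xbill.DNS.SimpleResolver;
import org.xbill.DNS.TXTRecord;
import org.xbill.DNS.Type;
import org.xbill.DNS.dnssec.ValidatingResolver;

public class HardenedDnssecLookup {
  public static void main(String[] args) throws IOException {
    // Upstream recursive resolver (address taken from the dns.server example above).
    SimpleResolver upstream = new SimpleResolver("8.8.8.8");

    // DNSSEC settings from the table; page defaults are 8 / 4 / true / "-".
    Properties cfg = new Properties();
    cfg.setProperty("dnsjava.dnssec.max_validate_rrsigs", "4");      // KeyTrap work limit
    cfg.setProperty("dnsjava.dnssec.max_ds_match_failures", "2");    // KeyTrap work limit
    cfg.setProperty("dnsjava.dnssec.harden_algo_downgrade", "true"); // keep the default
    cfg.setProperty("dnsjava.dnssec.digest_preference", "2,1,4");    // SHA-256, SHA-1, SHA-384
    cfg.setProperty("dnsjava.dnssec.trust_anchor_file", "/path/to/root-anchors"); // placeholder

    ValidatingResolver validator = new ValidatingResolver(upstream);
    validator.init(cfg); // assumption: init(Properties) reads the dnsjava.dnssec.* keys

    Record question = Record.newRecord(Name.fromConstantString("example.com."), Type.A, DClass.IN);
    Message response = validator.send(Message.newQuery(question));

    // AD set means the chain validated; SERVFAIL means bogus (including a hit work limit).
    boolean authenticated = response.getHeader().getFlag(Flags.AD);
    System.out.println("AD flag: " + authenticated + ", rcode: " + Rcode.string(response.getRcode()));

    // dnsjava reports the validation reason as a TXT record in a private class in ADDITIONAL.
    for (RRset set : response.getSectionRRsets(Section.ADDITIONAL)) {
      if (set.getName().equals(Name.root)
          && set.getType() == Type.TXT
          && set.getDClass() == ValidatingResolver.VALIDATION_REASON_QCLASS) {
        System.out.println("Reason: " + ((TXTRecord) set.first()).getStrings().get(0));
      }
    }
  }
}
```

A response that trips `max_validate_rrsigs` or `max_ds_match_failures` comes back as SERVFAIL without the AD flag, so callers must treat a missing AD flag as unvalidated data, not as a transient error to retry.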