<?xml version="1.0"?>
<!-- DNS forwarder configuration -->
<interfaceDefinition>
  <node name="service">
    <children>
      <node name="dns">
        <properties>
          <help>Domain Name System related services</help>
        </properties>
        <children>
          <node name="forwarding" owner="${vyos_conf_scripts_dir}/dns_forwarding.py">
            <properties>
              <help>DNS forwarding</help>
              <priority>918</priority>
            </properties>
            <children>
              <leafNode name="cache-size">
                <properties>
                  <help>DNS forwarding cache size (default: 10000)</help>
                  <valueHelp>
                    <format>u32:0-2147483647</format>
                    <description>DNS forwarding cache size</description>
                  </valueHelp>
                  <constraint>
                    <validator name="numeric" argument="--range 0-2147483647"/>
                  </constraint>
                </properties>
                <defaultValue>10000</defaultValue>
              </leafNode>
              <leafNode name="dhcp">
                <properties>
                  <help>Interfaces whose DHCP client nameservers to forward requests to</help>
                  <completionHelp>
                    <script>${vyos_completion_dir}/list_interfaces.py</script>
                  </completionHelp>
                  <multi/>
                </properties>
              </leafNode>
              <leafNode name="dnssec">
                <properties>
                  <help>DNSSEC mode (default: process-no-validate)</help>
                  <completionHelp>
                    <list>off process-no-validate process log-fail validate</list>
                  </completionHelp>
                  <valueHelp>
                    <format>off</format>
                    <description>No DNSSEC processing whatsoever!</description>
                  </valueHelp>
                  <valueHelp>
                    <format>process-no-validate</format>
                    <description>Respond with DNSSEC records to clients that ask for it. No validation done at all!</description>
                  </valueHelp>
                  <valueHelp>
                    <format>process</format>
                    <description>Respond with DNSSEC records to clients that ask for it. Validation for clients that request it.</description>
                  </valueHelp>
                  <valueHelp>
                    <format>log-fail</format>
                    <description>Similar behaviour to process, but validate RRSIGs on responses and log bogus responses.</description>
                  </valueHelp>
                  <valueHelp>
                    <format>validate</format>
                    <description>Full blown DNSSEC validation. Send SERVFAIL to clients on bogus responses.</description>
                  </valueHelp>
                  <constraint>
                    <regex>^(off|process-no-validate|process|log-fail|validate)$</regex>
                  </constraint>
                </properties>
                <defaultValue>process-no-validate</defaultValue>
              </leafNode>
              <tagNode name="domain">
                <properties>
                  <help>Domain to forward to a custom DNS server</help>
                </properties>
                <children>
                  <leafNode name="server">
                    <properties>
                      <help>Domain Name Server (DNS) to forward queries to</help>
                      <valueHelp>
                        <format>ipv4</format>
                        <description>Domain Name Server (DNS) IPv4 address</description>
                      </valueHelp>
                      <valueHelp>
                        <format>ipv6</format>
                        <description>Domain Name Server (DNS) IPv6 address</description>
                      </valueHelp>
                      <multi/>
                      <constraint>
                        <validator name="ipv4-address"/>
                        <validator name="ipv6-address"/>
                      </constraint>
                    </properties>
                  </leafNode>
                  <leafNode name="addnta">
                    <properties>
                      <help>Add NTA (negative trust anchor) for this domain (must be set if the domain does not support DNSSEC)</help>
                      <valueless/>
                    </properties>
                  </leafNode>
                  <leafNode name="recursion-desired">
                    <properties>
                      <help>Set the "recursion desired" bit in requests to the upstream nameserver</help>
                      <valueless/>
                    </properties>
                  </leafNode>
                </children>
              </tagNode>
              <leafNode name="ignore-hosts-file">
                <properties>
                  <help>Do not use local /etc/hosts file in name resolution</help>
                  <valueless/>
                </properties>
              </leafNode>
              <leafNode name="no-serve-rfc1918">
                <properties>
                  <help>Makes the server authoritatively not aware of RFC1918 addresses</help>
		  <valueless/>
                </properties>
              </leafNode>
              <leafNode name="allow-from">
                <properties>
                  <help>Networks allowed to query this server</help>
                  <valueHelp>
                    <format>ipv4net</format>
                    <description>IP address and prefix length</description>
                  </valueHelp>
                  <valueHelp>
                    <format>ipv6net</format>
                    <description>IPv6 address and prefix length</description>
                  </valueHelp>
                  <multi/>
                  <constraint>
                    <validator name="ip-prefix"/>
                  </constraint>
                </properties>
              </leafNode>
              #include <include/listen-address.xml.i>
              <leafNode name="negative-ttl">
                <properties>
                  <help>Maximum amount of time negative entries are cached (default: 3600)</help>
                  <valueHelp>
                    <format>u32:0-7200</format>
                    <description>Seconds to cache NXDOMAIN entries</description>
                  </valueHelp>
                  <constraint>
                    <validator name="numeric" argument="--range 0-7200"/>
                  </constraint>
                </properties>
                <defaultValue>3600</defaultValue>
              </leafNode>
              #include <include/name-server-ipv4-ipv6.xml.i>
              <leafNode name="source-address">
                <properties>
                  <help>Local addresses from which to send DNS queries</help>
                  <completionHelp>
                    <script>${vyos_completion_dir}/list_local_ips.sh --both</script>
                  </completionHelp>
                  <valueHelp>
                    <format>ipv4</format>
                    <description>IPv4 address from which to send traffic</description>
                  </valueHelp>
                  <valueHelp>
                    <format>ipv6</format>
                    <description>IPv6 address from which to send traffic</description>
                  </valueHelp>
                  <multi/>
                  <constraint>
                    <validator name="ipv4-address"/>
                    <validator name="ipv6-address"/>
                  </constraint>
                </properties>
                <defaultValue>0.0.0.0 ::</defaultValue>
              </leafNode>
              <leafNode name="system">
                <properties>
                  <help>Use system name servers</help>
                  <valueless/>
                </properties>
              </leafNode>
            </children>
          </node>
        </children>
      </node>
    </children>
  </node>
</interfaceDefinition>