Masters are determined by the masters field in the domains table.
The default behaviour is enabled (yes), which means that it will try to forward.
This configures how the soa serial should be updated. After every update, the soa serial is updated as this is required by section 3.7 of RFC2136. RFC2136 (Section 3.6) defines some specific behaviour for updates of SOA records.
The behaviour is configurable via domainmetadata with the SOA-EDIT-DNSUPDATE option. Whenever the SOA record is updated via the update message, the logic to change the SOA is not executed.
The option can be left empty to disallow everything, this then should be used in combination with the allow-dnsupdate-from domainmetadata setting per zone.
Tell Power DNS to forward to the master server if the zone is configured as slave.
There is no content, the existence of the entry enables the forwarding.
If you have GSS-TSIG enabled, you can use Kerberos principals here.
An example: If a TSIG key is set for the domain, it is required to be used for the update.
The TSIG is extra security on top of the ALLOW-DNSUPDATE-FROM setting.
If a TSIG key is set, the IP(-range) still needs to be allowed via ALLOW-DNSUPDATE-FROM.
In the processing of the update packet, the allow-dnsupdate-from and TSIG-ALLOW-DNSUPDATE are processed first, so those permissions apply before the forward-dnsupdate is used.