# Fedora/EPEL version of dnssec-trigger.conf
# logging detail, 0=only errors, 1=operations, 2=detail, 3,4 debug detail.
# verbosity: 1
# pidfile location
pidfile: "/var/run/dnssec-triggerd.pid"
# log to a file instead of syslog, default is to syslog
# logfile: "/var/log/dnssec-trigger.log"
# log to syslog, or (log to stderr or a logfile if specified). yes or no.
# use-syslog: yes
# chroot to this directory
# chroot: ""
# the unbound-control binary if not found in PATH.
# commandline options can be appended "unbound-control -c my.conf" if you wish.
# unbound-control: "/usr/sbin/unbound-control"
# where is resolv.conf to edit.
# resolvconf: "/etc/resolv.conf"
# the domain example.com line (if any) to add to resolv.conf(5). default none.
# domain: ""
# domain name search path to add to resolv.conf(5). default none.
# the search path from DHCP is not picked up, because a network-supplied
# search path could be used to misdirect name lookups.
# search: ""
# the command to run to open login pages on hot spots, a web browser.
# empty string runs no command.
# login-command: "xdg-open"
login-command: ""
# the url to open to get hot spot login, it gets overridden by the hotspot.
# login-location: "http://www.nlnetlabs.nl/projects/dnssec-trigger"
# should be a ttl=0 entry (so the answer is not served from a cache)
# login-location: "http://hotspot-nocache.fedoraproject.org/"
# do not perform actions (unbound-control or resolv.conf), for a dry-run.
# noaction: no
# port number to use for probe daemon.
# port: 8955
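# keys and certificates generated by the dnssec-trigger-keygen systemd service
# (which calls dnssec-trigger-control-setup)
# NOTE(review): the .key files are presumably private keys - confirm that
# their file permissions admit only the accounts meant to use them.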
server-key-file: "/etc/dnssec-trigger/dnssec_trigger_server.key"
server-cert-file: "/etc/dnssec-trigger/dnssec_trigger_server.pem"
control-key-file: "/etc/dnssec-trigger/dnssec_trigger_control.key"
control-cert-file: "/etc/dnssec-trigger/dnssec_trigger_control.pem"
# check for updates, download and ask to install them (for Windows, OSX).
# check-updates: no
# webservers that are probed to see if internet access is possible.
# They serve a simple static page over HTTP port 80. It probes a random url:
# after a space is the content expected on the page, (the page can contain
# whitespace before and after this code). Without urls it skips http probes.
# provided by NLnetLabs
# It is provided on a best effort basis, with no service guarantee.
# url: "http://ster.nlnetlabs.nl/hotspot.txt OK"
# provided by FedoraProject
# on Workstation, the detection is turned off
# url: "http://fedoraproject.org/static/hotspot.txt OK"
# fallback open DNSSEC resolvers that run on TCP port 80 and TCP port 443.
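# an ssl443 line adds an ssl server IP. If you specify a hash, the server
# certificate is checked against it; put the following on one line:
# ssl443:<space><IP><space><HASHoutput>
# hash is the SHA-256 fingerprint value printed by
# openssl x509 -sha256 -fingerprint -in server.pem
# NOTE(review): a line without a hash presumably leaves the server
# certificate unchecked - confirm, and give the hash on every ssl443 line.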
# You can add more with extra config lines.
# provided by NLnetLabs
# It is provided on a best effort basis, with no service guarantee.
tcp80: 185.49.140.67
tcp80: 2a04:b900::10:0:0:67
ssl443: 185.49.140.67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF
ssl443: 2a04:b900::10:0:0:67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF
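# How to add your own record:
# openssl s_client -connect example.com:443 -showcerts </dev/null > /tmp/dns.crt
# openssl x509 -noout -in /tmp/dns.crt -fingerprint -sha256
# Append the returned SHA256 fingerprint after the IP address on the ssl443: line.
# The fingerprint becomes the pin, and s_client by default continues even when
# it cannot verify the certificate, so whatever answers on port 443 is what
# gets pinned: run this from a network you trust and compare the value with
# one obtained from the resolver operator by another channel.
# /tmp/dns.crt is a fixed name in a world-writable directory; on a shared
# host write the file to a private directory instead.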