Import few changes to configuration

(cherry picked from commit c469ecef1546594729359c39d744e692e37f545e) Resolves: rhbz#2087120
2022-03-29 17:28:39 +02:00 · 2022-03-29 17:28:39 +02:00 · 5e9b07ef98
parent c5810ec4d9
commit 5e9b07ef98
1 changed files with 25 additions and 22 deletions
--- a/unbound.conf
+++ b/unbound.conf
@ -98,14 +98,14 @@ server:
 	# num-queries-per-thread, or, use as many as the OS will allow you.
 	# outgoing-range: 4096

-	# permit unbound to use this port number or port range for
+	# permit Unbound to use this port number or port range for
 	# making outgoing queries, using an outgoing interface.
 	# Only ephemeral ports are allowed by SElinux
 	outgoing-port-permit: 32768-60999

-	# deny unbound the use this of port number or port range for
+	# deny Unbound the use this of port number or port range for
 	# making outgoing queries, using an outgoing interface.
-	# Use this to make sure unbound does not grab a UDP port that some
+	# Use this to make sure Unbound does not grab a UDP port that some
 	# other server on this computer needs. The default is to avoid
 	# IANA-assigned port numbers.
 	# If multiple outgoing-port-permit and outgoing-port-avoid options
@ -238,7 +238,7 @@ server:
 	# do-ip6: yes

 	# Enable UDP, "yes" or "no".
-	# NOTE: if setting up an unbound on tls443 for public use, you might want to
+	# NOTE: if setting up an Unbound on tls443 for public use, you might want to
 	# disable UDP to avoid being used in DNS amplification attacks.
 	# do-udp: yes

@ -275,7 +275,7 @@ server:
 	# use-systemd: no

 	# Detach from the terminal, run in background, "yes" or "no".
-	# Set the value to "no" when unbound runs as systemd service.
+	# Set the value to "no" when Unbound runs as systemd service.
 	# do-daemonize: yes

 	# control which clients are allowed to make (recursive) queries
@ -328,7 +328,7 @@ server:
 	# The pid file can be absolute and outside of the chroot, it is
 	# written just prior to performing the chroot and dropping permissions.
 	#
-	# Additionally, unbound may need to access /dev/urandom (for entropy).
+	# Additionally, Unbound may need to access /dev/urandom (for entropy).
 	# How to do this is specific to your OS.
 	#
 	# If you give "" no chroot is performed. The path must not end in a /.
@ -542,7 +542,7 @@ server:
 	# Use several entries, one per domain name, to track multiple zones.
 	#
 	# If you want to perform DNSSEC validation, run unbound-anchor before
-	# you start unbound (i.e. in the system boot scripts).  And enable:
+	# you start Unbound (i.e. in the system boot scripts).  And enable:
 	# Please note usage of unbound-anchor root anchor is at your own risk
 	# and under the terms of our LICENSE (see that file in the source).
 	# auto-trust-anchor-file: "/var/lib/unbound/root.key"
@ -613,7 +613,7 @@ server:
 	val-permissive-mode: no

 	# Ignore the CD flag in incoming queries and refuse them bogus data.
-	# Enable it if the only clients of unbound are legacy servers (w2008)
+	# Enable it if the only clients of Unbound are legacy servers (w2008)
 	# that set CD but cannot validate themselves.
 	# ignore-cd-flag: no

@ -643,7 +643,7 @@ server:

 	# Return the original TTL as received from the upstream name server rather
 	# than the decrementing TTL as stored in the cache.  Enabling this feature
-	# does not impact cache expiry, it only changes the TTL unbound embeds in
+	# does not impact cache expiry, it only changes the TTL Unbound embeds in
 	# responses to queries. Note that enabling this feature implicitly disables
 	# enforcement of the configured minimum and maximum TTL.
 	# serve-original-ttl: no
@ -736,9 +736,9 @@ server:
 	# Add example.com into ipset
 	# local-zone: "example.com" ipset

-	# If unbound is running service for the local host then it is useful
+	# If Unbound is running service for the local host then it is useful
 	# to perform lan-wide lookups to the upstream, and unblock the
-	# long list of local-zones above.  If this unbound is a dns server
+	# long list of local-zones above.  If this Unbound is a dns server
 	# for a network of computers, disabled is better and stops information
 	# leakage of local lan information.
 	# unblock-lan-zones: no
@ -922,7 +922,7 @@ server:
 	# the number of servers that will be used in the fast server selection.
 	# fast-server-num: 3

-	# Specific options for ipsecmod. unbound needs to be configured with
+	# Specific options for ipsecmod. Unbound needs to be configured with
 	# --enable-ipsecmod for these to take effect.
 	#
 	# Enable or disable ipsecmod (it still needs to be defined in
@ -936,7 +936,7 @@ server:
 	# ipsecmod-hook: "./my_executable"
 	ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook

-	# When enabled unbound will reply with SERVFAIL if the return value of
+	# When enabled Unbound will reply with SERVFAIL if the return value of
 	# the ipsecmod-hook is not 0.
 	# ipsecmod-strict: no
 	#
@ -1005,10 +1005,10 @@ remote-control:
 	# For local sockets this option is ignored, and TLS is not used.
 	control-use-cert: "no"

-	# unbound server key file.
+	# Unbound server key file.
 	server-key-file: "/etc/unbound/unbound_server.key"

-	# unbound server certificate file.
+	# Unbound server certificate file.
 	server-cert-file: "/etc/unbound/unbound_server.pem"

 	# unbound-control key file.
@ -1125,7 +1125,7 @@ auth-zone:
 #
 # DNSCrypt
 # Caveats:
-# 1. the keys/certs cannot be produced by unbound. You can use dnscrypt-wrapper
+# 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper
 #   for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
 # 2. dnscrypt channel attaches to an interface. you MUST set interfaces to
 #   listen on `dnscrypt-port` with the follo0wing snippet:
@ -1165,7 +1165,7 @@ auth-zone:

 # IPSet
 # Add specify domain into set via ipset.
-# Note: To enable ipset unbound needs to run as root user.
+# Note: To enable ipset Unbound needs to run as root user.
 # ipset:
 #     # set name for ip v4 addresses
 #     name-v4: "list-v4"
@ -1188,7 +1188,7 @@ auth-zone:
 # 	dnstap-tls: yes
 # 	# name for authenticating the upstream server. or "" disabled.
 # 	dnstap-tls-server-name: ""
-# 	# if "", it uses the cert bundle from the main unbound config.
+# 	# if "", it uses the cert bundle from the main Unbound config.
 # 	dnstap-tls-cert-bundle: ""
 # 	# key file for client authentication, or "" disabled.
 # 	dnstap-tls-client-key-file: ""
@ -1208,10 +1208,11 @@ auth-zone:
 # 	dnstap-log-forwarder-response-messages: no

 # Response Policy Zones
-# RPZ policies. Applied in order of configuration. QNAME and Response IP
-# Address trigger are the only supported triggers. Supported actions are:
-# NXDOMAIN, NODATA, PASSTHRU, DROP and Local Data. Policies can be loaded from
-# file, using zone transfer, or using HTTP. The respip module needs to be added
+# RPZ policies. Applied in order of configuration. QNAME, Response IP
+# Address, nsdname, nsip and clientip triggers are supported. Supported
+# actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp-only
+# and drop.  Policies can be loaded from a file, or using zone
+# transfer, or using HTTP. The respip module needs to be added
 # to the module-config, e.g.: module-config: "respip validator iterator".
 # rpz:
 #     name: "rpz.example.com"
@ -1223,4 +1224,6 @@ auth-zone:
 #     rpz-cname-override: www.example.org
 #     rpz-log: yes
 #     rpz-log-name: "example policy"
+#     rpz-signal-nxdomain-ra: no
+#     for-downstream: no
 #     tags: "example"