Add new options from upstream example.conf to default unbound.conf (commented out)
Signed-off-by: Tomas Hozza <thozza@redhat.com>
This commit is contained in:
parent
41b8e28ac9
commit
9727819990
111
unbound.conf
111
unbound.conf
@ -67,7 +67,8 @@ server:
|
||||
# outgoing-interface: 2001:DB8::6
|
||||
|
||||
# number of ports to allocate per thread, determines the size of the
|
||||
# port range that can be open simultaneously.
|
||||
# port range that can be open simultaneously. About double the
|
||||
# num-queries-per-thread, or, use as many as the OS will allow you.
|
||||
# outgoing-range: 4096
|
||||
|
||||
# permit unbound to use this port number or port range for
|
||||
@ -97,6 +98,9 @@ server:
|
||||
# 0 is system default. Use 4m to handle spikes on very busy servers.
|
||||
# so-sndbuf: 0
|
||||
|
||||
# use SO_REUSEPORT to distribute queries over threads.
|
||||
# so-reuseport: no
|
||||
|
||||
# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
|
||||
# is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
|
||||
# edns-buffer-size: 4096
|
||||
@ -125,6 +129,9 @@ server:
|
||||
# if very busy, 50% queries run to completion, 50% get timeout in msec
|
||||
# jostle-timeout: 200
|
||||
|
||||
# msec to wait before close of port on timeout UDP. 0 disables.
|
||||
# delay-close: 0
|
||||
|
||||
# the amount of memory to use for the RRset cache.
|
||||
# plain value in bytes or you can append k, m or G. default is "4Mb".
|
||||
# rrset-cache-size: 4m
|
||||
@ -142,10 +149,16 @@ server:
|
||||
# cache. Items are not cached for longer. In seconds.
|
||||
# cache-max-ttl: 86400
|
||||
|
||||
# the time to live (TTL) value for cached roundtrip times, lameness
|
||||
# and EDNS version information for hosts. In seconds.
|
||||
# the time to live (TTL) value cap for negative responses in the cache
|
||||
# cache-max-negative-ttl: 3600
|
||||
|
||||
# the time to live (TTL) value for cached roundtrip times, lameness and
|
||||
# EDNS version information for hosts. In seconds.
|
||||
# infra-host-ttl: 900
|
||||
|
||||
# minimum wait time for responses, increase if uplink is long. In msec.
|
||||
# infra-cache-min-rtt: 50
|
||||
|
||||
# the number of slabs to use for the Infrastructure cache.
|
||||
# the number of slabs must be a power of 2.
|
||||
# more slabs reduce lock contention, but fragment memory usage.
|
||||
@ -180,6 +193,8 @@ server:
|
||||
# By default everything is refused, except for localhost.
|
||||
# Choose deny (drop message), refuse (polite error reply),
|
||||
# allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
|
||||
# deny_non_local (drop queries unless can be answered from local-data)
|
||||
# refuse_non_local (like deny_non_local but polite error reply).
|
||||
# access-control: 0.0.0.0/0 refuse
|
||||
# access-control: 127.0.0.0/8 allow
|
||||
# access-control: ::0/0 refuse
|
||||
@ -343,6 +358,16 @@ server:
|
||||
# separated by spaces. "iterator" or "validator iterator"
|
||||
# module-config: "validator iterator"
|
||||
|
||||
# File with trusted keys, kept uptodate using RFC5011 probes,
|
||||
# initial file like trust-anchor-file, then it stores metadata.
|
||||
# Use several entries, one per domain name, to track multiple zones.
|
||||
#
|
||||
# If you want to perform DNSSEC validation, run unbound-anchor before
|
||||
# you start unbound (i.e. in the system boot scripts). And enable:
|
||||
# Please note usage of unbound-anchor root anchor is at your own risk
|
||||
# and under the terms of our LICENSE (see that file in the source).
|
||||
# auto-trust-anchor-file: "/var/lib/unbound/root.key"
|
||||
|
||||
# File with DLV trusted keys. Same format as trust-anchor-file.
|
||||
# There can be only one DLV configured, it is trusted from root down.
|
||||
# Downloaded from https://secure.isc.org/ops/dlv/dlv.isc.org.key
|
||||
@ -410,6 +435,11 @@ server:
|
||||
# NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
|
||||
val-permissive-mode: no
|
||||
|
||||
# Ignore the CD flag in incoming queries and refuse them bogus data.
|
||||
# Enable it if the only clients of unbound are legacy servers (w2008)
|
||||
# that set CD but cannot validate themselves.
|
||||
# ignore-cd-flag: no
|
||||
|
||||
# Have the validator log failed validations for your diagnosis.
|
||||
# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
|
||||
val-log-level: 1
|
||||
@ -443,16 +473,66 @@ server:
|
||||
# plain value in bytes or you can append k, m or G. default is "1Mb".
|
||||
# neg-cache-size: 1m
|
||||
|
||||
# By default, for a number of zones a small default 'nothing here'
|
||||
# reply is built-in. Query traffic is thus blocked. If you
|
||||
# wish to serve such zone you can unblock them by uncommenting one
|
||||
# of the nodefault statements below.
|
||||
# You may also have to use domain-insecure: zone to make DNSSEC work,
|
||||
# unless you have your own trust anchors for this zone.
|
||||
# local-zone: "localhost." nodefault
|
||||
# local-zone: "127.in-addr.arpa." nodefault
|
||||
# local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
|
||||
# local-zone: "10.in-addr.arpa." nodefault
|
||||
# local-zone: "16.172.in-addr.arpa." nodefault
|
||||
# local-zone: "17.172.in-addr.arpa." nodefault
|
||||
# local-zone: "18.172.in-addr.arpa." nodefault
|
||||
# local-zone: "19.172.in-addr.arpa." nodefault
|
||||
# local-zone: "20.172.in-addr.arpa." nodefault
|
||||
# local-zone: "21.172.in-addr.arpa." nodefault
|
||||
# local-zone: "22.172.in-addr.arpa." nodefault
|
||||
# local-zone: "23.172.in-addr.arpa." nodefault
|
||||
# local-zone: "24.172.in-addr.arpa." nodefault
|
||||
# local-zone: "25.172.in-addr.arpa." nodefault
|
||||
# local-zone: "26.172.in-addr.arpa." nodefault
|
||||
# local-zone: "27.172.in-addr.arpa." nodefault
|
||||
# local-zone: "28.172.in-addr.arpa." nodefault
|
||||
# local-zone: "29.172.in-addr.arpa." nodefault
|
||||
# local-zone: "30.172.in-addr.arpa." nodefault
|
||||
# local-zone: "31.172.in-addr.arpa." nodefault
|
||||
# local-zone: "168.192.in-addr.arpa." nodefault
|
||||
# local-zone: "0.in-addr.arpa." nodefault
|
||||
# local-zone: "254.169.in-addr.arpa." nodefault
|
||||
# local-zone: "2.0.192.in-addr.arpa." nodefault
|
||||
# local-zone: "100.51.198.in-addr.arpa." nodefault
|
||||
# local-zone: "113.0.203.in-addr.arpa." nodefault
|
||||
# local-zone: "255.255.255.255.in-addr.arpa." nodefault
|
||||
# local-zone: "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
|
||||
# local-zone: "d.f.ip6.arpa." nodefault
|
||||
# local-zone: "8.e.f.ip6.arpa." nodefault
|
||||
# local-zone: "9.e.f.ip6.arpa." nodefault
|
||||
# local-zone: "a.e.f.ip6.arpa." nodefault
|
||||
# local-zone: "b.e.f.ip6.arpa." nodefault
|
||||
# local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
|
||||
# And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
|
||||
|
||||
# if unbound is running service for the local host then it is useful
|
||||
# to perform lan-wide lookups to the upstream, and unblock the
|
||||
# long list of local-zones above. If this unbound is a dns server
|
||||
# for a network of computers, disabled is better and stops information
|
||||
# leakage of local lan information.
|
||||
# unblock-lan-zones: no
|
||||
|
||||
# a number of locally served zones can be configured.
|
||||
# local-zone: <zone> <type>
|
||||
# local-data: "<resource record string>"
|
||||
# o deny serves local data (if any), else, drops queries.
|
||||
# o deny serves local data (if any), else, drops queries.
|
||||
# o refuse serves local data (if any), else, replies with error.
|
||||
# o static serves local data, else, nxdomain or nodata answer.
|
||||
# o transparent serves local data, but resolves normally for other names
|
||||
# o transparent gives local data, but resolves normally for other names
|
||||
# o redirect serves the zone data for any subdomain in the zone.
|
||||
# o nodefault can be used to normally resolve AS112 zones.
|
||||
# o typetransparent resolves normally for other types and other names
|
||||
# o inform resolves normally, but logs client IP address
|
||||
#
|
||||
# defaults are localhost address, reverse for 127.0.0.1 and ::1
|
||||
# and nxdomain for AS112 zones. If you configure one of these zones
|
||||
@ -492,14 +572,17 @@ server:
|
||||
# Default is no. Can be turned on and off with unbound-control.
|
||||
# ssl-upstream: no
|
||||
|
||||
## Python config section. To enable:
|
||||
## o use --with-pythonmodule to configure before compiling.
|
||||
## o list python in the module-config string (above) to enable.
|
||||
## o and give a python-script to run.
|
||||
#python:
|
||||
# # Script file to load
|
||||
# # python-script: "/etc/unbound/ubmodule-tst.py"
|
||||
# DNS64 prefix. Must be specified when DNS64 is use.
|
||||
# Enable dns64 in module-config. Used to synthesize IPv6 from IPv4.
|
||||
# dns64-prefix: 64:ff9b::0/96
|
||||
|
||||
# Python config section. To enable:
|
||||
# o use --with-pythonmodule to configure before compiling.
|
||||
# o list python in the module-config string (above) to enable.
|
||||
# o and give a python-script to run.
|
||||
python:
|
||||
# Script file to load
|
||||
# python-script: "/etc/unbound/ubmodule-tst.py"
|
||||
|
||||
# Remote control config section.
|
||||
remote-control:
|
||||
@ -508,6 +591,10 @@ remote-control:
|
||||
# Note: required for unbound-munin package
|
||||
control-enable: yes
|
||||
|
||||
# Set to no and use an absolute path as control-interface to use
|
||||
# a unix local named pipe for unbound-control.
|
||||
# control-use-cert: yes
|
||||
|
||||
# what interfaces are listened to for remote control.
|
||||
# give 0.0.0.0 and ::0 to listen to all interfaces.
|
||||
# control-interface: 127.0.0.1
|
||||
|
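Review bot: In the hunk at `@ -443,16 +473,66 @@ server:` the new `python:` section header is added uncommented, while the block it appears to replace used `#python:` and the commit title says the added options are commented out. An empty `python:` stanza is probably inert (the surrounding comment itself says the module only runs when "python" is listed in module-config), but it is still an active section keyword in a default config that the title describes as comment-only, and readers will take it as deliberate. If mirroring upstream exactly is the intent, say so above it, e.g. `# python: section left enabled as upstream; it does nothing unless "python" is in module-config`; otherwise change the line to `# python:` to match the rest of the commit. The remote-control section in the last hunk continues beyond the diff.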