diff --git a/unbound.conf b/unbound.conf index 2300e71..653079e 100644 --- a/unbound.conf +++ b/unbound.conf @@ -67,7 +67,8 @@ server: # outgoing-interface: 2001:DB8::6 # number of ports to allocate per thread, determines the size of the - # port range that can be open simultaneously. + # port range that can be open simultaneously. About double the + # num-queries-per-thread, or, use as many as the OS will allow you. # outgoing-range: 4096 # permit unbound to use this port number or port range for @@ -97,6 +98,9 @@ server: # 0 is system default. Use 4m to handle spikes on very busy servers. # so-sndbuf: 0 + # use SO_REUSEPORT to distribute queries over threads. + # so-reuseport: no + # EDNS reassembly buffer to advertise to UDP peers (the actual buffer # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts). # edns-buffer-size: 4096 @@ -125,6 +129,9 @@ server: # if very busy, 50% queries run to completion, 50% get timeout in msec # jostle-timeout: 200 + # msec to wait before close of port on timeout UDP. 0 disables. + # delay-close: 0 + # the amount of memory to use for the RRset cache. # plain value in bytes or you can append k, m or G. default is "4Mb". # rrset-cache-size: 4m @@ -142,10 +149,16 @@ server: # cache. Items are not cached for longer. In seconds. # cache-max-ttl: 86400 - # the time to live (TTL) value for cached roundtrip times, lameness - # and EDNS version information for hosts. In seconds. + # the time to live (TTL) value cap for negative responses in the cache + # cache-max-negative-ttl: 3600 + + # the time to live (TTL) value for cached roundtrip times, lameness and + # EDNS version information for hosts. In seconds. # infra-host-ttl: 900 + # minimum wait time for responses, increase if uplink is long. In msec. + # infra-cache-min-rtt: 50 + # the number of slabs to use for the Infrastructure cache. # the number of slabs must be a power of 2. # more slabs reduce lock contention, but fragment memory usage. @@ -180,6 +193,8 @@ server: # By default everything is refused, except for localhost. # Choose deny (drop message), refuse (polite error reply), # allow (recursive ok), allow_snoop (recursive and nonrecursive ok) + # deny_non_local (drop queries unless can be answered from local-data) + # refuse_non_local (like deny_non_local but polite error reply). # access-control: 0.0.0.0/0 refuse # access-control: 127.0.0.0/8 allow # access-control: ::0/0 refuse @@ -343,6 +358,16 @@ server: # separated by spaces. "iterator" or "validator iterator" # module-config: "validator iterator" + # File with trusted keys, kept uptodate using RFC5011 probes, + # initial file like trust-anchor-file, then it stores metadata. + # Use several entries, one per domain name, to track multiple zones. + # + # If you want to perform DNSSEC validation, run unbound-anchor before + # you start unbound (i.e. in the system boot scripts). And enable: + # Please note usage of unbound-anchor root anchor is at your own risk + # and under the terms of our LICENSE (see that file in the source). + # auto-trust-anchor-file: "/var/lib/unbound/root.key" + # File with DLV trusted keys. Same format as trust-anchor-file. # There can be only one DLV configured, it is trusted from root down. # Downloaded from https://secure.isc.org/ops/dlv/dlv.isc.org.key @@ -410,6 +435,11 @@ server: # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY val-permissive-mode: no + # Ignore the CD flag in incoming queries and refuse them bogus data. + # Enable it if the only clients of unbound are legacy servers (w2008) + # that set CD but cannot validate themselves. + # ignore-cd-flag: no + # Have the validator log failed validations for your diagnosis. # 0: off. 1: A line per failed user query. 2: With reason and bad IP. val-log-level: 1 @@ -443,16 +473,66 @@ server: # plain value in bytes or you can append k, m or G. default is "1Mb". # neg-cache-size: 1m + # By default, for a number of zones a small default 'nothing here' + # reply is built-in. Query traffic is thus blocked. If you + # wish to serve such zone you can unblock them by uncommenting one + # of the nodefault statements below. + # You may also have to use domain-insecure: zone to make DNSSEC work, + # unless you have your own trust anchors for this zone. + # local-zone: "localhost." nodefault + # local-zone: "127.in-addr.arpa." nodefault + # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault + # local-zone: "10.in-addr.arpa." nodefault + # local-zone: "16.172.in-addr.arpa." nodefault + # local-zone: "17.172.in-addr.arpa." nodefault + # local-zone: "18.172.in-addr.arpa." nodefault + # local-zone: "19.172.in-addr.arpa." nodefault + # local-zone: "20.172.in-addr.arpa." nodefault + # local-zone: "21.172.in-addr.arpa." nodefault + # local-zone: "22.172.in-addr.arpa." nodefault + # local-zone: "23.172.in-addr.arpa." nodefault + # local-zone: "24.172.in-addr.arpa." nodefault + # local-zone: "25.172.in-addr.arpa." nodefault + # local-zone: "26.172.in-addr.arpa." nodefault + # local-zone: "27.172.in-addr.arpa." nodefault + # local-zone: "28.172.in-addr.arpa." nodefault + # local-zone: "29.172.in-addr.arpa." nodefault + # local-zone: "30.172.in-addr.arpa." nodefault + # local-zone: "31.172.in-addr.arpa." nodefault + # local-zone: "168.192.in-addr.arpa." nodefault + # local-zone: "0.in-addr.arpa." nodefault + # local-zone: "254.169.in-addr.arpa." nodefault + # local-zone: "2.0.192.in-addr.arpa." nodefault + # local-zone: "100.51.198.in-addr.arpa." nodefault + # local-zone: "113.0.203.in-addr.arpa." nodefault + # local-zone: "255.255.255.255.in-addr.arpa." nodefault + # local-zone: "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault + # local-zone: "d.f.ip6.arpa." nodefault + # local-zone: "8.e.f.ip6.arpa." nodefault + # local-zone: "9.e.f.ip6.arpa." nodefault + # local-zone: "a.e.f.ip6.arpa." nodefault + # local-zone: "b.e.f.ip6.arpa." nodefault + # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault + # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa. + + # if unbound is running service for the local host then it is useful + # to perform lan-wide lookups to the upstream, and unblock the + # long list of local-zones above. If this unbound is a dns server + # for a network of computers, disabled is better and stops information + # leakage of local lan information. + # unblock-lan-zones: no + # a number of locally served zones can be configured. # local-zone: # local-data: "" - # o deny serves local data (if any), else, drops queries. + # o deny serves local data (if any), else, drops queries. # o refuse serves local data (if any), else, replies with error. # o static serves local data, else, nxdomain or nodata answer. - # o transparent serves local data, but resolves normally for other names + # o transparent gives local data, but resolves normally for other names # o redirect serves the zone data for any subdomain in the zone. # o nodefault can be used to normally resolve AS112 zones. # o typetransparent resolves normally for other types and other names + # o inform resolves normally, but logs client IP address # # defaults are localhost address, reverse for 127.0.0.1 and ::1 # and nxdomain for AS112 zones. If you configure one of these zones @@ -492,14 +572,17 @@ server: # Default is no. Can be turned on and off with unbound-control. # ssl-upstream: no -## Python config section. To enable: -## o use --with-pythonmodule to configure before compiling. -## o list python in the module-config string (above) to enable. -## o and give a python-script to run. -#python: -# # Script file to load -# # python-script: "/etc/unbound/ubmodule-tst.py" + # DNS64 prefix. Must be specified when DNS64 is use. + # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4. + # dns64-prefix: 64:ff9b::0/96 +# Python config section. To enable: +# o use --with-pythonmodule to configure before compiling. +# o list python in the module-config string (above) to enable. +# o and give a python-script to run. +python: + # Script file to load + # python-script: "/etc/unbound/ubmodule-tst.py" # Remote control config section. remote-control: @@ -508,6 +591,10 @@ remote-control: # Note: required for unbound-munin package control-enable: yes + # Set to no and use an absolute path as control-interface to use + # a unix local named pipe for unbound-control. + # control-use-cert: yes + # what interfaces are listened to for remote control. # give 0.0.0.0 and ::0 to listen to all interfaces. # control-interface: 127.0.0.1