pull in new options of upstream unbound.conf and enable EDE (RFC8914)
This commit is contained in:
parent
7722f4b9bb
commit
cb937b3e49
48
unbound.conf
48
unbound.conf
@ -185,6 +185,10 @@ server:
|
||||
# perform connect for UDP sockets to mitigate ICMP side channel.
|
||||
# udp-connect: yes
|
||||
|
||||
# The number of retries, per upstream nameserver in a delegation, when
|
||||
# a throwaway response (also timeouts) is received.
|
||||
# outbound-msg-retry: 5
|
||||
|
||||
# msec for waiting for an unknown server to reply. Increase if you
|
||||
# are behind a slow satellite link, to eg. 1128.
|
||||
# unknown-server-time-limit: 376
|
||||
@ -216,6 +220,9 @@ server:
|
||||
# minimum wait time for responses, increase if uplink is long. In msec.
|
||||
# infra-cache-min-rtt: 50
|
||||
|
||||
# maximum wait time for responses. In msec.
|
||||
# infra-cache-max-rtt: 120000
|
||||
|
||||
# enable to make server probe down hosts more frequently.
|
||||
# infra-keep-probing: no
|
||||
|
||||
@ -393,9 +400,6 @@ server:
|
||||
# enable to not answer version.server and version.bind queries.
|
||||
# hide-version: no
|
||||
|
||||
# enable to not set the User-Agent HTTP header.
|
||||
# hide-http-user-agent: no
|
||||
|
||||
# enable to not answer trustanchor.unbound queries.
|
||||
# hide-trustanchor: no
|
||||
|
||||
@ -697,6 +701,7 @@ server:
|
||||
# local-zone: "localhost." nodefault
|
||||
# local-zone: "127.in-addr.arpa." nodefault
|
||||
# local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
|
||||
# local-zone: "home.arpa." nodefault
|
||||
# local-zone: "onion." nodefault
|
||||
# local-zone: "test." nodefault
|
||||
# local-zone: "invalid." nodefault
|
||||
@ -844,6 +849,8 @@ server:
|
||||
|
||||
# Add system certs to the cert bundle, from the Windows Cert Store
|
||||
# tls-win-cert: no
|
||||
# and on other systems, the default openssl certificates
|
||||
# tls-system-cert: no
|
||||
|
||||
# Pad queries over TLS upstreams
|
||||
# pad-queries: yes
|
||||
@ -893,6 +900,10 @@ server:
|
||||
# 0 blocks when ratelimited, otherwise let 1/xth traffic through
|
||||
# ratelimit-factor: 10
|
||||
|
||||
# Aggressive rate limit when the limit is reached and until demand has
|
||||
# decreased in a 2 second rate window.
|
||||
# ratelimit-backoff: no
|
||||
|
||||
# override the ratelimit for a specific domain name.
|
||||
# give this setting multiple times to have multiple overrides.
|
||||
# ratelimit-for-domain: example.com 1000
|
||||
@ -913,6 +924,10 @@ server:
|
||||
# 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through
|
||||
# ip-ratelimit-factor: 10
|
||||
|
||||
# Aggressive rate limit when the limit is reached and until demand has
|
||||
# decreased in a 2 second rate window.
|
||||
# ip-ratelimit-backoff: no
|
||||
|
||||
# Limit the number of connections simultaneous from a netblock
|
||||
# tcp-connection-limit: 192.0.2.0/24 12
|
||||
|
||||
@ -922,6 +937,14 @@ server:
|
||||
# the number of servers that will be used in the fast server selection.
|
||||
# fast-server-num: 3
|
||||
|
||||
# Enable to attach Extended DNS Error codes (RFC8914) to responses.
|
||||
ede: yes
|
||||
|
||||
# Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale
|
||||
# Answer as EDNS0 option to expired responses.
|
||||
# Note that the ede option above needs to be enabled for this to work.
|
||||
ede-serve-expired: yes
|
||||
|
||||
# Specific options for ipsecmod. Unbound needs to be configured with
|
||||
# --enable-ipsecmod for these to take effect.
|
||||
#
|
||||
@ -1033,6 +1056,7 @@ include: /etc/unbound/conf.d/*.conf
|
||||
# stub-addr: 192.0.2.68
|
||||
# stub-prime: no
|
||||
# stub-first: no
|
||||
# stub-tcp-upstream: no
|
||||
# stub-tls-upstream: no
|
||||
# stub-no-cache: no
|
||||
# stub-zone:
|
||||
@ -1054,6 +1078,7 @@ include: /etc/unbound/conf.d/*.conf
|
||||
# forward-addr: 192.0.2.68
|
||||
# forward-addr: 192.0.2.73@5355 # forward to port 5355.
|
||||
# forward-first: no
|
||||
# forward-tcp-upstream: no
|
||||
# forward-tls-upstream: no
|
||||
# forward-no-cache: no
|
||||
# forward-zone:
|
||||
@ -1124,6 +1149,7 @@ auth-zone:
|
||||
# another crypto library
|
||||
#
|
||||
# DNSCrypt
|
||||
# o enable, use --enable-dnscrypt to configure before compiling.
|
||||
# Caveats:
|
||||
# 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper
|
||||
# for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
|
||||
@ -1144,7 +1170,9 @@ auth-zone:
|
||||
# dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert
|
||||
|
||||
# CacheDB
|
||||
# Enable external backend DB as auxiliary cache. Specify the backend name
|
||||
# External backend DB as auxiliary cache.
|
||||
# To enable, use --enable-cachedb to configure before compiling.
|
||||
# Specify the backend name
|
||||
# (default is "testframe", which has no use other than for debugging and
|
||||
# testing) and backend-specific options. The 'cachedb' module must be
|
||||
# included in module-config, just before the iterator module.
|
||||
@ -1154,6 +1182,7 @@ auth-zone:
|
||||
# secret-seed: "default"
|
||||
#
|
||||
# # For "redis" backend:
|
||||
# # (to enable, use --with-libhiredis to configure before compiling)
|
||||
# # redis server's IP address or host name
|
||||
# redis-server-host: 127.0.0.1
|
||||
# # redis server's TCP port
|
||||
@ -1165,7 +1194,9 @@ auth-zone:
|
||||
|
||||
# IPSet
|
||||
# Add specify domain into set via ipset.
|
||||
# Note: To enable ipset Unbound needs to run as root user.
|
||||
# To enable:
|
||||
# o use --enable-ipset to configure before compiling;
|
||||
# o Unbound then needs to run as root user.
|
||||
# ipset:
|
||||
# # set name for ip v4 addresses
|
||||
# name-v4: "list-v4"
|
||||
@ -1173,9 +1204,10 @@ auth-zone:
|
||||
# name-v6: "list-v6"
|
||||
#
|
||||
|
||||
# Dnstap logging support, if compiled in. To enable, set the dnstap-enable
|
||||
# to yes and also some of dnstap-log-..-messages to yes. And select an
|
||||
# upstream log destination, by socket path, TCP or TLS destination.
|
||||
# Dnstap logging support, if compiled in by using --enable-dnstap to configure.
|
||||
# To enable, set the dnstap-enable to yes and also some of
|
||||
# dnstap-log-..-messages to yes. And select an upstream log destination, by
|
||||
# socket path, TCP or TLS destination.
|
||||
# dnstap:
|
||||
# dnstap-enable: no
|
||||
# # if set to yes frame streams will be used in bidirectional mode
|
||||
|
@ -30,7 +30,7 @@
|
||||
Summary: Validating, recursive, and caching DNS(SEC) resolver
|
||||
Name: unbound
|
||||
Version: 1.16.2
|
||||
Release: 2%{?extra_version:.%{extra_version}}%{?dist}
|
||||
Release: 3%{?extra_version:.%{extra_version}}%{?dist}
|
||||
License: BSD
|
||||
Url: https://nlnetlabs.nl/projects/unbound/
|
||||
Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
|
||||
@ -471,6 +471,10 @@ popd
|
||||
%{_mandir}/man1/unbound-*
|
||||
|
||||
%changelog
|
||||
* Tue Aug 09 2022 Paul Wouters <pwouters@redhat.com> - 1.16.2-3
|
||||
- sync up to upstream unbound.conf
|
||||
- Enable Extended DNS Error codes (RFC8914)
|
||||
|
||||
* Tue Aug 09 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-2
|
||||
- Require openssl tool for unbound-keygen (#2116790)
|
||||
|
||||
|