Update config file to 1.12.0

Use the new defaults from upstream example.conf in the Fedora-shipped default config file.
Don't include dnstap and DoH features yet.
This commit is contained in:
Petr Menšík 2020-10-13 18:18:50 +02:00
parent 9b40e98f88
commit ee9c33779e
2 changed files with 38 additions and 19 deletions


@ -5,9 +5,13 @@
# #
# this is a comment. # this is a comment.
#Use this to include other text into the file. # Use this anywhere in the file to include other text into this file.
#include: "otherfile.conf" #include: "otherfile.conf"
# Use this anywhere in the file to include other text, that explicitly starts a
# clause, into this file. Text after this directive needs to start a clause.
#include-toplevel: "otherfile.conf"
# The server clause sets the main parameters. # The server clause sets the main parameters.
server: server:
# whitespace is not necessary, but looks cleaner. # whitespace is not necessary, but looks cleaner.
@ -86,6 +90,9 @@ server:
# Set this to yes to prefer ipv6 upstream servers over ipv4. # Set this to yes to prefer ipv6 upstream servers over ipv4.
# prefer-ip6: no # prefer-ip6: no
# Prefer ipv4 upstream servers, even if ipv6 is available.
# prefer-ip4: no
# number of ports to allocate per thread, determines the size of the # number of ports to allocate per thread, determines the size of the
# port range that can be open simultaneously. About double the # port range that can be open simultaneously. About double the
# num-queries-per-thread, or, use as many as the OS will allow you. # num-queries-per-thread, or, use as many as the OS will allow you.
@ -135,9 +142,14 @@ server:
# Linux only. On Linux you also have ip-transparent that is similar. # Linux only. On Linux you also have ip-transparent that is similar.
# ip-freebind: no # ip-freebind: no
# the value of the Differentiated Services Codepoint (DSCP)
# in the differentiated services field (DS) of the outgoing
# IP packets
# ip-dscp: 0
# EDNS reassembly buffer to advertise to UDP peers (the actual buffer # EDNS reassembly buffer to advertise to UDP peers (the actual buffer
# is set with msg-buffer-size). 1472 can solve fragmentation (timeouts) # is set with msg-buffer-size). 1472 can solve fragmentation (timeouts)
# edns-buffer-size: 4096 # edns-buffer-size: 1232
# Maximum UDP response size (not applied to TCP response). # Maximum UDP response size (not applied to TCP response).
# Suggested values are 512 to 4096. Default is 4096. 65536 disables it. # Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
@ -444,8 +456,8 @@ server:
# Domains (and domains in them) without support for dns-0x20 and # Domains (and domains in them) without support for dns-0x20 and
# the fallback fails because they keep sending different answers. # the fallback fails because they keep sending different answers.
# caps-whitelist: "licdn.com" # caps-exempt: "licdn.com"
# caps-whitelist: "senderbase.org" # caps-exempt: "senderbase.org"
# Enforce privacy of these addresses. Strips them away from answers. # Enforce privacy of these addresses. Strips them away from answers.
# It may cause DNSSEC validation to additionally mark it as bogus. # It may cause DNSSEC validation to additionally mark it as bogus.
@ -522,11 +534,6 @@ server:
# Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel) # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
root-key-sentinel: yes root-key-sentinel: yes
# File with DLV trusted keys. Same format as trust-anchor-file.
# There can be only one DLV configured, it is trusted from root down.
# DLV is going to be decommissioned. Please do not use it any more.
# dlv-anchor-file: "dlv.isc.org.key"
# File with trusted keys for validation. Specify more than one file # File with trusted keys for validation. Specify more than one file
# with several entries, one file per entry. # with several entries, one file per entry.
# Zone file format, with DS and DNSKEY entries. # Zone file format, with DS and DNSKEY entries.
@ -587,8 +594,8 @@ server:
# that set CD but cannot validate themselves. # that set CD but cannot validate themselves.
# ignore-cd-flag: no # ignore-cd-flag: no
# Serve expired responses from cache, with TTL 0 in the response, # Serve expired responses from cache, with serve-expired-reply-ttl in
# and then attempt to fetch the data afresh. # the response, and then attempt to fetch the data afresh.
serve-expired: yes serve-expired: yes
# #
# Limit serving of expired responses to configured seconds after # Limit serving of expired responses to configured seconds after
@ -606,7 +613,7 @@ server:
# #
# Time in milliseconds before replying to the client with expired data. # Time in milliseconds before replying to the client with expired data.
# This essentially enables the serve-stale behavior as specified in # This essentially enables the serve-stale behavior as specified in
# draft-ietf-dnsop-serve-stale-10 that first tries to resolve before # RFC 8767 that first tries to resolve before
# immediately responding with expired data. 0 disables this behavior. # immediately responding with expired data. 0 disables this behavior.
# A recommended value is 1800. # A recommended value is 1800.
# serve-expired-client-timeout: 0 # serve-expired-client-timeout: 0
@ -644,7 +651,7 @@ server:
# more slabs reduce lock contention, but fragment memory usage. # more slabs reduce lock contention, but fragment memory usage.
# key-cache-slabs: 4 # key-cache-slabs: 4
# the amount of memory to use for the negative cache (used for DLV). # the amount of memory to use for the negative cache.
# plain value in bytes or you can append k, m or G. default is "1Mb". # plain value in bytes or you can append k, m or G. default is "1Mb".
# neg-cache-size: 1m # neg-cache-size: 1m
@ -757,18 +764,24 @@ server:
# add a netblock specific override to a localzone, with zone type # add a netblock specific override to a localzone, with zone type
# local-zone-override: "example.com" 192.0.2.0/24 refuse # local-zone-override: "example.com" 192.0.2.0/24 refuse
# service clients over TLS (on the TCP sockets), with plain DNS inside # service clients over TLS (on the TCP sockets) with plain DNS inside
# the TLS stream. Give the certificate to use and private key. # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
# Give the certificate to use and private key.
# default is "" (disabled). requires restart to take effect. # default is "" (disabled). requires restart to take effect.
# tls-service-key: "/etc/unbound/unbound_server.key" # tls-service-key: "/etc/unbound/unbound_server.key"
# tls-service-pem: "/etc/unbound/unbound_server.pem" # tls-service-pem: "/etc/unbound/unbound_server.pem"
# tls-port: 853 # tls-port: 853
# https-port: 443
# cipher setting for TLSv1.2 # cipher setting for TLSv1.2
# tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
# cipher setting for TLSv1.3 # cipher setting for TLSv1.3
# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
# Use the SNI extension for TLS connections. Default is yes.
# Changing the value requires a reload.
# tls-use-sni: yes
# Add the secret file for TLS Session Ticket. # Add the secret file for TLS Session Ticket.
# Secret file must be 80 bytes of random data. # Secret file must be 80 bytes of random data.
# First key use to encrypt and decrypt TLS session tickets. # First key use to encrypt and decrypt TLS session tickets.
@ -865,9 +878,9 @@ server:
# ipsecmod-ignore-bogus: no # ipsecmod-ignore-bogus: no
# #
# Domains for which ipsecmod will be triggered. If not defined (default) # Domains for which ipsecmod will be triggered. If not defined (default)
# all domains are treated as being whitelisted. # all domains are treated as being allowed.
# ipsecmod-whitelist: "libreswan.org" # ipsecmod-allow: "example.com"
# ipsecmod-whitelist: "nlnetlabs.nl" # ipsecmod-allow: "nlnetlabs.nl"
# Python config section. To enable: # Python config section. To enable:
# o use --with-pythonmodule to configure before compiling. # o use --with-pythonmodule to configure before compiling.
@ -1056,10 +1069,12 @@ auth-zone:
# redis-server-port: 6379 # redis-server-port: 6379
# # timeout (in ms) for communication with the redis server # # timeout (in ms) for communication with the redis server
# redis-timeout: 100 # redis-timeout: 100
# # set timeout on redis records based on DNS response TTL
# redis-expire-records: no
# IPSet # IPSet
# Add specify domain into set via ipset. # Add specify domain into set via ipset.
# Note: To enable ipset needs run unbound as root user. # Note: To enable ipset unbound needs run as root user.
# ipset: # ipset:
# # set name for ip v4 addresses # # set name for ip v4 addresses
# name-v4: "list-v4" # name-v4: "list-v4"
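Review bot: The reworded comment on the tls-service lines (`# ... and over HTTPS using HTTP/2 as specified in RFC8484` together with the new `# https-port: 443`) now advertises DNS-over-HTTPS in the Fedora-shipped config, yet the spec hunk in this same commit adds DoH only as `%bcond_with doh`, i.e. off by default, so the packaged binary is presumably built without libnghttp2 and cannot serve that port. An administrator who uncomments `https-port` in this file would be enabling a feature the commit message itself says is not included yet. I would add a packaging note directly above `# https-port: 443`, e.g. `# Requires unbound built with libnghttp2 (DoH); not enabled in this package build.`, or leave the https-port example out of the shipped file until the bcond is switched on. Separately, the advertised `edns-buffer-size` default drops from 4096 to 1232 while the sentence just above it still says "1472 can solve fragmentation (timeouts)"; consider rewording that line so the two numbers do not read as contradictory guidance.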


@ -3,6 +3,7 @@
%{?!with_munin: %global with_munin 1} %{?!with_munin: %global with_munin 1}
%bcond_with dnstap %bcond_with dnstap
%bcond_with systemd %bcond_with systemd
%bcond_with doh
%global _hardened_build 1 %global _hardened_build 1
@ -78,6 +79,9 @@ BuildRequires: fstrm-devel protobuf-c-devel
%if %{with systemd} %if %{with systemd}
BuildRequires: systemd-devel BuildRequires: systemd-devel
%endif %endif
%if %{with doh}
BuildRequires: libnghttp2-devel
%endif
%if 0%{?fedora} >= 30 %if 0%{?fedora} >= 30
BuildRequires: systemd-rpm-macros BuildRequires: systemd-rpm-macros
%else %else