unbound/unbound-fedora-config.patch
Petr Menšík 8eb43fc467 Generate configuration file from upstream example.conf
To reduce rebase burden, just modify upstream example with our Fedora
specific changes. The result should be the same, but without the need to
manually add new features into separate config file.
2023-11-10 16:25:39 +01:00

552 lines
21 KiB
Diff

From ecfc3a96a0d38cc31fb871d98789467434c7afda Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Fri, 10 Nov 2023 12:58:31 +0100
Subject: [PATCH] Customize unbound.conf for Fedora defaults
Set some Fedora/RHEL specific changes to example configuration file. By
patching upstream provided config file we would not need to manually
update external copy in source RPM.
---
unbound-1.19.0/doc/example.conf.in | 205 ++++++++++++++++++-----------
1 file changed, 131 insertions(+), 74 deletions(-)
diff --git a/unbound-1.19.0/doc/example.conf.in b/unbound-1.19.0/doc/example.conf.in
index fe0dde6..b79a322 100644
--- a/unbound-1.19.0/doc/example.conf.in
+++ b/unbound-1.19.0/doc/example.conf.in
@@ -17,11 +17,12 @@ server:
# whitespace is not necessary, but looks cleaner.
# verbosity number, 0 is least verbose. 1 is default.
- # verbosity: 1
+ verbosity: 1
# print statistics to the log (for every thread) every N seconds.
# Set to "" or 0 to disable. Default is disabled.
- # statistics-interval: 0
+ # Needs to be disabled for munin plugin
+ statistics-interval: 0
# enable shm for stats, default no. if you enable also enable
# statistics-interval, every time it also writes stats to the
@@ -32,11 +33,13 @@ server:
# shm-key: 11777
# enable cumulative statistics, without clearing them after printing.
- # statistics-cumulative: no
+ # Needs to be disabled for munin plugin
+ statistics-cumulative: no
# enable extended statistics (query types, answer codes, status)
- # printed from unbound-control. Default off, because of speed.
- # extended-statistics: no
+ # printed from unbound-control. default off, because of speed.
+ # Needs to be enabled for munin plugin
+ extended-statistics: yes
# Inhibits selected extended statistics (qtype, qclass, qopcode, rcode,
# rpz-actions) from printing if their value is 0.
@@ -44,22 +47,35 @@ server:
# statistics-inhibit-zero: yes
# number of threads to create. 1 disables threading.
- # num-threads: 1
+ num-threads: 4
# specify the interfaces to answer queries from by ip-address.
# The default is to listen to localhost (127.0.0.1 and ::1).
# specify 0.0.0.0 and ::0 to bind to all available interfaces.
# specify every interface[@port] on a new 'interface:' labelled line.
# The listen interfaces are not changed on reload, only on restart.
+ # interface: 0.0.0.0
+ # interface: ::0
# interface: 192.0.2.153
# interface: 192.0.2.154
# interface: 192.0.2.154@5003
# interface: 2001:DB8::5
# interface: eth0@5003
+ #
+ # for dns over tls and raw dns over port 80
+ # interface: 0.0.0.0@443
+ # interface: ::0@443
+ # interface: 0.0.0.0@80
+ # interface: ::0@80
# enable this feature to copy the source address of queries to reply.
# Socket options are not supported on all platforms. experimental.
- # interface-automatic: no
+ # interface-automatic: yes
+ #
+ # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0
+ # NOTE: Disabled per Fedora policy not to listen to * on default install
+ # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled
+ interface-automatic: no
# instead of the default port, open additional ports separated by
# spaces when interface-automatic is enabled, by listing them here.
@@ -94,7 +110,8 @@ server:
# permit Unbound to use this port number or port range for
# making outgoing queries, using an outgoing interface.
- # outgoing-port-permit: 32768
+ # Only ephemeral ports are allowed by SElinux
+ outgoing-port-permit: 32768-60999
# deny Unbound the use this of port number or port range for
# making outgoing queries, using an outgoing interface.
@@ -103,7 +120,9 @@ server:
# IANA-assigned port numbers.
# If multiple outgoing-port-permit and outgoing-port-avoid options
# are present, they are processed in order.
- # outgoing-port-avoid: "3200-3208"
+ # Our SElinux policy does not allow non-ephemeral ports to be used
+ outgoing-port-avoid: 0-32767
+ outgoing-port-avoid: 61000-65535
# number of outgoing simultaneous tcp buffers to hold per thread.
# outgoing-num-tcp: 10
@@ -121,12 +140,12 @@ server:
# use SO_REUSEPORT to distribute queries over threads.
# at extreme load it could be better to turn it off to distribute even.
- # so-reuseport: yes
+ so-reuseport: yes
# use IP_TRANSPARENT so the interface: addresses can be non-local
# and you can config non-existing IPs that are going to work later on
# (uses IP_BINDANY on FreeBSD).
- # ip-transparent: no
+ ip-transparent: yes
# use IP_FREEBIND so the interface: addresses can be non-local
# and you can bind to nonexisting IPs and interfaces that are down.
@@ -256,6 +275,8 @@ server:
# nat64-prefix: 64:ff9b::0/96
# Enable UDP, "yes" or "no".
+ # NOTE: if setting up an Unbound on tls443 for public use, you might want to
+ # disable UDP to avoid being used in DNS amplification attacks.
# do-udp: yes
# Enable TCP, "yes" or "no".
@@ -281,7 +302,7 @@ server:
# tcp-idle-timeout: 30000
# Enable EDNS TCP keepalive option.
- # edns-tcp-keepalive: no
+ edns-tcp-keepalive: yes
# Timeout for EDNS TCP keepalive, in msec.
# edns-tcp-keepalive-timeout: 120000
@@ -290,6 +311,9 @@ server:
# can be dropped. Default is 0, disabled. In seconds, such as 3.
# sock-queue-timeout: 0
+ # Fedora note: do not activate this - not compiled in because
+ # it causes frequent unbound crashes. Also, socket activation
+ # is bad when you have things like dnsmasq also running with libvirt.
# Use systemd socket activation for UDP, TCP, and control sockets.
# use-systemd: no
@@ -402,6 +426,7 @@ server:
#
# If you give "" no chroot is performed. The path must not end in a /.
# chroot: "@UNBOUND_CHROOT_DIR@"
+ chroot: ""
# if given, user privileges are dropped (after binding port),
# and the given username is assumed. Default is user "unbound".
@@ -413,7 +438,7 @@ server:
# is not changed.
# If you give a server: directory: dir before include: file statements
# then those includes can be relative to the working directory.
- # directory: "@UNBOUND_RUN_DIR@"
+ directory: "/etc/unbound"
# the log file, "" means log to stderr.
# Use of this option sets use-syslog to "no".
@@ -428,7 +453,7 @@ server:
# log-identity: ""
# print UTC timestamp in ascii to logfile, default is epoch in seconds.
- # log-time-ascii: no
+ log-time-ascii: yes
# print one line with time, IP, name, type, class for every query.
# log-queries: no
@@ -497,22 +522,22 @@ server:
# harden-large-queries: no
# Harden against out of zone rrsets, to avoid spoofing attempts.
- # harden-glue: yes
+ harden-glue: yes
# Harden against receiving dnssec-stripped data. If you turn it
# off, failing to validate dnskey data for a trustanchor will
# trigger insecure mode for that zone (like without a trustanchor).
# Default on, which insists on dnssec data for trust-anchored zones.
- # harden-dnssec-stripped: yes
+ harden-dnssec-stripped: yes
# Harden against queries that fall under dnssec-signed nxdomain names.
- # harden-below-nxdomain: yes
+ harden-below-nxdomain: yes
# Harden the referral path by performing additional queries for
# infrastructure data. Validates the replies (if possible).
# Default off, because the lookups burden the server. Experimental
# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
- # harden-referral-path: no
+ harden-referral-path: yes
# Harden against algorithm downgrade when multiple algorithms are
# advertised in the DS record. If no, allows the weakest algorithm
@@ -526,7 +551,7 @@ server:
# Sent minimum amount of information to upstream servers to enhance
# privacy. Only sent minimum required labels of the QNAME and set QTYPE
# to A when possible.
- # qname-minimisation: yes
+ qname-minimisation: yes
# QNAME minimisation in strict mode. Do not fall-back to sending full
# QNAME to potentially broken nameservers. A lot of domains will not be
@@ -536,7 +561,7 @@ server:
# Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
# and other denials, using information from previous NXDOMAINs answers.
- # aggressive-nsec: yes
+ aggressive-nsec: yes
# Use 0x20-encoded random bits in the query to foil spoof attempts.
# This feature is an experimental implementation of draft dns-0x20.
@@ -569,7 +594,7 @@ server:
# threshold, a warning is printed and a defensive action is taken,
# the cache is cleared to flush potential poison out of it.
# A suggested value is 10000000, the default is 0 (turned off).
- # unwanted-reply-threshold: 0
+ unwanted-reply-threshold: 10000000
# Do not query the following addresses. No DNS queries are sent there.
# List one address per entry. List classless netblocks with /size,
@@ -581,20 +606,20 @@ server:
# do-not-query-localhost: yes
# if yes, perform prefetching of almost expired message cache entries.
- # prefetch: no
+ prefetch: yes
# if yes, perform key lookups adjacent to normal lookups.
- # prefetch-key: no
+ prefetch-key: yes
# deny queries of type ANY with an empty response.
- # deny-any: no
+ deny-any: yes
# if yes, Unbound rotates RRSet order in response.
- # rrset-roundrobin: yes
+ rrset-roundrobin: yes
# if yes, Unbound doesn't insert authority/additional sections
# into response messages when those sections are not required.
- # minimal-responses: yes
+ minimal-responses: yes
# true to disable DNSSEC lameness check in iterator.
# disable-dnssec-lame-check: no
@@ -604,7 +629,9 @@ server:
# most modules have to be listed at the beginning of the line,
# except cachedb(just before iterator), and python (at the beginning,
# or, just before the iterator).
- # module-config: "validator iterator"
+ # For redis cachedb use:
+ # "ipsecmod validator cachedb iterator"
+ module-config: "ipsecmod validator iterator"
# File with trusted keys, kept uptodate using RFC5011 probes,
# initial file like trust-anchor-file, then it stores metadata.
@@ -618,10 +645,10 @@ server:
# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
# trust anchor signaling sends a RFC8145 key tag query after priming.
- # trust-anchor-signaling: yes
+ trust-anchor-signaling: yes
# Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
- # root-key-sentinel: yes
+ root-key-sentinel: yes
# File with trusted keys for validation. Specify more than one file
# with several entries, one file per entry.
@@ -642,6 +669,9 @@ server:
# the trusted-keys { name flag proto algo "key"; }; clauses are read.
# you need external update procedures to track changes in keys.
# trusted-keys-file: ""
+ #
+ trusted-keys-file: /etc/unbound/keys.d/*.key
+ auto-trust-anchor-file: "/var/lib/unbound/root.key"
# Ignore chain of trust. Domain is treated as insecure.
# domain-insecure: "example.com"
@@ -669,14 +699,15 @@ server:
# unsecure data. Useful to shield the users of this validator from
# potential bogus data in the additional section. All unsigned data
# in the additional section is removed from secure messages.
- # val-clean-additional: yes
+ val-clean-additional: yes
# Turn permissive mode on to permit bogus messages. Thus, messages
# for which security checks failed will be returned to clients,
# instead of SERVFAIL. It still performs the security checks, which
# result in interesting log files and possibly the AD bit in
# replies if the message is found secure. The default is off.
- # val-permissive-mode: no
+ # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
+ val-permissive-mode: no
# Ignore the CD flag in incoming queries and refuse them bogus data.
# Enable it if the only clients of Unbound are legacy servers (w2008)
@@ -690,11 +721,11 @@ server:
# Serve expired responses from cache, with serve-expired-reply-ttl in
# the response, and then attempt to fetch the data afresh.
- # serve-expired: no
+ serve-expired: yes
#
# Limit serving of expired responses to configured seconds after
# expiration. 0 disables the limit.
- # serve-expired-ttl: 0
+ serve-expired-ttl: 14400
#
# Set the TTL of expired records to the serve-expired-ttl value after a
# failed attempt to retrieve the record from upstream. This makes sure
@@ -721,7 +752,7 @@ server:
# Have the validator log failed validations for your diagnosis.
# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
- # val-log-level: 0
+ val-log-level: 1
# It is possible to configure NSEC3 maximum iteration counts per
# keysize. Keep this table very short, as linear search is done.
@@ -865,6 +896,8 @@ server:
# you need to do the reverse notation yourself.
# local-data-ptr: "192.0.2.3 www.example.com"
+ include: /etc/unbound/local.d/*.conf
+
# tag a localzone with a list of tag names (in "" with spaces between)
# local-zone-tag: "example.com" "tag2 tag3"
@@ -875,8 +908,8 @@ server:
# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
# Give the certificate to use and private key.
# default is "" (disabled). requires restart to take effect.
- # tls-service-key: "path/to/privatekeyfile.key"
- # tls-service-pem: "path/to/publiccertfile.pem"
+ # tls-service-key: "/etc/unbound/unbound_server.key"
+ # tls-service-pem: "/etc/unbound/unbound_server.pem"
# tls-port: 853
# https-port: 443
@@ -884,6 +917,8 @@ server:
# tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
# cipher setting for TLSv1.3
# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
+ # Fedora/RHEL: use system-wide crypto policies
+ tls-ciphers: "PROFILE=SYSTEM"
# Pad responses to padded queries received over TLS
# pad-responses: yes
@@ -1005,12 +1040,12 @@ server:
# fast-server-num: 3
# Enable to attach Extended DNS Error codes (RFC8914) to responses.
- # ede: no
+ ede: yes
# Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale
# Answer as EDNS0 option to expired responses.
# Note that the ede option above needs to be enabled for this to work.
- # ede-serve-expired: no
+ ede-serve-expired: yes
# Specific options for ipsecmod. Unbound needs to be configured with
# --enable-ipsecmod for these to take effect.
@@ -1018,12 +1053,14 @@ server:
# Enable or disable ipsecmod (it still needs to be defined in
# module-config above). Can be used when ipsecmod needs to be
# enabled/disabled via remote-control(below).
- # ipsecmod-enabled: yes
- #
+ # Fedora: module will be enabled on-demand by libreswan
+ ipsecmod-enabled: no
+
# Path to executable external hook. It must be defined when ipsecmod is
# listed in module-config (above).
# ipsecmod-hook: "./my_executable"
- #
+ ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook
+
# When enabled Unbound will reply with SERVFAIL if the return value of
# the ipsecmod-hook is not 0.
# ipsecmod-strict: no
@@ -1056,7 +1093,7 @@ server:
# o and give a python-script to run.
python:
# Script file to load
- # python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py"
+ # python-script: "/etc/unbound/ubmodule-tst.py"
# Dynamic library config section. To enable:
# o use --with-dynlibmodule to configure before compiling.
@@ -1067,13 +1104,18 @@ python:
# the module-config then you need one dynlib-file per instance.
dynlib:
# Script file to load
- # dynlib-file: "@UNBOUND_SHARE_DIR@/dynlib.so"
+ # dynlib-file: "/etc/unbound/dynlib.so"
# Remote control config section.
remote-control:
# Enable remote control with unbound-control(8) here.
# set up the keys and certificates with unbound-control-setup.
- # control-enable: no
+ # Note: required for unbound-munin package
+ control-enable: yes
+
+ # Set to no and use an absolute path as control-interface to use
+ # a unix local named pipe for unbound-control.
+ # control-use-cert: yes
# what interfaces are listened to for remote control.
# give 0.0.0.0 and ::0 to listen to all interfaces.
@@ -1087,19 +1129,22 @@ remote-control:
# for localhost, you can disable use of TLS by setting this to "no"
# For local sockets this option is ignored, and TLS is not used.
- # control-use-cert: "yes"
+ control-use-cert: "no"
# Unbound server key file.
- # server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key"
+ server-key-file: "/etc/unbound/unbound_server.key"
# Unbound server certificate file.
- # server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem"
+ server-cert-file: "/etc/unbound/unbound_server.pem"
# unbound-control key file.
- # control-key-file: "@UNBOUND_RUN_DIR@/unbound_control.key"
+ control-key-file: "/etc/unbound/unbound_control.key"
# unbound-control certificate file.
- # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
+ control-cert-file: "/etc/unbound/unbound_control.pem"
+
+# Stub and Forward zones
+include: /etc/unbound/conf.d/*.conf
# Stub zones.
# Create entries like below, to make all queries for 'example.com' and
@@ -1121,6 +1166,10 @@ remote-control:
# name: "example.org"
# stub-host: ns.example.com.
+# You can now also dynamically create and delete stub-zone's using
+# unbound-control stub_add domain.com 1.2.3.4 5.6.7.8
+# unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8
+
# Forward zones
# Create entries like below, to make all queries for 'example.com' and
# 'example.org' go to the given list of servers. These servers have to handle
@@ -1138,6 +1187,10 @@ remote-control:
# forward-zone:
# name: "example.org"
# forward-host: fwd.example.com
+#
+# You can now also dynamically create and delete forward-zone's using
+# unbound-control forward_add domain.com 1.2.3.4 5.6.7.8
+# unbound-control forward_remove domain.com 1.2.3.4 5.6.7.8
# Authority zones
# The data for these zones is kept locally, from a file or downloaded.
@@ -1145,30 +1198,31 @@ remote-control:
# upstream (which saves a lookup to the upstream). The first example
# has a copy of the root for local usage. The second serves example.org
# authoritatively. zonefile: reads from file (and writes to it if you also
-# download it), primary: fetches with AXFR and IXFR, or url to zonefile.
-# With allow-notify: you can give additional (apart from primaries and urls)
-# sources of notifies.
-# auth-zone:
-# name: "."
-# primary: 199.9.14.201 # b.root-servers.net
-# primary: 192.33.4.12 # c.root-servers.net
-# primary: 199.7.91.13 # d.root-servers.net
-# primary: 192.5.5.241 # f.root-servers.net
-# primary: 192.112.36.4 # g.root-servers.net
-# primary: 193.0.14.129 # k.root-servers.net
-# primary: 192.0.47.132 # xfr.cjr.dns.icann.org
-# primary: 192.0.32.132 # xfr.lax.dns.icann.org
-# primary: 2001:500:200::b # b.root-servers.net
-# primary: 2001:500:2::c # c.root-servers.net
-# primary: 2001:500:2d::d # d.root-servers.net
-# primary: 2001:500:2f::f # f.root-servers.net
-# primary: 2001:500:12::d0d # g.root-servers.net
-# primary: 2001:7fd::1 # k.root-servers.net
-# primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
-# primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
-# fallback-enabled: yes
-# for-downstream: no
-# for-upstream: yes
+# download it), master: fetches with AXFR and IXFR, or url to zonefile.
+# With allow-notify: you can give additional (apart from masters) sources of
+# notifies.
+auth-zone:
+ name: "."
+ primary: 199.9.14.201 # b.root-servers.net
+ primary: 192.33.4.12 # c.root-servers.net
+ primary: 199.7.91.13 # d.root-servers.net
+ primary: 192.5.5.241 # f.root-servers.net
+ primary: 192.112.36.4 # g.root-servers.net
+ primary: 193.0.14.129 # k.root-servers.net
+ primary: 192.0.47.132 # xfr.cjr.dns.icann.org
+ primary: 192.0.32.132 # xfr.lax.dns.icann.org
+ primary: 2001:500:200::b # b.root-servers.net
+ primary: 2001:500:2::c # c.root-servers.net
+ primary: 2001:500:2d::d # d.root-servers.net
+ primary: 2001:500:2f::f # f.root-servers.net
+ primary: 2001:500:12::d0d # g.root-servers.net
+ primary: 2001:7fd::1 # k.root-servers.net
+ primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
+ primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
+ fallback-enabled: yes
+ for-downstream: no
+ for-upstream: yes
+
# auth-zone:
# name: "example.org"
# for-downstream: yes
@@ -1194,6 +1248,9 @@ remote-control:
# name: "anotherview"
# local-zone: "example.com" refuse
+# Fedora: DNSCrypt support not enabled since it requires linking to
+# another crypto library
+#
# DNSCrypt
# To enable, use --enable-dnscrypt to configure before compiling.
# Caveats:
@@ -1266,7 +1323,7 @@ remote-control:
# dnstap-enable: no
# # if set to yes frame streams will be used in bidirectional mode
# dnstap-bidirectional: yes
-# dnstap-socket-path: "@DNSTAP_SOCKET_PATH@"
+# dnstap-socket-path: "/etc/unbound/dnstap.sock"
# # if "" use the unix socket in dnstap-socket-path, otherwise,
# # set it to "IPaddress[@port]" of the destination.
# dnstap-ip: ""
--
2.41.0