
File: src/etc/unbound.conf

Revision 1.10, Fri Dec 7 11:54:04 2018 UTC (5 years, 5 months ago) by sthen
Branch: MAIN
Changes since 1.9: +4 -18 lines

Remove public resolver IP addresses, just provide a neutral "documentation
prefix" address instead - there are so many available with varying
policies that this isn't a good place to list them (and might imply
some kind of recommendation which is not intended).

Particularly prompted by several on the previous list (he.net and opendns)
strip RRSIG from results which cause DNSSEC failures now that validation
is enabled in the example config as noticed by solene@.

While there, shrink qname-minimisation comment to match other nearby
comments, and drop dns64 example which is quite a specialist use case
and not really needed in this basic example.

# $OpenBSD: unbound.conf,v 1.10 2018/12/07 11:54:04 sthen Exp $

server:
	interface: 127.0.0.1
	#interface: 127.0.0.1@5353	# listen on alternative port
	interface: ::1
	#do-ip6: no

	# override the default "any" address to send queries; if multiple
	# addresses are available, they are used randomly to counter spoofing
	#outgoing-interface: 192.0.2.1
	#outgoing-interface: 2001:db8::53

	access-control: 0.0.0.0/0 refuse
	access-control: 127.0.0.0/8 allow
	access-control: ::0/0 refuse
	access-control: ::1 allow

	hide-identity: yes
	hide-version: yes

	# Uncomment to enable qname minimisation.  RFC 7816
	#qname-minimisation: yes

	# Enable DNSSEC validation.
	auto-trust-anchor-file: "/var/unbound/db/root.key"
	val-log-level: 2

	# Synthesize NXDOMAINs from DNSSEC NSEC chains.  RFC 8198
	aggressive-nsec: yes

	# Serve zones authoritatively from Unbound to resolver clients.
	# Not for external service.
	#
	#local-zone: "local." static
	#local-data: "mycomputer.local. IN A 192.0.2.51"
	#local-zone: "2.0.192.in-addr.arpa." static
	#local-data-ptr: "192.0.2.51 mycomputer.local"

	# UDP EDNS reassembly buffer advertised to peers. Default 4096.
	# May need lowering on broken networks with fragmentation/MTU issues,
	# particularly if validating DNSSEC.
	#
	#edns-buffer-size: 1480

	# Use TCP for "forward-zone" requests. Useful if you are making
	# DNS requests over an SSH port forwarding.
	#
	#tcp-upstream: yes

remote-control:
	control-enable: yes
	control-use-cert: no
	control-interface: /var/run/unbound.sock

# Use an upstream forwarder (recursive resolver) for some or all zones.
#
#forward-zone:
#	name: "."				# use for ALL queries
#	forward-addr: 192.0.2.53		# example address only
#	forward-first: yes			# try direct if forwarder fails
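The access-control lines in this file only allow queries from the loopback addresses; everything else is refused. As an added example (not part of the OpenBSD file or of Unbound itself), the following Python parses those lines from a constructed copy of the config and evaluates client addresses the way Unbound does: the most specific matching netblock wins, and a client matching no rule is refused.

```python
import ipaddress

# Constructed excerpt of the server: section shown on this page; only
# the access-control lines matter for the check below.
UNBOUND_CONF = """\
server:
    interface: 127.0.0.1
    interface: ::1

    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow   # bare address means a single host
"""


def parse_access_control(conf_text):
    """Return [(ip_network, action), ...] from access-control: lines.
    Trailing '#' comments are dropped; a bare address becomes a /32 or /128."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("access-control:"):
            continue
        _, value = line.split(":", 1)
        netblock, action = value.split()
        rules.append((ipaddress.ip_network(netblock, strict=False), action))
    return rules


def acl_action(rules, client_ip):
    """Apply Unbound's rule: the most specific (longest prefix) matching
    netblock decides; with no match at all the query is refused."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net, action in rules:
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, action)
    return best[1] if best else "refuse"


if __name__ == "__main__":
    acl = parse_access_control(UNBOUND_CONF)
    for ip in ("127.0.0.1", "127.42.0.9", "192.0.2.10", "::1", "2001:db8::1"):
        print(f"{ip:>12} -> {acl_action(acl, ip)}")
```

Run it after editing the access-control lines to confirm that only the intended client networks resolve to "allow" before reloading the daemon.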