

Revision 1.2, Fri Mar 21 00:23:15 2014 UTC (10 years, 2 months ago) by sthen
Branch: MAIN
Changes since 1.1: +3 -3 lines

Install a /var/unbound/db directory, writable by the _unbound daemon,
and use it as the default location for the DNSSEC root key. Update default
config for this location.

With this, the only step required to enable DNSSEC validation is to
uncomment these default config entries and restart:

	#module-config: "validator iterator"
	#auto-trust-anchor-file: "/var/unbound/db/root.key"

There is no longer a requirement to run unbound-anchor manually to
update the root key. The rc.d script will take care of updates at boot,
and Unbound will manage the file itself at runtime.

Test with "dig test.dnssec-or-not.net txt @127.0.0.1" or similar.

# $OpenBSD: unbound.conf,v 1.2 2014/03/21 00:23:15 sthen Exp $
#
# Default configuration for the Unbound recursive resolver. As shipped it
# listens on the loopback addresses only, refuses queries from every other
# source, and leaves DNSSEC validation disabled until the two lines marked
# below are uncommented.

server:
	# Bind only the IPv4 and IPv6 loopback addresses. The commented form
	# shows the "address@port" syntax for listening on an alternative port.
	interface: 127.0.0.1
	#interface: 127.0.0.1@5353	# listen on alternative port
	interface: ::1
	# Uncomment to stop Unbound from using IPv6 transport for its own
	# queries and answers.
	#do-ip6: no

	# Default-deny access control: every IPv4 and IPv6 source is refused
	# (answered with REFUSED rather than silently dropped) except the
	# loopback ranges. Unbound applies the most specific matching prefix,
	# so the 127.0.0.0/8 and ::1 entries take precedence over the catch-all
	# refuse lines regardless of their order here.
	access-control: 0.0.0.0/0 refuse
	access-control: 127.0.0.0/8 allow
	access-control: ::0/0 refuse
	access-control: ::1 allow

	# Do not disclose the server identity or software version in answers
	# to id.server/hostname.bind and version.server/version.bind queries.
	hide-identity: yes
	hide-version: yes

	# Uncomment to enable DNSSEC validation.
	#
	# The root trust anchor lives in /var/unbound/db, which is writable by
	# the _unbound daemon: the rc.d script refreshes root.key at boot and
	# Unbound maintains the file itself at runtime (rev 1.2 log), so no
	# manual unbound-anchor run is required. After enabling, confirm that
	# validation works with a query such as
	# "dig test.dnssec-or-not.net txt @127.0.0.1".
	#
	#module-config: "validator iterator"
	#auto-trust-anchor-file: "/var/unbound/db/root.key"

	# Serve zones authoritatively from Unbound to resolver clients.
	# Not for external service. Note use of "nodefault" for AS112 zones,
	# i.e. reverse lookup zones for RFC1918 and similar addresses.
	#
	# The examples use 192.0.2.0/24 (documentation range) and a ".local"
	# zone; replace both with the names and addresses of this host's own
	# network before uncommenting.
	#
	#local-zone: "local." static
	#local-data: "mycomputer.local. IN A 192.0.2.51"
	#local-zone: "2.0.192.in-addr.arpa." static nodefault
	#local-data-ptr: "192.0.2.51 mycomputer.local"

	# UDP EDNS reassembly buffer advertised to peers. Default 4096.
	# May need lowering on broken networks with fragmentation/MTU issues,
	# particularly if validating DNSSEC.
	#
	#edns-buffer-size: 1480

	# Use TCP for "forward-zone" requests. Useful if you are making
	# DNS requests over an SSH port forwarding.
	#
	#tcp-upstream: yes

# Use an upstream forwarder (recursive resolver) for specific zones.
# Example addresses given below are public resolvers valid as of 2014/03.
#
# Note: with forward-first set, Unbound falls back to direct recursion when
# the forwarder does not answer, so the forwarder is a preference rather
# than a hard boundary for outbound DNS traffic. Queries sent to the
# addresses below leave this host for the listed third-party operators;
# drop forward-first if every query must go through the forwarder.
#
#forward-zone:
#	name: "."				# use for ALL queries
#	forward-addr: 74.82.42.42		# he.net
#	forward-addr: 2001:470:20::2		# he.net v6
#	forward-addr: 8.8.8.8			# google.com
#	forward-addr: 2001:4860:4860::8888	# google.com v6
#	forward-addr: 208.67.222.222		# opendns.com
#	forward-first: yes			# try direct if forwarder fails