Default branch: MAIN

Revision 1.21, Wed Oct 28 11:35:58 2020 UTC by sthen
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, OPENBSD_7_4_BASE, OPENBSD_7_4, OPENBSD_7_3_BASE, OPENBSD_7_3, OPENBSD_7_2_BASE, OPENBSD_7_2, OPENBSD_7_1_BASE, OPENBSD_7_1, OPENBSD_7_0_BASE, OPENBSD_7_0, OPENBSD_6_9_BASE, OPENBSD_6_9, HEAD
Changes since 1.20: +1 -7 lines
Remove commented-out edns-buffer-size section from the default unbound.conf. The default in Unbound (and other DNS server software in the recent "DNS flag day") changed to 1232 bytes, this avoids problems due to fragmented packets (fragments can result in blackholes and also enable some attack vectors) so there's now little reason to reduce this from defaults, and increasing it is more of a specialist use case that isn't really needed in this streamlined default config.

Revision 1.20, Sun Jun 21 16:59:45 2020 UTC by sthen
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8
Changes since 1.19: +3 -3 lines
tidy wording from when dnssec was enabled/disabled/reenabled ok kn gsoares

Revision 1.19, Thu Nov 7 15:46:37 2019 UTC by sthen
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.18: +3 -3 lines
Reenable "val-log-level: 2", so that when sites have misconfigured dnssec the sysadmin has some idea what's going on in logs, and "aggressive-nsec: yes", if we're using dnssec anyway we might as well get the benefits. These were both enabled last time dnssec was enabled in this sample unbound.conf. ok florian@

Revision 1.18, Thu Nov 7 12:49:45 2019 UTC by job
Branch: MAIN
Changes since 1.17: +3 -3 lines
Enable DNSSEC validation in unbound by default OK deraadt@ otto@

Revision 1.17, Sun Aug 25 15:50:21 2019 UTC by ajacoutot
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.16: +6 -6 lines
space -> tabs ok deraadt@ kn@

Revision 1.16, Fri Jul 26 17:22:09 2019 UTC by sthen
Branch: MAIN
Changes since 1.15: +2 -2 lines
standard DoT port is 853 not 953; from myportslist20190323 at nym.hush.com

Revision 1.15, Mon Jul 15 10:18:20 2019 UTC by dtucker
Branch: MAIN
Changes since 1.14: +15 -1 lines
Add tls-cert-bundle and example of using a DNS-over-TLS forwarder. Note that, at this time, Unbound does not re-use TLS connections (https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4089) so the TCP and TLS handshakes will cause a disproportionate increase in latency compared to UDP. ok sthen@ florian@

Revision 1.14, Sun Dec 16 20:41:30 2018 UTC by tim
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE, OPENBSD_6_5
Changes since 1.13: +1 -2 lines
Remove control-use-cert. It is ignored for local sockets (since unbound 1.7.3). OK florian@ sthen@

Revision 1.13, Wed Dec 12 23:20:38 2018 UTC by sthen
Branch: MAIN
Changes since 1.12: +2 -1 lines
add commented-out "val-log-level: 2" next to the uncommentable line to enable dnssec validation, it's really useful for debug

Revision 1.12, Tue Dec 11 19:16:36 2018 UTC by florian
Branch: MAIN
Changes since 1.11: +9 -7 lines
the world is not ready for dnssec enabled by default

Revision 1.11, Mon Dec 10 16:46:03 2018 UTC by sthen
Branch: MAIN
Changes since 1.10: +1 -4 lines
remove qname-minimisation from sample config, this was turned on by default upstream in 1.7.2 (picked up by us with the update to 1.7.3). ok florian@

Revision 1.10, Fri Dec 7 11:54:04 2018 UTC by sthen
Branch: MAIN
Changes since 1.9: +4 -18 lines
Remove public resolver IP addresses, just provide a neutral "documentation prefix" address instead - there are so many available with varying policies that this isn't a good place to list them (and might imply some kind of recommendation which is not intended). Particularly prompted by several on the previous list (he.net and opendns) strip RRSIG from results which cause DNSSEC failures now that validation is enabled in the example config as noticed by solene@. While there, shrink qname-minimisation comment to match other nearby comments, and drop dns64 example which is quite a specialist use case and not really needed in this basic example.

Revision 1.9, Fri Dec 7 09:21:08 2018 UTC by florian
Branch: MAIN
Changes since 1.8: +6 -8 lines
Enable DNSSEC validation.
Requested by & OK claudio
Input & OK sthen
OK job, solene
Various commenting that they run with validation for a long time without issues.

Revision 1.8, Thu Mar 29 20:40:22 2018 UTC by florian
Branch: MAIN
CVS Tags: OPENBSD_6_4_BASE, OPENBSD_6_4
Changes since 1.7: +8 -3 lines
Add aggressive-nsec example block. While here, qname minimisation is an RFC since some time. tweak & OK sthen

Revision 1.7, Wed Mar 30 01:41:25 2016 UTC by sthen
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE, OPENBSD_6_3, OPENBSD_6_2_BASE, OPENBSD_6_2, OPENBSD_6_1_BASE, OPENBSD_6_1, OPENBSD_6_0_BASE, OPENBSD_6_0
Changes since 1.6: +6 -1 lines
add "outgoing-interface" to sample unbound.conf

Revision 1.6, Tue Dec 15 20:26:55 2015 UTC by sthen
Branch: MAIN
CVS Tags: OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.5: +13 -1 lines
add commented-out unbound.conf entries for dns64 (sitting in my tree and ok'd some time ago by phessler and IIRC also mikeb), and for qname-minimisation

Revision 1.5, Sun Jul 19 17:29:42 2015 UTC by sthen
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8
Changes since 1.4: +6 -1 lines
change default unbound config to enable the control socket, without using keys/certificates for auth. ok florian@

Revision 1.4, Wed Apr 2 21:43:30 2014 UTC by millert
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE, OPENBSD_5_7, OPENBSD_5_6_BASE, OPENBSD_5_6
Changes since 1.3: +3 -4 lines
Fix syntax error in commented out local-zone entry. OK sthen@

Revision 1.3, Sun Mar 23 12:25:26 2014 UTC by sthen
Branch: MAIN
Changes since 1.2: +1 -2 lines
Remove commented-out module-config line, it is already set to "validator iterator" by default. Pointed out by Patrik Lundin.

Revision 1.2, Fri Mar 21 00:23:15 2014 UTC by sthen
Branch: MAIN
Changes since 1.1: +3 -3 lines
Install a /var/unbound/db directory, writable by the _unbound daemon, and use it as the default location for the DNSSEC root key. Update default config for this location. With this, the only step required to enable DNSSEC validation is to uncomment these default config entries and restart:

	#module-config: "validator iterator"
	#auto-trust-anchor-file: "/var/unbound/db/root.key"

There is no longer a requirement to run unbound-anchor manually to update the root key. The rc.d script will take care of updates at boot, and Unbound will manage the file itself at runtime. Test with "dig test.dnssec-or-not.net txt @127.0.0.1" or similar.

Revision 1.1, Sat Mar 15 00:34:18 2014 UTC by sthen
Branch: MAIN
Add a new sample config file and rc.d script for unbound, ok deraadt@