Edit

IABSD.fr/src/etc/unbound.conf

Branch :

  • Show log

    Commit

  • Author : sthen
    Date : 2019-11-07 15:46:37
    Hash : 5effc14a
    Message : Reenable "val-log-level: 2", so that when sites have misconfigured dnssec the sysadmin has some idea what's going on in logs, and "aggressive-nsec: yes", if we're using dnssec anyway we might as well get the benefits. These were both enabled last time dnssec was enabled in this sample unbound.conf. ok florian@

  • etc/unbound.conf
  • # $OpenBSD: unbound.conf,v 1.19 2019/11/07 15:46:37 sthen Exp $
    
    server:
    	interface: 127.0.0.1
    	#interface: 127.0.0.1@5353	# listen on alternative port
    	interface: ::1
    	#do-ip6: no
    
    	# override the default "any" address to send queries; if multiple
    	# addresses are available, they are used randomly to counter spoofing
    	#outgoing-interface: 192.0.2.1
    	#outgoing-interface: 2001:db8::53
    
    	access-control: 0.0.0.0/0 refuse
    	access-control: 127.0.0.0/8 allow
    	access-control: ::0/0 refuse
    	access-control: ::1 allow
    
    	hide-identity: yes
    	hide-version: yes
    
    	# Perform DNSSEC validation. Comment out the below option to disable.
    	#
    	auto-trust-anchor-file: "/var/unbound/db/root.key"
    	val-log-level: 2
    
    	# Uncomment to synthesize NXDOMAINs from DNSSEC NSEC chains
    	# https://tools.ietf.org/html/rfc8198
    	#
    	aggressive-nsec: yes
    
    	# Serve zones authoritatively from Unbound to resolver clients.
    	# Not for external service.
    	#
    	#local-zone: "local." static
    	#local-data: "mycomputer.local. IN A 192.0.2.51"
    	#local-zone: "2.0.192.in-addr.arpa." static
    	#local-data-ptr: "192.0.2.51 mycomputer.local"
    
    	# UDP EDNS reassembly buffer advertised to peers. Default 4096.
    	# May need lowering on broken networks with fragmentation/MTU issues,
    	# particularly if validating DNSSEC.
    	#
    	#edns-buffer-size: 1480
    
    	# Use TCP for "forward-zone" requests. Useful if you are making
    	# DNS requests over an SSH port forwarding.
    	#
    	#tcp-upstream: yes
    
    	# CA Certificates used for forward-tls-upstream (RFC7858) hostname
    	# verification.  Since it's outside the chroot it is only loaded at
    	# startup and thus cannot be changed via a reload.
    	#tls-cert-bundle: "/etc/ssl/cert.pem"
    
    remote-control:
    	control-enable: yes
    	control-interface: /var/run/unbound.sock
    
    # Use an upstream forwarder (recursive resolver) for some or all zones.
    #
    #forward-zone:
    #	name: "."				# use for ALL queries
    #	forward-addr: 192.0.2.53		# example address only
    #	forward-first: yes			# try direct if forwarder fails
    
    # Use an upstream DNS-over-TLS forwarder and do not fall back to cleartext
    # if that fails.
    #forward-zone:
    #	name: "."
    #	forward-tls-upstream: yes		# use DNS-over-TLS forwarder
    #	forward-first: no			# do NOT send direct
    #	# the hostname after "#" is not a comment, it is used for TLS checks:
    #	forward-addr: 192.0.2.53@853#resolver.hostname.example