authorDag-Erling Smørgrav <des@FreeBSD.org>2018-05-12 11:56:52 +0000
committerDag-Erling Smørgrav <des@FreeBSD.org>2018-05-12 11:56:52 +0000
commit4289761a7b61df4b64c11ada446a187df61e6a1e (patch)
treeed7ceb7a1652fb9f865fafd21fbe18d1a3b5f79d /doc/example.conf.in
parent197f1a0fe3e81cde0cd25a3a1f37ebedf9a99488 (diff)
Diffstat (limited to 'doc/example.conf.in')
-rw-r--r--doc/example.conf.in38
1 files changed, 30 insertions, 8 deletions
diff --git a/doc/example.conf.in b/doc/example.conf.in
index 73ed7fde0e5a..2260ba2544ab 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -1,7 +1,7 @@
#
# Example configuration file.
#
-# See unbound.conf(5) man page, version 1.7.0.
+# See unbound.conf(5) man page, version 1.7.1.
#
# this is a comment.
@@ -199,7 +199,7 @@ server:
# upstream connections use TCP only (and no UDP), "yes" or "no"
# useful for tunneling scenarios, default no.
# tcp-upstream: no
-
+
# upstream connections also use UDP (even if do-udp is no).
# useful if if you want UDP upstream, but don't provide UDP downstream.
# udp-upstream-without-downstream: no
@@ -320,7 +320,7 @@ server:
# enable to not answer version.server and version.bind queries.
# hide-version: no
-
+
# enable to not answer trustanchor.unbound queries.
# hide-trustanchor: no
@@ -458,6 +458,9 @@ server:
# trust anchor signaling sends a RFC8145 key tag query after priming.
# trust-anchor-signaling: yes
+
+ # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
+ # root-key-sentinel: yes
# File with DLV trusted keys. Same format as trust-anchor-file.
# There can be only one DLV configured, it is trusted from root down.
@@ -630,7 +633,7 @@ server:
# o inform acts like transparent, but logs client IP address
# o inform_deny drops queries and logs client IP address
# o always_transparent, always_refuse, always_nxdomain, resolve in
- # that way but ignore local data for that name.
+ # that way but ignore local data for that name
# o noview breaks out of that view towards global local-zones.
#
# defaults are localhost address, reverse for 127.0.0.1 and ::1
@@ -664,20 +667,23 @@ server:
# add a netblock specific override to a localzone, with zone type
# local-zone-override: "example.com" 192.0.2.0/24 refuse
- # service clients over SSL (on the TCP sockets), with plain DNS inside
- # the SSL stream. Give the certificate to use and private key.
+ # service clients over TLS (on the TCP sockets), with plain DNS inside
+ # the TLS stream. Give the certificate to use and private key.
# default is "" (disabled). requires restart to take effect.
# tls-service-key: "path/to/privatekeyfile.key"
# tls-service-pem: "path/to/publiccertfile.pem"
# tls-port: 853
- # request upstream over SSL (with plain DNS inside the SSL stream).
+ # request upstream over TLS (with plain DNS inside the TLS stream).
# Default is no. Can be turned on and off with unbound-control.
# tls-upstream: no
# Certificates used to authenticate connections made upstream.
# tls-cert-bundle: ""
+ # Also serve tls on these port numbers (eg. 443, ...), by listing
+ # additional-tls-port: portno for each of the port numbers.
+
# DNS64 prefix. Must be specified when DNS64 is use.
# Enable dns64 in module-config. Used to synthesize IPv6 from IPv4.
# dns64-prefix: 64:ff9b::0/96
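Review bot: The added `additional-tls-port` text near the end of this hunk is the only option in the TLS block with no commented-out sample line, so the syntax cannot be copied the way `# tls-port: 853` can. I would add `# additional-tls-port: 443` under the two new comment lines. If the extra ports reuse `tls-service-key` and `tls-service-pem` (not visible in this hunk), the comment should say so. Each extra port is another listener exposed to clients, so it is worth noting that `access-control` and firewall rules must cover it as well. The `server:` clause starts and ends outside the hunk.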
@@ -715,6 +721,12 @@ server:
# 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through
# ip-ratelimit-factor: 10
+ # what is considered a low rtt (ping time for upstream server), in msec
+ # low-rtt: 45
+ # select low rtt this many times out of 1000. 0 means the fast server
+ # select is disabled. prefetches are not sped up.
+ # low-rtt-pct: 0
+
# Specific options for ipsecmod. unbound needs to be configured with
# --enable-ipsecmod for these to take effect.
#
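Review bot: The comment on `low-rtt-pct` gives the unit as "times out of 1000" while the option name says pct, so an operator who writes 90 expecting ninety percent gets nine percent. Spelling the unit out in the comment would prevent this, for example `# select low rtt this many times out of 1000 (per mille, not percent; 900 = 90%).` It would also help to say that a non-zero value concentrates queries on the fastest upstream servers, so the operator knows it changes server selection and is not only a latency setting. The `server:` clause continues outside the hunk.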
@@ -823,6 +835,8 @@ remote-control:
# has a copy of the root for local usage. The second serves example.org
# authoritatively. zonefile: reads from file (and writes to it if you also
# download it), master: fetches with AXFR and IXFR, or url to zonefile.
+# With allow-notify: you can give additional (apart from masters) sources of
+# notifies.
# auth-zone:
# name: "."
# for-downstream: no
@@ -851,7 +865,7 @@ remote-control:
# name: "viewname"
# local-zone: "example.com" redirect
# local-data: "example.com A 192.0.2.3"
-# local-data-ptr: "192.0.2.3 www.example.com"
+# local-data-ptr: "192.0.2.3 www.example.com"
# view-first: no
# view:
# name: "anotherview"
@@ -886,3 +900,11 @@ remote-control:
# backend: "testframe"
# # secret seed string to calculate hashed keys
# secret-seed: "default"
+#
+# # For "redis" backend:
+# # redis server's IP address or host name
+# redis-server-host: 127.0.0.1
+# # redis server's TCP port
+# redis-server-port: 6379
+# # timeout (in ms) for communication with the redis server
+# redis-timeout: 100
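Review bot: The new redis options cover host, port and timeout but say nothing about trust; no credential or TLS setting appears among them, so the link to the backend is presumably unauthenticated and unencrypted. Anything that can reach or write to that redis instance may be able to influence what the resolver later serves from its cache, which makes the choice of `redis-server-host` a security decision. I would add a caution above it, for example `# # keep the redis server on loopback or a trusted, access-controlled network`. The comment on `redis-timeout` could also say what happens when the timeout expires, which this hunk does not show.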