Diffstat (limited to 'doc/example.conf.in')
-rw-r--r-- | doc/example.conf.in | 67 |
1 files changed, 52 insertions, 15 deletions
diff --git a/doc/example.conf.in b/doc/example.conf.in index fc8bc6b0de8d..bbfaf66ddaed 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -1,7 +1,7 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.8.1. +# See unbound.conf(5) man page, version 1.9.0. # # this is a comment. @@ -123,6 +123,9 @@ server: # Suggested values are 512 to 4096. Default is 4096. 65536 disables it. # max-udp-size: 4096 + # max memory to use for stream(tcp and tls) waiting result buffers. + # stream-wait-size: 4m + # buffer size for handling DNS data. No messages larger than this # size can be sent or received, by UDP or TCP. In bytes. # msg-buffer-size: 65552 @@ -145,6 +148,10 @@ server: # msec to wait before close of port on timeout UDP. 0 disables. # delay-close: 0 + # msec for waiting for an unknown server to reply. Increase if you + # are behind a slow satellite link, to eg. 1128. + # unknown-server-time-limit: 376 + # the amount of memory to use for the RRset cache. # plain value in bytes or you can append k, m or G. default is "4Mb". # rrset-cache-size: 4m @@ -318,6 +325,10 @@ server: # timetoresolve, fromcache and responsesize. # log-replies: no + # log with tag 'query' and 'reply' instead of 'info' for + # filtering log-queries and log-replies from the log. + # log-tag-queryreply: no + # log the local-zone actions, like local-zone type inform is enabled # also for the other local zone types. # log-local-actions: no @@ -449,6 +460,9 @@ server: # if yes, perform key lookups adjacent to normal lookups. # prefetch-key: no + # deny queries of type ANY with an empty response. + # deny-any: no + # if yes, Unbound rotates RRSet order in response. # rrset-roundrobin: no 
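Review bot: The new `stream-wait-size` comment (hunk at -123,6) does not say what happens to responses once the limit is reached, nor that the value accepts the k/m/G suffixes that the `rrset-cache-size` comment further down spells out. This setting bounds the memory that TCP and TLS clients can make the server hold, so an operator sizing it against connection floods needs to know the failure mode. If further responses are dropped at the limit, which these lines do not show, I would state it: `# responses are dropped once this much is buffered. plain value in bytes or append k, m or G.`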
@@ -701,6 +715,19 @@ server: # tls-service-pem: "path/to/publiccertfile.pem" # tls-port: 853 + # cipher setting for TLSv1.2 + # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" + # cipher setting for TLSv1.3 + # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" + + # Add the secret file for TLS Session Ticket. + # Secret file must be 80 bytes of random data. + # First key use to encrypt and decrypt TLS session tickets. + # Other keys use to decrypt only. + # requires restart to take effect. + # tls-session-ticket-keys: "path/to/secret_file1" + # tls-session-ticket-keys: "path/to/secret_file2" + # request upstream over TLS (with plain DNS inside the TLS stream). # Default is no. Can be turned on and off with unbound-control. # tls-upstream: no @@ -757,12 +784,12 @@ server: # Limit the number of connections simultaneous from a netblock # tcp-connection-limit: 192.0.2.0/24 12 - # what is considered a low rtt (ping time for upstream server), in msec - # low-rtt: 45 - # select low rtt this many times out of 1000. 0 means the fast server - # select is disabled. prefetches are not sped up. - # low-rtt-permil: 0 - + # select from the fastest servers this many times out of 1000. 0 means + # the fast server select is disabled. prefetches are not sped up. + # fast-server-permil: 0 + # the number of servers that will be used in the fast server selection. + # fast-server-num: 3 + # Specific options for ipsecmod. unbound needs to be configured with # --enable-ipsecmod for these to take effect. # 
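Review bot: The session-ticket comment in the -701,6 hunk says what the key files contain but not how they must be protected. Whoever can read a listed file can decrypt the tickets issued under it, and with them the resumed sessions, so a long-lived or widely readable key weakens forward secrecy. I would add `# keep these files readable only by the unbound user and rotate them regularly.` after the "requires restart" line. Separately, the TLSv1.3 example lists `TLS_AES_128_CCM_8_SHA256`, a suite with a truncated 8-byte tag that OpenSSL leaves out of its default TLSv1.3 set, and the TLSv1.2 example ends in CBC-mode suites. A line such as `# example only; leave unset to use the TLS library defaults.` would stop the strings being copied as a recommendation, assuming unset does mean library defaults, which the hunk does not show.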
@@ -879,15 +906,25 @@ remote-control: # notifies. # auth-zone: # name: "." -# for-downstream: no +# master: 199.9.14.201 # b.root-servers.net +# master: 192.33.4.12 # c.root-servers.net +# master: 199.7.91.13 # d.root-servers.net +# master: 192.5.5.241 # f.root-servers.net +# master: 192.112.36.4 # g.root-servers.net +# master: 193.0.14.129 # k.root-servers.net +# master: 192.0.47.132 # xfr.cjr.dns.icann.org +# master: 192.0.32.132 # xfr.lax.dns.icann.org +# master: 2001:500:200::b # b.root-servers.net +# master: 2001:500:2::c # c.root-servers.net +# master: 2001:500:2d::d # d.root-servers.net +# master: 2001:500:2f::f # f.root-servers.net +# master: 2001:500:12::d0d # g.root-servers.net +# master: 2001:7fd::1 # k.root-servers.net +# master: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org +# master: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org +# fallback-enabled: yes +# for-downstream: no # for-upstream: yes -# fallback-enabled: yes -# master: b.root-servers.net -# master: c.root-servers.net -# master: e.root-servers.net -# master: f.root-servers.net -# master: g.root-servers.net -# master: k.root-servers.net # auth-zone: # name: "example.org" # for-downstream: yes |
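Review bot: The root `auth-zone` example in the -879,15 hunk now pins every `master:` to a literal address, which freezes a snapshot that goes stale when an operator renumbers. A comment should say so, e.g. `# addresses as of this release; check them against current root server data before use.` As far as these lines show, the transfer itself carries no authentication, so the example should also say that DNSSEC validation must stay on when the block is uncommented: `# zone data arrives by plain transfer; keep the validator and root trust anchor enabled.` The new list also swaps e.root-servers.net for d.root-servers.net without explanation; a short note in the commit message would help anyone diffing their own config against it.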