Diffstat (limited to 'doc/example.conf.in')
-rw-r--r--doc/example.conf.in48
1 files changed, 40 insertions, 8 deletions
diff --git a/doc/example.conf.in b/doc/example.conf.in
index b18513600700..73ed7fde0e5a 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -1,7 +1,7 @@
#
# Example configuration file.
#
-# See unbound.conf(5) man page, version 1.6.8.
+# See unbound.conf(5) man page, version 1.7.0.
#
# this is a comment.
@@ -371,7 +371,7 @@ server:
# Sent minimum amount of information to upstream servers to enhance
# privacy. Only sent minimum required labels of the QNAME and set QTYPE
- # to NS when possible.
+ # to A when possible.
# qname-minimisation: no
# QNAME minimisation in strict mode. Do not fall-back to sending full
@@ -380,6 +380,10 @@ server:
# This option only has effect when qname-minimisation is enabled.
# qname-minimisation-strict: no
+ # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
+ # and other denials, using information from previous NXDOMAINs answers.
+ # aggressive-nsec: no
+
# Use 0x20-encoded random bits in the query to foil spoof attempts.
# This feature is an experimental implementation of draft dns-0x20.
# use-caps-for-id: no
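Review bot: The added `aggressive-nsec` comment does not say that the synthesis relies on NSEC records that have passed DNSSEC validation, so a reader could enable it on a resolver that runs without the validator module and expect it to have an effect. I would add a line such as `# Only DNSSEC-validated NSEC records are used; requires the validator module.` This is inferred from how aggressive NSEC caching is specified in RFC 8198, so confirm it against unbound.conf(5). The phrase "previous NXDOMAINs answers" should read "previous NXDOMAIN answers". The `server:` section starts outside this hunk.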
@@ -627,6 +631,7 @@ server:
# o inform_deny drops queries and logs client IP address
# o always_transparent, always_refuse, always_nxdomain, resolve in
# that way but ignore local data for that name.
+ # o noview breaks out of that view towards global local-zones.
#
# defaults are localhost address, reverse for 127.0.0.1 and ::1
# and nxdomain for AS112 zones. If you configure one of these zones
@@ -662,13 +667,16 @@ server:
# service clients over SSL (on the TCP sockets), with plain DNS inside
# the SSL stream. Give the certificate to use and private key.
# default is "" (disabled). requires restart to take effect.
- # ssl-service-key: "path/to/privatekeyfile.key"
- # ssl-service-pem: "path/to/publiccertfile.pem"
- # ssl-port: 853
+ # tls-service-key: "path/to/privatekeyfile.key"
+ # tls-service-pem: "path/to/publiccertfile.pem"
+ # tls-port: 853
# request upstream over SSL (with plain DNS inside the SSL stream).
# Default is no. Can be turned on and off with unbound-control.
- # ssl-upstream: no
+ # tls-upstream: no
+
+ # Certificates used to authenticate connections made upstream.
+ # tls-cert-bundle: ""
# DNS64 prefix. Must be specified when DNS64 is use.
# Enable dns64 in module-config. Used to synthesize IPv6 from IPv4.
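Review bot: The added `tls-cert-bundle: ""` example gives the empty default without saying what it means for `tls-upstream: yes`. With no bundle loaded there is presumably nothing to verify the upstream certificate against, so the connection would be encrypted but not authenticated, and an on-path party could terminate it. I would extend the comment, e.g. `# With "" no CA file is loaded and upstream certificates are not verified.`, after confirming the behaviour in unbound.conf(5) for this version. The surrounding comment lines still say "SSL" while the options are now `tls-*`; the wording should match, and if the old `ssl-*` names are still accepted that is worth one line for people upgrading.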
@@ -787,7 +795,7 @@ remote-control:
# stub-addr: 192.0.2.68
# stub-prime: no
# stub-first: no
-# stub-ssl-upstream: no
+# stub-tls-upstream: no
# stub-zone:
# name: "example.org"
# stub-host: ns.example.com.
@@ -803,11 +811,35 @@ remote-control:
# forward-addr: 192.0.2.68
# forward-addr: 192.0.2.73@5355 # forward to port 5355.
# forward-first: no
-# forward-ssl-upstream: no
+# forward-tls-upstream: no
# forward-zone:
# name: "example.org"
# forward-host: fwd.example.com
+# Authority zones
+# The data for these zones is kept locally, from a file or downloaded.
+# The data can be served to downstream clients, or used instead of the
+# upstream (which saves a lookup to the upstream). The first example
+# has a copy of the root for local usage. The second serves example.org
+# authoritatively. zonefile: reads from file (and writes to it if you also
+# download it), master: fetches with AXFR and IXFR, or url to zonefile.
+# auth-zone:
+# name: "."
+# for-downstream: no
+# for-upstream: yes
+# fallback-enabled: yes
+# master: b.root-servers.net
+# master: c.root-servers.net
+# master: e.root-servers.net
+# master: f.root-servers.net
+# master: g.root-servers.net
+# master: k.root-servers.net
+# auth-zone:
+# name: "example.org"
+# for-downstream: yes
+# for-upstream: yes
+# zonefile: "example.org.zone"
+
# Views
# Create named views. Name must be unique. Map views to requests using
# the access-control-view option. Views can contain zero or more local-zone
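Review bot: The new "Authority zones" comment block describes where zone data comes from (`zonefile:`, `master:` over AXFR/IXFR, or a url) but says nothing about whether that data is authenticated before it is used or served. For the root example (`for-downstream: no`, `for-upstream: yes`) answers presumably still go through the validator, but the `example.org` example with `for-downstream: yes` hands zonefile content to clients directly. I would add a line such as `# Data served with for-downstream: yes is not DNSSEC validated by unbound; protect the zonefile and the transfer path.`, to be confirmed against unbound.conf(5). `fallback-enabled: yes` is also used in the example without any explanation in the comment.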