Diffstat (limited to 'doc/example.conf.in')
-rw-r--r-- | doc/example.conf.in | 48 |
1 files changed, 40 insertions, 8 deletions
diff --git a/doc/example.conf.in b/doc/example.conf.in index b18513600700..73ed7fde0e5a 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -1,7 +1,7 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.6.8. +# See unbound.conf(5) man page, version 1.7.0. # # this is a comment. @@ -371,7 +371,7 @@ server: # Sent minimum amount of information to upstream servers to enhance # privacy. Only sent minimum required labels of the QNAME and set QTYPE - # to NS when possible. + # to A when possible. # qname-minimisation: no # QNAME minimisation in strict mode. Do not fall-back to sending full @@ -380,6 +380,10 @@ server: # This option only has effect when qname-minimisation is enabled. # qname-minimisation-strict: no + # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN + # and other denials, using information from previous NXDOMAINs answers. + # aggressive-nsec: no + # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. # use-caps-for-id: no @@ -627,6 +631,7 @@ server: # o inform_deny drops queries and logs client IP address # o always_transparent, always_refuse, always_nxdomain, resolve in # that way but ignore local data for that name. + # o noview breaks out of that view towards global local-zones. # # defaults are localhost address, reverse for 127.0.0.1 and ::1 # and nxdomain for AS112 zones. If you configure one of these zones 
@@ -662,13 +667,16 @@ server: # service clients over SSL (on the TCP sockets), with plain DNS inside # the SSL stream. Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. - # ssl-service-key: "path/to/privatekeyfile.key" - # ssl-service-pem: "path/to/publiccertfile.pem" - # ssl-port: 853 + # tls-service-key: "path/to/privatekeyfile.key" + # tls-service-pem: "path/to/publiccertfile.pem" + # tls-port: 853 # request upstream over SSL (with plain DNS inside the SSL stream). # Default is no. Can be turned on and off with unbound-control. - # ssl-upstream: no + # tls-upstream: no + + # Certificates used to authenticate connections made upstream. + # tls-cert-bundle: "" # DNS64 prefix. Must be specified when DNS64 is use. # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4. @@ -787,7 +795,7 @@ remote-control: # stub-addr: 192.0.2.68 # stub-prime: no # stub-first: no -# stub-ssl-upstream: no +# stub-tls-upstream: no # stub-zone: # name: "example.org" # stub-host: ns.example.com. 
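Review bot: The new `# tls-cert-bundle: ""` entry in the `@@ -662,13 +667,16 @@` hunk sits beside `tls-upstream` with an empty value, and its comment does not say what an empty bundle means for upstream connections. If the bundle is what authenticates the upstream server, as the comment's wording implies, then the default shown leaves DNS-over-TLS encrypted but unauthenticated. An operator turning on `tls-upstream: yes` to stop on-path tampering needs to know that. I would extend the comment to something like `# Certificates used to authenticate connections made upstream. If empty, upstream certificates are not verified.`, after confirming that behaviour against the man page. The neighbouring comment lines still say "SSL" while the options are now `tls-*`, so mentioning both terms there would help anyone searching the file.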
@@ -803,11 +811,35 @@ remote-control: # forward-addr: 192.0.2.68 # forward-addr: 192.0.2.73@5355 # forward to port 5355. # forward-first: no -# forward-ssl-upstream: no +# forward-tls-upstream: no # forward-zone: # name: "example.org" # forward-host: fwd.example.com +# Authority zones +# The data for these zones is kept locally, from a file or downloaded. +# The data can be served to downstream clients, or used instead of the +# upstream (which saves a lookup to the upstream). The first example +# has a copy of the root for local usage. The second serves example.org +# authoritatively. zonefile: reads from file (and writes to it if you also +# download it), master: fetches with AXFR and IXFR, or url to zonefile. +# auth-zone: +# name: "." +# for-downstream: no +# for-upstream: yes +# fallback-enabled: yes +# master: b.root-servers.net +# master: c.root-servers.net +# master: e.root-servers.net +# master: f.root-servers.net +# master: g.root-servers.net +# master: k.root-servers.net +# auth-zone: +# name: "example.org" +# for-downstream: yes +# for-upstream: yes +# zonefile: "example.org.zone" + # Views # Create named views. Name must be unique. Map views to requests using # the access-control-view option. Views can contain zero or more local-zone |
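Review bot: In the new "Authority zones" block, `fallback-enabled: yes` is used in the root example but never explained, although `zonefile:` and `master:` each get a sentence. It decides what the resolver does when the local copy cannot answer, so it deserves a line such as `# fallback-enabled: yes resolves via the upstream as usual when the local zone copy cannot be used.` (wording to be checked against unbound.conf(5)). The block also does not say whether data fetched with `master:` or a url is verified before it is served. With `for-downstream: yes`, as in the example.org entry, that data is presumably handed to clients as authoritative. A short comment on how transfers are authenticated, or that they are not, would let operators decide which masters to trust.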