diff options
Diffstat (limited to 'doc/example.conf.in')
| -rw-r--r-- | doc/example.conf.in | 92 |
1 files changed, 49 insertions, 43 deletions
diff --git a/doc/example.conf.in b/doc/example.conf.in index a96ccd3faf73..ff90e3b715d6 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -1,14 +1,14 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.5.6. +# See unbound.conf(5) man page, version 1.5.7. # # this is a comment. #Use this to include other text into the file. #include: "otherfile.conf" -# The server clause sets the main parameters. +# The server clause sets the main parameters. server: # whitespace is not necessary, but looks cleaner. @@ -40,7 +40,7 @@ server: # interface: 2001:DB8::5 # enable this feature to copy the source address of queries to reply. - # Socket options are not supported on all platforms. experimental. + # Socket options are not supported on all platforms. experimental. # interface-automatic: no # port to answer queries from @@ -84,10 +84,10 @@ server: # buffer size for UDP port 53 outgoing (SO_SNDBUF socket option). # 0 is system default. Use 4m to handle spikes on very busy servers. # so-sndbuf: 0 - + # use SO_REUSEPORT to distribute queries over threads. # so-reuseport: no - + # use IP_TRANSPARENT so the interface: addresses can be non-local # and you can config non-existing IPs that are going to work later on # ip-transparent: no @@ -105,7 +105,7 @@ server: # msg-buffer-size: 65552 # the amount of memory to use for the message cache. - # plain value in bytes or you can append k, m or G. default is "4Mb". + # plain value in bytes or you can append k, m or G. default is "4Mb". # msg-cache-size: 4m # the number of slabs to use for the message cache. @@ -118,12 +118,12 @@ server: # if very busy, 50% queries run to completion, 50% get timeout in msec # jostle-timeout: 200 - + # msec to wait before close of port on timeout UDP. 0 disables. # delay-close: 0 # the amount of memory to use for the RRset cache. - # plain value in bytes or you can append k, m or G. default is "4Mb". + # plain value in bytes or you can append k, m or G. default is "4Mb". # rrset-cache-size: 4m # the number of slabs to use for the RRset cache. @@ -145,7 +145,7 @@ server: # the time to live (TTL) value for cached roundtrip times, lameness and # EDNS version information for hosts. In seconds. # infra-host-ttl: 900 - + # minimum wait time for responses, increase if uplink is long. In msec. # infra-cache-min-rtt: 50 @@ -195,8 +195,8 @@ server: # # If chroot is enabled, you should pass the configfile (from the # commandline) as a full path from the original root. After the - # chroot has been performed the now defunct portion of the config - # file path is removed to be able to reread the config after a reload. + # chroot has been performed the now defunct portion of the config + # file path is removed to be able to reread the config after a reload. # # All other file paths (working dir, logfile, roothints, and # key files) can be specified in several ways: @@ -205,7 +205,7 @@ server: # o as an absolute path relative to the original root. # In the last case the path is adjusted to remove the unused portion. # - # The pid file can be absolute and outside of the chroot, it is + # The pid file can be absolute and outside of the chroot, it is # written just prior to performing the chroot and dropping permissions. # # Additionally, unbound may need to access /dev/random (for entropy). @@ -219,22 +219,22 @@ server: # If you give "" no privileges are dropped. # username: "@UNBOUND_USERNAME@" - # the working directory. The relative files in this config are + # the working directory. The relative files in this config are # relative to this directory. If you give "" the working directory # is not changed. # directory: "@UNBOUND_RUN_DIR@" - # the log file, "" means log to stderr. + # the log file, "" means log to stderr. # Use of this option sets use-syslog to "no". # logfile: "" - # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to + # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to # log to, with identity "unbound". If yes, it overrides the logfile. - # use-syslog: yes + # use-syslog: yes # print UTC timestamp in ascii to logfile, default is epoch in seconds. # log-time-ascii: no - + # print one line with time, IP, name, type, class for every query. # log-queries: no @@ -242,7 +242,7 @@ server: # pidfile: "@UNBOUND_PIDFILE@" # file to read root hints from. - # get one from ftp://FTP.INTERNIC.NET/domain/named.cache + # get one from https://www.internic.net/domain/named.cache # root-hints: "" # enable to not answer id.server and hostname.bind queries. @@ -258,8 +258,8 @@ server: # version: "" # the target fetch policy. - # series of integers describing the policy per dependency depth. - # The number of values in the list determines the maximum dependency + # series of integers describing the policy per dependency depth. + # The number of values in the list determines the maximum dependency # depth the recursor will pursue before giving up. Each integer means: # -1 : fetch all targets opportunistically, # 0: fetch on demand, @@ -267,17 +267,17 @@ server: # Enclose the list of numbers between quotes (""). # target-fetch-policy: "3 2 1 0 0" - # Harden against very small EDNS buffer sizes. + # Harden against very small EDNS buffer sizes. # harden-short-bufsize: no # Harden against unseemly large queries. # harden-large-queries: no - # Harden against out of zone rrsets, to avoid spoofing attempts. + # Harden against out of zone rrsets, to avoid spoofing attempts. # harden-glue: yes # Harden against receiving dnssec-stripped data. If you turn it - # off, failing to validate dnskey data for a trustanchor will + # off, failing to validate dnskey data for a trustanchor will # trigger insecure mode for that zone (like without a trustanchor). # Default on, which insists on dnssec data for trust-anchored zones. # harden-dnssec-stripped: yes @@ -287,7 +287,7 @@ server: # Harden the referral path by performing additional queries for # infrastructure data. Validates the replies (if possible). - # Default off, because the lookups burden the server. Experimental + # Default off, because the lookups burden the server. Experimental # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. # harden-referral-path: no @@ -296,18 +296,23 @@ server: # to validate the zone. # harden-algo-downgrade: no + # Sent minimum amount of information to upstream servers to enhance + # privacy. Only sent minimum required labels of the QNAME and set QTYPE + # to NS when possible. + # qname-minimisation: no + # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. # use-caps-for-id: no - + # Domains (and domains in them) without support for dns-0x20 and # the fallback fails because they keep sending different answers. # caps-whitelist: "licdn.com" - # Enforce privacy of these addresses. Strips them away from answers. - # It may cause DNSSEC validation to additionally mark it as bogus. - # Protects against 'DNS Rebinding' (uses browser as network proxy). - # Only 'private-domain' and 'local-data' names are allowed to have + # Enforce privacy of these addresses. Strips them away from answers. + # It may cause DNSSEC validation to additionally mark it as bogus. + # Protects against 'DNS Rebinding' (uses browser as network proxy). + # Only 'private-domain' and 'local-data' names are allowed to have # these private addresses. No default. # private-address: 10.0.0.0/8 # private-address: 172.16.0.0/12 @@ -315,6 +320,7 @@ server: # private-address: 169.254.0.0/16 # private-address: fd00::/8 # private-address: fe80::/10 + # private-address: ::ffff:0:0/96 # Allow the domain (and its subdomains) to contain private addresses. # local-data statements are allowed to contain private addresses too. @@ -373,7 +379,7 @@ server: # Zone file format, with DS and DNSKEY entries. # Note this gets out of date, use auto-trust-anchor-file please. # trust-anchor-file: "" - + # Trusted key for validation. DS or DNSKEY. specify the RR on a # single line, surrounded by "". TTL is ignored. class is IN default. # Note this gets out of date, use auto-trust-anchor-file please. @@ -383,7 +389,7 @@ server: # File with trusted keys for validation. Specify more than one file # with several entries, one file per entry. Like trust-anchor-file - # but has a different file format. Format is BIND-9 style format, + # but has a different file format. Format is BIND-9 style format, # the trusted-keys { name flag proto algo "key"; }; clauses are read. # you need external update procedures to track changes in keys. # trusted-keys-file: "" @@ -408,7 +414,7 @@ server: # Should additional section of secure message also be kept clean of # unsecure data. Useful to shield the users of this validator from - # potential bogus data in the additional section. All unsigned data + # potential bogus data in the additional section. All unsigned data # in the additional section is removed from secure messages. # val-clean-additional: yes @@ -433,7 +439,7 @@ server: # A message with an NSEC3 with larger count is marked insecure. # List in ascending order the keysize and count values. # val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500" - + # instruct the auto-trust-anchor-file probing to add anchors after ttl. # add-holddown: 2592000 # 30 days @@ -448,7 +454,7 @@ server: # permit-small-holddown: no # the amount of memory to use for the key cache. - # plain value in bytes or you can append k, m or G. default is "4Mb". + # plain value in bytes or you can append k, m or G. default is "4Mb". # key-cache-size: 4m # the number of slabs to use for the key cache. @@ -457,7 +463,7 @@ server: # key-cache-slabs: 4 # the amount of memory to use for the negative cache (used for DLV). - # plain value in bytes or you can append k, m or G. default is "1Mb". + # plain value in bytes or you can append k, m or G. default is "1Mb". # neg-cache-size: 1m # By default, for a number of zones a small default 'nothing here' @@ -501,7 +507,7 @@ server: # local-zone: "b.e.f.ip6.arpa." nodefault # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa. - + # if unbound is running service for the local host then it is useful # to perform lan-wide lookups to the upstream, and unblock the # long list of local-zones above. If this unbound is a dns server @@ -512,7 +518,7 @@ server: # a number of locally served zones can be configured. # local-zone: <zone> <type> # local-data: "<resource record string>" - # o deny serves local data (if any), else, drops queries. + # o deny serves local data (if any), else, drops queries. # o refuse serves local data (if any), else, replies with error. # o static serves local data, else, nxdomain or nodata answer. # o transparent gives local data, but resolves normally for other names @@ -525,7 +531,7 @@ server: # defaults are localhost address, reverse for 127.0.0.1 and ::1 # and nxdomain for AS112 zones. If you configure one of these zones # the default content is omitted, or you can omit it with 'nodefault'. - # + # # If you configure local-data without specifying local-zone, by # default a transparent local-zone is created for the data. # @@ -571,7 +577,7 @@ server: # ratelimit-size: 4m # ratelimit cache slabs, reduces lock contention if equal to cpucount. # ratelimit-slabs: 4 - + # 0 blocks when ratelimited, otherwise let 1/xth traffic through # ratelimit-factor: 10 @@ -590,7 +596,7 @@ python: # Script file to load # python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py" -# Remote control config section. +# Remote control config section. remote-control: # Enable remote control with unbound-control(8) here. # set up the keys and certificates with unbound-control-setup. @@ -621,9 +627,9 @@ remote-control: # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem" # Stub zones. -# Create entries like below, to make all queries for 'example.com' and -# 'example.org' go to the given list of nameservers. list zero or more -# nameservers by hostname or by ipaddress. If you set stub-prime to yes, +# Create entries like below, to make all queries for 'example.com' and +# 'example.org' go to the given list of nameservers. list zero or more +# nameservers by hostname or by ipaddress. If you set stub-prime to yes, # the list is treated as priming hints (default is no). # With stub-first yes, it attempts without the stub if it fails. # Consider adding domain-insecure: name and local-zone: name nodefault |