Diffstat (limited to 'doc/unbound.conf.5.in')
-rw-r--r-- doc/unbound.conf.5.in | 82
1 file changed, 71 insertions, 11 deletions
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index 2acf2622c5da..f48ef9214afa 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "Aug 21, 2017" "NLnet Labs" "unbound 1.6.5"
+.TH "unbound.conf" "5" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
.\"
.\" unbound.conf.5 -- unbound.conf manual
.\"
@@ -197,7 +197,7 @@ This is the value put into datagrams over UDP towards peers. The actual
buffer size is determined by msg\-buffer\-size (both for TCP and UDP). Do
not set higher than that value. Default is 4096 which is RFC recommended.
If you have fragmentation reassembly problems, usually seen as timeouts,
-then a value of 1480 can fix it. Setting to 512 bypasses even the most
+then a value of 1472 can fix it. Setting to 512 bypasses even the most
stringent path MTU problems, but is seen as extreme, since the amount
of TCP fallback generated is excessive (probably also for this resolver,
consider tuning the outgoing tcp number).
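Review bot: the changed line replaces 1480 with 1472 but the paragraph still gives no derivation, so a reader cannot tell why this value fixes fragmentation or adapt it to another link size. 1472 is a 1500-byte Ethernet MTU minus the 20-byte IPv4 header and the 8-byte UDP header (the old 1480 only subtracted the IPv4 header); a sentence such as "1472 is the largest UDP payload that fits in a 1500 byte IPv4 packet; over IPv6 the equivalent is 1452 because of the 40 byte header" would make the number reproducible.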
@@ -1048,19 +1048,19 @@ has no other effect than turning off default contents for the
given zone. Use \fInodefault\fR if you use exactly that zone, if you want to
use a subzone, use \fItransparent\fR.
.P
-The default zones are localhost, reverse 127.0.0.1 and ::1, the onion and
-the AS112 zones. The AS112 zones are reverse DNS zones for private use and
-reserved IP addresses for which the servers on the internet cannot provide
-correct answers. They are configured by default to give nxdomain (no reverse
-information) answers. The defaults can be turned off by specifying your
-own local\-zone of that name, or using the 'nodefault' type. Below is a
-list of the default zone contents.
+The default zones are localhost, reverse 127.0.0.1 and ::1, the onion, test,
+invalid and the AS112 zones. The AS112 zones are reverse DNS zones for
+private use and reserved IP addresses for which the servers on the internet
+cannot provide correct answers. They are configured by default to give
+nxdomain (no reverse information) answers. The defaults can be turned off
+by specifying your own local\-zone of that name, or using the 'nodefault'
+type. Below is a list of the default zone contents.
.TP 10
\h'5'\fIlocalhost\fR
The IP4 and IP6 localhost information is given. NS and SOA records are provided
for completeness and to satisfy some DNS update tools. Default content:
.nf
-local\-zone: "localhost." static
+local\-zone: "localhost." redirect
local\-data: "localhost. 10800 IN NS localhost."
local\-data: "localhost. 10800 IN
SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
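Review bot: the last changed line switches the localhost default zone from static to redirect, which is a behaviour change, yet the description above it ("The IP4 and IP6 localhost information is given") is untouched. With a redirect zone every name below localhost. is answered with the apex data instead of NXDOMAIN, so names like foo.localhost. now resolve to the loopback addresses. Please state that consequence in the description and in the changelog so operators who relied on the static behaviour are not surprised.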
@@ -1104,6 +1104,24 @@ local\-data: "onion. 10800 IN
SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
.fi
.TP 10
+\h'5'\fItest (RFC 7686)\fR
+Default content:
+.nf
+local\-zone: "test." static
+local\-data: "test. 10800 IN NS localhost."
+local\-data: "test. 10800 IN
+ SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
+.fi
+.TP 10
+\h'5'\fIinvalid (RFC 7686)\fR
+Default content:
+.nf
+local\-zone: "invalid." static
+local\-data: "invalid. 10800 IN NS localhost."
+local\-data: "invalid. 10800 IN
+ SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
+.fi
+.TP 10
\h'5'\fIreverse RFC1918 local use zones\fR
Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to
31.172.in\-addr.arpa, 168.192.in\-addr.arpa.
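Review bot: both new headings cite RFC 7686 for test and invalid, but RFC 7686 is the registration of the .onion special-use domain (the entry directly above these two); test. and invalid. are reserved by RFC 2606 and listed in the special-use registry by RFC 6761. The citation looks copied from the onion entry; change the headings to `\h'5'\fItest (RFC 2606)\fR` and `\h'5'\fIinvalid (RFC 2606)\fR`.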
@@ -1461,7 +1479,7 @@ despite the presence of actual AAAA records.
.LP
The
.B dnscrypt:
-clause give the settings of the dnscrypt channel. While those options are
+clause gives the settings of the dnscrypt channel. While those options are
available, they are only meaningful if unbound was compiled with
\fB\-\-enable\-dnscrypt\fR.
Currently certificate and secret/public keys cannot be generated by unbound.
@@ -1489,6 +1507,17 @@ times.
.B dnscrypt\-provider\-cert: \fI<path to cert file>\fR
Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs.
This option may be specified multiple times.
+.TP
+.B dnscrypt\-shared\-secret\-cache\-size: \fI<memory size>
+Give the size of the data structure in which the shared secret keys are kept
+in. Default 4m. In bytes or use m(mega), k(kilo), g(giga).
+The shared secret cache is used when a same client is making multiple queries
+using the same public key. It saves a substantial amount of CPU.
+.TP
+.B dnscrypt\-shared\-secret\-cache\-slabs: \fI<number>
+Give power of 2 number of slabs, this is used to reduce lock contention
+in the dnscrypt shared secrets cache. Close to the number of cpus is
+a fairly good setting.
.SS "EDNS Client Subnet Module Options"
.LP
The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache
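Review bot: the description of dnscrypt\-shared\-secret\-cache\-size has a doubled preposition ("the data structure in which the shared secret keys are kept in"); drop the trailing "in". The two new `.B` lines also end with `\fI<memory size>` and `\fI<number>` without the closing `\fR` that the neighbouring `dnscrypt\-provider\-cert: \fI<path to cert file>\fR` entry uses, and dnscrypt\-shared\-secret\-cache\-slabs states no default while the cache size entry says "Default 4m"; add the default and the `\fR` for consistency with the rest of the file.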
@@ -1603,6 +1632,37 @@ A/AAAA query will be SERVFAIL. Mainly used for testing. Defaults to no.
Whitelist the domain so that the module logic will be executed. Can
be given multiple times, for different domains. If the option is not
specified, all domains are treated as being whitelisted (default).
+.SS "Cache DB Module Options"
+.LP
+The Cache DB module must be configured in the \fBmodule\-config:\fR
+"validator cachedb iterator" directive and be compiled into the daemon
+with \fB\-\-enable\-cachedb\fR.
+If this module is enabled and configured, the specified backend database
+works as a second level cache:
+When Unbound cannot find an answer to a query in its built-in in-memory
+cache, it consults the specified backend.
+If it finds a valid answer in the backend, Unbound uses it to respond
+to the query without performing iterative DNS resolution.
+If Unbound cannot even find an answer in the backend, it resolves the
+query as usual, and stores the answer in the backend.
+The
+.B cachedb:
+clause gives custom settings of the cache DB module.
+.TP
+.B backend: \fI<backend name>\fR
+Specify the backend database name.
+Currently, only the in-memory "testframe" backend is supported.
+As the name suggests this backend is not of any practical use.
+This option defaults to "testframe".
+.TP
+.B secret-seed: \fI<"secret string">\fR
+Specify a seed to calculate a hash value from query information.
+This value will be used as the key of the corresponding answer for the
+backend database and can be customized if the hash should not be predictable
+operationally.
+If the backend database is shared by multiple Unbound instances,
+all instances must use the same secret seed.
+This option defaults to "default".
.SH "MEMORY CONTROL EXAMPLE"
In the example config settings below memory usage is reduced. Some service
levels are lower, notable very large data and a high TCP load are no longer
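Review bot: the new option names `backend:` and `secret-seed:` are written with plain hyphens, whereas every other option in this file escapes them as `\-` (`module\-config`, `dnscrypt\-provider\-cert`) so that the rendered page shows a copy-pasteable minus; write `secret\-seed:` and check the other hyphens in the new `.B` lines. The secret-seed text says the hash "can be customized if the hash should not be predictable operationally" but never says why that matters; since the same paragraph describes a backend shared between several Unbound instances, spell out that the seed should be treated as a secret in shared deployments and that the default value "default" provides no such protection. Finally, "If Unbound cannot even find an answer in the backend" reads oddly; "If the backend has no answer either" is clearer.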