Diffstat (limited to 'doc/example.conf.in')
-rw-r--r-- | doc/example.conf.in | 47 |
1 files changed, 41 insertions, 6 deletions
diff --git a/doc/example.conf.in b/doc/example.conf.in index c520c881f0e9..55bbc32e616f 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -1,7 +1,7 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.5.10. +# See unbound.conf(5) man page, version 1.6.0. # # this is a comment. @@ -52,7 +52,7 @@ server: # outgoing-interface: 192.0.2.153 # outgoing-interface: 2001:DB8::5 # outgoing-interface: 2001:DB8::6 - + # Specify a netblock to use remainder 64 bits as random bits for # upstream queries. Uses freebind option (Linux). # outgoing-interface: 2001:DB8::/64 @@ -171,7 +171,7 @@ server: # the maximum number of hosts that are cached (roundtrip, EDNS, lame). # infra-cache-numhosts: 10000 - + # define a number of tags here, use with local-zone, access-control. # repeat the define-tag statement to add additional tags. # define-tag: "tag1 tag2 tag3" @@ -230,6 +230,9 @@ server: # set redirect data for particular tag for access control element # access-control-tag-data: 192.0.2.0/24 tag2 "A 127.0.0.1" + # Set view for access control element + # access-control-view: 192.0.2.0/24 viewname + # if given, a chroot(2) is done to the given directory. # i.e. you can chroot to the working directory, for example, # for extra security, but make sure all files are in that directory. @@ -272,9 +275,13 @@ server: # logfile: "" # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to - # log to, with identity "unbound". If yes, it overrides the logfile. + # log to. If yes, it overrides the logfile. # use-syslog: yes + # Log identity to report. if empty, defaults to the name of argv[0] + # (usually "unbound"). + # log-identity: "" + # print UTC timestamp in ascii to logfile, default is epoch in seconds. # log-time-ascii: no 
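Review bot: The new log-identity comment in the `@@ -272,9 +275,13 @@` hunk does not say what the changed default means for log consumers. It states that an empty value falls back to argv[0], so the syslog identity is no longer a fixed "unbound". Syslog filters or detection rules keyed on that program name would presumably stop matching if the daemon is started under a different name. I would add a line such as `# Set this explicitly if log collectors match on the identity.` below the existing text, and capitalise `if empty` to match the surrounding comments.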
@@ -328,7 +335,7 @@ server: # Harden against queries that fall under dnssec-signed nxdomain names. # harden-below-nxdomain: no - # Harden the referral path by performing additional queries for + # Harden the referral path by performing additional queries for # infrastructure data. Validates the replies (if possible). # Default off, because the lookups burden the server. Experimental # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. @@ -344,6 +351,12 @@ server: # to NS when possible. # qname-minimisation: no + # QNAME minimisation in strict mode. Do not fall-back to sending full + # QNAME to potentially broken nameservers. A lot of domains will not be + # resolvable when this option in enabled. + # This option only has effect when qname-minimisation is enabled. + # qname-minimisation-strict: no + # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. # use-caps-for-id: no @@ -477,6 +490,10 @@ server: # that set CD but cannot validate themselves. # ignore-cd-flag: no + # Serve expired reponses from cache, with TTL 0 in the response, + # and then attempt to fetch the data afresh. + # serve-expired: no + # Have the validator log failed validations for your diagnosis. # 0: off. 1: A line per failed user query. 2: With reason and bad IP. # val-log-level: 0 @@ -578,7 +595,7 @@ server: # o redirect serves the zone data for any subdomain in the zone. # o nodefault can be used to normally resolve AS112 zones. # o typetransparent resolves normally for other types and other names - # o inform resolves normally, but logs client IP address + # o inform acts like transparent, but logs client IP address # o inform_deny drops queries and logs client IP address # o always_transparent, always_refuse, always_nxdomain, resolve in # that way but ignore local data for that name. 
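Review bot: Two of the added comments contain typos. In the qname-minimisation-strict hunk, `when this option in enabled` should read `when this option is enabled`, and in the serve-expired hunk `reponses` should be `responses`. The serve-expired text could also state the operational consequence, for example `# Clients may be answered with stale data until the refresh completes.`, because that matters when a record has been changed or withdrawn upstream. The server: clause continues outside both hunks.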
@@ -700,6 +717,7 @@ remote-control: # stub-addr: 192.0.2.68 # stub-prime: no # stub-first: no +# stub-ssl-upstream: no # stub-zone: # name: "example.org" # stub-host: ns.example.com. @@ -715,6 +733,23 @@ remote-control: # forward-addr: 192.0.2.68 # forward-addr: 192.0.2.73@5355 # forward to port 5355. # forward-first: no +# forward-ssl-upstream: no # forward-zone: # name: "example.org" # forward-host: fwd.example.com + +# Views +# Create named views. Name must be unique. Map views to requests using +# the access-control-view option. Views can contain zero or more local-zone +# and local-data options. Options from matching views will override global +# options. Global options will be used if no matching view is found. +# With view-first yes, it will try to answer using the global local-zone and +# local-data elements if there is no view specific match. +# view: +# name: "viewname" +# local-zone: "example.com" redirect +# local-data: "example.com A 192.0.2.3" +# view-first: no +# view: +# name: "anotherview" +# local-zone: "example.com" refuse |
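Review bot: `stub-ssl-upstream` and `forward-ssl-upstream` are added in the two hunks on this line with no explanatory comment, while the Views block added just below is documented in detail. From the example alone a reader cannot tell whether enabling them authenticates the upstream server or only encrypts the transport. It is also not stated that the listed addresses must then reach a service that accepts DNS over SSL. I would add a comment above each option, such as `# Use SSL for queries to these upstreams. See unbound.conf(5) for whether the peer certificate is verified.`, so operators do not assume more protection than the option gives.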