From 31de85b2f8cc47ee61e05fe59e0efbac605bd5b0 Mon Sep 17 00:00:00 2001
From: Paul Wouters
Date: May 31 2010 15:47:38 +0000
Subject: updated unbound.conf default config file

---
diff --git a/unbound.conf b/unbound.conf
index 28998c1..2f32c73 100644
--- a/unbound.conf
+++ b/unbound.conf
@@ -10,15 +10,6 @@ server:
 # whitespace is not necessary, but looks cleaner.
-# To enable DNSSEC trust anchors, install the dnssec-keys package and
-# uncomment the line below, or run dnssec-configure -h for more options
-# trusted-keys-file: "/etc/pki/dnssec/production.conf"
-
-# To enable DLV trust anchor with DLV, install the dnssec-keys package
-# and uncomment the line below, or run dnssec-configure -h for more
-# options
-# dlv-anchor-file: "/etc/pki/dnssec-keys/dlv/dlv.isc.org.key"
-
 # verbosity number, 0 is least verbose. 1 is default.
 verbosity: 1
@@ -87,7 +78,15 @@ server:
 # number of incoming simultaneous tcp buffers to hold per thread.
 # incoming-num-tcp: 10
-
+
+# buffer size for UDP port 53 incoming (SO_RCVBUF socket option).
+# 0 is system default. Use 4m to catch query spikes for busy servers.
+# so-rcvbuf: 0
+
+# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
+# is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
+# edns-buffer-size: 4096
+
 # buffer size for handling DNS data. No messages larger than this
 # size can be sent or received, by UDP or TCP. In bytes.
 # msg-buffer-size: 65552
@@ -115,7 +114,11 @@ server:
 # the number of slabs must be a power of 2.
 # more slabs reduce lock contention, but fragment memory usage.
 # rrset-cache-slabs: 4
-
+
+# the time to live (TTL) value lower bound, in seconds. Default 0.
+# If more than an hour could easily give trouble due to stale data.
+# cache-min-ttl: 0
+
 # the time to live (TTL) value cap for RRsets and messages in the
 # cache. Items are not cached for longer. In seconds.
 # cache-max-ttl: 86400
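Review bot: The new `edns-buffer-size` comment presents 4096 as the value to advertise and mentions 1480 only as a fix for timeouts, but it leaves out why: advertising a buffer larger than the path MTU is exactly what makes upstream servers send fragmented UDP answers, and fragments are both the thing that gets dropped (the timeouts) and a surface an off-path attacker can target to inject data into a reply. I would extend the comment so an operator choosing a value sees the trade-off, e.g. `# Values above the path MTU cause fragmented UDP replies, which are often` / `# dropped by middleboxes and are easier to spoof; prefer a value at or below` / `# the MTU and let large answers fall back to TCP.` The `server:` block this option lives in starts and ends outside the hunk.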
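Review bot: The second line of the new `cache-min-ttl` comment, `# If more than an hour could easily give trouble due to stale data.`, is missing its subject and does not say what "trouble" means for a validating resolver: a lower bound above the authoritative TTL keeps records (including DNSKEY/RRSIG sets and addresses an operator changed in a hurry) alive past the time the zone owner intended. I would reword it as `# Raising this above the zone's own TTL serves stale data; values over an hour` / `# can keep withdrawn addresses or rolled keys in use well after the zone changed.` The enclosing `server:` block continues outside the hunk.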
@@ -208,6 +211,9 @@ server:
 # log to, with identity "unbound". If yes, it overrides the logfile.
 # use-syslog: yes
+# print UTC timestamp in ascii to logfile, default is epoch in seconds.
+log-time-ascii: yes
+
 # the pid file. Can be an absolute path outside of chroot/work dir.
 pidfile: "/var/run/unbound/unbound.pid"
@@ -293,21 +299,32 @@ server:
 # if yes, the above default do-not-query-address entries are present.
 # if no, localhost can be queried (for testing and debugging).
 # do-not-query-localhost: yes
-
+
+# if yes, perform prefetching of almost expired message cache entries.
+prefetch: yes
+
+# if yes, perform key lookups adjacent to normal lookups.
+prefetch-key: yes
+
 # module configuration of the server. A string with identifiers
 # separated by spaces. "iterator" or "validator iterator"
 # module-config: "validator iterator"
 # File with DLV trusted keys. Same format as trust-anchor-file.
 # There can be only one DLV configured, it is trusted from root down.
-# Download https://secure.isc.org/ops/dlv/dlv.isc.org.key
-# dlv-anchor-file: "/etc/pki/dnssec-keys/dlv.isc.org.key"
+# Downloaded from https://secure.isc.org/ops/dlv/dlv.isc.org.key
+dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"
 # File with trusted keys for validation. Specify more than one file
 # with several entries, one file per entry.
 # Zone file format, with DS and DNSKEY entries.
 # trust-anchor-file: ""
+# File with trusted keys, kept uptodate using RFC5011 probes,
+# initial file like trust-anchor-file, then it stores metadata.
+# Use several entries, one per domain name, to track multiple zones.
+# auto-trust-anchor-file: ""
+
 # Trusted key for validation. DS or DNSKEY. specify the RR on a
 # single line, surrounded by "". TTL is ignored. class is IN default.
 # (These examples are from August 2007 and may not be valid anymore).
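Review bot: `dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"` is now active rather than commented out, which makes ISC's DLV registry a trust point for every zone the resolver has no other anchor for, yet the only provenance recorded is `# Downloaded from https://secure.isc.org/ops/dlv/dlv.isc.org.key` — nothing says the downloaded key was checked against ISC's published fingerprint, and whatever file sits at that path is trusted as-is. I would record the verification step and the ownership expectation in the comment, e.g. `# Verify the key against ISC's published DS/fingerprint before installing it;` / `# the file must be root-owned and not writable by the unbound user.`, and confirm (with unbound-checkconf) that a missing file fails startup rather than quietly resolving without validation. The retained `trust-anchor-file: ""` stays commented, so this DLV key is the only anchor shipped; if this file is still in use today, note that ISC has since retired the DLV service, and a root anchor via `auto-trust-anchor-file` is the replacement. On that option, the new comment says unbound "stores metadata" in the file, i.e. it writes to it, so an enabled entry needs a path writable by the daemon's user inside any chroot — a one-line comment there would prevent a silently failing RFC 5011 probe. The `server:` block continues outside this hunk.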
@@ -319,7 +336,10 @@ server:
 # but has a different file format. Format is BIND-9 style format,
 # the trusted-keys { name flag proto algo "key"; }; clauses are read.
 # trusted-keys-file: ""
-
+
+# Ignore chain of trust. Domain is treated as insecure.
+# domain-insecure: "example.com"
+
 # Override the date for validation with a specific fixed date.
 # Do not set this unless you are debugging signature inception
 # and expiration. "" or "0" turns the feature off.
@@ -328,7 +348,13 @@ server:
 # The time to live for bogus data, rrsets and messages. This avoids
 # some of the revalidation, until the time interval expires. in secs.
 # val-bogus-ttl: 60
-
+
+# The signature inception and expiration dates are allowed to be off
+# by 10% of the lifetime of the signature from our local clock.
+# This leeway is capped with a minimum and a maximum. In seconds.
+# val-sig-skew-min: 3600
+# val-sig-skew-max: 86400
+
 # Should additional section of secure message also be kept clean of
 # unsecure data. Useful to shield the users of this validator from
 # potential bogus data in the additional section. All unsigned data
@@ -342,6 +368,10 @@ server:
 # replies if the message is found secure. The default is off.
 # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
 val-permissive-mode: no
+
+# Have the validator log failed validations for your diagnosis.
+# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
+val-log-level: 1
 # It is possible to configure NSEC3 maximum iteration counts per
 # keysize. Keep this table very short, as linear search is done.
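Review bot: `val-log-level: 1` is switched on as a live setting, but by the comment's own description level 1 gives one line per failed query with neither the reason nor the address of the server that returned the bad data, which is precisely what an operator needs to tell a spoofing attempt from a zone with expired signatures. I would either ship `val-log-level: 2` or say in the comment which level is useful for triage and what it costs, e.g. `# Level 2 (reason and source IP) is the useful setting for incident triage;` / `# with use-syslog on, a burst of bogus answers logs one line per query.` The `server:` block continues outside this hunk.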
@@ -349,6 +379,16 @@ server:
 # List in ascending order the keysize and count values.
 # val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
+# instruct the auto-trust-anchor-file probing to add anchors after ttl.
+# add-holddown: 2592000 # 30 days
+
+# instruct the auto-trust-anchor-file probing to del anchors after ttl.
+# del-holddown: 2592000 # 30 days
+
+# auto-trust-anchor-file probing removes missing anchors after ttl.
+# If the value 0 is given, missing anchors are not removed.
+# keep-missing: 31622400 # 366 days
+
 # the amount of memory to use for the key cache.
 # plain value in bytes or you can append k, m or G. default is "4Mb".
 # key-cache-size: 4m
@@ -368,7 +408,7 @@ server:
 # o deny serves local data (if any), else, drops queries.
 # o refuse serves local data (if any), else, replies with error.
 # o static serves local data, else, nxdomain or nodata answer.
-# o transparent serves local data, else, resolves normally .
+# o transparent serves local data, but resolves normally for other names
 # o redirect serves the zone data for any subdomain in the zone.
 # o nodefault can be used to normally resolve AS112 zones.
 #
@@ -397,6 +437,15 @@ server:
 # you need to do the reverse notation yourself.
 # local-data-ptr: "192.0.2.3 www.example.com"
+## Python config section. To enable:
+## o use --with-pythonmodule to configure before compiling.
+## o list python in the module-config string (above) to enable.
+## o and give a python-script to run.
+#python:
+# # Script file to load
+# # python-script: "/etc/unbound/ubmodule-tst.py"
+
+
 # Remote control config section.
 remote-control:
 # Enable remote control with unbound-control(8) here.
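Review bot: The comments on the three new `auto-trust-anchor-file` timers all say "after ttl", but the values shown (`2592000 # 30 days`, `31622400 # 366 days`) are wall-clock hold-down periods in seconds, not an RRset TTL, and the add hold-down is the RFC 5011 safeguard that keeps a newly published key from being trusted until it has been seen continuously for the whole period. I would reword so nobody shortens them thinking they are cache timing, e.g. `# RFC 5011 add hold-down: a new key seen at the trust point must stay` / `# published for this many seconds before it is accepted as an anchor;` / `# lowering it weakens protection against a briefly injected key.` and the matching wording for del-holddown. The `server:` block continues outside this hunk.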
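Review bot: The commented `python-script: "/etc/unbound/ubmodule-tst.py"` example points into the same directory this commit now uses for the DLV key file, and a python module runs inside the resolver with the daemon's privileges, which the section's comments do not mention. Since the `auto-trust-anchor-file` added elsewhere in this patch "stores metadata" (unbound writes it), operators may be tempted to make `/etc/unbound` writable by the unbound user, at which point any script loaded from there could be replaced by that user; I would add `# The script runs with unbound's privileges: keep it root-owned, not writable` / `# by the unbound user, and outside any directory the daemon must write to.` The python section is new and complete in this hunk; the `remote-control:` block that follows runs past it.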