Fincer
/
openntpd-openbsd
mirror of https://github.com/Fincer/openntpd-openbsd
1
0
Fork 0
Code Issues 0 Projects 0 Releases 61 Wiki Activity
Source code pulled from OpenBSD for OpenNTPD. The place to contribute to this code is via the OpenBSD CVS tree.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8567 Commits
49 Branches
45 MiB
Tree: 7635e56a53
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '7635e56a53'
${ noResults }
openntpd-openbsd/src/etc/unbound.conf

74 lines
2.2 KiB
Raw Normal View History

space -> tabs ok deraadt@ kn@
4 years ago
Add a new sample config file and rc.d script for unbound, ok deraadt@
10 years ago
add "outgoing-interface" to sample unbound.conf
8 years ago
Add a new sample config file and rc.d script for unbound, ok deraadt@
10 years ago
the world is not ready for dnssec enabled by default
5 years ago
add commented-out "val-log-level: 2" next to the uncommentable line to enable dnssec validation, it's really useful for debug
5 years ago
Add a new sample config file and rc.d script for unbound, ok deraadt@
10 years ago
the world is not ready for dnssec enabled by default
5 years ago
Add aggressive-nsec example block. While here, qname minimisation is an RFC since some time. tweak & OK sthen
6 years ago
Add a new sample config file and rc.d script for unbound, ok deraadt@
10 years ago
Fix syntax error in commented out local-zone entry. OK sthen@
10 years ago
Add a new sample config file and rc.d script for unbound, ok deraadt@
10 years ago
Fix syntax error in commented out local-zone entry. OK sthen@
10 years ago
Add a new sample config file and rc.d script for unbound, ok deraadt@
10 years ago
Add tls-cert-bundle and example of using a DNS-over-TLS forwarder. Note that, at this time, Unbound does not re-use TLS connections (https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4089) so the TCP and TLS handshakes will cause a disproportiate increase in latency compared to UDP. ok sthen@ florian@
5 years ago
change default unbound config to enable the control socket, without using keys/certificates for auth. ok florian@
9 years ago
Remove public resolver IP addresses, just provide a neutral "documentation prefix" address instead - there are so many available with varying policies that this isn't a good place to list them (and might imply some kind of recommendation which is not intended). Particularly prompted by several on the previous list (he.net and opendns) strip RRSIG from results which cause DNSSEC failures now that validation is enabled in the example config as noticed by solene@. While there, shrink qname-minimisation comment to match other nearby comments, and drop dns64 example which is quite a specialist use case and not really needed in this basic example.
5 years ago
Add a new sample config file and rc.d script for unbound, ok deraadt@
10 years ago
Remove public resolver IP addresses, just provide a neutral "documentation prefix" address instead - there are so many available with varying policies that this isn't a good place to list them (and might imply some kind of recommendation which is not intended). Particularly prompted by several on the previous list (he.net and opendns) strip RRSIG from results which cause DNSSEC failures now that validation is enabled in the example config as noticed by solene@. While there, shrink qname-minimisation comment to match other nearby comments, and drop dns64 example which is quite a specialist use case and not really needed in this basic example.
5 years ago
Add a new sample config file and rc.d script for unbound, ok deraadt@
10 years ago
Add tls-cert-bundle and example of using a DNS-over-TLS forwarder. Note that, at this time, Unbound does not re-use TLS connections (https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4089) so the TCP and TLS handshakes will cause a disproportiate increase in latency compared to UDP. ok sthen@ florian@
5 years ago
space -> tabs ok deraadt@ kn@
4 years ago
 
  1. # $OpenBSD: unbound.conf,v 1.17 2019/08/25 15:50:21 ajacoutot Exp $
  2. 

  3. server:
  4. 	interface: 127.0.0.1
  5. 	#interface: 127.0.0.1@5353	# listen on alternative port
  6. 	interface: ::1
  7. 	#do-ip6: no
  8. 

  9. 	# override the default "any" address to send queries; if multiple
  10. 	# addresses are available, they are used randomly to counter spoofing
  11. 	#outgoing-interface: 192.0.2.1
  12. 	#outgoing-interface: 2001:db8::53
  13. 

  14. 	access-control: 0.0.0.0/0 refuse
  15. 	access-control: 127.0.0.0/8 allow
  16. 	access-control: ::0/0 refuse
  17. 	access-control: ::1 allow
  18. 

  19. 	hide-identity: yes
  20. 	hide-version: yes
  21. 

  22. 	# Uncomment to enable DNSSEC validation.
  23. 	#
  24. 	#auto-trust-anchor-file: "/var/unbound/db/root.key"
  25. 	#val-log-level: 2
  26. 

  27. 	# Uncomment to synthesize NXDOMAINs from DNSSEC NSEC chains
  28. 	# https://tools.ietf.org/html/rfc8198
  29. 	#
  30. 	#aggressive-nsec: yes
  31. 

  32. 	# Serve zones authoritatively from Unbound to resolver clients.
  33. 	# Not for external service.
  34. 	#
  35. 	#local-zone: "local." static
  36. 	#local-data: "mycomputer.local. IN A 192.0.2.51"
  37. 	#local-zone: "2.0.192.in-addr.arpa." static
  38. 	#local-data-ptr: "192.0.2.51 mycomputer.local"
  39. 

  40. 	# UDP EDNS reassembly buffer advertised to peers. Default 4096.
  41. 	# May need lowering on broken networks with fragmentation/MTU issues,
  42. 	# particularly if validating DNSSEC.
  43. 	#
  44. 	#edns-buffer-size: 1480
  45. 

  46. 	# Use TCP for "forward-zone" requests. Useful if you are making
  47. 	# DNS requests over an SSH port forwarding.
  48. 	#
  49. 	#tcp-upstream: yes
  50. 

  51. 	# CA Certificates used for forward-tls-upstream (RFC7858) hostname
  52. 	# verification.  Since it's outside the chroot it is only loaded at
  53. 	# startup and thus cannot be changed via a reload.
  54. 	#tls-cert-bundle: "/etc/ssl/cert.pem"
  55. 

  56. remote-control:
  57. 	control-enable: yes
  58. 	control-interface: /var/run/unbound.sock
  59. 

  60. # Use an upstream forwarder (recursive resolver) for some or all zones.
  61. #
  62. #forward-zone:
  63. #	name: "."				# use for ALL queries
  64. #	forward-addr: 192.0.2.53		# example address only
  65. #	forward-first: yes			# try direct if forwarder fails
  66. 

  67. # Use an upstream DNS-over-TLS forwarder and do not fall back to cleartext
  68. # if that fails.
  69. #forward-zone:
  70. #	name: "."
  71. #	forward-tls-upstream: yes		# use DNS-over-TLS forwarder
  72. #	forward-first: no			# do NOT send direct
  73. #	# the hostname after "#" is not a comment, it is used for TLS checks:
  74. #	forward-addr: 192.0.2.53@853#resolver.hostname.example