
Add tls-cert-bundle and example of using a DNS-over-TLS forwarder.

Note that, at this time, Unbound does not re-use TLS connections
(https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4089) so the
TCP and TLS handshakes will cause a disproportionate increase in
latency compared to UDP.  ok sthen@ florian@
OPENBSD_6_6
dtucker 5 years ago
parent
commit
2519f7993f
1 changed file with 15 additions and 1 deletion:
  src/etc/unbound.conf (+15, -1)

@ -1,4 +1,4 @@
# $OpenBSD: unbound.conf,v 1.14 2018/12/16 20:41:30 tim Exp $
# $OpenBSD: unbound.conf,v 1.15 2019/07/15 10:18:20 dtucker Exp $
server: server:
interface: 127.0.0.1 interface: 127.0.0.1
@ -48,6 +48,11 @@ server:
# #
#tcp-upstream: yes #tcp-upstream: yes
# CA Certificates used for forward-tls-upstream (RFC7858) hostname
# verification. Since it's outside the chroot it is only loaded at
# startup and thus cannot be changed via a reload.
#tls-cert-bundle: "/etc/ssl/cert.pem"
remote-control: remote-control:
control-enable: yes control-enable: yes
control-interface: /var/run/unbound.sock control-interface: /var/run/unbound.sock
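Review bot: the new tls-cert-bundle line stays commented out, yet the forward-zone example later in this file depends on hostname verification (`forward-addr: ...#resolver.hostname.example`), which has no trust anchors to check against unless this bundle is configured. Suggest the comment state explicitly that tls-cert-bundle must be uncommented whenever forward-tls-upstream is enabled, and, given the chroot note, that an update to /etc/ssl/cert.pem needs a restart of unbound rather than a reload to take effect.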
@ -58,3 +63,12 @@ remote-control:
# name: "." # use for ALL queries # name: "." # use for ALL queries
# forward-addr: 192.0.2.53 # example address only # forward-addr: 192.0.2.53 # example address only
# forward-first: yes # try direct if forwarder fails # forward-first: yes # try direct if forwarder fails
# Use an upstream DNS-over-TLS forwarder and do not fall back to cleartext
# if that fails.
#forward-zone:
# name: "."
# forward-tls-upstream: yes # use DNS-over-TLS forwarder
# forward-first: no # do NOT send direct
# # the hostname after "#" is not a comment, it is used for TLS checks:
# forward-addr: 192.0.2.53@953#resolver.hostname.example
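Review bot: the example uses port 953 (`forward-addr: 192.0.2.53@953#resolver.hostname.example`), but the DNS-over-TLS port assigned by RFC 7858, which the tls-cert-bundle comment above cites, is 853; unless 953 is intentional, this reads as a typo that leaves anyone copying the example with a forwarder that never connects. `forward-first: no` with the "do NOT send direct" comment is the right choice here, since forward-first: yes would silently fall back to cleartext queries when the TLS forwarder fails, which is exactly what the surrounding comment says this example is meant to prevent.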
