From 3ac9b78c4b380799d00d7d19447a0b354b93918d Mon Sep 17 00:00:00 2001
From: sthen <>
Date: Thu, 7 Nov 2019 15:46:37 +0000
Subject: [PATCH] Reenable "val-log-level: 2", so that when sites have
 misconfigured dnssec the sysadmin has some idea what's going on in logs, and
 "aggressive-nsec: yes", if we're using dnssec anyway we might as well get the
 benefits. These were both enabled last time dnssec was enabled in this sample
 unbound.conf.

ok florian@
---
 src/etc/unbound.conf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/etc/unbound.conf b/src/etc/unbound.conf
index b46847e3..528405a9 100644
--- a/src/etc/unbound.conf
+++ b/src/etc/unbound.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: unbound.conf,v 1.18 2019/11/07 12:49:45 job Exp $
+# $OpenBSD: unbound.conf,v 1.19 2019/11/07 15:46:37 sthen Exp $
 
 server:
 	interface: 127.0.0.1
@@ -22,12 +22,12 @@ server:
 	# Perform DNSSEC validation. Comment out the below option to disable.
 	#
 	auto-trust-anchor-file: "/var/unbound/db/root.key"
-	#val-log-level: 2
+	val-log-level: 2
 
 	# Uncomment to synthesize NXDOMAINs from DNSSEC NSEC chains
 	# https://tools.ietf.org/html/rfc8198
 	#
-	#aggressive-nsec: yes
+	aggressive-nsec: yes
 
 	# Serve zones authoritatively from Unbound to resolver clients.
 	# Not for external service.