summaryrefslogtreecommitdiffstats
path: root/contrib/unbound/doc/example.conf
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/unbound/doc/example.conf')
-rw-r--r--contrib/unbound/doc/example.conf46
1 files changed, 44 insertions, 2 deletions
diff --git a/contrib/unbound/doc/example.conf b/contrib/unbound/doc/example.conf
index acb553b..87bbebe 100644
--- a/contrib/unbound/doc/example.conf
+++ b/contrib/unbound/doc/example.conf
@@ -1,7 +1,7 @@
#
# Example configuration file.
#
-# See unbound.conf(5) man page, version 1.5.3.
+# See unbound.conf(5) man page, version 1.5.5.
#
# this is a comment.
@@ -87,6 +87,10 @@ server:
# use SO_REUSEPORT to distribute queries over threads.
# so-reuseport: no
+
+ # use IP_TRANSPARENT so the interface: addresses can be non-local
+ # and you can config non-existing IPs that are going to work later on
+ # ip-transparent: no
# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
# is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
@@ -135,6 +139,9 @@ server:
# cache. Items are not cached for longer. In seconds.
# cache-max-ttl: 86400
+ # the time to live (TTL) value cap for negative responses in the cache
+ # cache-max-negative-ttl: 3600
+
# the time to live (TTL) value for cached roundtrip times, lameness and
# EDNS version information for hosts. In seconds.
# infra-host-ttl: 900
@@ -284,9 +291,18 @@ server:
# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
# harden-referral-path: no
+ # Harden against algorithm downgrade when multiple algorithms are
+ # advertised in the DS record. If no, allows the weakest algorithm
+ # to validate the zone.
+ # harden-algo-downgrade: no
+
# Use 0x20-encoded random bits in the query to foil spoof attempts.
# This feature is an experimental implementation of draft dns-0x20.
# use-caps-for-id: no
+
+ # Domains (and domains in them) without support for dns-0x20 and
+ # the fallback fails because they keep sending different answers.
+ # caps-whitelist: "licdn.com"
# Enforce privacy of these addresses. Strips them away from answers.
# It may cause DNSSEC validation to additionally mark it as bogus.
@@ -349,7 +365,7 @@ server:
# File with DLV trusted keys. Same format as trust-anchor-file.
# There can be only one DLV configured, it is trusted from root down.
- # Download http://ftp.isc.org/www/dlv/dlv.isc.org.key
+ # DLV is going to be decommissioned. Please do not use it any more.
# dlv-anchor-file: "dlv.isc.org.key"
# File with trusted keys for validation. Specify more than one file
@@ -428,6 +444,9 @@ server:
# If the value 0 is given, missing anchors are not removed.
# keep-missing: 31622400 # 366 days
+ # debug option that allows very small holddown times for key rollover
+ # permit-small-holddown: no
+
# the amount of memory to use for the key cache.
# plain value in bytes or you can append k, m or G. default is "4Mb".
# key-cache-size: 4m
@@ -501,6 +520,7 @@ server:
# o nodefault can be used to normally resolve AS112 zones.
# o typetransparent resolves normally for other types and other names
# o inform resolves normally, but logs client IP address
+ # o inform_deny drops queries and logs client IP address
#
# defaults are localhost address, reverse for 127.0.0.1 and ::1
# and nxdomain for AS112 zones. If you configure one of these zones
@@ -542,6 +562,26 @@ server:
# Enable dns64 in module-config. Used to synthesize IPv6 from IPv4.
# dns64-prefix: 64:ff9b::0/96
+ # ratelimit for uncached, new queries, this limits recursion effort.
+ # ratelimiting is experimental, and may help against randomqueryflood.
+ # if 0(default) it is disabled, otherwise state qps allowed per zone.
+ # ratelimit: 0
+
+ # ratelimits are tracked in a cache, size in bytes of cache (or k,m).
+ # ratelimit-size: 4m
+ # ratelimit cache slabs, reduces lock contention if equal to cpucount.
+ # ratelimit-slabs: 4
+
+ # 0 blocks when ratelimited, otherwise let 1/xth traffic through
+ # ratelimit-factor: 10
+
+ # override the ratelimit for a specific domain name.
+ # give this setting multiple times to have multiple overrides.
+ # ratelimit-for-domain: example.com 1000
+ # override the ratelimits for all domains below a domain name
+ # can give this multiple times, the name closest to the zone is used.
+ # ratelimit-below-domain: example 1000
+
# Python config section. To enable:
# o use --with-pythonmodule to configure before compiling.
# o list python in the module-config string (above) to enable.
@@ -586,6 +626,8 @@ remote-control:
# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
# the list is treated as priming hints (default is no).
# With stub-first yes, it attempts without the stub if it fails.
+# Consider adding domain-insecure: name and local-zone: name nodefault
+# to the server: section if the stub is a locally served zone.
# stub-zone:
# name: "example.com"
# stub-addr: 192.0.2.68
OpenPOWER on IntegriCloud