From 86e9d04bfb73eb256682a567e187fe1e5cdcc3ca Mon Sep 17 00:00:00 2001
From: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri, 25 Nov 2016 17:45:39 +0000
Subject: [PATCH] unbound: Deactivate qname-minimization &
 harden-below-nxdomain

This causes trouble when you try to resolve a record like
a.b.blah.com where b.blah.com responds with NXDOMAIN. unbound
won't try to resolve a.b.blah.com because it is assumed that
everything longer than b.blah.com does not exist which is
probably not good usability.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 config/unbound/unbound.conf | 2 --
 1 file changed, 2 deletions(-)

diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index 3f724d8f7..c9b01b8f4 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -42,7 +42,6 @@ server:
 	# Privacy Options
 	hide-identity: yes
 	hide-version: yes
-	qname-minimisation: yes
 	minimal-responses: yes
 
 	# DNSSEC
@@ -56,7 +55,6 @@ server:
 	harden-short-bufsize: no
 	harden-large-queries: yes
 	harden-dnssec-stripped: yes
-	harden-below-nxdomain: yes
 	harden-referral-path: yes
 	harden-algo-downgrade: no
 	use-caps-for-id: no
-- 
2.39.2