From: Michael Tremer Date: Fri, 25 Nov 2016 17:45:39 +0000 (+0000) Subject: unbound: Deactivate qname-minimization & harden-below-nxdomain X-Git-Tag: v2.19-core108~18 X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff_plain;h=86e9d04bfb73eb256682a567e187fe1e5cdcc3ca unbound: Deactivate qname-minimization & harden-below-nxdomain This causes trouble when you try to resolve a record like a.b.blah.com where b.blah.com responds with NXDOMAIN. unbound won't try to resolve a.b.blah.com because it is assumed that everything longer than b.blah.com does not exist which is probably not good usability. Signed-off-by: Michael Tremer --- diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 3f724d8f76..c9b01b8f47 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -42,7 +42,6 @@ server: # Privacy Options hide-identity: yes hide-version: yes - qname-minimisation: yes minimal-responses: yes # DNSSEC @@ -56,7 +55,6 @@ server: harden-short-bufsize: no harden-large-queries: yes harden-dnssec-stripped: yes - harden-below-nxdomain: yes harden-referral-path: yes harden-algo-downgrade: no use-caps-for-id: no
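Review bot: In the first hunk (under "# Privacy Options"), "qname-minimisation: yes" is deleted rather than replaced with an explicit "qname-minimisation: no", so whether the feature is really off depends on the built-in default of whichever unbound build is shipped. The subject says "Deactivate", so I would set the option to "no" and add a one-line comment giving the reason, so that a later unbound update cannot change the behaviour unnoticed. The commit message also only describes the NXDOMAIN cut-off. Please add a sentence on why query name minimisation has to go as well, since without it the full query name is again sent to every server in the delegation chain.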
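Review bot: In the second hunk (the harden-* block), "harden-below-nxdomain: yes" is dropped, while neighbouring options such as "harden-short-bufsize: no" and "harden-algo-downgrade: no" state their disabled value explicitly. For consistency, and so the setting is not left to the compiled-in default, I would write "harden-below-nxdomain: no" here. A short comment noting that it is off for compatibility with zones that answer NXDOMAIN for an intermediate label such as b.blah.com would tell the next reader that this was a deliberate choice.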