From: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri, 25 Nov 2016 17:45:39 +0000 (+0000)
Subject: unbound: Deactivate qname-minimization & harden-below-nxdomain
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=86e9d04bfb73eb256682a567e187fe1e5cdcc3ca;p=people%2Fms%2Fipfire-2.x.git

unbound: Deactivate qname-minimization & harden-below-nxdomain

This causes trouble when you try to resolve a record like
a.b.blah.com where b.blah.com responds with NXDOMAIN. unbound
won't try to resolve a.b.blah.com because it is assumed that
everything longer than b.blah.com does not exist which is
probably not good usability.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---

diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index 3f724d8f76..c9b01b8f47 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -42,7 +42,6 @@ server:
 	# Privacy Options
 	hide-identity: yes
 	hide-version: yes
-	qname-minimisation: yes
 	minimal-responses: yes
 
 	# DNSSEC
@@ -56,7 +55,6 @@ server:
 	harden-short-bufsize: no
 	harden-large-queries: yes
 	harden-dnssec-stripped: yes
-	harden-below-nxdomain: yes
 	harden-referral-path: yes
 	harden-algo-downgrade: no
 	use-caps-for-id: no