unbound: Drop certificates for local control connection

[ipfire-2.x.git] / config / unbound / unbound.conf

diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index 3f724d8f76a81027a3a2b6542fb086a149010229..e20c3330d7045ac93856ee1eb2e01d7d41b62d83 100644 (file)
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -28,7 +28,7 @@ server:
        log-queries: no
 
        # Unbound Statistics
-       statistics-interval: 0
+       statistics-interval: 86400
        statistics-cumulative: yes
        extended-statistics: yes
 
@@ -59,7 +59,11 @@ server:
        harden-below-nxdomain: yes
        harden-referral-path: yes
        harden-algo-downgrade: no
-       use-caps-for-id: no
+       use-caps-for-id: yes
+       aggressive-nsec: yes
+
+       # Harden against DNS cache poisoning
+       unwanted-reply-threshold: 1000000
 
        # Listen on all interfaces
        interface-automatic: yes
@@ -79,12 +83,8 @@ server:
 
 remote-control:
        control-enable: yes
-       control-use-cert: yes
+       control-use-cert: no
        control-interface: 127.0.0.1
-       server-key-file: "/etc/unbound/unbound_server.key"
-       server-cert-file: "/etc/unbound/unbound_server.pem"
-       control-key-file: "/etc/unbound/unbound_control.key"
-       control-cert-file: "/etc/unbound/unbound_control.pem"
 
 # Import any local configurations
 include: "/etc/unbound/local.d/*.conf"