unbound.conf: Do not set defaults explicitly

In order to keep configuration files small and easy to review/audit,
omitting defaults makes more sense than configure them explicitly (have
changed my mind here).

Unbound comes with a good default confiuration, and we should only make
changes when they are necessary. In addition, this patch updates the
documentation's URL to the current one.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index 24822ee67a59bd3247a7fd7693a1eb38b33db7ef..c78ca1db7c63e1ece3c98259b28e9428a1164867 100644 (file)
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -2,7 +2,7 @@
 # Unbound configuration file for IPFire
 #
 # The full documentation is available at:
 # Unbound configuration file for IPFire
 #
 # The full documentation is available at:

-# https://www.unbound.net/documentation/unbound.conf.html
+# https://nlnetlabs.nl/documentation/unbound/unbound.conf/

 #
 
 server:
 #
 
 server:


@@ -10,26 +10,17 @@ server:
        chroot: ""
        directory: "/etc/unbound"
        username: "nobody"
        chroot: ""
        directory: "/etc/unbound"
        username: "nobody"

-       port: 53
-       do-ip4: yes

        do-ip6: no
        do-ip6: no

-       do-udp: yes
-       do-tcp: yes
-       so-reuseport: yes
-       do-not-query-localhost: yes

 
        # System Tuning
        include: "/etc/unbound/tuning.conf"
 
        # Logging Options
 
        # System Tuning
        include: "/etc/unbound/tuning.conf"
 
        # Logging Options

-       verbosity: 1

        use-syslog: yes
        log-time-ascii: yes
        use-syslog: yes
        log-time-ascii: yes

-       log-queries: no

 
        # Unbound Statistics
        statistics-interval: 86400
 
        # Unbound Statistics
        statistics-interval: 86400

-       statistics-cumulative: yes

        extended-statistics: yes
 
        # Prefetching
        extended-statistics: yes
 
        # Prefetching


@@ -42,26 +33,17 @@ server:
        # Privacy Options
        hide-identity: yes
        hide-version: yes
        # Privacy Options
        hide-identity: yes
        hide-version: yes

-       qname-minimisation: yes
-       minimal-responses: yes

 
        # DNSSEC
        auto-trust-anchor-file: "/var/lib/unbound/root.key"
 
        # DNSSEC
        auto-trust-anchor-file: "/var/lib/unbound/root.key"

-       val-permissive-mode: no
-       val-clean-additional: yes

        val-log-level: 1
        val-log-level: 1

+       log-servfail: yes

 
        # Hardening Options
 
        # Hardening Options

-       harden-glue: yes
-       harden-short-bufsize: no

        harden-large-queries: yes
        harden-large-queries: yes

-       harden-dnssec-stripped: yes
-       harden-below-nxdomain: yes

        harden-referral-path: yes
        harden-referral-path: yes

-       harden-algo-downgrade: no

        use-caps-for-id: yes
        aggressive-nsec: yes
        use-caps-for-id: yes
        aggressive-nsec: yes

-       qname-minimisation: yes

 
        # TLS
        tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt
 
        # TLS
        tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt