In order to keep configuration files small and easy to review/audit,
omitting defaults makes more sense than configuring them explicitly (have
changed my mind here).
Unbound comes with a good default configuration, and we should only make
changes when they are necessary. In addition, this patch updates the
documentation's URL to the current one.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
# Unbound configuration file for IPFire
#
# The full documentation is available at:
# Unbound configuration file for IPFire
#
# The full documentation is available at:
-# https://www.unbound.net/documentation/unbound.conf.html
+# https://nlnetlabs.nl/documentation/unbound/unbound.conf/
chroot: ""
directory: "/etc/unbound"
username: "nobody"
chroot: ""
directory: "/etc/unbound"
username: "nobody"
- do-udp: yes
- do-tcp: yes
- so-reuseport: yes
- do-not-query-localhost: yes
# System Tuning
include: "/etc/unbound/tuning.conf"
# Logging Options
# System Tuning
include: "/etc/unbound/tuning.conf"
# Logging Options
use-syslog: yes
log-time-ascii: yes
use-syslog: yes
log-time-ascii: yes
# Unbound Statistics
statistics-interval: 86400
# Unbound Statistics
statistics-interval: 86400
- statistics-cumulative: yes
extended-statistics: yes
# Prefetching
extended-statistics: yes
# Prefetching
# Privacy Options
hide-identity: yes
hide-version: yes
# Privacy Options
hide-identity: yes
hide-version: yes
- qname-minimisation: yes
- minimal-responses: yes
# DNSSEC
auto-trust-anchor-file: "/var/lib/unbound/root.key"
# DNSSEC
auto-trust-anchor-file: "/var/lib/unbound/root.key"
- val-permissive-mode: no
- val-clean-additional: yes
- harden-glue: yes
- harden-short-bufsize: no
harden-large-queries: yes
harden-large-queries: yes
- harden-dnssec-stripped: yes
- harden-below-nxdomain: yes
harden-referral-path: yes
harden-referral-path: yes
- harden-algo-downgrade: no
use-caps-for-id: yes
aggressive-nsec: yes
use-caps-for-id: yes
aggressive-nsec: yes
- qname-minimisation: yes
# TLS
tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt
# TLS
tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt
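Review bot: The hardening and privacy directives dropped from the Privacy Options and DNSSEC blocks (`harden-glue`, `harden-dnssec-stripped`, `harden-below-nxdomain`, `val-permissive-mode`, `qname-minimisation`, `minimal-responses`) now take whatever value the packaged Unbound build compiles in, and nothing in the file records that dependency. Upstream defaults for options of this kind have changed between Unbound releases, so the effective values should be confirmed against the shipped version, for example with `unbound-checkconf -o harden-below-nxdomain`. The two options that were explicitly `no` (`harden-short-bufsize`, `harden-algo-downgrade`) will likewise follow upstream; if the packaged version defaults either of them differently, that is a behaviour change the commit message does not call out. I would add a short comment above the DNSSEC block, such as `# Options not listed here use Unbound's built-in defaults; re-check them on every Unbound update.`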