From: Peter Müller Date: Mon, 20 Jan 2020 19:36:00 +0000 (+0000) Subject: unbound.conf: Do not set defaults explicitly X-Git-Url: http://git.ipfire.org/?p=people%2Fpmueller%2Fipfire-2.x.git;a=commitdiff_plain;h=e737776db5edaca90a22c7aaeb11e8fbb7c0d9fa unbound.conf: Do not set defaults explicitly In order to keep configuration files small and easy to review/audit, omitting defaults makes more sense than configure them explicitly (have changed my mind here). Unbound comes with a good default confiuration, and we should only make changes when they are necessary. In addition, this patch updates the documentation's URL to the current one. Signed-off-by: Peter Müller Cc: Michael Tremer Reviewed-by: Michael Tremer Signed-off-by: Arne Fitzenreiter
---
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index 24822ee67a..c78ca1db7c 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -2,7 +2,7 @@
 # Unbound configuration file for IPFire
 #
 # The full documentation is available at:
-# https://www.unbound.net/documentation/unbound.conf.html
+# https://nlnetlabs.nl/documentation/unbound/unbound.conf/
 #
 
 server:
@@ -10,26 +10,17 @@ server:
  chroot: ""
  directory: "/etc/unbound"
  username: "nobody"
- port: 53
- do-ip4: yes
  do-ip6: no
- do-udp: yes
- do-tcp: yes
- so-reuseport: yes
- do-not-query-localhost: yes
 
  # System Tuning
  include: "/etc/unbound/tuning.conf"
 
  # Logging Options
- verbosity: 1
  use-syslog: yes
  log-time-ascii: yes
- log-queries: no
 
  # Unbound Statistics
  statistics-interval: 86400
- statistics-cumulative: yes
  extended-statistics: yes
 
  # Prefetching
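Review bot: Dropping `statistics-cumulative: yes` from the Unbound Statistics stanza is not the removal of a default: Unbound's documented default for this option is `no`, so after this change the counters are reset after every `statistics-interval` dump instead of accumulating since start, which alters what the exported statistics mean. The commit message only claims to strip explicit defaults, so either keep the line (`statistics-cumulative: yes`) or state the intended behaviour change in the message. The other removals in this hunk (`port`, `do-ip4`, `do-udp`, `do-tcp`, `so-reuseport`, `do-not-query-localhost`, `verbosity`, `log-queries`) match the documented defaults as far as I can tell. The `server:` block continues past the end of the hunk.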
@@ -42,26 +33,17 @@ server:
  # Privacy Options
  hide-identity: yes
  hide-version: yes
- qname-minimisation: yes
- minimal-responses: yes
 
  # DNSSEC
  auto-trust-anchor-file: "/var/lib/unbound/root.key"
- val-permissive-mode: no
- val-clean-additional: yes
  val-log-level: 1
+ log-servfail: yes
 
  # Hardening Options
- harden-glue: yes
- harden-short-bufsize: no
  harden-large-queries: yes
- harden-dnssec-stripped: yes
- harden-below-nxdomain: yes
  harden-referral-path: yes
- harden-algo-downgrade: no
  use-caps-for-id: yes
  aggressive-nsec: yes
- qname-minimisation: yes
 
  # TLS
  tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt
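Review bot: The hardening lines removed here (`harden-glue`, `harden-dnssec-stripped`, `harden-below-nxdomain`, `qname-minimisation`, `minimal-responses`) make the resolver's effective security posture depend on the defaults of whichever Unbound build is installed, and if I recall the release notes correctly several of these were opt-in in older releases (qname-minimisation, minimal-responses and harden-below-nxdomain among them), so a downgrade or a differently built package would silently lose them. A short comment recording the assumption would let an auditor check it against the packaged version, e.g. `# Hardening: relies on the defaults of Unbound >= <VERSION> (harden-glue, harden-dnssec-stripped, harden-below-nxdomain, qname-minimisation, minimal-responses all enabled)`. The added `log-servfail: yes` is a genuine non-default and fits the commit's stated rule. The `server:` block continues past the end of the hunk.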