From: Yorgos Thessalonikefs Date: Fri, 22 Dec 2023 10:42:20 +0000 (+0100) Subject: - Update example.conf with cookie options. X-Git-Tag: release-1.19.3rc1~49 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6c82f4ae9bfa10e0c1883a3c4f43cb8dd621d7ef;p=thirdparty%2Funbound.git - Update example.conf with cookie options. --- diff --git a/doc/Changelog b/doc/Changelog index 6c8dd94ef..130d46a8f 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,6 @@ +22 December 2023: Yorgos + - Update example.conf with cookie options. + 8 December 2023: Yorgos - Merge PR #973: Use the origin (DNAME) TTL for synthesized CNAMEs as per RFC 6672. diff --git a/doc/example.conf.in b/doc/example.conf.in index 547b35500..4085b8616 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -303,6 +303,7 @@ server: # Choose deny (drop message), refuse (polite error reply), # allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on), # allow_snoop (recursive and nonrecursive ok) + # allow_cookie (allow UDP with valid cookie or stateful transport) # deny_non_local (drop queries unless can be answered from local-data) # refuse_non_local (like deny_non_local but polite error reply). # access-control: 127.0.0.0/8 allow @@ -986,6 +987,13 @@ server: # if 0(default) it is disabled, otherwise states qps allowed per ip address # ip-ratelimit: 0 + # global query ratelimit for all ip addresses with a valid DNS Cookie. + # feature is experimental. + # if 0(default) it is disabled, otherwise states qps allowed per ip address + # useful in combination with 'allow_cookie'. + # If used, suggested to be higher than ip-ratelimit, tenfold. + # ip-ratelimit-cookie: 0 + # ip ratelimits are tracked in a cache, size in bytes of cache (or k,m). # ip-ratelimit-size: 4m # ip ratelimit cache slabs, reduces lock contention if equal to cpucount. 
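Review bot: The new `allow_cookie` line in the access-control action list (hunk at -303) and the `ip-ratelimit-cookie` block (hunk at -986) both speak of a "valid" cookie without naming the option that makes the server issue and check cookies, and `answer-cookie` is shown as `no` further down in this same commit. As far as I recall from unbound.conf(5), UDP cookie validation only takes effect with `answer-cookie: yes`; this should be confirmed and written into the comments, so an operator does not enable `allow_cookie` and assume cookie filtering is active when it may not be. A wording such as `# allow_cookie (allow UDP with valid cookie or stateful transport; needs answer-cookie: yes)` would do, with a matching `# requires answer-cookie: yes.` line under `ip-ratelimit-cookie`. The `server:` block starts and ends outside both hunks.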
@@ -1007,6 +1015,14 @@ server: # the number of servers that will be used in the fast server selection. # fast-server-num: 3 + # reply to requests containing DNS Cookies as specified in RFC 7873 and RFC 9018. + # answer-cookie: no + + # secret for DNS Cookie generation. + # useful for anycast deployments. + # example value "000102030405060708090a0b0c0d0e0f". + # cookie-secret: <128 bit random hex string> + # Enable to attach Extended DNS Error codes (RFC8914) to responses. # ede: no
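Review bot: The `cookie-secret` comment prints a concrete sample, `000102030405060708090a0b0c0d0e0f`, without saying it must not be used as-is. A secret copied from shipped documentation is public, and whoever knows it can compute server cookies that pass validation, which removes the source-address assurance that `allow_cookie` and `ip-ratelimit-cookie` depend on. I would add `# do not use the example value; generate 16 random bytes, e.g. openssl rand -hex 16.` and state what happens when the option is left unset (I believe a random secret is generated at startup, to be confirmed against unbound.conf(5)). The anycast remark would read better with its reason, `# anycast instances must share one secret to accept each other's cookies.`, and since the file then holds key material a reminder to keep it non-world-readable belongs next to it.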