rpms/unbound/F-13 unbound.conf,1.8,1.9

Paul Wouters pwouters at fedoraproject.org
Mon May 31 15:47:39 UTC 2010


Author: pwouters

Update of /cvs/extras/rpms/unbound/F-13
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv20742

Modified Files:
	unbound.conf 
Log Message:
updated unbound.conf default config file



Index: unbound.conf
===================================================================
RCS file: /cvs/extras/rpms/unbound/F-13/unbound.conf,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -p -r1.8 -r1.9
--- unbound.conf	14 Jan 2009 14:57:11 -0000	1.8
+++ unbound.conf	31 May 2010 15:47:38 -0000	1.9
@@ -10,15 +10,6 @@
 server:
 	# whitespace is not necessary, but looks cleaner.
 
-	# To enable DNSSEC trust anchors, install the dnssec-keys package and
-	# uncomment the line below, or run dnssec-configure -h for more options
-	# trusted-keys-file: "/etc/pki/dnssec/production.conf"
-
-	# To enable DLV trust anchor with DLV, install the dnssec-keys package
-	# and uncomment the line below, or run dnssec-configure -h for more
-	# options
-	# dlv-anchor-file: "/etc/pki/dnssec-keys/dlv/dlv.isc.org.key"
-
 	# verbosity number, 0 is least verbose. 1 is default.
 	verbosity: 1
 
@@ -87,7 +78,15 @@ server:
 
 	# number of incoming simultaneous tcp buffers to hold per thread.
 	# incoming-num-tcp: 10
-	
+
+	# buffer size for UDP port 53 incoming (SO_RCVBUF socket option).
+	# 0 is system default.  Use 4m to catch query spikes for busy servers.
+	# so-rcvbuf: 0
+
+	# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
+	# is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
+	# edns-buffer-size: 4096
+       
 	# buffer size for handling DNS data. No messages larger than this
 	# size can be sent or received, by UDP or TCP. In bytes.
 	# msg-buffer-size: 65552
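Review bot: The separator line added after the `edns-buffer-size` comment is a run of eight spaces rather than an empty line, which leaves trailing whitespace in the shipped default config and breaks the file's tab-indented convention; make it a plain empty line. The `so-rcvbuf` comment suggests `4m` for busy servers, but on Linux the value is silently clamped to `net.core.rmem_max`, so a one-line caveat would save an operator a debugging round-trip, e.g. `# values above net.core.rmem_max are clamped by the kernel; raise that sysctl as well`.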
@@ -115,7 +114,11 @@ server:
 	# the number of slabs must be a power of 2.
 	# more slabs reduce lock contention, but fragment memory usage.
 	# rrset-cache-slabs: 4
-	
+
+	# the time to live (TTL) value lower bound, in seconds. Default 0.
+	# If more than an hour could easily give trouble due to stale data.
+	# cache-min-ttl: 0
+
 	# the time to live (TTL) value cap for RRsets and messages in the
 	# cache. Items are not cached for longer. In seconds.
 	# cache-max-ttl: 86400
@@ -208,6 +211,9 @@ server:
 	# log to, with identity "unbound". If yes, it overrides the logfile.
 	# use-syslog: yes 
 
+	# print UTC timestamp in ascii to logfile, default is epoch in seconds.
+	log-time-ascii: yes
+
 	# the pid file. Can be an absolute path outside of chroot/work dir.
 	pidfile: "/var/run/unbound/unbound.pid"
 	
@@ -293,21 +299,32 @@ server:
 	# if yes, the above default do-not-query-address entries are present.
 	# if no, localhost can be queried (for testing and debugging).
 	# do-not-query-localhost: yes
-	
+
+	# if yes, perform prefetching of almost expired message cache entries.
+	prefetch: yes
+
+	# if yes, perform key lookups adjacent to normal lookups.
+	prefetch-key: yes
+
 	# module configuration of the server. A string with identifiers
 	# separated by spaces. "iterator" or "validator iterator"
 	# module-config: "validator iterator"
 	
 	# File with DLV trusted keys. Same format as trust-anchor-file.
 	# There can be only one DLV configured, it is trusted from root down.
-	# Download https://secure.isc.org/ops/dlv/dlv.isc.org.key
-	# dlv-anchor-file: "/etc/pki/dnssec-keys/dlv.isc.org.key"
+	# Downloaded from https://secure.isc.org/ops/dlv/dlv.isc.org.key
+	dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"
 
 	# File with trusted keys for validation. Specify more than one file
 	# with several entries, one file per entry.
 	# Zone file format, with DS and DNSKEY entries.
 	# trust-anchor-file: ""
 
+	# File with trusted keys, kept uptodate using RFC5011 probes,
+	# initial file like trust-anchor-file, then it stores metadata.
+	# Use several entries, one per domain name, to track multiple zones.
+	# auto-trust-anchor-file: ""
+
 	# Trusted key for validation. DS or DNSKEY. specify the RR on a
 	# single line, surrounded by "". TTL is ignored. class is IN default.
 	# (These examples are from August 2007 and may not be valid anymore).
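Review bot: The now-active `dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"` turns the DLV key into a live trust anchor, yet the only provenance the comment records is the download URL on the line above; since this key is the root of every validation decision the resolver makes, the comment should state how the shipped copy was verified out of band and when, e.g. `# Downloaded from https://secure.isc.org/ops/dlv/dlv.isc.org.key; verify against ISC's published key fingerprint before replacing this file`. The path also moved out of the dnssec-keys package location into /etc/unbound, so the unbound package itself presumably has to ship that file — if it is missing, unbound will refuse to start with this config (not verifiable from this diff; the spec file is not shown). With `trust-anchor-file`/`auto-trust-anchor-file` still empty, DLV is the sole anchor, which is reasonable at this date, but the new `auto-trust-anchor-file` comment could add that unbound writes RFC 5011 state back into that file, so it must be on a path writable by the unbound user inside any chroot.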
@@ -319,7 +336,10 @@ server:
 	# but has a different file format. Format is BIND-9 style format, 
 	# the trusted-keys { name flag proto algo "key"; }; clauses are read.
 	# trusted-keys-file: ""
-	
+
+	# Ignore chain of trust. Domain is treated as insecure.
+	# domain-insecure: "example.com"
+
 	# Override the date for validation with a specific fixed date.
 	# Do not set this unless you are debugging signature inception
 	# and expiration. "" or "0" turns the feature off. 
@@ -328,7 +348,13 @@ server:
 	# The time to live for bogus data, rrsets and messages. This avoids
 	# some of the revalidation, until the time interval expires. in secs.
 	# val-bogus-ttl: 60
-	
+
+	# The signature inception and expiration dates are allowed to be off
+	# by 10% of the lifetime of the signature from our local clock.
+	# This leeway is capped with a minimum and a maximum.  In seconds.
+	# val-sig-skew-min: 3600
+	# val-sig-skew-max: 86400
+
 	# Should additional section of secure message also be kept clean of
 	# unsecure data. Useful to shield the users of this validator from
 	# potential bogus data in the additional section. All unsigned data 
@@ -342,6 +368,10 @@ server:
 	# replies if the message is found secure. The default is off.
 	# NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
 	val-permissive-mode: no
+
+	# Have the validator log failed validations for your diagnosis.
+	# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
+	val-log-level: 1
 	
 	# It is possible to configure NSEC3 maximum iteration counts per
 	# keysize. Keep this table very short, as linear search is done.
@@ -349,6 +379,16 @@ server:
 	# List in ascending order the keysize and count values.
 	# val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
 
+	# instruct the auto-trust-anchor-file probing to add anchors after ttl.
+	# add-holddown: 2592000 # 30 days
+
+	# instruct the auto-trust-anchor-file probing to del anchors after ttl.
+	# del-holddown: 2592000 # 30 days
+
+	# auto-trust-anchor-file probing removes missing anchors after ttl.
+	# If the value 0 is given, missing anchors are not removed.
+	# keep-missing: 31622400 # 366 days
+
 	# the amount of memory to use for the key cache.
 	# plain value in bytes or you can append k, m or G. default is "4Mb". 
 	# key-cache-size: 4m
@@ -368,7 +408,7 @@ server:
 	# o deny serves local data (if any), else, drops queries. 
 	# o refuse serves local data (if any), else, replies with error.
 	# o static serves local data, else, nxdomain or nodata answer.
-	# o transparent serves local data, else, resolves normally .
+	# o transparent serves local data, but resolves normally for other names
 	# o redirect serves the zone data for any subdomain in the zone.
 	# o nodefault can be used to normally resolve AS112 zones.
 	#
@@ -397,6 +437,15 @@ server:
 	# you need to do the reverse notation yourself.
 	# local-data-ptr: "192.0.2.3 www.example.com"
 
+## Python config section. To enable:
+## o use --with-pythonmodule to configure before compiling.
+## o list python in the module-config string (above) to enable.
+## o and give a python-script to run.
+#python:
+#	# Script file to load
+#	# python-script: "/etc/unbound/ubmodule-tst.py"
+
+
 # Remote control config section. 
 remote-control:
 	# Enable remote control with unbound-control(8) here.


