From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: unbound.conf: Do not set defaults explicitly
Date: Mon, 03 Feb 2020 15:00:13 +0000 [thread overview]
Message-ID: <32149C0A-66A8-4B20-B465-E91A2F57D194@ipfire.org> (raw)
In-Reply-To: <ff2fb50d-0dc2-b6ae-9866-fc177779995b@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 2384 bytes --]
Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
> On 20 Jan 2020, at 19:36, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>
> In order to keep configuration files small and easy to review/audit,
> omitting defaults makes more sense than configure them explicitly (have
> changed my mind here).
>
> Unbound comes with a good default confiuration, and we should only make
> changes when they are necessary. In addition, this patch updates the
> documentation's URL to the current one.
>
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> Cc: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
> config/unbound/unbound.conf | 22 ++--------------------
> 1 file changed, 2 insertions(+), 20 deletions(-)
>
> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
> index 24822ee67..c78ca1db7 100644
> --- a/config/unbound/unbound.conf
> +++ b/config/unbound/unbound.conf
> @@ -2,7 +2,7 @@
> # Unbound configuration file for IPFire
> #
> # The full documentation is available at:
> -# https://www.unbound.net/documentation/unbound.conf.html
> +# https://nlnetlabs.nl/documentation/unbound/unbound.conf/
> #
>
> server:
> @@ -10,26 +10,17 @@ server:
> chroot: ""
> directory: "/etc/unbound"
> username: "nobody"
> - port: 53
> - do-ip4: yes
> do-ip6: no
> - do-udp: yes
> - do-tcp: yes
> - so-reuseport: yes
> - do-not-query-localhost: yes
>
> # System Tuning
> include: "/etc/unbound/tuning.conf"
>
> # Logging Options
> - verbosity: 1
> use-syslog: yes
> log-time-ascii: yes
> - log-queries: no
>
> # Unbound Statistics
> statistics-interval: 86400
> - statistics-cumulative: yes
> extended-statistics: yes
>
> # Prefetching
> @@ -42,26 +33,17 @@ server:
> # Privacy Options
> hide-identity: yes
> hide-version: yes
> - qname-minimisation: yes
> - minimal-responses: yes
>
> # DNSSEC
> auto-trust-anchor-file: "/var/lib/unbound/root.key"
> - val-permissive-mode: no
> - val-clean-additional: yes
> val-log-level: 1
> + log-servfail: yes
>
> # Hardening Options
> - harden-glue: yes
> - harden-short-bufsize: no
> harden-large-queries: yes
> - harden-dnssec-stripped: yes
> - harden-below-nxdomain: yes
> harden-referral-path: yes
> - harden-algo-downgrade: no
> use-caps-for-id: yes
> aggressive-nsec: yes
> - qname-minimisation: yes
>
> # TLS
> tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt
> --
> 2.16.4
prev parent reply other threads:[~2020-02-03 15:00 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-20 19:36 Peter Müller
2020-02-03 15:00 ` Michael Tremer [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=32149C0A-66A8-4B20-B465-E91A2F57D194@ipfire.org \
--to=michael.tremer@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox