From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: unbound.conf: Do not set defaults explicitly Date: Mon, 03 Feb 2020 15:00:13 +0000 Message-ID: <32149C0A-66A8-4B20-B465-E91A2F57D194@ipfire.org> In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1216376331363337041==" List-Id: --===============1216376331363337041== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit Reviewed-by: Michael Tremer > On 20 Jan 2020, at 19:36, Peter Müller wrote: > > In order to keep configuration files small and easy to review/audit, > omitting defaults makes more sense than configuring them explicitly (have > changed my mind here). > > Unbound comes with a good default configuration, and we should only make > changes when they are necessary. In addition, this patch updates the > documentation's URL to the current one. > > Signed-off-by: Peter Müller > Cc: Michael Tremer > --- > config/unbound/unbound.conf | 22 ++-------------------- > 1 file changed, 2 insertions(+), 20 deletions(-) > > diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf > index 24822ee67..c78ca1db7 100644 > --- a/config/unbound/unbound.conf > +++ b/config/unbound/unbound.conf > @@ -2,7 +2,7 @@ > # Unbound configuration file for IPFire > # > # The full documentation is available at: > -# https://www.unbound.net/documentation/unbound.conf.html > +# https://nlnetlabs.nl/documentation/unbound/unbound.conf/ > # > > server: 
> @@ -10,26 +10,17 @@ server: > chroot: "" > directory: "/etc/unbound" > username: "nobody" > - port: 53 > - do-ip4: yes > do-ip6: no > - do-udp: yes > - do-tcp: yes > - so-reuseport: yes > - do-not-query-localhost: yes > > # System Tuning > include: "/etc/unbound/tuning.conf" > > # Logging Options > - verbosity: 1 > use-syslog: yes > log-time-ascii: yes > - log-queries: no > > # Unbound Statistics > statistics-interval: 86400 > - statistics-cumulative: yes > extended-statistics: yes > > # Prefetching > @@ -42,26 +33,17 @@ server: > # Privacy Options > hide-identity: yes > hide-version: yes > - qname-minimisation: yes > - minimal-responses: yes > > # DNSSEC > auto-trust-anchor-file: "/var/lib/unbound/root.key" > - val-permissive-mode: no > - val-clean-additional: yes > val-log-level: 1 > + log-servfail: yes > > # Hardening Options > - harden-glue: yes > - harden-short-bufsize: no > harden-large-queries: yes > - harden-dnssec-stripped: yes > - harden-below-nxdomain: yes > harden-referral-path: yes > - harden-algo-downgrade: no > use-caps-for-id: yes > aggressive-nsec: yes > - qname-minimisation: yes > > # TLS > tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt > -- > 2.16.4 --===============1216376331363337041==--
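Review bot: In the first hunk (@@ -2,7 +2,7 @@), the documentation URL update is unrelated to removing explicit defaults. Sending it as its own patch would let the defaults cleanup be bisected or reverted independently of the comment change.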
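Review bot: In the second hunk (@@ -10,26 +10,17 @@), "statistics-cumulative: yes" is removed as if it were a default, but Unbound's default for statistics-cumulative is no, so dropping the line changes behaviour: the counters are cleared each time statistics are logged, which with the retained "statistics-interval: 86400" is once a day. Either keep the line or say in the commit message that the reset is intended, since anything reading long-running totals from this resolver will see different numbers afterwards.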
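Review bot: In the third hunk (@@ -42,26 +33,17 @@), the added line "log-servfail: yes" is a new setting rather than a removed default, and neither the subject nor the commit message mentions it. It is also placed under "# DNSSEC" although it is a logging option; moving it to "# Logging Options" and describing it in the message, or sending it as a separate patch, would keep this change a pure defaults cleanup. Because the removed harden-* and val-* lines now depend entirely on upstream defaults, it would also help to name in the message the Unbound version whose defaults were checked.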