Okay, let's give it a try then.

On Thu, 2018-08-23 at 21:15 +0200, Peter Müller wrote:
> Hello,
>
> > This was deliberately not enabled because the documentation contains a
> > warning about various incompatibilities with various other DNS servers.
> > Yes, there are a lot of broken DNS servers out there...
> >
> > Is there some sort of study saying that this can be safely enabled?
>
> I know people operating DNS resolvers for > 30k customers with this setting
> enabled. They never experienced any issue with this so far. This is enabled
> on my systems too.
>
> Currently, I am not aware of a public study.
>
> Best regards,
> Peter Müller
>
>
> > -Michael
> >
> > On Sun, 2018-08-19 at 20:11 +0200, Peter Müller wrote:
> > > Attempt to detect DNS spoofing attacks by inserting 0x20-encoded
> > > random bits into upstream queries. Upstream documentation claims
> > > it to be an experimental implementation, it did not cause any trouble
> > > on productive systems here.
> > >
> > > See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
> > > further details.
> > >
> > > Signed-off-by: Peter Müller
> > > --- > > > config/unbound/unbound.conf | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf > > > index fa2ca3fd4..8b5d34ee3 100644 > > > --- a/config/unbound/unbound.conf > > > +++ b/config/unbound/unbound.conf 
> > > @@ -59,7 +59,7 @@ server: > > > harden-below-nxdomain: yes > > > harden-referral-path: yes > > > harden-algo-downgrade: no > > > - use-caps-for-id: no > > > + use-caps-for-id: yes > > > > > > # Harden against DNS cache poisoning > > > unwanted-reply-threshold: 5000000 > >
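
Review bot: the `+ use-caps-for-id: yes` line goes in without a comment, although the commit message says upstream describes the feature as experimental and the thread mentions documented incompatibilities with other DNS servers. Add a comment above it stating that it enables 0x20 case randomisation of query names to detect spoofed replies, so that whoever debugs a resolution failure against a broken upstream server knows which switch to check; Unbound's `caps-whitelist` option can exempt individual domains if one turns up. As an anti-spoofing measure it would also sit more naturally under the existing `# Harden against DNS cache poisoning` comment than between the harden-* options.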