From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH 3/3] Unbound: Use aggressive NSEC
Date: Thu, 23 Aug 2018 14:43:34 +0100
Message-ID: <b1c83bd3fff61b4949fa8554a2858178876d29a9.camel@ipfire.org>
In-Reply-To: <4c59f5c0-751f-c74c-1f3a-5a8dd27cfe9f@link38.eu>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3157187564251842427=="
List-Id: <development.lists.ipfire.org>

--===============3157187564251842427==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Not sure if this actually makes a difference in reality. It is quite
unlikely to hit a match here.

But I can live with this change.

-Michael

On Sun, 2018-08-19 at 20:13 +0200, Peter Müller wrote:
> This avoids some needless lookups to destination domains
> with a very high NXDOMAIN rate and reduces load on upstream
> servers.
> 
> See https://nlnetlabs.nl/documentation/unbound/unbound.conf/
> for further details.
> 
> Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
> ---
>  config/unbound/unbound.conf | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
> index 8b5d34ee3..8ad6bcb03 100644
> --- a/config/unbound/unbound.conf
> +++ b/config/unbound/unbound.conf
> @@ -60,6 +60,7 @@ server:
>  	harden-referral-path: yes
>  	harden-algo-downgrade: no
>  	use-caps-for-id: yes
> +	aggressive-nsec: yes
>  
>  	# Harden against DNS cache poisoning
>  	unwanted-reply-threshold: 5000000


--===============3157187564251842427==--