In order to keep configuration files small and easy to review/audit, omitting defaults makes more sense than configuring them explicitly (have changed my mind here).
Unbound comes with a good default configuration, and we should only make changes when they are necessary. In addition, this patch updates the documentation's URL to the current one.
Signed-off-by: Peter Müller peter.mueller@ipfire.org Cc: Michael Tremer michael.tremer@ipfire.org --- config/unbound/unbound.conf | 22 ++-------------------- 1 file changed, 2 insertions(+), 20 deletions(-)
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 24822ee67..c78ca1db7 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -2,7 +2,7 @@ # Unbound configuration file for IPFire # # The full documentation is available at: -# https://www.unbound.net/documentation/unbound.conf.html +# https://nlnetlabs.nl/documentation/unbound/unbound.conf/ #
server: @@ -10,26 +10,17 @@ server: chroot: "" directory: "/etc/unbound" username: "nobody" - port: 53 - do-ip4: yes do-ip6: no - do-udp: yes - do-tcp: yes - so-reuseport: yes - do-not-query-localhost: yes
# System Tuning include: "/etc/unbound/tuning.conf"
# Logging Options - verbosity: 1 use-syslog: yes log-time-ascii: yes - log-queries: no
# Unbound Statistics statistics-interval: 86400 - statistics-cumulative: yes extended-statistics: yes
# Prefetching @@ -42,26 +33,17 @@ server: # Privacy Options hide-identity: yes hide-version: yes - qname-minimisation: yes - minimal-responses: yes
# DNSSEC auto-trust-anchor-file: "/var/lib/unbound/root.key" - val-permissive-mode: no - val-clean-additional: yes val-log-level: 1 + log-servfail: yes
# Hardening Options - harden-glue: yes - harden-short-bufsize: no harden-large-queries: yes - harden-dnssec-stripped: yes - harden-below-nxdomain: yes harden-referral-path: yes - harden-algo-downgrade: no use-caps-for-id: yes aggressive-nsec: yes - qname-minimisation: yes
# TLS tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt
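Review bot: In the second hunk (@@ -10,26 +10,17 @@), under "# Unbound Statistics", dropping `statistics-cumulative: yes` does not look like a default removal: the upstream unbound.conf manual lists the default for this option as no, so with this line gone the counters are cleared each time statistics are logged (every 86400 seconds per the retained `statistics-interval`) instead of accumulating since start. If cumulative counters are still wanted, keep the line; if the change is intended, say so in the commit message, which currently describes only default removals and the URL update.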
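Review bot: In the third hunk (@@ -42,26 +33,17 @@), the added `log-servfail: yes` under "# DNSSEC" is a new setting rather than a removed default, and the commit message does not mention it. Please either move it to a separate patch or add a sentence explaining why it is enabled; since it is a logging switch, placing it under "# Logging Options" next to `use-syslog` would also make it easier to find. Separately, the removed `val-permissive-mode`, `harden-dnssec-stripped` and `harden-glue` lines now take whatever the installed Unbound ships as its default, so it would help to name the Unbound version whose defaults were checked; `unbound-checkconf -o <option>` prints the effective value of a given option.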