Reviewed-by: Michael Tremer michael.tremer@ipfire.org
On 20 Jan 2020, at 19:36, Peter Müller peter.mueller@ipfire.org wrote:
In order to keep configuration files small and easy to review/audit, omitting defaults makes more sense than configuring them explicitly (I have changed my mind here).
Unbound comes with a good default configuration, and we should only make changes when they are necessary. In addition, this patch updates the documentation's URL to the current one.
Signed-off-by: Peter Müller peter.mueller@ipfire.org Cc: Michael Tremer michael.tremer@ipfire.org
config/unbound/unbound.conf | 22 ++-------------------- 1 file changed, 2 insertions(+), 20 deletions(-)
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index 24822ee67..c78ca1db7 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -2,7 +2,7 @@
 # Unbound configuration file for IPFire
 #
 # The full documentation is available at:
-# https://www.unbound.net/documentation/unbound.conf.html
+# https://nlnetlabs.nl/documentation/unbound/unbound.conf/
 #
 server:
@@ -10,26 +10,17 @@ server:
 chroot: ""
 directory: "/etc/unbound"
 username: "nobody"
port: 53
do-ip4: yes do-ip6: no
do-udp: yes
do-tcp: yes
so-reuseport: yes
do-not-query-localhost: yes
# System Tuning include: "/etc/unbound/tuning.conf"
# Logging Options
verbosity: 1 use-syslog: yes log-time-ascii: yes
log-queries: no
# Unbound Statistics statistics-interval: 86400
statistics-cumulative: yes extended-statistics: yes
# Prefetching
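Review bot: Removing the default-valued lines in this hunk (`port`, `do-ip4`, `do-udp`, `do-tcp`, `so-reuseport`, `do-not-query-localhost`, `verbosity`, `use-syslog`, `log-queries` are the likely candidates) makes the effective values depend on the unbound.conf(5) defaults of whatever Unbound version IPFire ships, and the collapsed diff no longer shows which of these lines are actually removed, so each one should be checked against that manual page. The lines that differ from upstream defaults — `do-ip6: no`, `log-time-ascii: yes`, `statistics-interval: 86400`, `statistics-cumulative: yes`, `extended-statistics: yes` — must survive; dropping `do-ip6: no` in particular would silently enable IPv6 upstream queries, per the documented default of yes. I would record the policy at the top of the `server:` block so a later edit neither re-adds defaults nor removes a deliberate non-default: `# Only options that differ from the unbound.conf(5) defaults of the shipped Unbound version are set here.`. The `server:` block starts in the previous hunk and continues past this one.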
@@ -42,26 +33,17 @@ server: # Privacy Options hide-identity: yes hide-version: yes
qname-minimisation: yes
minimal-responses: yes
# DNSSEC auto-trust-anchor-file: "/var/lib/unbound/root.key"
val-permissive-mode: no
val-clean-additional: yes val-log-level: 1
log-servfail: yes
# Hardening Options
harden-glue: yes
harden-short-bufsize: no harden-large-queries: yes
harden-dnssec-stripped: yes
harden-below-nxdomain: yes harden-referral-path: yes
harden-algo-downgrade: no use-caps-for-id: yes aggressive-nsec: yes
qname-minimisation: yes
# TLS tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt
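Review bot: `qname-minimisation: yes` appears twice in this hunk, once under `# Privacy Options` and again as the last line of `# Hardening Options`; the collapsed text no longer shows whether one of them is the removed line, so if both survive, one should go. Unbound takes repeated options without complaint, so the duplicate is harmless at runtime, but it works against the review/audit goal the commit message states. Since qname-minimisation defaults to yes in current Unbound, the commit's own omit-defaults rule suggests dropping both; if it is meant as an explicit pin, keep the one under Privacy Options with a comment such as `# pinned on purpose: do not rely on the upstream default`. The hardening list also leaves `harden-algo-downgrade: no`, whether explicit or by default, which per unbound.conf(5) lets a DS set advertising several algorithms validate with the weakest one; that deserves either a one-line justification comment or a switch to yes.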
-- 2.16.4