This avoids some needless lookups to destination domains with a very high NXDOMAIN rate and reduces load on upstream servers.
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for further details.
Signed-off-by: Peter Müller peter.mueller@link38.eu --- config/unbound/unbound.conf | 1 + 1 file changed, 1 insertion(+)
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 8b5d34ee3..8ad6bcb03 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -60,6 +60,7 @@ server: harden-referral-path: yes harden-algo-downgrade: no use-caps-for-id: yes + aggressive-nsec: yes
# Harden against DNS cache poisoning unwanted-reply-threshold: 5000000
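Review bot: the added `aggressive-nsec: yes` line after `use-caps-for-id: yes` has no comment explaining why it is enabled, while the following `unwanted-reply-threshold` option carries one ("# Harden against DNS cache poisoning"). Suggest a one-line comment above it, for example `# Answer NXDOMAIN from cached NSEC records`. The commit message should also state that the saving only applies to DNSSEC-signed zones whose NSEC records the resolver has validated, since names in unsigned zones still need the upstream lookup.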
Not sure if this actually makes a difference in reality. It is quite unlikely to hit a match here.
But I can live with this change.
-Michael
On Sun, 2018-08-19 at 20:13 +0200, Peter Müller wrote:
This avoids some needless lookups to destination domains with a very high NXDOMAIN rate and reduces load on upstream servers.
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for further details.
Signed-off-by: Peter Müller peter.mueller@link38.eu
config/unbound/unbound.conf | 1 + 1 file changed, 1 insertion(+)
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 8b5d34ee3..8ad6bcb03 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -60,6 +60,7 @@ server: harden-referral-path: yes harden-algo-downgrade: no use-caps-for-id: yes
aggressive-nsec: yes
# Harden against DNS cache poisoning unwanted-reply-threshold: 5000000