1.TH "unbound.conf" "5" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20"
| 1.TH "unbound.conf" "5" "Mar 12, 2014" "NLnet Labs" "unbound 1.4.22"
|
2.\"
3.\" unbound.conf.5 -- unbound.conf manual
4.\"
5.\" Copyright (c) 2007, NLnet Labs. All rights reserved.
6.\"
7.\" See LICENSE for the license.
8.\"
9.\"
10.SH "NAME"
11.LP
12.B unbound.conf
13\- Unbound configuration file.
14.SH "SYNOPSIS"
15.LP
16.B unbound.conf
17.SH "DESCRIPTION"
18.LP
19.B unbound.conf
20is used to configure
21\fIunbound\fR(8).
22The file format has attributes and values. Some attributes have attributes inside them.
23The notation is: attribute: value.
24.P
25Comments start with # and last to the end of line. Empty lines are
26ignored as is whitespace at the beginning of a line.
27.P
28The utility
29\fIunbound\-checkconf\fR(8)
30can be used to check unbound.conf prior to usage.
31.SH "EXAMPLE"
32An example config file is shown below. Copy this to /etc/unbound/unbound.conf
33and start the server with:
34.P
35.nf
36 $ unbound \-c /etc/unbound/unbound.conf
37.fi
38.P
39Most settings are the defaults. Stop the server with:
40.P
41.nf
42 $ kill `cat /etc/unbound/unbound.pid`
43.fi
44.P
45Below is a minimal config file. The source distribution contains an extensive
46example.conf file with all the options.
47.P
48.nf
49# unbound.conf(5) config file for unbound(8).
50server:
51 directory: "/etc/unbound"
52 username: unbound
53 # make sure unbound can access entropy from inside the chroot.
54 # e.g. on linux the use these commands (on BSD, devfs(8) is used):
55 # mount \-\-bind \-n /dev/random /etc/unbound/dev/random
56 # and mount \-\-bind \-n /dev/log /etc/unbound/dev/log
57 chroot: "/etc/unbound"
58 # logfile: "/etc/unbound/unbound.log" #uncomment to use logfile.
59 pidfile: "/etc/unbound/unbound.pid"
60 # verbosity: 1 # uncomment and increase to get more logging.
61 # listen on all interfaces, answer queries from the local subnet.
62 interface: 0.0.0.0
63 interface: ::0
64 access\-control: 10.0.0.0/8 allow
65 access\-control: 2001:DB8::/64 allow
66.fi
67.SH "FILE FORMAT"
68.LP
69There must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute
70is followed by its containing attributes, or a value.
71.P
72Files can be included using the
73.B include:
74directive. It can appear anywhere, it accepts a single file name as argument.
75Processing continues as if the text from the included file was copied into
76the config file at that point. If also using chroot, using full path names
77for the included files works, relative pathnames for the included names work
78if the directory where the daemon is started equals its chroot/working
79directory. Wildcards can be used to include multiple files, see \fIglob\fR(7).
80.SS "Server Options"
81These options are part of the
82.B server:
83clause.
84.TP
85.B verbosity: \fI<number>
86The verbosity number, level 0 means no verbosity, only errors. Level 1
87gives operational information. Level 2 gives detailed operational
88information. Level 3 gives query level information, output per query.
89Level 4 gives algorithm level information. Level 5 logs client
90identification for cache misses. Default is level 1.
91The verbosity can also be increased from the commandline, see \fIunbound\fR(8).
92.TP
93.B statistics\-interval: \fI<seconds>
94The number of seconds between printing statistics to the log for every thread.
95Disable with value 0 or "". Default is disabled. The histogram statistics
96are only printed if replies were sent during the statistics interval,
97requestlist statistics are printed for every interval (but can be 0).
98This is because the median calculation requires data to be present.
99.TP
100.B statistics\-cumulative: \fI<yes or no>
101If enabled, statistics are cumulative since starting unbound, without clearing
102the statistics counters after logging the statistics. Default is no.
103.TP
104.B extended\-statistics: \fI<yes or no>
105If enabled, extended statistics are printed from \fIunbound\-control\fR(8).
106Default is off, because keeping track of more statistics takes time. The
107counters are listed in \fIunbound\-control\fR(8).
108.TP
109.B num\-threads: \fI<number>
110The number of threads to create to serve clients. Use 1 for no threading.
111.TP
112.B port: \fI<port number>
113The port number, default 53, on which the server responds to queries.
114.TP
115.B interface: \fI<ip address[@port]>
116Interface to use to connect to the network. This interface is listened to
117for queries from clients, and answers to clients are given from it.
118Can be given multiple times to work on several interfaces. If none are
119given the default is to listen to localhost.
120The interfaces are not changed on a reload (kill \-HUP) but only on restart.
121A port number can be specified with @port (without spaces between
122interface and port number), if not specified the default port (from
123\fBport\fR) is used.
124.TP
| 2.\"
3.\" unbound.conf.5 -- unbound.conf manual
4.\"
5.\" Copyright (c) 2007, NLnet Labs. All rights reserved.
6.\"
7.\" See LICENSE for the license.
8.\"
9.\"
10.SH "NAME"
11.LP
12.B unbound.conf
13\- Unbound configuration file.
14.SH "SYNOPSIS"
15.LP
16.B unbound.conf
17.SH "DESCRIPTION"
18.LP
19.B unbound.conf
20is used to configure
21\fIunbound\fR(8).
22The file format has attributes and values. Some attributes have attributes inside them.
23The notation is: attribute: value.
24.P
25Comments start with # and last to the end of line. Empty lines are
26ignored as is whitespace at the beginning of a line.
27.P
28The utility
29\fIunbound\-checkconf\fR(8)
30can be used to check unbound.conf prior to usage.
31.SH "EXAMPLE"
32An example config file is shown below. Copy this to /etc/unbound/unbound.conf
33and start the server with:
34.P
35.nf
36 $ unbound \-c /etc/unbound/unbound.conf
37.fi
38.P
39Most settings are the defaults. Stop the server with:
40.P
41.nf
42 $ kill `cat /etc/unbound/unbound.pid`
43.fi
44.P
45Below is a minimal config file. The source distribution contains an extensive
46example.conf file with all the options.
47.P
48.nf
49# unbound.conf(5) config file for unbound(8).
50server:
51 directory: "/etc/unbound"
52 username: unbound
53 # make sure unbound can access entropy from inside the chroot.
54 # e.g. on linux the use these commands (on BSD, devfs(8) is used):
55 # mount \-\-bind \-n /dev/random /etc/unbound/dev/random
56 # and mount \-\-bind \-n /dev/log /etc/unbound/dev/log
57 chroot: "/etc/unbound"
58 # logfile: "/etc/unbound/unbound.log" #uncomment to use logfile.
59 pidfile: "/etc/unbound/unbound.pid"
60 # verbosity: 1 # uncomment and increase to get more logging.
61 # listen on all interfaces, answer queries from the local subnet.
62 interface: 0.0.0.0
63 interface: ::0
64 access\-control: 10.0.0.0/8 allow
65 access\-control: 2001:DB8::/64 allow
66.fi
67.SH "FILE FORMAT"
68.LP
69There must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute
70is followed by its containing attributes, or a value.
71.P
72Files can be included using the
73.B include:
74directive. It can appear anywhere, it accepts a single file name as argument.
75Processing continues as if the text from the included file was copied into
76the config file at that point. If also using chroot, using full path names
77for the included files works, relative pathnames for the included names work
78if the directory where the daemon is started equals its chroot/working
79directory. Wildcards can be used to include multiple files, see \fIglob\fR(7).
80.SS "Server Options"
81These options are part of the
82.B server:
83clause.
84.TP
85.B verbosity: \fI<number>
86The verbosity number, level 0 means no verbosity, only errors. Level 1
87gives operational information. Level 2 gives detailed operational
88information. Level 3 gives query level information, output per query.
89Level 4 gives algorithm level information. Level 5 logs client
90identification for cache misses. Default is level 1.
91The verbosity can also be increased from the commandline, see \fIunbound\fR(8).
92.TP
93.B statistics\-interval: \fI<seconds>
94The number of seconds between printing statistics to the log for every thread.
95Disable with value 0 or "". Default is disabled. The histogram statistics
96are only printed if replies were sent during the statistics interval,
97requestlist statistics are printed for every interval (but can be 0).
98This is because the median calculation requires data to be present.
99.TP
100.B statistics\-cumulative: \fI<yes or no>
101If enabled, statistics are cumulative since starting unbound, without clearing
102the statistics counters after logging the statistics. Default is no.
103.TP
104.B extended\-statistics: \fI<yes or no>
105If enabled, extended statistics are printed from \fIunbound\-control\fR(8).
106Default is off, because keeping track of more statistics takes time. The
107counters are listed in \fIunbound\-control\fR(8).
108.TP
109.B num\-threads: \fI<number>
110The number of threads to create to serve clients. Use 1 for no threading.
111.TP
112.B port: \fI<port number>
113The port number, default 53, on which the server responds to queries.
114.TP
115.B interface: \fI<ip address[@port]>
116Interface to use to connect to the network. This interface is listened to
117for queries from clients, and answers to clients are given from it.
118Can be given multiple times to work on several interfaces. If none are
119given the default is to listen to localhost.
120The interfaces are not changed on a reload (kill \-HUP) but only on restart.
121A port number can be specified with @port (without spaces between
122interface and port number), if not specified the default port (from
123\fBport\fR) is used.
124.TP
|
| 125.B ip\-address: \fI<ip address[@port]>
126Same as interface: (for easy of compatibility with nsd.conf).
127.TP
|
125.B interface\-automatic: \fI<yes or no>
126Detect source interface on UDP queries and copy them to replies. This
127feature is experimental, and needs support in your OS for particular socket
128options. Default value is no.
129.TP
130.B outgoing\-interface: \fI<ip address>
131Interface to use to connect to the network. This interface is used to send
132queries to authoritative servers and receive their replies. Can be given
133multiple times to work on several interfaces. If none are given the
134default (all) is used. You can specify the same interfaces in
135.B interface:
136and
137.B outgoing\-interface:
138lines, the interfaces are then used for both purposes. Outgoing queries are
139sent via a random outgoing interface to counter spoofing.
140.TP
141.B outgoing\-range: \fI<number>
142Number of ports to open. This number of file descriptors can be opened per
143thread. Must be at least 1. Default depends on compile options. Larger
144numbers need extra resources from the operating system. For performance a
145a very large value is best, use libevent to make this possible.
146.TP
147.B outgoing\-port\-permit: \fI<port number or range>
148Permit unbound to open this port or range of ports for use to send queries.
149A larger number of permitted outgoing ports increases resilience against
150spoofing attempts. Make sure these ports are not needed by other daemons.
151By default only ports above 1024 that have not been assigned by IANA are used.
152Give a port number or a range of the form "low\-high", without spaces.
153.IP
154The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements
155are processed in the line order of the config file, adding the permitted ports
156and subtracting the avoided ports from the set of allowed ports. The
157processing starts with the non IANA allocated ports above 1024 in the set
158of allowed ports.
159.TP
160.B outgoing\-port\-avoid: \fI<port number or range>
161Do not permit unbound to open this port or range of ports for use to send
162queries. Use this to make sure unbound does not grab a port that another
163daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6.
164By default only ports above 1024 that have not been assigned by IANA are used.
165Give a port number or a range of the form "low\-high", without spaces.
166.TP
167.B outgoing\-num\-tcp: \fI<number>
168Number of outgoing TCP buffers to allocate per thread. Default is 10. If set
169to 0, or if do_tcp is "no", no TCP queries to authoritative servers are done.
170.TP
171.B incoming\-num\-tcp: \fI<number>
172Number of incoming TCP buffers to allocate per thread. Default is 10. If set
173to 0, or if do_tcp is "no", no TCP queries from clients are accepted.
174.TP
175.B edns\-buffer\-size: \fI<number>
176Number of bytes size to advertise as the EDNS reassembly buffer size.
177This is the value put into datagrams over UDP towards peers. The actual
178buffer size is determined by msg\-buffer\-size (both for TCP and UDP). Do
179not set higher than that value. Default is 4096 which is RFC recommended.
180If you have fragmentation reassembly problems, usually seen as timeouts,
181then a value of 1480 can fix it. Setting to 512 bypasses even the most
182stringent path MTU problems, but is seen as extreme, since the amount
183of TCP fallback generated is excessive (probably also for this resolver,
184consider tuning the outgoing tcp number).
185.TP
| 128.B interface\-automatic: \fI<yes or no>
129Detect source interface on UDP queries and copy them to replies. This
130feature is experimental, and needs support in your OS for particular socket
131options. Default value is no.
132.TP
133.B outgoing\-interface: \fI<ip address>
134Interface to use to connect to the network. This interface is used to send
135queries to authoritative servers and receive their replies. Can be given
136multiple times to work on several interfaces. If none are given the
137default (all) is used. You can specify the same interfaces in
138.B interface:
139and
140.B outgoing\-interface:
141lines, the interfaces are then used for both purposes. Outgoing queries are
142sent via a random outgoing interface to counter spoofing.
143.TP
144.B outgoing\-range: \fI<number>
145Number of ports to open. This number of file descriptors can be opened per
146thread. Must be at least 1. Default depends on compile options. Larger
147numbers need extra resources from the operating system. For performance a
148a very large value is best, use libevent to make this possible.
149.TP
150.B outgoing\-port\-permit: \fI<port number or range>
151Permit unbound to open this port or range of ports for use to send queries.
152A larger number of permitted outgoing ports increases resilience against
153spoofing attempts. Make sure these ports are not needed by other daemons.
154By default only ports above 1024 that have not been assigned by IANA are used.
155Give a port number or a range of the form "low\-high", without spaces.
156.IP
157The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements
158are processed in the line order of the config file, adding the permitted ports
159and subtracting the avoided ports from the set of allowed ports. The
160processing starts with the non IANA allocated ports above 1024 in the set
161of allowed ports.
162.TP
163.B outgoing\-port\-avoid: \fI<port number or range>
164Do not permit unbound to open this port or range of ports for use to send
165queries. Use this to make sure unbound does not grab a port that another
166daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6.
167By default only ports above 1024 that have not been assigned by IANA are used.
168Give a port number or a range of the form "low\-high", without spaces.
169.TP
170.B outgoing\-num\-tcp: \fI<number>
171Number of outgoing TCP buffers to allocate per thread. Default is 10. If set
172to 0, or if do_tcp is "no", no TCP queries to authoritative servers are done.
173.TP
174.B incoming\-num\-tcp: \fI<number>
175Number of incoming TCP buffers to allocate per thread. Default is 10. If set
176to 0, or if do_tcp is "no", no TCP queries from clients are accepted.
177.TP
178.B edns\-buffer\-size: \fI<number>
179Number of bytes size to advertise as the EDNS reassembly buffer size.
180This is the value put into datagrams over UDP towards peers. The actual
181buffer size is determined by msg\-buffer\-size (both for TCP and UDP). Do
182not set higher than that value. Default is 4096 which is RFC recommended.
183If you have fragmentation reassembly problems, usually seen as timeouts,
184then a value of 1480 can fix it. Setting to 512 bypasses even the most
185stringent path MTU problems, but is seen as extreme, since the amount
186of TCP fallback generated is excessive (probably also for this resolver,
187consider tuning the outgoing tcp number).
188.TP
|
| 189.B max\-udp\-size: \fI<number>
190Maximum UDP response size (not applied to TCP response). 65536 disables the
191udp response size maximum, and uses the choice from the client, always.
192Suggested values are 512 to 4096. Default is 4096.
193.TP
|
186.B msg\-buffer\-size: \fI<number>
187Number of bytes size of the message buffers. Default is 65552 bytes, enough
188for 64 Kb packets, the maximum DNS message size. No message larger than this
189can be sent or received. Can be reduced to use less memory, but some requests
190for DNS data, such as for huge resource records, will result in a SERVFAIL
191reply to the client.
192.TP
193.B msg\-cache\-size: \fI<number>
194Number of bytes size of the message cache. Default is 4 megabytes.
195A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
196or gigabytes (1024*1024 bytes in a megabyte).
197.TP
198.B msg\-cache\-slabs: \fI<number>
199Number of slabs in the message cache. Slabs reduce lock contention by threads.
200Must be set to a power of 2. Setting (close) to the number of cpus is a
201reasonable guess.
202.TP
203.B num\-queries\-per\-thread: \fI<number>
204The number of queries that every thread will service simultaneously.
205If more queries arrive that need servicing, and no queries can be jostled out
206(see \fIjostle\-timeout\fR), then the queries are dropped. This forces
207the client to resend after a timeout; allowing the server time to work on
208the existing queries. Default depends on compile options, 512 or 1024.
209.TP
210.B jostle\-timeout: \fI<msec>
211Timeout used when the server is very busy. Set to a value that usually
212results in one roundtrip to the authority servers. If too many queries
213arrive, then 50% of the queries are allowed to run to completion, and
214the other 50% are replaced with the new incoming query if they have already
215spent more than their allowed time. This protects against denial of
216service by slow queries or high query rates. Default 200 milliseconds.
217The effect is that the qps for long-lasting queries is about
218(numqueriesperthread / 2) / (average time for such long queries) qps.
219The qps for short queries can be about (numqueriesperthread / 2)
220/ (jostletimeout in whole seconds) qps per thread, about (1024/2)*5 = 2560
221qps by default.
222.TP
| 194.B msg\-buffer\-size: \fI<number>
195Number of bytes size of the message buffers. Default is 65552 bytes, enough
196for 64 Kb packets, the maximum DNS message size. No message larger than this
197can be sent or received. Can be reduced to use less memory, but some requests
198for DNS data, such as for huge resource records, will result in a SERVFAIL
199reply to the client.
200.TP
201.B msg\-cache\-size: \fI<number>
202Number of bytes size of the message cache. Default is 4 megabytes.
203A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
204or gigabytes (1024*1024 bytes in a megabyte).
205.TP
206.B msg\-cache\-slabs: \fI<number>
207Number of slabs in the message cache. Slabs reduce lock contention by threads.
208Must be set to a power of 2. Setting (close) to the number of cpus is a
209reasonable guess.
210.TP
211.B num\-queries\-per\-thread: \fI<number>
212The number of queries that every thread will service simultaneously.
213If more queries arrive that need servicing, and no queries can be jostled out
214(see \fIjostle\-timeout\fR), then the queries are dropped. This forces
215the client to resend after a timeout; allowing the server time to work on
216the existing queries. Default depends on compile options, 512 or 1024.
217.TP
218.B jostle\-timeout: \fI<msec>
219Timeout used when the server is very busy. Set to a value that usually
220results in one roundtrip to the authority servers. If too many queries
221arrive, then 50% of the queries are allowed to run to completion, and
222the other 50% are replaced with the new incoming query if they have already
223spent more than their allowed time. This protects against denial of
224service by slow queries or high query rates. Default 200 milliseconds.
225The effect is that the qps for long-lasting queries is about
226(numqueriesperthread / 2) / (average time for such long queries) qps.
227The qps for short queries can be about (numqueriesperthread / 2)
228/ (jostletimeout in whole seconds) qps per thread, about (1024/2)*5 = 2560
229qps by default.
230.TP
|
| 231.B delay\-close: \fI<msec>
232Extra delay for timeouted UDP ports before they are closed, in msec.
233Default is 0, and that disables it. This prevents very delayed answer
234packets from the upstream (recursive) servers from bouncing against
235closed ports and setting off all sort of close-port counters, with
236eg. 1500 msec. When timeouts happen you need extra sockets, it checks
237the ID and remote IP of packets, and unwanted packets are added to the
238unwanted packet counter.
239.TP
|
223.B so\-rcvbuf: \fI<number>
224If not 0, then set the SO_RCVBUF socket option to get more buffer
225space on UDP port 53 incoming queries. So that short spikes on busy
226servers do not drop packets (see counter in netstat \-su). Default is
2270 (use system value). Otherwise, the number of bytes to ask for, try
228"4m" on a busy server. The OS caps it at a maximum, on linux unbound
229needs root permission to bypass the limit, or the admin can use sysctl
230net.core.rmem_max. On BSD change kern.ipc.maxsockbuf in /etc/sysctl.conf.
231On OpenBSD change header and recompile kernel. On Solaris ndd \-set
232/dev/udp udp_max_buf 8388608.
233.TP
234.B so\-sndbuf: \fI<number>
235If not 0, then set the SO_SNDBUF socket option to get more buffer space on
236UDP port 53 outgoing queries. This for very busy servers handles spikes
237in answer traffic, otherwise 'send: resource temporarily unavailable'
238can get logged, the buffer overrun is also visible by netstat \-su.
239Default is 0 (use system value). Specify the number of bytes to ask
240for, try "4m" on a very busy server. The OS caps it at a maximum, on
241linux unbound needs root permission to bypass the limit, or the admin
242can use sysctl net.core.wmem_max. On BSD, Solaris changes are similar
243to so\-rcvbuf.
244.TP
| 240.B so\-rcvbuf: \fI<number>
241If not 0, then set the SO_RCVBUF socket option to get more buffer
242space on UDP port 53 incoming queries. So that short spikes on busy
243servers do not drop packets (see counter in netstat \-su). Default is
2440 (use system value). Otherwise, the number of bytes to ask for, try
245"4m" on a busy server. The OS caps it at a maximum, on linux unbound
246needs root permission to bypass the limit, or the admin can use sysctl
247net.core.rmem_max. On BSD change kern.ipc.maxsockbuf in /etc/sysctl.conf.
248On OpenBSD change header and recompile kernel. On Solaris ndd \-set
249/dev/udp udp_max_buf 8388608.
250.TP
251.B so\-sndbuf: \fI<number>
252If not 0, then set the SO_SNDBUF socket option to get more buffer space on
253UDP port 53 outgoing queries. This for very busy servers handles spikes
254in answer traffic, otherwise 'send: resource temporarily unavailable'
255can get logged, the buffer overrun is also visible by netstat \-su.
256Default is 0 (use system value). Specify the number of bytes to ask
257for, try "4m" on a very busy server. The OS caps it at a maximum, on
258linux unbound needs root permission to bypass the limit, or the admin
259can use sysctl net.core.wmem_max. On BSD, Solaris changes are similar
260to so\-rcvbuf.
261.TP
|
| 262.B so\-reuseport: \fI<yes or no>
263If yes, then open dedicated listening sockets for incoming queries for each
264thread and try to set the SO_REUSEPORT socket option on each socket. May
265distribute incoming queries to threads more evenly. Default is no. Only
266supported on Linux >= 3.9. You can enable it (on any platform and kernel),
267it then attempts to open the port and passes the option if it was available
268at compile time, if that works it is used, if it fails, it continues
269silently (unless verbosity 3) without the option.
270.TP
|
245.B rrset\-cache\-size: \fI<number>
246Number of bytes size of the RRset cache. Default is 4 megabytes.
247A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
248or gigabytes (1024*1024 bytes in a megabyte).
249.TP
250.B rrset\-cache\-slabs: \fI<number>
251Number of slabs in the RRset cache. Slabs reduce lock contention by threads.
252Must be set to a power of 2.
253.TP
254.B cache\-max\-ttl: \fI<seconds>
255Time to live maximum for RRsets and messages in the cache. Default is
25686400 seconds (1 day). If the maximum kicks in, responses to clients
257still get decrementing TTLs based on the original (larger) values.
258When the internal TTL expires, the cache item has expired.
259Can be set lower to force the resolver to query for data often, and not
260trust (very large) TTL values.
261.TP
262.B cache\-min\-ttl: \fI<seconds>
263Time to live minimum for RRsets and messages in the cache. Default is 0.
264If the the minimum kicks in, the data is cached for longer than the domain
265owner intended, and thus less queries are made to look up the data.
266Zero makes sure the data in the cache is as the domain owner intended,
267higher values, especially more than an hour or so, can lead to trouble as
268the data in the cache does not match up with the actual data any more.
269.TP
270.B infra\-host\-ttl: \fI<seconds>
271Time to live for entries in the host cache. The host cache contains
272roundtrip timing, lameness and EDNS support information. Default is 900.
273.TP
274.B infra\-cache\-slabs: \fI<number>
275Number of slabs in the infrastructure cache. Slabs reduce lock contention
276by threads. Must be set to a power of 2.
277.TP
278.B infra\-cache\-numhosts: \fI<number>
279Number of hosts for which information is cached. Default is 10000.
280.TP
281.B do\-ip4: \fI<yes or no>
282Enable or disable whether ip4 queries are answered or issued. Default is yes.
283.TP
284.B do\-ip6: \fI<yes or no>
285Enable or disable whether ip6 queries are answered or issued. Default is yes.
286If disabled, queries are not answered on IPv6, and queries are not sent on
287IPv6 to the internet nameservers.
288.TP
289.B do\-udp: \fI<yes or no>
290Enable or disable whether UDP queries are answered or issued. Default is yes.
291.TP
292.B do\-tcp: \fI<yes or no>
293Enable or disable whether TCP queries are answered or issued. Default is yes.
294.TP
295.B tcp\-upstream: \fI<yes or no>
296Enable or disable whether the upstream queries use TCP only for transport.
297Default is no. Useful in tunneling scenarios.
298.TP
299.B ssl\-upstream: \fI<yes or no>
300Enabled or disable whether the upstream queries use SSL only for transport.
301Default is no. Useful in tunneling scenarios. The SSL contains plain DNS in
302TCP wireformat. The other server must support this (see \fBssl\-service\-key\fR).
303.TP
304.B ssl\-service-key: \fI<file>
305If enabled, the server provider SSL service on its TCP sockets. The clients
306have to use ssl\-upstream: yes. The file is the private key for the TLS
307session. The public certificate is in the ssl\-service\-pem file. Default
308is "", turned off. Requires a restart (a reload is not enough) if changed,
309because the private key is read while root permissions are held and before
310chroot (if any). Normal DNS TCP service is not provided and gives errors,
311this service is best run with a different \fBport:\fR config or \fI@port\fR
312suffixes in the \fBinterface\fR config.
313.TP
314.B ssl\-service\-pem: \fI<file>
315The public key certificate pem file for the ssl service. Default is "",
316turned off.
317.TP
318.B ssl\-port: \fI<number>
319The port number on which to provide TCP SSL service, default 443, only
320interfaces configured with that port number as @number get the SSL service.
321.TP
322.B do\-daemonize: \fI<yes or no>
323Enable or disable whether the unbound server forks into the background as
324a daemon. Default is yes.
325.TP
326.B access\-control: \fI<IP netblock> <action>
327The netblock is given as an IP4 or IP6 address with /size appended for a
328classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
| 271.B rrset\-cache\-size: \fI<number>
272Number of bytes size of the RRset cache. Default is 4 megabytes.
273A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
274or gigabytes (1024*1024 bytes in a megabyte).
275.TP
276.B rrset\-cache\-slabs: \fI<number>
277Number of slabs in the RRset cache. Slabs reduce lock contention by threads.
278Must be set to a power of 2.
279.TP
280.B cache\-max\-ttl: \fI<seconds>
281Time to live maximum for RRsets and messages in the cache. Default is
28286400 seconds (1 day). If the maximum kicks in, responses to clients
283still get decrementing TTLs based on the original (larger) values.
284When the internal TTL expires, the cache item has expired.
285Can be set lower to force the resolver to query for data often, and not
286trust (very large) TTL values.
287.TP
288.B cache\-min\-ttl: \fI<seconds>
289Time to live minimum for RRsets and messages in the cache. Default is 0.
290If the the minimum kicks in, the data is cached for longer than the domain
291owner intended, and thus less queries are made to look up the data.
292Zero makes sure the data in the cache is as the domain owner intended,
293higher values, especially more than an hour or so, can lead to trouble as
294the data in the cache does not match up with the actual data any more.
295.TP
296.B infra\-host\-ttl: \fI<seconds>
297Time to live for entries in the host cache. The host cache contains
298roundtrip timing, lameness and EDNS support information. Default is 900.
299.TP
300.B infra\-cache\-slabs: \fI<number>
301Number of slabs in the infrastructure cache. Slabs reduce lock contention
302by threads. Must be set to a power of 2.
303.TP
304.B infra\-cache\-numhosts: \fI<number>
305Number of hosts for which information is cached. Default is 10000.
306.TP
307.B do\-ip4: \fI<yes or no>
308Enable or disable whether ip4 queries are answered or issued. Default is yes.
309.TP
310.B do\-ip6: \fI<yes or no>
311Enable or disable whether ip6 queries are answered or issued. Default is yes.
312If disabled, queries are not answered on IPv6, and queries are not sent on
313IPv6 to the internet nameservers.
314.TP
315.B do\-udp: \fI<yes or no>
316Enable or disable whether UDP queries are answered or issued. Default is yes.
317.TP
318.B do\-tcp: \fI<yes or no>
319Enable or disable whether TCP queries are answered or issued. Default is yes.
320.TP
321.B tcp\-upstream: \fI<yes or no>
322Enable or disable whether the upstream queries use TCP only for transport.
323Default is no. Useful in tunneling scenarios.
324.TP
325.B ssl\-upstream: \fI<yes or no>
326Enabled or disable whether the upstream queries use SSL only for transport.
327Default is no. Useful in tunneling scenarios. The SSL contains plain DNS in
328TCP wireformat. The other server must support this (see \fBssl\-service\-key\fR).
329.TP
330.B ssl\-service-key: \fI<file>
331If enabled, the server provider SSL service on its TCP sockets. The clients
332have to use ssl\-upstream: yes. The file is the private key for the TLS
333session. The public certificate is in the ssl\-service\-pem file. Default
334is "", turned off. Requires a restart (a reload is not enough) if changed,
335because the private key is read while root permissions are held and before
336chroot (if any). Normal DNS TCP service is not provided and gives errors,
337this service is best run with a different \fBport:\fR config or \fI@port\fR
338suffixes in the \fBinterface\fR config.
339.TP
340.B ssl\-service\-pem: \fI<file>
341The public key certificate pem file for the ssl service. Default is "",
342turned off.
343.TP
344.B ssl\-port: \fI<number>
345The port number on which to provide TCP SSL service, default 443, only
346interfaces configured with that port number as @number get the SSL service.
347.TP
348.B do\-daemonize: \fI<yes or no>
349Enable or disable whether the unbound server forks into the background as
350a daemon. Default is yes.
351.TP
352.B access\-control: \fI<IP netblock> <action>
353The netblock is given as an IP4 or IP6 address with /size appended for a
354classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
|
329\fIallow\fR or \fIallow_snoop\fR.
| 355\fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR.
|
330.IP
331The action \fIdeny\fR stops queries from hosts from that netblock.
332.IP
333The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED
334error message back.
335.IP
336The action \fIallow\fR gives access to clients from that netblock.
337It gives only access for recursion clients (which is
338what almost all clients need). Nonrecursive queries are refused.
339.IP
340The \fIallow\fR action does allow nonrecursive queries to access the
341local\-data that is configured. The reason is that this does not involve
342the unbound server recursive lookup algorithm, and static data is served
343in the reply. This supports normal operations where nonrecursive queries
344are made for the authoritative data. For nonrecursive queries any replies
345from the dynamic cache are refused.
346.IP
347The action \fIallow_snoop\fR gives nonrecursive access too. This give
348both recursive and non recursive access. The name \fIallow_snoop\fR refers
349to cache snooping, a technique to use nonrecursive queries to examine
350the cache contents (for malicious acts). However, nonrecursive queries can
351also be a valuable debugging tool (when you want to examine the cache
352contents). In that case use \fIallow_snoop\fR for your administration host.
353.IP
354By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd.
355The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
356protocol is not designed to handle dropped packets due to policy, and
357dropping may result in (possibly excessive) retried queries.
| 356.IP
357The action \fIdeny\fR stops queries from hosts from that netblock.
358.IP
359The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED
360error message back.
361.IP
362The action \fIallow\fR gives access to clients from that netblock.
363It gives only access for recursion clients (which is
364what almost all clients need). Nonrecursive queries are refused.
365.IP
366The \fIallow\fR action does allow nonrecursive queries to access the
367local\-data that is configured. The reason is that this does not involve
368the unbound server recursive lookup algorithm, and static data is served
369in the reply. This supports normal operations where nonrecursive queries
370are made for the authoritative data. For nonrecursive queries any replies
371from the dynamic cache are refused.
372.IP
373The action \fIallow_snoop\fR gives nonrecursive access too. This give
374both recursive and non recursive access. The name \fIallow_snoop\fR refers
375to cache snooping, a technique to use nonrecursive queries to examine
376the cache contents (for malicious acts). However, nonrecursive queries can
377also be a valuable debugging tool (when you want to examine the cache
378contents). In that case use \fIallow_snoop\fR for your administration host.
379.IP
380By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd.
381The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
382protocol is not designed to handle dropped packets due to policy, and
383dropping may result in (possibly excessive) retried queries.
|
| 384.IP
385The deny_non_local and refuse_non_local settings are for hosts that are
386only allowed to query for the authoritative local\-data, they are not
387allowed full recursion but only the static data. With deny_non_local,
388messages that are disallowed are dropped, with refuse_non_local they
389receive error code REFUSED.
|
358.TP
359.B chroot: \fI<directory>
360If chroot is enabled, you should pass the configfile (from the
361commandline) as a full path from the original root. After the
362chroot has been performed the now defunct portion of the config
363file path is removed to be able to reread the config after a reload.
364.IP
365All other file paths (working dir, logfile, roothints, and
366key files) can be specified in several ways:
367as an absolute path relative to the new root,
368as a relative path to the working directory, or
369as an absolute path relative to the original root.
370In the last case the path is adjusted to remove the unused portion.
371.IP
372The pidfile can be either a relative path to the working directory, or
373an absolute path relative to the original root. It is written just prior
374to chroot and dropping permissions. This allows the pidfile to be
375/var/run/unbound.pid and the chroot to be /var/unbound, for example.
376.IP
377Additionally, unbound may need to access /dev/random (for entropy)
378from inside the chroot.
379.IP
380If given a chroot is done to the given directory. The default is
381"/var/unbound". If you give "" no chroot is performed.
382.TP
383.B username: \fI<name>
384If given, after binding the port the user privileges are dropped. Default is
385"unbound". If you give username: "" no user change is performed.
386.IP
387If this user is not capable of binding the
388port, reloads (by signal HUP) will still retain the opened ports.
389If you change the port number in the config file, and that new port number
390requires privileges, then a reload will fail; a restart is needed.
391.TP
392.B directory: \fI<directory>
393Sets the working directory for the program. Default is "/var/unbound".
394.TP
395.B logfile: \fI<filename>
396If "" is given, logging goes to stderr, or nowhere once daemonized.
397The logfile is appended to, in the following format:
398.nf
399[seconds since 1970] unbound[pid:tid]: type: message.
400.fi
401If this option is given, the use\-syslog is option is set to "no".
402The logfile is reopened (for append) when the config file is reread, on
403SIGHUP.
404.TP
405.B use\-syslog: \fI<yes or no>
406Sets unbound to send log messages to the syslogd, using
407\fIsyslog\fR(3).
408The log facility LOG_DAEMON is used, with identity "unbound".
409The logfile setting is overridden when use\-syslog is turned on.
410The default is to log to syslog.
411.TP
412.B log\-time\-ascii: \fI<yes or no>
413Sets logfile lines to use a timestamp in UTC ascii. Default is no, which
414prints the seconds since 1970 in brackets. No effect if using syslog, in
415that case syslog formats the timestamp printed into the log files.
416.TP
417.B log\-queries: \fI<yes or no>
418Prints one line per query to the log, with the log timestamp and IP address,
419name, type and class. Default is no. Note that it takes time to print these
420lines which makes the server (significantly) slower. Odd (nonprintable)
421characters in names are printed as '?'.
422.TP
423.B pidfile: \fI<filename>
424The process id is written to the file. Default is "/var/unbound/unbound.pid".
425So,
426.nf
427kill \-HUP `cat /var/unbound/unbound.pid`
428.fi
429triggers a reload,
430.nf
431kill \-QUIT `cat /var/unbound/unbound.pid`
432.fi
433gracefully terminates.
434.TP
435.B root\-hints: \fI<filename>
436Read the root hints from this file. Default is nothing, using builtin hints
437for the IN class. The file has the format of zone files, with root
438nameserver names and addresses only. The default may become outdated,
439when servers change, therefore it is good practice to use a root\-hints file.
440.TP
441.B hide\-identity: \fI<yes or no>
442If enabled id.server and hostname.bind queries are refused.
443.TP
444.B identity: \fI<string>
445Set the identity to report. If set to "", the default, then the hostname
446of the server is returned.
447.TP
448.B hide\-version: \fI<yes or no>
449If enabled version.server and version.bind queries are refused.
450.TP
451.B version: \fI<string>
452Set the version to report. If set to "", the default, then the package
453version is returned.
454.TP
455.B target\-fetch\-policy: \fI<"list of numbers">
456Set the target fetch policy used by unbound to determine if it should fetch
457nameserver target addresses opportunistically. The policy is described per
458dependency depth.
459.IP
460The number of values determines the maximum dependency depth
461that unbound will pursue in answering a query.
462A value of \-1 means to fetch all targets opportunistically for that dependency
463depth. A value of 0 means to fetch on demand only. A positive value fetches
464that many targets opportunistically.
465.IP
466Enclose the list between quotes ("") and put spaces between numbers.
467The default is "3 2 1 0 0". Setting all zeroes, "0 0 0 0 0" gives behaviour
468closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour
469rumoured to be closer to that of BIND 8.
470.TP
471.B harden\-short\-bufsize: \fI<yes or no>
472Very small EDNS buffer sizes from queries are ignored. Default is off, since
473it is legal protocol wise to send these, and unbound tries to give very
474small answers to these queries, where possible.
475.TP
476.B harden\-large\-queries: \fI<yes or no>
477Very large queries are ignored. Default is off, since it is legal protocol
478wise to send these, and could be necessary for operation if TSIG or EDNS
479payload is very large.
480.TP
481.B harden\-glue: \fI<yes or no>
482Will trust glue only if it is within the servers authority. Default is on.
483.TP
484.B harden\-dnssec\-stripped: \fI<yes or no>
485Require DNSSEC data for trust\-anchored zones, if such data is absent,
486the zone becomes bogus. If turned off, and no DNSSEC data is received
487(or the DNSKEY data fails to validate), then the zone is made insecure,
488this behaves like there is no trust anchor. You could turn this off if
489you are sometimes behind an intrusive firewall (of some sort) that
490removes DNSSEC data from packets, or a zone changes from signed to
491unsigned to badly signed often. If turned off you run the risk of a
492downgrade attack that disables security for a zone. Default is on.
493.TP
494.B harden\-below\-nxdomain: \fI<yes or no>
| 390.TP
391.B chroot: \fI<directory>
392If chroot is enabled, you should pass the configfile (from the
393commandline) as a full path from the original root. After the
394chroot has been performed the now defunct portion of the config
395file path is removed to be able to reread the config after a reload.
396.IP
397All other file paths (working dir, logfile, roothints, and
398key files) can be specified in several ways:
399as an absolute path relative to the new root,
400as a relative path to the working directory, or
401as an absolute path relative to the original root.
402In the last case the path is adjusted to remove the unused portion.
403.IP
404The pidfile can be either a relative path to the working directory, or
405an absolute path relative to the original root. It is written just prior
406to chroot and dropping permissions. This allows the pidfile to be
407/var/run/unbound.pid and the chroot to be /var/unbound, for example.
408.IP
409Additionally, unbound may need to access /dev/random (for entropy)
410from inside the chroot.
411.IP
412If given a chroot is done to the given directory. The default is
413"/var/unbound". If you give "" no chroot is performed.
414.TP
415.B username: \fI<name>
416If given, after binding the port the user privileges are dropped. Default is
417"unbound". If you give username: "" no user change is performed.
418.IP
419If this user is not capable of binding the
420port, reloads (by signal HUP) will still retain the opened ports.
421If you change the port number in the config file, and that new port number
422requires privileges, then a reload will fail; a restart is needed.
423.TP
424.B directory: \fI<directory>
425Sets the working directory for the program. Default is "/var/unbound".
426.TP
427.B logfile: \fI<filename>
428If "" is given, logging goes to stderr, or nowhere once daemonized.
429The logfile is appended to, in the following format:
430.nf
431[seconds since 1970] unbound[pid:tid]: type: message.
432.fi
433If this option is given, the use\-syslog is option is set to "no".
434The logfile is reopened (for append) when the config file is reread, on
435SIGHUP.
436.TP
437.B use\-syslog: \fI<yes or no>
438Sets unbound to send log messages to the syslogd, using
439\fIsyslog\fR(3).
440The log facility LOG_DAEMON is used, with identity "unbound".
441The logfile setting is overridden when use\-syslog is turned on.
442The default is to log to syslog.
443.TP
444.B log\-time\-ascii: \fI<yes or no>
445Sets logfile lines to use a timestamp in UTC ascii. Default is no, which
446prints the seconds since 1970 in brackets. No effect if using syslog, in
447that case syslog formats the timestamp printed into the log files.
448.TP
449.B log\-queries: \fI<yes or no>
450Prints one line per query to the log, with the log timestamp and IP address,
451name, type and class. Default is no. Note that it takes time to print these
452lines which makes the server (significantly) slower. Odd (nonprintable)
453characters in names are printed as '?'.
454.TP
455.B pidfile: \fI<filename>
456The process id is written to the file. Default is "/var/unbound/unbound.pid".
457So,
458.nf
459kill \-HUP `cat /var/unbound/unbound.pid`
460.fi
461triggers a reload,
462.nf
463kill \-QUIT `cat /var/unbound/unbound.pid`
464.fi
465gracefully terminates.
466.TP
467.B root\-hints: \fI<filename>
468Read the root hints from this file. Default is nothing, using builtin hints
469for the IN class. The file has the format of zone files, with root
470nameserver names and addresses only. The default may become outdated,
471when servers change, therefore it is good practice to use a root\-hints file.
472.TP
473.B hide\-identity: \fI<yes or no>
474If enabled id.server and hostname.bind queries are refused.
475.TP
476.B identity: \fI<string>
477Set the identity to report. If set to "", the default, then the hostname
478of the server is returned.
479.TP
480.B hide\-version: \fI<yes or no>
481If enabled version.server and version.bind queries are refused.
482.TP
483.B version: \fI<string>
484Set the version to report. If set to "", the default, then the package
485version is returned.
486.TP
487.B target\-fetch\-policy: \fI<"list of numbers">
488Set the target fetch policy used by unbound to determine if it should fetch
489nameserver target addresses opportunistically. The policy is described per
490dependency depth.
491.IP
492The number of values determines the maximum dependency depth
493that unbound will pursue in answering a query.
494A value of \-1 means to fetch all targets opportunistically for that dependency
495depth. A value of 0 means to fetch on demand only. A positive value fetches
496that many targets opportunistically.
497.IP
498Enclose the list between quotes ("") and put spaces between numbers.
499The default is "3 2 1 0 0". Setting all zeroes, "0 0 0 0 0" gives behaviour
500closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour
501rumoured to be closer to that of BIND 8.
502.TP
503.B harden\-short\-bufsize: \fI<yes or no>
504Very small EDNS buffer sizes from queries are ignored. Default is off, since
505it is legal protocol wise to send these, and unbound tries to give very
506small answers to these queries, where possible.
507.TP
508.B harden\-large\-queries: \fI<yes or no>
509Very large queries are ignored. Default is off, since it is legal protocol
510wise to send these, and could be necessary for operation if TSIG or EDNS
511payload is very large.
512.TP
513.B harden\-glue: \fI<yes or no>
514Will trust glue only if it is within the servers authority. Default is on.
515.TP
516.B harden\-dnssec\-stripped: \fI<yes or no>
517Require DNSSEC data for trust\-anchored zones, if such data is absent,
518the zone becomes bogus. If turned off, and no DNSSEC data is received
519(or the DNSKEY data fails to validate), then the zone is made insecure,
520this behaves like there is no trust anchor. You could turn this off if
521you are sometimes behind an intrusive firewall (of some sort) that
522removes DNSSEC data from packets, or a zone changes from signed to
523unsigned to badly signed often. If turned off you run the risk of a
524downgrade attack that disables security for a zone. Default is on.
525.TP
526.B harden\-below\-nxdomain: \fI<yes or no>
|
495From draft-vixie-dnsext-resimprove, returns nxdomain to queries for a name
| 527From draft\-vixie\-dnsext\-resimprove, returns nxdomain to queries for a name
|
496below another name that is already known to be nxdomain. DNSSEC mandates
497noerror for empty nonterminals, hence this is possible. Very old software
498might return nxdomain for empty nonterminals (that usually happen for reverse
499IP address lookups), and thus may be incompatible with this. To try to avoid
500this only DNSSEC-secure nxdomains are used, because the old software does not
501have DNSSEC. Default is off.
502.TP
503.B harden\-referral\-path: \fI<yes or no>
504Harden the referral path by performing additional queries for
505infrastructure data. Validates the replies if trust anchors are configured
506and the zones are signed. This enforces DNSSEC validation on nameserver
507NS sets and the nameserver addresses that are encountered on the referral
508path to the answer.
509Default off, because it burdens the authority servers, and it is
510not RFC standard, and could lead to performance problems because of the
511extra query load that is generated. Experimental option.
512If you enable it consider adding more numbers after the target\-fetch\-policy
513to increase the max depth that is checked to.
514.TP
515.B use\-caps\-for\-id: \fI<yes or no>
516Use 0x20\-encoded random bits in the query to foil spoof attempts.
517This perturbs the lowercase and uppercase of query names sent to
518authority servers and checks if the reply still has the correct casing.
519Disabled by default.
520This feature is an experimental implementation of draft dns\-0x20.
521.TP
522.B private\-address: \fI<IP address or subnet>
523Give IPv4 of IPv6 addresses or classless subnets. These are addresses
524on your private network, and are not allowed to be returned for public
525internet names. Any occurence of such addresses are removed from
526DNS answers. Additionally, the DNSSEC validator may mark the answers
527bogus. This protects against so\-called DNS Rebinding, where a user browser
528is turned into a network proxy, allowing remote access through the browser
529to other parts of your private network. Some names can be allowed to
530contain your private addresses, by default all the \fBlocal\-data\fR
531that you configured is allowed to, and you can specify additional
532names using \fBprivate\-domain\fR. No private addresses are enabled
533by default. We consider to enable this for the RFC1918 private IP
534address space by default in later releases. That would enable private
535addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
536fd00::/8 and fe80::/10, since the RFC standards say these addresses
537should not be visible on the public internet. Turning on 127.0.0.0/8
538would hinder many spamblocklists as they use that.
539.TP
540.B private\-domain: \fI<domain name>
541Allow this domain, and all its subdomains to contain private addresses.
542Give multiple times to allow multiple domain names to contain private
543addresses. Default is none.
544.TP
545.B unwanted\-reply\-threshold: \fI<number>
546If set, a total number of unwanted replies is kept track of in every thread.
547When it reaches the threshold, a defensive action is taken and a warning
548is printed to the log. The defensive action is to clear the rrset and
549message caches, hopefully flushing away any poison. A value of 10 million
550is suggested. Default is 0 (turned off).
551.TP
552.B do\-not\-query\-address: \fI<IP address>
553Do not query the given IP address. Can be IP4 or IP6. Append /num to
554indicate a classless delegation netblock, for example like
55510.2.3.4/24 or 2001::11/64.
556.TP
557.B do\-not\-query\-localhost: \fI<yes or no>
558If yes, localhost is added to the do\-not\-query\-address entries, both
559IP6 ::1 and IP4 127.0.0.1/8. If no, then localhost can be used to send
560queries to. Default is yes.
561.TP
562.B prefetch: \fI<yes or no>
563If yes, message cache elements are prefetched before they expire to
564keep the cache up to date. Default is no. Turning it on gives about
56510 percent more traffic and load on the machine, but popular items do
566not expire from the cache.
567.TP
568.B prefetch-key: \fI<yes or no>
569If yes, fetch the DNSKEYs earlier in the validation process, when a DS
570record is encountered. This lowers the latency of requests. It does use
571a little more CPU. Also if the cache is set to 0, it is no use. Default is no.
572.TP
573.B rrset-roundrobin: \fI<yes or no>
574If yes, Unbound rotates RRSet order in response (the random number is taken
575from the query ID, for speed and thread safety). Default is no.
576.TP
577.B minimal-responses: \fI<yes or no>
578If yes, Unbound doesn't insert authority/additional sections into response
579messages when those sections are not required. This reduces response
580size significantly, and may avoid TCP fallback for some responses.
581This may cause a slight speedup. The default is no, because the DNS
582protocol RFCs mandate these sections, and the additional content could
583be of use and save roundtrips for clients.
584.TP
585.B module\-config: \fI<"module names">
586Module configuration, a list of module names separated by spaces, surround
587the string with quotes (""). The modules can be validator, iterator.
588Setting this to "iterator" will result in a non\-validating server.
589Setting this to "validator iterator" will turn on DNSSEC validation.
590The ordering of the modules is important.
591You must also set trust\-anchors for validation to be useful.
592.TP
593.B trust\-anchor\-file: \fI<filename>
594File with trusted keys for validation. Both DS and DNSKEY entries can appear
595in the file. The format of the file is the standard DNS Zone file format.
596Default is "", or no trust anchor file.
597.TP
598.B auto\-trust\-anchor\-file: \fI<filename>
599File with trust anchor for one zone, which is tracked with RFC5011 probes.
600The probes are several times per month, thus the machine must be online
601frequently. The initial file can be one with contents as described in
602\fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated,
603so the unbound user must have write permission.
604.TP
605.B trust\-anchor: \fI<"Resource Record">
606A DS or DNSKEY RR for a key to use for validation. Multiple entries can be
607given to specify multiple trusted keys, in addition to the trust\-anchor\-files.
608The resource record is entered in the same format as 'dig' or 'drill' prints
609them, the same format as in the zone file. Has to be on a single line, with
610"" around it. A TTL can be specified for ease of cut and paste, but is ignored.
611A class can be specified, but class IN is default.
612.TP
613.B trusted\-keys\-file: \fI<filename>
614File with trusted keys for validation. Specify more than one file
615with several entries, one file per entry. Like \fBtrust\-anchor\-file\fR
616but has a different file format. Format is BIND\-9 style format,
617the trusted\-keys { name flag proto algo "key"; }; clauses are read.
618It is possible to use wildcards with this statement, the wildcard is
619expanded on start and on reload.
620.TP
621.B dlv\-anchor\-file: \fI<filename>
622File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and
623DNSKEY entries can be used in the file, in the same format as for
624\fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more
625would be slow. The DLV configured is used as a root trusted DLV, this
626means that it is a lookaside for the root. Default is "", or no dlv anchor file.
627.TP
628.B dlv\-anchor: \fI<"Resource Record">
629Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline.
630.TP
631.B domain\-insecure: \fI<domain name>
632Sets domain name to be insecure, DNSSEC chain of trust is ignored towards
633the domain name. So a trust anchor above the domain name can not make the
634domain secure with a DS record, such a DS record is then ignored.
635Also keys from DLV are ignored for the domain. Can be given multiple times
636to specify multiple domains that are treated as if unsigned. If you set
637trust anchors for the domain they override this setting (and the domain
638is secured).
639.IP
640This can be useful if you want to make sure a trust anchor for external
641lookups does not affect an (unsigned) internal domain. A DS record
642externally can create validation failures for that internal domain.
643.TP
644.B val\-override\-date: \fI<rrsig\-style date spec>
645Default is "" or "0", which disables this debugging feature. If enabled by
646giving a RRSIG style date, that date is used for verifying RRSIG inception
647and expiration dates, instead of the current date. Do not set this unless
648you are debugging signature inception and expiration. The value \-1 ignores
649the date altogether, useful for some special applications.
650.TP
651.B val\-sig\-skew\-min: \fI<seconds>
652Minimum number of seconds of clock skew to apply to validated signatures.
653A value of 10% of the signature lifetime (expiration \- inception) is
654used, capped by this setting. Default is 3600 (1 hour) which allows for
655daylight savings differences. Lower this value for more strict checking
656of short lived signatures.
657.TP
658.B val\-sig\-skew\-max: \fI<seconds>
659Maximum number of seconds of clock skew to apply to validated signatures.
660A value of 10% of the signature lifetime (expiration \- inception)
661is used, capped by this setting. Default is 86400 (24 hours) which
662allows for timezone setting problems in stable domains. Setting both
663min and max very low disables the clock skew allowances. Setting both
664min and max very high makes the validator check the signature timestamps
665less strictly.
666.TP
667.B val\-bogus\-ttl: \fI<number>
668The time to live for bogus data. This is data that has failed validation;
669due to invalid signatures or other checks. The TTL from that data cannot be
670trusted, and this value is used instead. The value is in seconds, default 60.
671The time interval prevents repeated revalidation of bogus data.
672.TP
673.B val\-clean\-additional: \fI<yes or no>
674Instruct the validator to remove data from the additional section of secure
675messages that are not signed properly. Messages that are insecure, bogus,
676indeterminate or unchecked are not affected. Default is yes. Use this setting
677to protect the users that rely on this validator for authentication from
678protentially bad data in the additional section.
679.TP
680.B val\-log\-level: \fI<number>
681Have the validator print validation failures to the log. Regardless of
682the verbosity setting. Default is 0, off. At 1, for every user query
683that fails a line is printed to the logs. This way you can monitor what
684happens with validation. Use a diagnosis tool, such as dig or drill,
685to find out why validation is failing for these queries. At 2, not only
686the query that failed is printed but also the reason why unbound thought
687it was wrong and which server sent the faulty data.
688.TP
689.B val\-permissive\-mode: \fI<yes or no>
690Instruct the validator to mark bogus messages as indeterminate. The security
691checks are performed, but if the result is bogus (failed security), the
692reply is not withheld from the client with SERVFAIL as usual. The client
693receives the bogus data. For messages that are found to be secure the AD bit
694is set in replies. Also logging is performed as for full validation.
695The default value is "no".
696.TP
697.B ignore\-cd\-flag: \fI<yes or no>
698Instruct unbound to ignore the CD flag from clients and refuse to
699return bogus answers to them. Thus, the CD (Checking Disabled) flag
700does not disable checking any more. This is useful if legacy (w2008)
701servers that set the CD flag but cannot validate DNSSEC themselves are
702the clients, and then unbound provides them with DNSSEC protection.
703The default value is "no".
704.TP
705.B val\-nsec3\-keysize\-iterations: \fI<"list of values">
706List of keysize and iteration count values, separated by spaces, surrounded
707by quotes. Default is "1024 150 2048 500 4096 2500". This determines the
708maximum allowed NSEC3 iteration count before a message is simply marked
709insecure instead of performing the many hashing iterations. The list must
710be in ascending order and have at least one entry. If you set it to
711"1024 65535" there is no restriction to NSEC3 iteration values.
712This table must be kept short; a very long list could cause slower operation.
713.TP
714.B add\-holddown: \fI<seconds>
715Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
716autotrust updates to add new trust anchors only after they have been
717visible for this time. Default is 30 days as per the RFC.
718.TP
719.B del\-holddown: \fI<seconds>
720Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
721autotrust updates to remove revoked trust anchors after they have been
722kept in the revoked list for this long. Default is 30 days as per
723the RFC.
724.TP
725.B keep\-missing: \fI<seconds>
726Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
727autotrust updates to remove missing trust anchors after they have been
728unseen for this long. This cleans up the state file if the target zone
729does not perform trust anchor revocation, so this makes the auto probe
730mechanism work with zones that perform regular (non\-5011) rollovers.
731The default is 366 days. The value 0 does not remove missing anchors,
732as per the RFC.
733.TP
734.B key\-cache\-size: \fI<number>
735Number of bytes size of the key cache. Default is 4 megabytes.
736A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
737or gigabytes (1024*1024 bytes in a megabyte).
738.TP
739.B key\-cache\-slabs: \fI<number>
740Number of slabs in the key cache. Slabs reduce lock contention by threads.
741Must be set to a power of 2. Setting (close) to the number of cpus is a
742reasonable guess.
743.TP
744.B neg\-cache\-size: \fI<number>
745Number of bytes size of the aggressive negative cache. Default is 1 megabyte.
746A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
747or gigabytes (1024*1024 bytes in a megabyte).
748.TP
| 528below another name that is already known to be nxdomain. DNSSEC mandates
529noerror for empty nonterminals, hence this is possible. Very old software
530might return nxdomain for empty nonterminals (that usually happen for reverse
531IP address lookups), and thus may be incompatible with this. To try to avoid
532this only DNSSEC-secure nxdomains are used, because the old software does not
533have DNSSEC. Default is off.
534.TP
535.B harden\-referral\-path: \fI<yes or no>
536Harden the referral path by performing additional queries for
537infrastructure data. Validates the replies if trust anchors are configured
538and the zones are signed. This enforces DNSSEC validation on nameserver
539NS sets and the nameserver addresses that are encountered on the referral
540path to the answer.
541Default off, because it burdens the authority servers, and it is
542not RFC standard, and could lead to performance problems because of the
543extra query load that is generated. Experimental option.
544If you enable it consider adding more numbers after the target\-fetch\-policy
545to increase the max depth that is checked to.
546.TP
547.B use\-caps\-for\-id: \fI<yes or no>
548Use 0x20\-encoded random bits in the query to foil spoof attempts.
549This perturbs the lowercase and uppercase of query names sent to
550authority servers and checks if the reply still has the correct casing.
551Disabled by default.
552This feature is an experimental implementation of draft dns\-0x20.
553.TP
554.B private\-address: \fI<IP address or subnet>
555Give IPv4 of IPv6 addresses or classless subnets. These are addresses
556on your private network, and are not allowed to be returned for public
557internet names. Any occurence of such addresses are removed from
558DNS answers. Additionally, the DNSSEC validator may mark the answers
559bogus. This protects against so\-called DNS Rebinding, where a user browser
560is turned into a network proxy, allowing remote access through the browser
561to other parts of your private network. Some names can be allowed to
562contain your private addresses, by default all the \fBlocal\-data\fR
563that you configured is allowed to, and you can specify additional
564names using \fBprivate\-domain\fR. No private addresses are enabled
565by default. We consider to enable this for the RFC1918 private IP
566address space by default in later releases. That would enable private
567addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
568fd00::/8 and fe80::/10, since the RFC standards say these addresses
569should not be visible on the public internet. Turning on 127.0.0.0/8
570would hinder many spamblocklists as they use that.
571.TP
572.B private\-domain: \fI<domain name>
573Allow this domain, and all its subdomains to contain private addresses.
574Give multiple times to allow multiple domain names to contain private
575addresses. Default is none.
576.TP
577.B unwanted\-reply\-threshold: \fI<number>
578If set, a total number of unwanted replies is kept track of in every thread.
579When it reaches the threshold, a defensive action is taken and a warning
580is printed to the log. The defensive action is to clear the rrset and
581message caches, hopefully flushing away any poison. A value of 10 million
582is suggested. Default is 0 (turned off).
583.TP
584.B do\-not\-query\-address: \fI<IP address>
585Do not query the given IP address. Can be IP4 or IP6. Append /num to
586indicate a classless delegation netblock, for example like
58710.2.3.4/24 or 2001::11/64.
588.TP
589.B do\-not\-query\-localhost: \fI<yes or no>
590If yes, localhost is added to the do\-not\-query\-address entries, both
591IP6 ::1 and IP4 127.0.0.1/8. If no, then localhost can be used to send
592queries to. Default is yes.
593.TP
594.B prefetch: \fI<yes or no>
595If yes, message cache elements are prefetched before they expire to
596keep the cache up to date. Default is no. Turning it on gives about
59710 percent more traffic and load on the machine, but popular items do
598not expire from the cache.
599.TP
600.B prefetch-key: \fI<yes or no>
601If yes, fetch the DNSKEYs earlier in the validation process, when a DS
602record is encountered. This lowers the latency of requests. It does use
603a little more CPU. Also if the cache is set to 0, it is no use. Default is no.
604.TP
605.B rrset-roundrobin: \fI<yes or no>
606If yes, Unbound rotates RRSet order in response (the random number is taken
607from the query ID, for speed and thread safety). Default is no.
608.TP
609.B minimal-responses: \fI<yes or no>
610If yes, Unbound doesn't insert authority/additional sections into response
611messages when those sections are not required. This reduces response
612size significantly, and may avoid TCP fallback for some responses.
613This may cause a slight speedup. The default is no, because the DNS
614protocol RFCs mandate these sections, and the additional content could
615be of use and save roundtrips for clients.
616.TP
617.B module\-config: \fI<"module names">
618Module configuration, a list of module names separated by spaces, surround
619the string with quotes (""). The modules can be validator, iterator.
620Setting this to "iterator" will result in a non\-validating server.
621Setting this to "validator iterator" will turn on DNSSEC validation.
622The ordering of the modules is important.
623You must also set trust\-anchors for validation to be useful.
624.TP
625.B trust\-anchor\-file: \fI<filename>
626File with trusted keys for validation. Both DS and DNSKEY entries can appear
627in the file. The format of the file is the standard DNS Zone file format.
628Default is "", or no trust anchor file.
629.TP
630.B auto\-trust\-anchor\-file: \fI<filename>
631File with trust anchor for one zone, which is tracked with RFC5011 probes.
632The probes are several times per month, thus the machine must be online
633frequently. The initial file can be one with contents as described in
634\fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated,
635so the unbound user must have write permission.
636.TP
637.B trust\-anchor: \fI<"Resource Record">
638A DS or DNSKEY RR for a key to use for validation. Multiple entries can be
639given to specify multiple trusted keys, in addition to the trust\-anchor\-files.
640The resource record is entered in the same format as 'dig' or 'drill' prints
641them, the same format as in the zone file. Has to be on a single line, with
642"" around it. A TTL can be specified for ease of cut and paste, but is ignored.
643A class can be specified, but class IN is default.
644.TP
645.B trusted\-keys\-file: \fI<filename>
646File with trusted keys for validation. Specify more than one file
647with several entries, one file per entry. Like \fBtrust\-anchor\-file\fR
648but has a different file format. Format is BIND\-9 style format,
649the trusted\-keys { name flag proto algo "key"; }; clauses are read.
650It is possible to use wildcards with this statement, the wildcard is
651expanded on start and on reload.
652.TP
653.B dlv\-anchor\-file: \fI<filename>
654File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and
655DNSKEY entries can be used in the file, in the same format as for
656\fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more
657would be slow. The DLV configured is used as a root trusted DLV, this
658means that it is a lookaside for the root. Default is "", or no dlv anchor file.
659.TP
660.B dlv\-anchor: \fI<"Resource Record">
661Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline.
662.TP
663.B domain\-insecure: \fI<domain name>
664Sets domain name to be insecure, DNSSEC chain of trust is ignored towards
665the domain name. So a trust anchor above the domain name can not make the
666domain secure with a DS record, such a DS record is then ignored.
667Also keys from DLV are ignored for the domain. Can be given multiple times
668to specify multiple domains that are treated as if unsigned. If you set
669trust anchors for the domain they override this setting (and the domain
670is secured).
671.IP
672This can be useful if you want to make sure a trust anchor for external
673lookups does not affect an (unsigned) internal domain. A DS record
674externally can create validation failures for that internal domain.
675.TP
676.B val\-override\-date: \fI<rrsig\-style date spec>
677Default is "" or "0", which disables this debugging feature. If enabled by
678giving a RRSIG style date, that date is used for verifying RRSIG inception
679and expiration dates, instead of the current date. Do not set this unless
680you are debugging signature inception and expiration. The value \-1 ignores
681the date altogether, useful for some special applications.
682.TP
683.B val\-sig\-skew\-min: \fI<seconds>
684Minimum number of seconds of clock skew to apply to validated signatures.
685A value of 10% of the signature lifetime (expiration \- inception) is
686used, capped by this setting. Default is 3600 (1 hour) which allows for
687daylight savings differences. Lower this value for more strict checking
688of short lived signatures.
689.TP
690.B val\-sig\-skew\-max: \fI<seconds>
691Maximum number of seconds of clock skew to apply to validated signatures.
692A value of 10% of the signature lifetime (expiration \- inception)
693is used, capped by this setting. Default is 86400 (24 hours) which
694allows for timezone setting problems in stable domains. Setting both
695min and max very low disables the clock skew allowances. Setting both
696min and max very high makes the validator check the signature timestamps
697less strictly.
698.TP
699.B val\-bogus\-ttl: \fI<number>
700The time to live for bogus data. This is data that has failed validation;
701due to invalid signatures or other checks. The TTL from that data cannot be
702trusted, and this value is used instead. The value is in seconds, default 60.
703The time interval prevents repeated revalidation of bogus data.
704.TP
705.B val\-clean\-additional: \fI<yes or no>
706Instruct the validator to remove data from the additional section of secure
707messages that are not signed properly. Messages that are insecure, bogus,
708indeterminate or unchecked are not affected. Default is yes. Use this setting
709to protect the users that rely on this validator for authentication from
710protentially bad data in the additional section.
711.TP
712.B val\-log\-level: \fI<number>
713Have the validator print validation failures to the log. Regardless of
714the verbosity setting. Default is 0, off. At 1, for every user query
715that fails a line is printed to the logs. This way you can monitor what
716happens with validation. Use a diagnosis tool, such as dig or drill,
717to find out why validation is failing for these queries. At 2, not only
718the query that failed is printed but also the reason why unbound thought
719it was wrong and which server sent the faulty data.
720.TP
721.B val\-permissive\-mode: \fI<yes or no>
722Instruct the validator to mark bogus messages as indeterminate. The security
723checks are performed, but if the result is bogus (failed security), the
724reply is not withheld from the client with SERVFAIL as usual. The client
725receives the bogus data. For messages that are found to be secure the AD bit
726is set in replies. Also logging is performed as for full validation.
727The default value is "no".
728.TP
729.B ignore\-cd\-flag: \fI<yes or no>
730Instruct unbound to ignore the CD flag from clients and refuse to
731return bogus answers to them. Thus, the CD (Checking Disabled) flag
732does not disable checking any more. This is useful if legacy (w2008)
733servers that set the CD flag but cannot validate DNSSEC themselves are
734the clients, and then unbound provides them with DNSSEC protection.
735The default value is "no".
736.TP
737.B val\-nsec3\-keysize\-iterations: \fI<"list of values">
738List of keysize and iteration count values, separated by spaces, surrounded
739by quotes. Default is "1024 150 2048 500 4096 2500". This determines the
740maximum allowed NSEC3 iteration count before a message is simply marked
741insecure instead of performing the many hashing iterations. The list must
742be in ascending order and have at least one entry. If you set it to
743"1024 65535" there is no restriction to NSEC3 iteration values.
744This table must be kept short; a very long list could cause slower operation.
745.TP
746.B add\-holddown: \fI<seconds>
747Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
748autotrust updates to add new trust anchors only after they have been
749visible for this time. Default is 30 days as per the RFC.
750.TP
751.B del\-holddown: \fI<seconds>
752Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
753autotrust updates to remove revoked trust anchors after they have been
754kept in the revoked list for this long. Default is 30 days as per
755the RFC.
756.TP
757.B keep\-missing: \fI<seconds>
758Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
759autotrust updates to remove missing trust anchors after they have been
760unseen for this long. This cleans up the state file if the target zone
761does not perform trust anchor revocation, so this makes the auto probe
762mechanism work with zones that perform regular (non\-5011) rollovers.
763The default is 366 days. The value 0 does not remove missing anchors,
764as per the RFC.
765.TP
766.B key\-cache\-size: \fI<number>
767Number of bytes size of the key cache. Default is 4 megabytes.
768A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
769or gigabytes (1024*1024 bytes in a megabyte).
770.TP
771.B key\-cache\-slabs: \fI<number>
772Number of slabs in the key cache. Slabs reduce lock contention by threads.
773Must be set to a power of 2. Setting (close) to the number of cpus is a
774reasonable guess.
775.TP
776.B neg\-cache\-size: \fI<number>
777Number of bytes size of the aggressive negative cache. Default is 1 megabyte.
778A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
779or gigabytes (1024*1024 bytes in a megabyte).
780.TP
|
| 781.B unblock\-lan\-zones: \fI<yesno>
782Default is disabled. If enabled, then for private address space,
783the reverse lookups are no longer filtered. This allows unbound when
784running as dns service on a host where it provides service for that host,
785to put out all of the queries for the 'lan' upstream. When enabled,
786only localhost, 127.0.0.1 reverse and ::1 reverse zones are configured
787with default local zones. Disable the option when unbound is running
788as a (DHCP-) DNS network resolver for a group of machines, where such
789lookups should be filtered (RFC compliance), this also stops potential
790data leakage about the local network to the upstream DNS servers.
791.TP
|
749.B local\-zone: \fI<zone> <type>
750Configure a local zone. The type determines the answer to give if
751there is no match from local\-data. The types are deny, refuse, static,
752transparent, redirect, nodefault, typetransparent, and are explained
753below. After that the default settings are listed. Use local\-data: to
754enter data into the local zone. Answers for local zones are authoritative
755DNS answers. By default the zones are class IN.
756.IP
757If you need more complicated authoritative data, with referrals, wildcards,
758CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for
759it as detailed in the stub zone section below.
760.TP 10
761\h'5'\fIdeny\fR
762Do not send an answer, drop the query.
763If there is a match from local data, the query is answered.
764.TP 10
765\h'5'\fIrefuse\fR
766Send an error message reply, with rcode REFUSED.
767If there is a match from local data, the query is answered.
768.TP 10
769\h'5'\fIstatic\fR
770If there is a match from local data, the query is answered.
771Otherwise, the query is answered with nodata or nxdomain.
772For a negative answer a SOA is included in the answer if present
773as local\-data for the zone apex domain.
774.TP 10
775\h'5'\fItransparent\fR
776If there is a match from local data, the query is answered.
777Otherwise if the query has a different name, the query is resolved normally.
778If the query is for a name given in localdata but no such type of data is
779given in localdata, then a noerror nodata answer is returned.
780If no local\-zone is given local\-data causes a transparent zone
781to be created by default.
782.TP 10
783\h'5'\fItypetransparent\fR
784If there is a match from local data, the query is answered. If the query
785is for a different name, or for the same name but for a different type,
786the query is resolved normally. So, similar to transparent but types
787that are not listed in local data are resolved normally, so if an A record
788is in the local data that does not cause a nodata reply for AAAA queries.
789.TP 10
790\h'5'\fIredirect\fR
791The query is answered from the local data for the zone name.
792There may be no local data beneath the zone name.
793This answers queries for the zone, and all subdomains of the zone
794with the local data for the zone.
795It can be used to redirect a domain to return a different address record
796to the end user, with
797local\-zone: "example.com." redirect and
798local\-data: "example.com. A 127.0.0.1"
799queries for www.example.com and www.foo.example.com are redirected, so
800that users with web browsers cannot access sites with suffix example.com.
801.TP 10
802\h'5'\fInodefault\fR
803Used to turn off default contents for AS112 zones. The other types
804also turn off default contents for the zone. The 'nodefault' option
805has no other effect than turning off default contents for the
806given zone.
807.P
808The default zones are localhost, reverse 127.0.0.1 and ::1, and the AS112
809zones. The AS112 zones are reverse DNS zones for private use and reserved
810IP addresses for which the servers on the internet cannot provide correct
811answers. They are configured by default to give nxdomain (no reverse
812information) answers. The defaults can be turned off by specifying your
813own local\-zone of that name, or using the 'nodefault' type. Below is a
814list of the default zone contents.
815.TP 10
816\h'5'\fIlocalhost\fR
817The IP4 and IP6 localhost information is given. NS and SOA records are provided
818for completeness and to satisfy some DNS update tools. Default content:
819.nf
820local\-zone: "localhost." static
821local\-data: "localhost. 10800 IN NS localhost."
822local\-data: "localhost. 10800 IN
823 SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
824local\-data: "localhost. 10800 IN A 127.0.0.1"
825local\-data: "localhost. 10800 IN AAAA ::1"
826.fi
827.TP 10
828\h'5'\fIreverse IPv4 loopback\fR
829Default content:
830.nf
831local\-zone: "127.in\-addr.arpa." static
832local\-data: "127.in\-addr.arpa. 10800 IN NS localhost."
833local\-data: "127.in\-addr.arpa. 10800 IN
834 SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
835local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN
836 PTR localhost."
837.fi
838.TP 10
839\h'5'\fIreverse IPv6 loopback\fR
840Default content:
841.nf
842local\-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
843 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." static
844local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
845 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
846 NS localhost."
847local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
848 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
849 SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
850local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
851 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
852 PTR localhost."
853.fi
854.TP 10
855\h'5'\fIreverse RFC1918 local use zones\fR
856Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to
85731.172.in\-addr.arpa, 168.192.in\-addr.arpa.
858The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS
859records are provided.
860.TP 10
861\h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR
862Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa,
8632.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2),
864113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa.
865.TP 10
866\h'5'\fIreverse RFC4291 IP6 unspecified\fR
867Reverse data for zone
868.nf
8690.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
8700.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
871.fi
872.TP 10
873\h'5'\fIreverse RFC4193 IPv6 Locally Assigned Local Addresses\fR
874Reverse data for zone D.F.ip6.arpa.
875.TP 10
876\h'5'\fIreverse RFC4291 IPv6 Link Local Addresses\fR
877Reverse data for zones 8.E.F.ip6.arpa to B.E.F.ip6.arpa.
878.TP 10
879\h'5'\fIreverse IPv6 Example Prefix\fR
880Reverse data for zone 8.B.D.0.1.0.0.2.ip6.arpa. This zone is used for
881tutorials and examples. You can remove the block on this zone with:
882.nf
883 local\-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault
884.fi
885You can also selectively unblock a part of the zone by making that part
886transparent with a local\-zone statement.
887This also works with the other default zones.
888.\" End of local-zone listing.
889.TP 5
890.B local\-data: \fI"<resource record string>"
891Configure local data, which is served in reply to queries for it.
892The query has to match exactly unless you configure the local\-zone as
893redirect. If not matched exactly, the local\-zone type determines
894further processing. If local\-data is configured that is not a subdomain of
895a local\-zone, a transparent local\-zone is configured.
896For record types such as TXT, use single quotes, as in
897local\-data: 'example. TXT "text"'.
898.IP
899If you need more complicated authoritative data, with referrals, wildcards,
900CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for
901it as detailed in the stub zone section below.
902.TP 5
903.B local\-data\-ptr: \fI"IPaddr name"
904Configure local data shorthand for a PTR record with the reversed IPv4 or
905IPv6 address and the host name. For example "192.0.2.4 www.example.com".
906TTL can be inserted like this: "2001:DB8::4 7200 www.example.com"
907.SS "Remote Control Options"
908In the
909.B remote\-control:
910clause are the declarations for the remote control facility. If this is
911enabled, the \fIunbound\-control\fR(8) utility can be used to send
912commands to the running unbound server. The server uses these clauses
913to setup SSLv3 / TLSv1 security for the connection. The
914\fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR
915section for options. To setup the correct self\-signed certificates use the
916\fIunbound\-control\-setup\fR(8) utility.
917.TP 5
918.B control\-enable: \fI<yes or no>
919The option is used to enable remote control, default is "no".
920If turned off, the server does not listen for control commands.
921.TP 5
922.B control\-interface: <ip address>
923Give IPv4 or IPv6 addresses to listen on for control commands.
924By default localhost (127.0.0.1 and ::1) is listened to.
925Use 0.0.0.0 and ::0 to listen to all interfaces.
926.TP 5
927.B control\-port: <port number>
928The port number to listen on for control commands, default is 8953.
929If you change this port number, and permissions have been dropped,
930a reload is not sufficient to open the port again, you must then restart.
931.TP 5
932.B server\-key\-file: "<private key file>"
933Path to the server private key, by default unbound_server.key.
934This file is generated by the \fIunbound\-control\-setup\fR utility.
935This file is used by the unbound server, but not by \fIunbound\-control\fR.
936.TP 5
937.B server\-cert\-file: "<certificate file.pem>"
938Path to the server self signed certificate, by default unbound_server.pem.
939This file is generated by the \fIunbound\-control\-setup\fR utility.
940This file is used by the unbound server, and also by \fIunbound\-control\fR.
941.TP 5
942.B control\-key\-file: "<private key file>"
943Path to the control client private key, by default unbound_control.key.
944This file is generated by the \fIunbound\-control\-setup\fR utility.
945This file is used by \fIunbound\-control\fR.
946.TP 5
947.B control\-cert\-file: "<certificate file.pem>"
948Path to the control client certificate, by default unbound_control.pem.
949This certificate has to be signed with the server certificate.
950This file is generated by the \fIunbound\-control\-setup\fR utility.
951This file is used by \fIunbound\-control\fR.
952.SS "Stub Zone Options"
953.LP
954There may be multiple
955.B stub\-zone:
956clauses. Each with a name: and zero or more hostnames or IP addresses.
957For the stub zone this list of nameservers is used. Class IN is assumed.
958The servers should be authority servers, not recursors; unbound performs
959the recursive processing itself for stub zones.
960.P
961The stub zone can be used to configure authoritative data to be used
962by the resolver that cannot be accessed using the public internet servers.
963This is useful for company\-local data or private zones. Setup an
964authoritative server on a different host (or different port). Enter a config
965entry for unbound with
966.B stub\-addr:
967<ip address of host[@port]>.
968The unbound resolver can then access the data, without referring to the
969public internet for it.
970.P
971This setup allows DNSSEC signed zones to be served by that
972authoritative server, in which case a trusted key entry with the public key
973can be put in config, so that unbound can validate the data and set the AD
974bit on replies for the private zone (authoritative servers do not set the
975AD bit). This setup makes unbound capable of answering queries for the
976private zone, and can even set the AD bit ('authentic'), but the AA
977('authoritative') bit is not set on these replies.
978.TP
979.B name: \fI<domain name>
980Name of the stub zone.
981.TP
982.B stub\-host: \fI<domain name>
983Name of stub zone nameserver. Is itself resolved before it is used.
984.TP
985.B stub\-addr: \fI<IP address>
986IP address of stub zone nameserver. Can be IP 4 or IP 6.
987To use a nondefault port for DNS communication append '@' with the port number.
988.TP
989.B stub\-prime: \fI<yes or no>
990This option is by default off. If enabled it performs NS set priming,
991which is similar to root hints, where it starts using the list of nameservers
992currently published by the zone. Thus, if the hint list is slightly outdated,
993the resolver picks up a correct list online.
994.TP
995.B stub\-first: \fI<yes or no>
996If enabled, a query is attempted without the stub clause if it fails.
997The data could not be retrieved and would have caused SERVFAIL because
998the servers are unreachable, instead it is tried without this clause.
999The default is no.
1000.SS "Forward Zone Options"
1001.LP
1002There may be multiple
1003.B forward\-zone:
1004clauses. Each with a \fBname:\fR and zero or more hostnames or IP
1005addresses. For the forward zone this list of nameservers is used to
1006forward the queries to. The servers listed as \fBforward\-host:\fR and
1007\fBforward\-addr:\fR have to handle further recursion for the query. Thus,
1008those servers are not authority servers, but are (just like unbound is)
1009recursive servers too; unbound does not perform recursion itself for the
1010forward zone, it lets the remote server do it. Class IN is assumed.
1011A forward\-zone entry with name "." and a forward\-addr target will
1012forward all queries to that other server (unless it can answer from
1013the cache).
1014.TP
1015.B name: \fI<domain name>
1016Name of the forward zone.
1017.TP
1018.B forward\-host: \fI<domain name>
1019Name of server to forward to. Is itself resolved before it is used.
1020.TP
1021.B forward\-addr: \fI<IP address>
1022IP address of server to forward to. Can be IP 4 or IP 6.
1023To use a nondefault port for DNS communication append '@' with the port number.
1024.TP
1025.B forward\-first: \fI<yes or no>
1026If enabled, a query is attempted without the forward clause if it fails.
1027The data could not be retrieved and would have caused SERVFAIL because
1028the servers are unreachable, instead it is tried without this clause.
1029The default is no.
1030.SS "Python Module Options"
1031.LP
1032The
1033.B python:
1034clause gives the settings for the \fIpython\fR(1) script module. This module
1035acts like the iterator and validator modules do, on queries and answers.
1036To enable the script module it has to be compiled into the daemon,
1037and the word "python" has to be put in the \fBmodule\-config:\fR option
1038(usually first, or between the validator and iterator).
1039.TP
1040.B python\-script: \fI<python file>\fR
1041The script file to load.
1042.SH "MEMORY CONTROL EXAMPLE"
1043In the example config settings below memory usage is reduced. Some service
1044levels are lower, notable very large data and a high TCP load are no longer
1045supported. Very large data and high TCP loads are exceptional for the DNS.
1046DNSSEC validation is enabled, just add trust anchors.
1047If you do not have to worry about programs using more than 3 Mb of memory,
1048the below example is not for you. Use the defaults to receive full service,
1049which on BSD\-32bit tops out at 30\-40 Mb after heavy usage.
1050.P
1051.nf
1052# example settings that reduce memory usage
1053server:
1054 num\-threads: 1
1055 outgoing\-num\-tcp: 1 # this limits TCP service, uses less buffers.
1056 incoming\-num\-tcp: 1
1057 outgoing\-range: 60 # uses less memory, but less performance.
1058 msg\-buffer\-size: 8192 # note this limits service, 'no huge stuff'.
1059 msg\-cache\-size: 100k
1060 msg\-cache\-slabs: 1
1061 rrset\-cache\-size: 100k
1062 rrset\-cache\-slabs: 1
1063 infra\-cache\-numhosts: 200
1064 infra\-cache\-slabs: 1
1065 key\-cache\-size: 100k
1066 key\-cache\-slabs: 1
1067 neg\-cache\-size: 10k
1068 num\-queries\-per\-thread: 30
1069 target\-fetch\-policy: "2 1 0 0 0 0"
1070 harden\-large\-queries: "yes"
1071 harden\-short\-bufsize: "yes"
1072.fi
1073.SH "FILES"
1074.TP
1075.I /var/unbound
1076default unbound working directory.
1077.TP
1078.I /var/unbound
1079default
1080\fIchroot\fR(2)
1081location.
1082.TP
1083.I /var/unbound/unbound.conf
1084unbound configuration file.
1085.TP
1086.I /var/unbound/unbound.pid
1087default unbound pidfile with process ID of the running daemon.
1088.TP
1089.I unbound.log
1090unbound log file. default is to log to
1091\fIsyslog\fR(3).
1092.SH "SEE ALSO"
1093\fIunbound\fR(8),
1094\fIunbound\-checkconf\fR(8).
1095.SH "AUTHORS"
1096.B Unbound
1097was written by NLnet Labs. Please see CREDITS file
1098in the distribution for further details.
| 792.B local\-zone: \fI<zone> <type>
793Configure a local zone. The type determines the answer to give if
794there is no match from local\-data. The types are deny, refuse, static,
795transparent, redirect, nodefault, typetransparent, and are explained
796below. After that the default settings are listed. Use local\-data: to
797enter data into the local zone. Answers for local zones are authoritative
798DNS answers. By default the zones are class IN.
799.IP
800If you need more complicated authoritative data, with referrals, wildcards,
801CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for
802it as detailed in the stub zone section below.
803.TP 10
804\h'5'\fIdeny\fR
805Do not send an answer, drop the query.
806If there is a match from local data, the query is answered.
807.TP 10
808\h'5'\fIrefuse\fR
809Send an error message reply, with rcode REFUSED.
810If there is a match from local data, the query is answered.
811.TP 10
812\h'5'\fIstatic\fR
813If there is a match from local data, the query is answered.
814Otherwise, the query is answered with nodata or nxdomain.
815For a negative answer a SOA is included in the answer if present
816as local\-data for the zone apex domain.
817.TP 10
818\h'5'\fItransparent\fR
819If there is a match from local data, the query is answered.
820Otherwise if the query has a different name, the query is resolved normally.
821If the query is for a name given in localdata but no such type of data is
822given in localdata, then a noerror nodata answer is returned.
823If no local\-zone is given local\-data causes a transparent zone
824to be created by default.
825.TP 10
826\h'5'\fItypetransparent\fR
827If there is a match from local data, the query is answered. If the query
828is for a different name, or for the same name but for a different type,
829the query is resolved normally. So, similar to transparent but types
830that are not listed in local data are resolved normally, so if an A record
831is in the local data that does not cause a nodata reply for AAAA queries.
832.TP 10
833\h'5'\fIredirect\fR
834The query is answered from the local data for the zone name.
835There may be no local data beneath the zone name.
836This answers queries for the zone, and all subdomains of the zone
837with the local data for the zone.
838It can be used to redirect a domain to return a different address record
839to the end user, with
840local\-zone: "example.com." redirect and
841local\-data: "example.com. A 127.0.0.1"
842queries for www.example.com and www.foo.example.com are redirected, so
843that users with web browsers cannot access sites with suffix example.com.
844.TP 10
845\h'5'\fInodefault\fR
846Used to turn off default contents for AS112 zones. The other types
847also turn off default contents for the zone. The 'nodefault' option
848has no other effect than turning off default contents for the
849given zone.
850.P
851The default zones are localhost, reverse 127.0.0.1 and ::1, and the AS112
852zones. The AS112 zones are reverse DNS zones for private use and reserved
853IP addresses for which the servers on the internet cannot provide correct
854answers. They are configured by default to give nxdomain (no reverse
855information) answers. The defaults can be turned off by specifying your
856own local\-zone of that name, or using the 'nodefault' type. Below is a
857list of the default zone contents.
858.TP 10
859\h'5'\fIlocalhost\fR
860The IP4 and IP6 localhost information is given. NS and SOA records are provided
861for completeness and to satisfy some DNS update tools. Default content:
862.nf
863local\-zone: "localhost." static
864local\-data: "localhost. 10800 IN NS localhost."
865local\-data: "localhost. 10800 IN
866 SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
867local\-data: "localhost. 10800 IN A 127.0.0.1"
868local\-data: "localhost. 10800 IN AAAA ::1"
869.fi
870.TP 10
871\h'5'\fIreverse IPv4 loopback\fR
872Default content:
873.nf
874local\-zone: "127.in\-addr.arpa." static
875local\-data: "127.in\-addr.arpa. 10800 IN NS localhost."
876local\-data: "127.in\-addr.arpa. 10800 IN
877 SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
878local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN
879 PTR localhost."
880.fi
881.TP 10
882\h'5'\fIreverse IPv6 loopback\fR
883Default content:
884.nf
885local\-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
886 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." static
887local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
888 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
889 NS localhost."
890local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
891 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
892 SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
893local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
894 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
895 PTR localhost."
896.fi
897.TP 10
898\h'5'\fIreverse RFC1918 local use zones\fR
899Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to
90031.172.in\-addr.arpa, 168.192.in\-addr.arpa.
901The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS
902records are provided.
903.TP 10
904\h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR
905Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa,
9062.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2),
907113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa.
908.TP 10
909\h'5'\fIreverse RFC4291 IP6 unspecified\fR
910Reverse data for zone
911.nf
9120.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
9130.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
914.fi
915.TP 10
916\h'5'\fIreverse RFC4193 IPv6 Locally Assigned Local Addresses\fR
917Reverse data for zone D.F.ip6.arpa.
918.TP 10
919\h'5'\fIreverse RFC4291 IPv6 Link Local Addresses\fR
920Reverse data for zones 8.E.F.ip6.arpa to B.E.F.ip6.arpa.
921.TP 10
922\h'5'\fIreverse IPv6 Example Prefix\fR
923Reverse data for zone 8.B.D.0.1.0.0.2.ip6.arpa. This zone is used for
924tutorials and examples. You can remove the block on this zone with:
925.nf
926 local\-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault
927.fi
928You can also selectively unblock a part of the zone by making that part
929transparent with a local\-zone statement.
930This also works with the other default zones.
931.\" End of local-zone listing.
932.TP 5
933.B local\-data: \fI"<resource record string>"
934Configure local data, which is served in reply to queries for it.
935The query has to match exactly unless you configure the local\-zone as
936redirect. If not matched exactly, the local\-zone type determines
937further processing. If local\-data is configured that is not a subdomain of
938a local\-zone, a transparent local\-zone is configured.
939For record types such as TXT, use single quotes, as in
940local\-data: 'example. TXT "text"'.
941.IP
942If you need more complicated authoritative data, with referrals, wildcards,
943CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for
944it as detailed in the stub zone section below.
945.TP 5
946.B local\-data\-ptr: \fI"IPaddr name"
947Configure local data shorthand for a PTR record with the reversed IPv4 or
948IPv6 address and the host name. For example "192.0.2.4 www.example.com".
949TTL can be inserted like this: "2001:DB8::4 7200 www.example.com"
950.SS "Remote Control Options"
951In the
952.B remote\-control:
953clause are the declarations for the remote control facility. If this is
954enabled, the \fIunbound\-control\fR(8) utility can be used to send
955commands to the running unbound server. The server uses these clauses
956to setup SSLv3 / TLSv1 security for the connection. The
957\fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR
958section for options. To setup the correct self\-signed certificates use the
959\fIunbound\-control\-setup\fR(8) utility.
960.TP 5
961.B control\-enable: \fI<yes or no>
962The option is used to enable remote control, default is "no".
963If turned off, the server does not listen for control commands.
964.TP 5
965.B control\-interface: <ip address>
966Give IPv4 or IPv6 addresses to listen on for control commands.
967By default localhost (127.0.0.1 and ::1) is listened to.
968Use 0.0.0.0 and ::0 to listen to all interfaces.
969.TP 5
970.B control\-port: <port number>
971The port number to listen on for control commands, default is 8953.
972If you change this port number, and permissions have been dropped,
973a reload is not sufficient to open the port again, you must then restart.
974.TP 5
975.B server\-key\-file: "<private key file>"
976Path to the server private key, by default unbound_server.key.
977This file is generated by the \fIunbound\-control\-setup\fR utility.
978This file is used by the unbound server, but not by \fIunbound\-control\fR.
979.TP 5
980.B server\-cert\-file: "<certificate file.pem>"
981Path to the server self signed certificate, by default unbound_server.pem.
982This file is generated by the \fIunbound\-control\-setup\fR utility.
983This file is used by the unbound server, and also by \fIunbound\-control\fR.
984.TP 5
985.B control\-key\-file: "<private key file>"
986Path to the control client private key, by default unbound_control.key.
987This file is generated by the \fIunbound\-control\-setup\fR utility.
988This file is used by \fIunbound\-control\fR.
989.TP 5
990.B control\-cert\-file: "<certificate file.pem>"
991Path to the control client certificate, by default unbound_control.pem.
992This certificate has to be signed with the server certificate.
993This file is generated by the \fIunbound\-control\-setup\fR utility.
994This file is used by \fIunbound\-control\fR.
995.SS "Stub Zone Options"
996.LP
997There may be multiple
998.B stub\-zone:
999clauses. Each with a name: and zero or more hostnames or IP addresses.
1000For the stub zone this list of nameservers is used. Class IN is assumed.
1001The servers should be authority servers, not recursors; unbound performs
1002the recursive processing itself for stub zones.
1003.P
1004The stub zone can be used to configure authoritative data to be used
1005by the resolver that cannot be accessed using the public internet servers.
1006This is useful for company\-local data or private zones. Setup an
1007authoritative server on a different host (or different port). Enter a config
1008entry for unbound with
1009.B stub\-addr:
1010<ip address of host[@port]>.
1011The unbound resolver can then access the data, without referring to the
1012public internet for it.
1013.P
1014This setup allows DNSSEC signed zones to be served by that
1015authoritative server, in which case a trusted key entry with the public key
1016can be put in config, so that unbound can validate the data and set the AD
1017bit on replies for the private zone (authoritative servers do not set the
1018AD bit). This setup makes unbound capable of answering queries for the
1019private zone, and can even set the AD bit ('authentic'), but the AA
1020('authoritative') bit is not set on these replies.
1021.TP
1022.B name: \fI<domain name>
1023Name of the stub zone.
1024.TP
1025.B stub\-host: \fI<domain name>
1026Name of stub zone nameserver. Is itself resolved before it is used.
1027.TP
1028.B stub\-addr: \fI<IP address>
1029IP address of stub zone nameserver. Can be IP 4 or IP 6.
1030To use a nondefault port for DNS communication append '@' with the port number.
1031.TP
1032.B stub\-prime: \fI<yes or no>
1033This option is by default off. If enabled it performs NS set priming,
1034which is similar to root hints, where it starts using the list of nameservers
1035currently published by the zone. Thus, if the hint list is slightly outdated,
1036the resolver picks up a correct list online.
1037.TP
1038.B stub\-first: \fI<yes or no>
1039If enabled, a query is attempted without the stub clause if it fails.
1040The data could not be retrieved and would have caused SERVFAIL because
1041the servers are unreachable, instead it is tried without this clause.
1042The default is no.
1043.SS "Forward Zone Options"
1044.LP
1045There may be multiple
1046.B forward\-zone:
1047clauses. Each with a \fBname:\fR and zero or more hostnames or IP
1048addresses. For the forward zone this list of nameservers is used to
1049forward the queries to. The servers listed as \fBforward\-host:\fR and
1050\fBforward\-addr:\fR have to handle further recursion for the query. Thus,
1051those servers are not authority servers, but are (just like unbound is)
1052recursive servers too; unbound does not perform recursion itself for the
1053forward zone, it lets the remote server do it. Class IN is assumed.
1054A forward\-zone entry with name "." and a forward\-addr target will
1055forward all queries to that other server (unless it can answer from
1056the cache).
1057.TP
1058.B name: \fI<domain name>
1059Name of the forward zone.
1060.TP
1061.B forward\-host: \fI<domain name>
1062Name of server to forward to. Is itself resolved before it is used.
1063.TP
1064.B forward\-addr: \fI<IP address>
1065IP address of server to forward to. Can be IP 4 or IP 6.
1066To use a nondefault port for DNS communication append '@' with the port number.
1067.TP
1068.B forward\-first: \fI<yes or no>
1069If enabled, a query is attempted without the forward clause if it fails.
1070The data could not be retrieved and would have caused SERVFAIL because
1071the servers are unreachable, instead it is tried without this clause.
1072The default is no.
1073.SS "Python Module Options"
1074.LP
1075The
1076.B python:
1077clause gives the settings for the \fIpython\fR(1) script module. This module
1078acts like the iterator and validator modules do, on queries and answers.
1079To enable the script module it has to be compiled into the daemon,
1080and the word "python" has to be put in the \fBmodule\-config:\fR option
1081(usually first, or between the validator and iterator).
1082.TP
1083.B python\-script: \fI<python file>\fR
1084The script file to load.
1085.SH "MEMORY CONTROL EXAMPLE"
1086In the example config settings below memory usage is reduced. Some service
1087levels are lower, notable very large data and a high TCP load are no longer
1088supported. Very large data and high TCP loads are exceptional for the DNS.
1089DNSSEC validation is enabled, just add trust anchors.
1090If you do not have to worry about programs using more than 3 Mb of memory,
1091the below example is not for you. Use the defaults to receive full service,
1092which on BSD\-32bit tops out at 30\-40 Mb after heavy usage.
1093.P
1094.nf
1095# example settings that reduce memory usage
1096server:
1097 num\-threads: 1
1098 outgoing\-num\-tcp: 1 # this limits TCP service, uses less buffers.
1099 incoming\-num\-tcp: 1
1100 outgoing\-range: 60 # uses less memory, but less performance.
1101 msg\-buffer\-size: 8192 # note this limits service, 'no huge stuff'.
1102 msg\-cache\-size: 100k
1103 msg\-cache\-slabs: 1
1104 rrset\-cache\-size: 100k
1105 rrset\-cache\-slabs: 1
1106 infra\-cache\-numhosts: 200
1107 infra\-cache\-slabs: 1
1108 key\-cache\-size: 100k
1109 key\-cache\-slabs: 1
1110 neg\-cache\-size: 10k
1111 num\-queries\-per\-thread: 30
1112 target\-fetch\-policy: "2 1 0 0 0 0"
1113 harden\-large\-queries: "yes"
1114 harden\-short\-bufsize: "yes"
1115.fi
1116.SH "FILES"
1117.TP
1118.I /var/unbound
1119default unbound working directory.
1120.TP
1121.I /var/unbound
1122default
1123\fIchroot\fR(2)
1124location.
1125.TP
1126.I /var/unbound/unbound.conf
1127unbound configuration file.
1128.TP
1129.I /var/unbound/unbound.pid
1130default unbound pidfile with process ID of the running daemon.
1131.TP
1132.I unbound.log
1133unbound log file. default is to log to
1134\fIsyslog\fR(3).
1135.SH "SEE ALSO"
1136\fIunbound\fR(8),
1137\fIunbound\-checkconf\fR(8).
1138.SH "AUTHORS"
1139.B Unbound
1140was written by NLnet Labs. Please see CREDITS file
1141in the distribution for further details.
|