1.TH "unbound.conf" "5" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20"
| 1.TH "unbound.conf" "5" "Mar 12, 2014" "NLnet Labs" "unbound 1.4.22"
|
2.\" 3.\" unbound.conf.5 -- unbound.conf manual 4.\" 5.\" Copyright (c) 2007, NLnet Labs. All rights reserved. 6.\" 7.\" See LICENSE for the license. 8.\" 9.\" 10.SH "NAME" 11.LP 12.B unbound.conf 13\- Unbound configuration file. 14.SH "SYNOPSIS" 15.LP 16.B unbound.conf 17.SH "DESCRIPTION" 18.LP 19.B unbound.conf 20is used to configure 21\fIunbound\fR(8). 22The file format has attributes and values. Some attributes have attributes inside them. 23The notation is: attribute: value. 24.P 25Comments start with # and last to the end of line. Empty lines are 26ignored as is whitespace at the beginning of a line. 27.P 28The utility 29\fIunbound\-checkconf\fR(8) 30can be used to check unbound.conf prior to usage. 31.SH "EXAMPLE" 32An example config file is shown below. Copy this to /etc/unbound/unbound.conf 33and start the server with: 34.P 35.nf 36 $ unbound \-c /etc/unbound/unbound.conf 37.fi 38.P 39Most settings are the defaults. Stop the server with: 40.P 41.nf 42 $ kill `cat /etc/unbound/unbound.pid` 43.fi 44.P 45Below is a minimal config file. The source distribution contains an extensive 46example.conf file with all the options. 47.P 48.nf 49# unbound.conf(5) config file for unbound(8). 50server: 51 directory: "/etc/unbound" 52 username: unbound 53 # make sure unbound can access entropy from inside the chroot. 54 # e.g. on linux the use these commands (on BSD, devfs(8) is used): 55 # mount \-\-bind \-n /dev/random /etc/unbound/dev/random 56 # and mount \-\-bind \-n /dev/log /etc/unbound/dev/log 57 chroot: "/etc/unbound" 58 # logfile: "/etc/unbound/unbound.log" #uncomment to use logfile. 59 pidfile: "/etc/unbound/unbound.pid" 60 # verbosity: 1 # uncomment and increase to get more logging. 61 # listen on all interfaces, answer queries from the local subnet. 62 interface: 0.0.0.0 63 interface: ::0 64 access\-control: 10.0.0.0/8 allow 65 access\-control: 2001:DB8::/64 allow 66.fi 67.SH "FILE FORMAT" 68.LP 69There must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute 70is followed by its containing attributes, or a value. 71.P 72Files can be included using the 73.B include: 74directive. It can appear anywhere, it accepts a single file name as argument. 75Processing continues as if the text from the included file was copied into 76the config file at that point. If also using chroot, using full path names 77for the included files works, relative pathnames for the included names work 78if the directory where the daemon is started equals its chroot/working 79directory. Wildcards can be used to include multiple files, see \fIglob\fR(7). 80.SS "Server Options" 81These options are part of the 82.B server: 83clause. 84.TP 85.B verbosity: \fI<number> 86The verbosity number, level 0 means no verbosity, only errors. Level 1 87gives operational information. Level 2 gives detailed operational 88information. Level 3 gives query level information, output per query. 89Level 4 gives algorithm level information. Level 5 logs client 90identification for cache misses. Default is level 1. 91The verbosity can also be increased from the commandline, see \fIunbound\fR(8). 92.TP 93.B statistics\-interval: \fI<seconds> 94The number of seconds between printing statistics to the log for every thread. 95Disable with value 0 or "". Default is disabled. The histogram statistics 96are only printed if replies were sent during the statistics interval, 97requestlist statistics are printed for every interval (but can be 0). 98This is because the median calculation requires data to be present. 99.TP 100.B statistics\-cumulative: \fI<yes or no> 101If enabled, statistics are cumulative since starting unbound, without clearing 102the statistics counters after logging the statistics. Default is no. 103.TP 104.B extended\-statistics: \fI<yes or no> 105If enabled, extended statistics are printed from \fIunbound\-control\fR(8). 106Default is off, because keeping track of more statistics takes time. The 107counters are listed in \fIunbound\-control\fR(8). 108.TP 109.B num\-threads: \fI<number> 110The number of threads to create to serve clients. Use 1 for no threading. 111.TP 112.B port: \fI<port number> 113The port number, default 53, on which the server responds to queries. 114.TP 115.B interface: \fI<ip address[@port]> 116Interface to use to connect to the network. This interface is listened to 117for queries from clients, and answers to clients are given from it. 118Can be given multiple times to work on several interfaces. If none are 119given the default is to listen to localhost. 120The interfaces are not changed on a reload (kill \-HUP) but only on restart. 121A port number can be specified with @port (without spaces between 122interface and port number), if not specified the default port (from 123\fBport\fR) is used. 124.TP
| 2.\" 3.\" unbound.conf.5 -- unbound.conf manual 4.\" 5.\" Copyright (c) 2007, NLnet Labs. All rights reserved. 6.\" 7.\" See LICENSE for the license. 8.\" 9.\" 10.SH "NAME" 11.LP 12.B unbound.conf 13\- Unbound configuration file. 14.SH "SYNOPSIS" 15.LP 16.B unbound.conf 17.SH "DESCRIPTION" 18.LP 19.B unbound.conf 20is used to configure 21\fIunbound\fR(8). 22The file format has attributes and values. Some attributes have attributes inside them. 23The notation is: attribute: value. 24.P 25Comments start with # and last to the end of line. Empty lines are 26ignored as is whitespace at the beginning of a line. 27.P 28The utility 29\fIunbound\-checkconf\fR(8) 30can be used to check unbound.conf prior to usage. 31.SH "EXAMPLE" 32An example config file is shown below. Copy this to /etc/unbound/unbound.conf 33and start the server with: 34.P 35.nf 36 $ unbound \-c /etc/unbound/unbound.conf 37.fi 38.P 39Most settings are the defaults. Stop the server with: 40.P 41.nf 42 $ kill `cat /etc/unbound/unbound.pid` 43.fi 44.P 45Below is a minimal config file. The source distribution contains an extensive 46example.conf file with all the options. 47.P 48.nf 49# unbound.conf(5) config file for unbound(8). 50server: 51 directory: "/etc/unbound" 52 username: unbound 53 # make sure unbound can access entropy from inside the chroot. 54 # e.g. on linux the use these commands (on BSD, devfs(8) is used): 55 # mount \-\-bind \-n /dev/random /etc/unbound/dev/random 56 # and mount \-\-bind \-n /dev/log /etc/unbound/dev/log 57 chroot: "/etc/unbound" 58 # logfile: "/etc/unbound/unbound.log" #uncomment to use logfile. 59 pidfile: "/etc/unbound/unbound.pid" 60 # verbosity: 1 # uncomment and increase to get more logging. 61 # listen on all interfaces, answer queries from the local subnet. 62 interface: 0.0.0.0 63 interface: ::0 64 access\-control: 10.0.0.0/8 allow 65 access\-control: 2001:DB8::/64 allow 66.fi 67.SH "FILE FORMAT" 68.LP 69There must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute 70is followed by its containing attributes, or a value. 71.P 72Files can be included using the 73.B include: 74directive. It can appear anywhere, it accepts a single file name as argument. 75Processing continues as if the text from the included file was copied into 76the config file at that point. If also using chroot, using full path names 77for the included files works, relative pathnames for the included names work 78if the directory where the daemon is started equals its chroot/working 79directory. Wildcards can be used to include multiple files, see \fIglob\fR(7). 80.SS "Server Options" 81These options are part of the 82.B server: 83clause. 84.TP 85.B verbosity: \fI<number> 86The verbosity number, level 0 means no verbosity, only errors. Level 1 87gives operational information. Level 2 gives detailed operational 88information. Level 3 gives query level information, output per query. 89Level 4 gives algorithm level information. Level 5 logs client 90identification for cache misses. Default is level 1. 91The verbosity can also be increased from the commandline, see \fIunbound\fR(8). 92.TP 93.B statistics\-interval: \fI<seconds> 94The number of seconds between printing statistics to the log for every thread. 95Disable with value 0 or "". Default is disabled. The histogram statistics 96are only printed if replies were sent during the statistics interval, 97requestlist statistics are printed for every interval (but can be 0). 98This is because the median calculation requires data to be present. 99.TP 100.B statistics\-cumulative: \fI<yes or no> 101If enabled, statistics are cumulative since starting unbound, without clearing 102the statistics counters after logging the statistics. Default is no. 103.TP 104.B extended\-statistics: \fI<yes or no> 105If enabled, extended statistics are printed from \fIunbound\-control\fR(8). 106Default is off, because keeping track of more statistics takes time. The 107counters are listed in \fIunbound\-control\fR(8). 108.TP 109.B num\-threads: \fI<number> 110The number of threads to create to serve clients. Use 1 for no threading. 111.TP 112.B port: \fI<port number> 113The port number, default 53, on which the server responds to queries. 114.TP 115.B interface: \fI<ip address[@port]> 116Interface to use to connect to the network. This interface is listened to 117for queries from clients, and answers to clients are given from it. 118Can be given multiple times to work on several interfaces. If none are 119given the default is to listen to localhost. 120The interfaces are not changed on a reload (kill \-HUP) but only on restart. 121A port number can be specified with @port (without spaces between 122interface and port number), if not specified the default port (from 123\fBport\fR) is used. 124.TP
|
| 125.B ip\-address: \fI<ip address[@port]> 126Same as interface: (for easy of compatibility with nsd.conf). 127.TP
|
125.B interface\-automatic: \fI<yes or no> 126Detect source interface on UDP queries and copy them to replies. This 127feature is experimental, and needs support in your OS for particular socket 128options. Default value is no. 129.TP 130.B outgoing\-interface: \fI<ip address> 131Interface to use to connect to the network. This interface is used to send 132queries to authoritative servers and receive their replies. Can be given 133multiple times to work on several interfaces. If none are given the 134default (all) is used. You can specify the same interfaces in 135.B interface: 136and 137.B outgoing\-interface: 138lines, the interfaces are then used for both purposes. Outgoing queries are 139sent via a random outgoing interface to counter spoofing. 140.TP 141.B outgoing\-range: \fI<number> 142Number of ports to open. This number of file descriptors can be opened per 143thread. Must be at least 1. Default depends on compile options. Larger 144numbers need extra resources from the operating system. For performance a 145a very large value is best, use libevent to make this possible. 146.TP 147.B outgoing\-port\-permit: \fI<port number or range> 148Permit unbound to open this port or range of ports for use to send queries. 149A larger number of permitted outgoing ports increases resilience against 150spoofing attempts. Make sure these ports are not needed by other daemons. 151By default only ports above 1024 that have not been assigned by IANA are used. 152Give a port number or a range of the form "low\-high", without spaces. 153.IP 154The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements 155are processed in the line order of the config file, adding the permitted ports 156and subtracting the avoided ports from the set of allowed ports. The 157processing starts with the non IANA allocated ports above 1024 in the set 158of allowed ports. 159.TP 160.B outgoing\-port\-avoid: \fI<port number or range> 161Do not permit unbound to open this port or range of ports for use to send 162queries. Use this to make sure unbound does not grab a port that another 163daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6. 164By default only ports above 1024 that have not been assigned by IANA are used. 165Give a port number or a range of the form "low\-high", without spaces. 166.TP 167.B outgoing\-num\-tcp: \fI<number> 168Number of outgoing TCP buffers to allocate per thread. Default is 10. If set 169to 0, or if do_tcp is "no", no TCP queries to authoritative servers are done. 170.TP 171.B incoming\-num\-tcp: \fI<number> 172Number of incoming TCP buffers to allocate per thread. Default is 10. If set 173to 0, or if do_tcp is "no", no TCP queries from clients are accepted. 174.TP 175.B edns\-buffer\-size: \fI<number> 176Number of bytes size to advertise as the EDNS reassembly buffer size. 177This is the value put into datagrams over UDP towards peers. The actual 178buffer size is determined by msg\-buffer\-size (both for TCP and UDP). Do 179not set higher than that value. Default is 4096 which is RFC recommended. 180If you have fragmentation reassembly problems, usually seen as timeouts, 181then a value of 1480 can fix it. Setting to 512 bypasses even the most 182stringent path MTU problems, but is seen as extreme, since the amount 183of TCP fallback generated is excessive (probably also for this resolver, 184consider tuning the outgoing tcp number). 185.TP
| 128.B interface\-automatic: \fI<yes or no> 129Detect source interface on UDP queries and copy them to replies. This 130feature is experimental, and needs support in your OS for particular socket 131options. Default value is no. 132.TP 133.B outgoing\-interface: \fI<ip address> 134Interface to use to connect to the network. This interface is used to send 135queries to authoritative servers and receive their replies. Can be given 136multiple times to work on several interfaces. If none are given the 137default (all) is used. You can specify the same interfaces in 138.B interface: 139and 140.B outgoing\-interface: 141lines, the interfaces are then used for both purposes. Outgoing queries are 142sent via a random outgoing interface to counter spoofing. 143.TP 144.B outgoing\-range: \fI<number> 145Number of ports to open. This number of file descriptors can be opened per 146thread. Must be at least 1. Default depends on compile options. Larger 147numbers need extra resources from the operating system. For performance a 148a very large value is best, use libevent to make this possible. 149.TP 150.B outgoing\-port\-permit: \fI<port number or range> 151Permit unbound to open this port or range of ports for use to send queries. 152A larger number of permitted outgoing ports increases resilience against 153spoofing attempts. Make sure these ports are not needed by other daemons. 154By default only ports above 1024 that have not been assigned by IANA are used. 155Give a port number or a range of the form "low\-high", without spaces. 156.IP 157The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements 158are processed in the line order of the config file, adding the permitted ports 159and subtracting the avoided ports from the set of allowed ports. The 160processing starts with the non IANA allocated ports above 1024 in the set 161of allowed ports. 162.TP 163.B outgoing\-port\-avoid: \fI<port number or range> 164Do not permit unbound to open this port or range of ports for use to send 165queries. Use this to make sure unbound does not grab a port that another 166daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6. 167By default only ports above 1024 that have not been assigned by IANA are used. 168Give a port number or a range of the form "low\-high", without spaces. 169.TP 170.B outgoing\-num\-tcp: \fI<number> 171Number of outgoing TCP buffers to allocate per thread. Default is 10. If set 172to 0, or if do_tcp is "no", no TCP queries to authoritative servers are done. 173.TP 174.B incoming\-num\-tcp: \fI<number> 175Number of incoming TCP buffers to allocate per thread. Default is 10. If set 176to 0, or if do_tcp is "no", no TCP queries from clients are accepted. 177.TP 178.B edns\-buffer\-size: \fI<number> 179Number of bytes size to advertise as the EDNS reassembly buffer size. 180This is the value put into datagrams over UDP towards peers. The actual 181buffer size is determined by msg\-buffer\-size (both for TCP and UDP). Do 182not set higher than that value. Default is 4096 which is RFC recommended. 183If you have fragmentation reassembly problems, usually seen as timeouts, 184then a value of 1480 can fix it. Setting to 512 bypasses even the most 185stringent path MTU problems, but is seen as extreme, since the amount 186of TCP fallback generated is excessive (probably also for this resolver, 187consider tuning the outgoing tcp number). 188.TP
|
| 189.B max\-udp\-size: \fI<number> 190Maximum UDP response size (not applied to TCP response). 65536 disables the 191udp response size maximum, and uses the choice from the client, always. 192Suggested values are 512 to 4096. Default is 4096. 193.TP
|
186.B msg\-buffer\-size: \fI<number> 187Number of bytes size of the message buffers. Default is 65552 bytes, enough 188for 64 Kb packets, the maximum DNS message size. No message larger than this 189can be sent or received. Can be reduced to use less memory, but some requests 190for DNS data, such as for huge resource records, will result in a SERVFAIL 191reply to the client. 192.TP 193.B msg\-cache\-size: \fI<number> 194Number of bytes size of the message cache. Default is 4 megabytes. 195A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes 196or gigabytes (1024*1024 bytes in a megabyte). 197.TP 198.B msg\-cache\-slabs: \fI<number> 199Number of slabs in the message cache. Slabs reduce lock contention by threads. 200Must be set to a power of 2. Setting (close) to the number of cpus is a 201reasonable guess. 202.TP 203.B num\-queries\-per\-thread: \fI<number> 204The number of queries that every thread will service simultaneously. 205If more queries arrive that need servicing, and no queries can be jostled out 206(see \fIjostle\-timeout\fR), then the queries are dropped. This forces 207the client to resend after a timeout; allowing the server time to work on 208the existing queries. Default depends on compile options, 512 or 1024. 209.TP 210.B jostle\-timeout: \fI<msec> 211Timeout used when the server is very busy. Set to a value that usually 212results in one roundtrip to the authority servers. If too many queries 213arrive, then 50% of the queries are allowed to run to completion, and 214the other 50% are replaced with the new incoming query if they have already 215spent more than their allowed time. This protects against denial of 216service by slow queries or high query rates. Default 200 milliseconds. 217The effect is that the qps for long-lasting queries is about 218(numqueriesperthread / 2) / (average time for such long queries) qps. 219The qps for short queries can be about (numqueriesperthread / 2) 220/ (jostletimeout in whole seconds) qps per thread, about (1024/2)*5 = 2560 221qps by default. 222.TP
| 194.B msg\-buffer\-size: \fI<number> 195Number of bytes size of the message buffers. Default is 65552 bytes, enough 196for 64 Kb packets, the maximum DNS message size. No message larger than this 197can be sent or received. Can be reduced to use less memory, but some requests 198for DNS data, such as for huge resource records, will result in a SERVFAIL 199reply to the client. 200.TP 201.B msg\-cache\-size: \fI<number> 202Number of bytes size of the message cache. Default is 4 megabytes. 203A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes 204or gigabytes (1024*1024 bytes in a megabyte). 205.TP 206.B msg\-cache\-slabs: \fI<number> 207Number of slabs in the message cache. Slabs reduce lock contention by threads. 208Must be set to a power of 2. Setting (close) to the number of cpus is a 209reasonable guess. 210.TP 211.B num\-queries\-per\-thread: \fI<number> 212The number of queries that every thread will service simultaneously. 213If more queries arrive that need servicing, and no queries can be jostled out 214(see \fIjostle\-timeout\fR), then the queries are dropped. This forces 215the client to resend after a timeout; allowing the server time to work on 216the existing queries. Default depends on compile options, 512 or 1024. 217.TP 218.B jostle\-timeout: \fI<msec> 219Timeout used when the server is very busy. Set to a value that usually 220results in one roundtrip to the authority servers. If too many queries 221arrive, then 50% of the queries are allowed to run to completion, and 222the other 50% are replaced with the new incoming query if they have already 223spent more than their allowed time. This protects against denial of 224service by slow queries or high query rates. Default 200 milliseconds. 225The effect is that the qps for long-lasting queries is about 226(numqueriesperthread / 2) / (average time for such long queries) qps. 227The qps for short queries can be about (numqueriesperthread / 2) 228/ (jostletimeout in whole seconds) qps per thread, about (1024/2)*5 = 2560 229qps by default. 230.TP
|
| 231.B delay\-close: \fI<msec> 232Extra delay for timeouted UDP ports before they are closed, in msec. 233Default is 0, and that disables it. This prevents very delayed answer 234packets from the upstream (recursive) servers from bouncing against 235closed ports and setting off all sort of close-port counters, with 236eg. 1500 msec. When timeouts happen you need extra sockets, it checks 237the ID and remote IP of packets, and unwanted packets are added to the 238unwanted packet counter. 239.TP
|
223.B so\-rcvbuf: \fI<number> 224If not 0, then set the SO_RCVBUF socket option to get more buffer 225space on UDP port 53 incoming queries. So that short spikes on busy 226servers do not drop packets (see counter in netstat \-su). Default is 2270 (use system value). Otherwise, the number of bytes to ask for, try 228"4m" on a busy server. The OS caps it at a maximum, on linux unbound 229needs root permission to bypass the limit, or the admin can use sysctl 230net.core.rmem_max. On BSD change kern.ipc.maxsockbuf in /etc/sysctl.conf. 231On OpenBSD change header and recompile kernel. On Solaris ndd \-set 232/dev/udp udp_max_buf 8388608. 233.TP 234.B so\-sndbuf: \fI<number> 235If not 0, then set the SO_SNDBUF socket option to get more buffer space on 236UDP port 53 outgoing queries. This for very busy servers handles spikes 237in answer traffic, otherwise 'send: resource temporarily unavailable' 238can get logged, the buffer overrun is also visible by netstat \-su. 239Default is 0 (use system value). Specify the number of bytes to ask 240for, try "4m" on a very busy server. The OS caps it at a maximum, on 241linux unbound needs root permission to bypass the limit, or the admin 242can use sysctl net.core.wmem_max. On BSD, Solaris changes are similar 243to so\-rcvbuf. 244.TP
| 240.B so\-rcvbuf: \fI<number> 241If not 0, then set the SO_RCVBUF socket option to get more buffer 242space on UDP port 53 incoming queries. So that short spikes on busy 243servers do not drop packets (see counter in netstat \-su). Default is 2440 (use system value). Otherwise, the number of bytes to ask for, try 245"4m" on a busy server. The OS caps it at a maximum, on linux unbound 246needs root permission to bypass the limit, or the admin can use sysctl 247net.core.rmem_max. On BSD change kern.ipc.maxsockbuf in /etc/sysctl.conf. 248On OpenBSD change header and recompile kernel. On Solaris ndd \-set 249/dev/udp udp_max_buf 8388608. 250.TP 251.B so\-sndbuf: \fI<number> 252If not 0, then set the SO_SNDBUF socket option to get more buffer space on 253UDP port 53 outgoing queries. This for very busy servers handles spikes 254in answer traffic, otherwise 'send: resource temporarily unavailable' 255can get logged, the buffer overrun is also visible by netstat \-su. 256Default is 0 (use system value). Specify the number of bytes to ask 257for, try "4m" on a very busy server. The OS caps it at a maximum, on 258linux unbound needs root permission to bypass the limit, or the admin 259can use sysctl net.core.wmem_max. On BSD, Solaris changes are similar 260to so\-rcvbuf. 261.TP
|
| 262.B so\-reuseport: \fI<yes or no> 263If yes, then open dedicated listening sockets for incoming queries for each 264thread and try to set the SO_REUSEPORT socket option on each socket. May 265distribute incoming queries to threads more evenly. Default is no. Only 266supported on Linux >= 3.9. You can enable it (on any platform and kernel), 267it then attempts to open the port and passes the option if it was available 268at compile time, if that works it is used, if it fails, it continues 269silently (unless verbosity 3) without the option. 270.TP
|
245.B rrset\-cache\-size: \fI<number> 246Number of bytes size of the RRset cache. Default is 4 megabytes. 247A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes 248or gigabytes (1024*1024 bytes in a megabyte). 249.TP 250.B rrset\-cache\-slabs: \fI<number> 251Number of slabs in the RRset cache. Slabs reduce lock contention by threads. 252Must be set to a power of 2. 253.TP 254.B cache\-max\-ttl: \fI<seconds> 255Time to live maximum for RRsets and messages in the cache. Default is 25686400 seconds (1 day). If the maximum kicks in, responses to clients 257still get decrementing TTLs based on the original (larger) values. 258When the internal TTL expires, the cache item has expired. 259Can be set lower to force the resolver to query for data often, and not 260trust (very large) TTL values. 261.TP 262.B cache\-min\-ttl: \fI<seconds> 263Time to live minimum for RRsets and messages in the cache. Default is 0. 264If the the minimum kicks in, the data is cached for longer than the domain 265owner intended, and thus less queries are made to look up the data. 266Zero makes sure the data in the cache is as the domain owner intended, 267higher values, especially more than an hour or so, can lead to trouble as 268the data in the cache does not match up with the actual data any more. 269.TP 270.B infra\-host\-ttl: \fI<seconds> 271Time to live for entries in the host cache. The host cache contains 272roundtrip timing, lameness and EDNS support information. Default is 900. 273.TP 274.B infra\-cache\-slabs: \fI<number> 275Number of slabs in the infrastructure cache. Slabs reduce lock contention 276by threads. Must be set to a power of 2. 277.TP 278.B infra\-cache\-numhosts: \fI<number> 279Number of hosts for which information is cached. Default is 10000. 280.TP 281.B do\-ip4: \fI<yes or no> 282Enable or disable whether ip4 queries are answered or issued. Default is yes. 283.TP 284.B do\-ip6: \fI<yes or no> 285Enable or disable whether ip6 queries are answered or issued. Default is yes. 286If disabled, queries are not answered on IPv6, and queries are not sent on 287IPv6 to the internet nameservers. 288.TP 289.B do\-udp: \fI<yes or no> 290Enable or disable whether UDP queries are answered or issued. Default is yes. 291.TP 292.B do\-tcp: \fI<yes or no> 293Enable or disable whether TCP queries are answered or issued. Default is yes. 294.TP 295.B tcp\-upstream: \fI<yes or no> 296Enable or disable whether the upstream queries use TCP only for transport. 297Default is no. Useful in tunneling scenarios. 298.TP 299.B ssl\-upstream: \fI<yes or no> 300Enabled or disable whether the upstream queries use SSL only for transport. 301Default is no. Useful in tunneling scenarios. The SSL contains plain DNS in 302TCP wireformat. The other server must support this (see \fBssl\-service\-key\fR). 303.TP 304.B ssl\-service-key: \fI<file> 305If enabled, the server provider SSL service on its TCP sockets. The clients 306have to use ssl\-upstream: yes. The file is the private key for the TLS 307session. The public certificate is in the ssl\-service\-pem file. Default 308is "", turned off. Requires a restart (a reload is not enough) if changed, 309because the private key is read while root permissions are held and before 310chroot (if any). Normal DNS TCP service is not provided and gives errors, 311this service is best run with a different \fBport:\fR config or \fI@port\fR 312suffixes in the \fBinterface\fR config. 313.TP 314.B ssl\-service\-pem: \fI<file> 315The public key certificate pem file for the ssl service. Default is "", 316turned off. 317.TP 318.B ssl\-port: \fI<number> 319The port number on which to provide TCP SSL service, default 443, only 320interfaces configured with that port number as @number get the SSL service. 321.TP 322.B do\-daemonize: \fI<yes or no> 323Enable or disable whether the unbound server forks into the background as 324a daemon. Default is yes. 325.TP 326.B access\-control: \fI<IP netblock> <action> 327The netblock is given as an IP4 or IP6 address with /size appended for a 328classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
| 271.B rrset\-cache\-size: \fI<number> 272Number of bytes size of the RRset cache. Default is 4 megabytes. 273A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes 274or gigabytes (1024*1024 bytes in a megabyte). 275.TP 276.B rrset\-cache\-slabs: \fI<number> 277Number of slabs in the RRset cache. Slabs reduce lock contention by threads. 278Must be set to a power of 2. 279.TP 280.B cache\-max\-ttl: \fI<seconds> 281Time to live maximum for RRsets and messages in the cache. Default is 28286400 seconds (1 day). If the maximum kicks in, responses to clients 283still get decrementing TTLs based on the original (larger) values. 284When the internal TTL expires, the cache item has expired. 285Can be set lower to force the resolver to query for data often, and not 286trust (very large) TTL values. 287.TP 288.B cache\-min\-ttl: \fI<seconds> 289Time to live minimum for RRsets and messages in the cache. Default is 0. 290If the the minimum kicks in, the data is cached for longer than the domain 291owner intended, and thus less queries are made to look up the data. 292Zero makes sure the data in the cache is as the domain owner intended, 293higher values, especially more than an hour or so, can lead to trouble as 294the data in the cache does not match up with the actual data any more. 295.TP 296.B infra\-host\-ttl: \fI<seconds> 297Time to live for entries in the host cache. The host cache contains 298roundtrip timing, lameness and EDNS support information. Default is 900. 299.TP 300.B infra\-cache\-slabs: \fI<number> 301Number of slabs in the infrastructure cache. Slabs reduce lock contention 302by threads. Must be set to a power of 2. 303.TP 304.B infra\-cache\-numhosts: \fI<number> 305Number of hosts for which information is cached. Default is 10000. 306.TP 307.B do\-ip4: \fI<yes or no> 308Enable or disable whether ip4 queries are answered or issued. Default is yes. 309.TP 310.B do\-ip6: \fI<yes or no> 311Enable or disable whether ip6 queries are answered or issued. Default is yes. 312If disabled, queries are not answered on IPv6, and queries are not sent on 313IPv6 to the internet nameservers. 314.TP 315.B do\-udp: \fI<yes or no> 316Enable or disable whether UDP queries are answered or issued. Default is yes. 317.TP 318.B do\-tcp: \fI<yes or no> 319Enable or disable whether TCP queries are answered or issued. Default is yes. 320.TP 321.B tcp\-upstream: \fI<yes or no> 322Enable or disable whether the upstream queries use TCP only for transport. 323Default is no. Useful in tunneling scenarios. 324.TP 325.B ssl\-upstream: \fI<yes or no> 326Enabled or disable whether the upstream queries use SSL only for transport. 327Default is no. Useful in tunneling scenarios. The SSL contains plain DNS in 328TCP wireformat. The other server must support this (see \fBssl\-service\-key\fR). 329.TP 330.B ssl\-service-key: \fI<file> 331If enabled, the server provider SSL service on its TCP sockets. The clients 332have to use ssl\-upstream: yes. The file is the private key for the TLS 333session. The public certificate is in the ssl\-service\-pem file. Default 334is "", turned off. Requires a restart (a reload is not enough) if changed, 335because the private key is read while root permissions are held and before 336chroot (if any). Normal DNS TCP service is not provided and gives errors, 337this service is best run with a different \fBport:\fR config or \fI@port\fR 338suffixes in the \fBinterface\fR config. 339.TP 340.B ssl\-service\-pem: \fI<file> 341The public key certificate pem file for the ssl service. Default is "", 342turned off. 343.TP 344.B ssl\-port: \fI<number> 345The port number on which to provide TCP SSL service, default 443, only 346interfaces configured with that port number as @number get the SSL service. 347.TP 348.B do\-daemonize: \fI<yes or no> 349Enable or disable whether the unbound server forks into the background as 350a daemon. Default is yes. 351.TP 352.B access\-control: \fI<IP netblock> <action> 353The netblock is given as an IP4 or IP6 address with /size appended for a 354classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
|
329\fIallow\fR or \fIallow_snoop\fR.
| 355\fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR.
|
330.IP 331The action \fIdeny\fR stops queries from hosts from that netblock. 332.IP 333The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED 334error message back. 335.IP 336The action \fIallow\fR gives access to clients from that netblock. 337It gives only access for recursion clients (which is 338what almost all clients need). Nonrecursive queries are refused. 339.IP 340The \fIallow\fR action does allow nonrecursive queries to access the 341local\-data that is configured. The reason is that this does not involve 342the unbound server recursive lookup algorithm, and static data is served 343in the reply. This supports normal operations where nonrecursive queries 344are made for the authoritative data. For nonrecursive queries any replies 345from the dynamic cache are refused. 346.IP 347The action \fIallow_snoop\fR gives nonrecursive access too. This give 348both recursive and non recursive access. The name \fIallow_snoop\fR refers 349to cache snooping, a technique to use nonrecursive queries to examine 350the cache contents (for malicious acts). However, nonrecursive queries can 351also be a valuable debugging tool (when you want to examine the cache 352contents). In that case use \fIallow_snoop\fR for your administration host. 353.IP 354By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd. 355The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS 356protocol is not designed to handle dropped packets due to policy, and 357dropping may result in (possibly excessive) retried queries.
| 356.IP 357The action \fIdeny\fR stops queries from hosts from that netblock. 358.IP 359The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED 360error message back. 361.IP 362The action \fIallow\fR gives access to clients from that netblock. 363It gives only access for recursion clients (which is 364what almost all clients need). Nonrecursive queries are refused. 365.IP 366The \fIallow\fR action does allow nonrecursive queries to access the 367local\-data that is configured. The reason is that this does not involve 368the unbound server recursive lookup algorithm, and static data is served 369in the reply. This supports normal operations where nonrecursive queries 370are made for the authoritative data. For nonrecursive queries any replies 371from the dynamic cache are refused. 372.IP 373The action \fIallow_snoop\fR gives nonrecursive access too. This give 374both recursive and non recursive access. The name \fIallow_snoop\fR refers 375to cache snooping, a technique to use nonrecursive queries to examine 376the cache contents (for malicious acts). However, nonrecursive queries can 377also be a valuable debugging tool (when you want to examine the cache 378contents). In that case use \fIallow_snoop\fR for your administration host. 379.IP 380By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd. 381The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS 382protocol is not designed to handle dropped packets due to policy, and 383dropping may result in (possibly excessive) retried queries.
|
| 384.IP 385The deny_non_local and refuse_non_local settings are for hosts that are 386only allowed to query for the authoritative local\-data, they are not 387allowed full recursion but only the static data. With deny_non_local, 388messages that are disallowed are dropped, with refuse_non_local they 389receive error code REFUSED.
|
358.TP 359.B chroot: \fI<directory> 360If chroot is enabled, you should pass the configfile (from the 361commandline) as a full path from the original root. After the 362chroot has been performed the now defunct portion of the config 363file path is removed to be able to reread the config after a reload. 364.IP 365All other file paths (working dir, logfile, roothints, and 366key files) can be specified in several ways: 367as an absolute path relative to the new root, 368as a relative path to the working directory, or 369as an absolute path relative to the original root. 370In the last case the path is adjusted to remove the unused portion. 371.IP 372The pidfile can be either a relative path to the working directory, or 373an absolute path relative to the original root. It is written just prior 374to chroot and dropping permissions. This allows the pidfile to be 375/var/run/unbound.pid and the chroot to be /var/unbound, for example. 376.IP 377Additionally, unbound may need to access /dev/random (for entropy) 378from inside the chroot. 379.IP 380If given a chroot is done to the given directory. The default is 381"/var/unbound". If you give "" no chroot is performed. 382.TP 383.B username: \fI<name> 384If given, after binding the port the user privileges are dropped. Default is 385"unbound". If you give username: "" no user change is performed. 386.IP 387If this user is not capable of binding the 388port, reloads (by signal HUP) will still retain the opened ports. 389If you change the port number in the config file, and that new port number 390requires privileges, then a reload will fail; a restart is needed. 391.TP 392.B directory: \fI<directory> 393Sets the working directory for the program. Default is "/var/unbound". 394.TP 395.B logfile: \fI<filename> 396If "" is given, logging goes to stderr, or nowhere once daemonized. 397The logfile is appended to, in the following format: 398.nf 399[seconds since 1970] unbound[pid:tid]: type: message. 400.fi 401If this option is given, the use\-syslog is option is set to "no". 402The logfile is reopened (for append) when the config file is reread, on 403SIGHUP. 404.TP 405.B use\-syslog: \fI<yes or no> 406Sets unbound to send log messages to the syslogd, using 407\fIsyslog\fR(3). 408The log facility LOG_DAEMON is used, with identity "unbound". 409The logfile setting is overridden when use\-syslog is turned on. 410The default is to log to syslog. 411.TP 412.B log\-time\-ascii: \fI<yes or no> 413Sets logfile lines to use a timestamp in UTC ascii. Default is no, which 414prints the seconds since 1970 in brackets. No effect if using syslog, in 415that case syslog formats the timestamp printed into the log files. 416.TP 417.B log\-queries: \fI<yes or no> 418Prints one line per query to the log, with the log timestamp and IP address, 419name, type and class. Default is no. Note that it takes time to print these 420lines which makes the server (significantly) slower. Odd (nonprintable) 421characters in names are printed as '?'. 422.TP 423.B pidfile: \fI<filename> 424The process id is written to the file. Default is "/var/unbound/unbound.pid". 425So, 426.nf 427kill \-HUP `cat /var/unbound/unbound.pid` 428.fi 429triggers a reload, 430.nf 431kill \-QUIT `cat /var/unbound/unbound.pid` 432.fi 433gracefully terminates. 434.TP 435.B root\-hints: \fI<filename> 436Read the root hints from this file. Default is nothing, using builtin hints 437for the IN class. The file has the format of zone files, with root 438nameserver names and addresses only. The default may become outdated, 439when servers change, therefore it is good practice to use a root\-hints file. 440.TP 441.B hide\-identity: \fI<yes or no> 442If enabled id.server and hostname.bind queries are refused. 443.TP 444.B identity: \fI<string> 445Set the identity to report. If set to "", the default, then the hostname 446of the server is returned. 447.TP 448.B hide\-version: \fI<yes or no> 449If enabled version.server and version.bind queries are refused. 450.TP 451.B version: \fI<string> 452Set the version to report. If set to "", the default, then the package 453version is returned. 454.TP 455.B target\-fetch\-policy: \fI<"list of numbers"> 456Set the target fetch policy used by unbound to determine if it should fetch 457nameserver target addresses opportunistically. The policy is described per 458dependency depth. 459.IP 460The number of values determines the maximum dependency depth 461that unbound will pursue in answering a query. 462A value of \-1 means to fetch all targets opportunistically for that dependency 463depth. A value of 0 means to fetch on demand only. A positive value fetches 464that many targets opportunistically. 465.IP 466Enclose the list between quotes ("") and put spaces between numbers. 467The default is "3 2 1 0 0". Setting all zeroes, "0 0 0 0 0" gives behaviour 468closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour 469rumoured to be closer to that of BIND 8. 470.TP 471.B harden\-short\-bufsize: \fI<yes or no> 472Very small EDNS buffer sizes from queries are ignored. Default is off, since 473it is legal protocol wise to send these, and unbound tries to give very 474small answers to these queries, where possible. 475.TP 476.B harden\-large\-queries: \fI<yes or no> 477Very large queries are ignored. Default is off, since it is legal protocol 478wise to send these, and could be necessary for operation if TSIG or EDNS 479payload is very large. 480.TP 481.B harden\-glue: \fI<yes or no> 482Will trust glue only if it is within the servers authority. Default is on. 483.TP 484.B harden\-dnssec\-stripped: \fI<yes or no> 485Require DNSSEC data for trust\-anchored zones, if such data is absent, 486the zone becomes bogus. If turned off, and no DNSSEC data is received 487(or the DNSKEY data fails to validate), then the zone is made insecure, 488this behaves like there is no trust anchor. You could turn this off if 489you are sometimes behind an intrusive firewall (of some sort) that 490removes DNSSEC data from packets, or a zone changes from signed to 491unsigned to badly signed often. If turned off you run the risk of a 492downgrade attack that disables security for a zone. Default is on. 493.TP 494.B harden\-below\-nxdomain: \fI<yes or no>
| 390.TP 391.B chroot: \fI<directory> 392If chroot is enabled, you should pass the configfile (from the 393commandline) as a full path from the original root. After the 394chroot has been performed the now defunct portion of the config 395file path is removed to be able to reread the config after a reload. 396.IP 397All other file paths (working dir, logfile, roothints, and 398key files) can be specified in several ways: 399as an absolute path relative to the new root, 400as a relative path to the working directory, or 401as an absolute path relative to the original root. 402In the last case the path is adjusted to remove the unused portion. 403.IP 404The pidfile can be either a relative path to the working directory, or 405an absolute path relative to the original root. It is written just prior 406to chroot and dropping permissions. This allows the pidfile to be 407/var/run/unbound.pid and the chroot to be /var/unbound, for example. 408.IP 409Additionally, unbound may need to access /dev/random (for entropy) 410from inside the chroot. 411.IP 412If given a chroot is done to the given directory. The default is 413"/var/unbound". If you give "" no chroot is performed. 414.TP 415.B username: \fI<name> 416If given, after binding the port the user privileges are dropped. Default is 417"unbound". If you give username: "" no user change is performed. 418.IP 419If this user is not capable of binding the 420port, reloads (by signal HUP) will still retain the opened ports. 421If you change the port number in the config file, and that new port number 422requires privileges, then a reload will fail; a restart is needed. 423.TP 424.B directory: \fI<directory> 425Sets the working directory for the program. Default is "/var/unbound". 426.TP 427.B logfile: \fI<filename> 428If "" is given, logging goes to stderr, or nowhere once daemonized. 429The logfile is appended to, in the following format: 430.nf 431[seconds since 1970] unbound[pid:tid]: type: message. 432.fi 433If this option is given, the use\-syslog is option is set to "no". 434The logfile is reopened (for append) when the config file is reread, on 435SIGHUP. 436.TP 437.B use\-syslog: \fI<yes or no> 438Sets unbound to send log messages to the syslogd, using 439\fIsyslog\fR(3). 440The log facility LOG_DAEMON is used, with identity "unbound". 441The logfile setting is overridden when use\-syslog is turned on. 442The default is to log to syslog. 443.TP 444.B log\-time\-ascii: \fI<yes or no> 445Sets logfile lines to use a timestamp in UTC ascii. Default is no, which 446prints the seconds since 1970 in brackets. No effect if using syslog, in 447that case syslog formats the timestamp printed into the log files. 448.TP 449.B log\-queries: \fI<yes or no> 450Prints one line per query to the log, with the log timestamp and IP address, 451name, type and class. Default is no. Note that it takes time to print these 452lines which makes the server (significantly) slower. Odd (nonprintable) 453characters in names are printed as '?'. 454.TP 455.B pidfile: \fI<filename> 456The process id is written to the file. Default is "/var/unbound/unbound.pid". 457So, 458.nf 459kill \-HUP `cat /var/unbound/unbound.pid` 460.fi 461triggers a reload, 462.nf 463kill \-QUIT `cat /var/unbound/unbound.pid` 464.fi 465gracefully terminates. 466.TP 467.B root\-hints: \fI<filename> 468Read the root hints from this file. Default is nothing, using builtin hints 469for the IN class. The file has the format of zone files, with root 470nameserver names and addresses only. The default may become outdated, 471when servers change, therefore it is good practice to use a root\-hints file. 472.TP 473.B hide\-identity: \fI<yes or no> 474If enabled id.server and hostname.bind queries are refused. 475.TP 476.B identity: \fI<string> 477Set the identity to report. If set to "", the default, then the hostname 478of the server is returned. 479.TP 480.B hide\-version: \fI<yes or no> 481If enabled version.server and version.bind queries are refused. 482.TP 483.B version: \fI<string> 484Set the version to report. If set to "", the default, then the package 485version is returned. 486.TP 487.B target\-fetch\-policy: \fI<"list of numbers"> 488Set the target fetch policy used by unbound to determine if it should fetch 489nameserver target addresses opportunistically. The policy is described per 490dependency depth. 491.IP 492The number of values determines the maximum dependency depth 493that unbound will pursue in answering a query. 494A value of \-1 means to fetch all targets opportunistically for that dependency 495depth. A value of 0 means to fetch on demand only. A positive value fetches 496that many targets opportunistically. 497.IP 498Enclose the list between quotes ("") and put spaces between numbers. 499The default is "3 2 1 0 0". Setting all zeroes, "0 0 0 0 0" gives behaviour 500closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour 501rumoured to be closer to that of BIND 8. 502.TP 503.B harden\-short\-bufsize: \fI<yes or no> 504Very small EDNS buffer sizes from queries are ignored. Default is off, since 505it is legal protocol wise to send these, and unbound tries to give very 506small answers to these queries, where possible. 507.TP 508.B harden\-large\-queries: \fI<yes or no> 509Very large queries are ignored. Default is off, since it is legal protocol 510wise to send these, and could be necessary for operation if TSIG or EDNS 511payload is very large. 512.TP 513.B harden\-glue: \fI<yes or no> 514Will trust glue only if it is within the servers authority. Default is on. 515.TP 516.B harden\-dnssec\-stripped: \fI<yes or no> 517Require DNSSEC data for trust\-anchored zones, if such data is absent, 518the zone becomes bogus. If turned off, and no DNSSEC data is received 519(or the DNSKEY data fails to validate), then the zone is made insecure, 520this behaves like there is no trust anchor. You could turn this off if 521you are sometimes behind an intrusive firewall (of some sort) that 522removes DNSSEC data from packets, or a zone changes from signed to 523unsigned to badly signed often. If turned off you run the risk of a 524downgrade attack that disables security for a zone. Default is on. 525.TP 526.B harden\-below\-nxdomain: \fI<yes or no>
|
495From draft-vixie-dnsext-resimprove, returns nxdomain to queries for a name
| 527From draft\-vixie\-dnsext\-resimprove, returns nxdomain to queries for a name
|
496below another name that is already known to be nxdomain. DNSSEC mandates 497noerror for empty nonterminals, hence this is possible. Very old software 498might return nxdomain for empty nonterminals (that usually happen for reverse 499IP address lookups), and thus may be incompatible with this. To try to avoid 500this only DNSSEC-secure nxdomains are used, because the old software does not 501have DNSSEC. Default is off. 502.TP 503.B harden\-referral\-path: \fI<yes or no> 504Harden the referral path by performing additional queries for 505infrastructure data. Validates the replies if trust anchors are configured 506and the zones are signed. This enforces DNSSEC validation on nameserver 507NS sets and the nameserver addresses that are encountered on the referral 508path to the answer. 509Default off, because it burdens the authority servers, and it is 510not RFC standard, and could lead to performance problems because of the 511extra query load that is generated. Experimental option. 512If you enable it consider adding more numbers after the target\-fetch\-policy 513to increase the max depth that is checked to. 514.TP 515.B use\-caps\-for\-id: \fI<yes or no> 516Use 0x20\-encoded random bits in the query to foil spoof attempts. 517This perturbs the lowercase and uppercase of query names sent to 518authority servers and checks if the reply still has the correct casing. 519Disabled by default. 520This feature is an experimental implementation of draft dns\-0x20. 521.TP 522.B private\-address: \fI<IP address or subnet> 523Give IPv4 of IPv6 addresses or classless subnets. These are addresses 524on your private network, and are not allowed to be returned for public 525internet names. Any occurence of such addresses are removed from 526DNS answers. Additionally, the DNSSEC validator may mark the answers 527bogus. This protects against so\-called DNS Rebinding, where a user browser 528is turned into a network proxy, allowing remote access through the browser 529to other parts of your private network. Some names can be allowed to 530contain your private addresses, by default all the \fBlocal\-data\fR 531that you configured is allowed to, and you can specify additional 532names using \fBprivate\-domain\fR. No private addresses are enabled 533by default. We consider to enable this for the RFC1918 private IP 534address space by default in later releases. That would enable private 535addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 536fd00::/8 and fe80::/10, since the RFC standards say these addresses 537should not be visible on the public internet. Turning on 127.0.0.0/8 538would hinder many spamblocklists as they use that. 539.TP 540.B private\-domain: \fI<domain name> 541Allow this domain, and all its subdomains to contain private addresses. 542Give multiple times to allow multiple domain names to contain private 543addresses. Default is none. 544.TP 545.B unwanted\-reply\-threshold: \fI<number> 546If set, a total number of unwanted replies is kept track of in every thread. 547When it reaches the threshold, a defensive action is taken and a warning 548is printed to the log. The defensive action is to clear the rrset and 549message caches, hopefully flushing away any poison. A value of 10 million 550is suggested. Default is 0 (turned off). 551.TP 552.B do\-not\-query\-address: \fI<IP address> 553Do not query the given IP address. Can be IP4 or IP6. Append /num to 554indicate a classless delegation netblock, for example like 55510.2.3.4/24 or 2001::11/64. 556.TP 557.B do\-not\-query\-localhost: \fI<yes or no> 558If yes, localhost is added to the do\-not\-query\-address entries, both 559IP6 ::1 and IP4 127.0.0.1/8. If no, then localhost can be used to send 560queries to. Default is yes. 561.TP 562.B prefetch: \fI<yes or no> 563If yes, message cache elements are prefetched before they expire to 564keep the cache up to date. Default is no. Turning it on gives about 56510 percent more traffic and load on the machine, but popular items do 566not expire from the cache. 567.TP 568.B prefetch-key: \fI<yes or no> 569If yes, fetch the DNSKEYs earlier in the validation process, when a DS 570record is encountered. This lowers the latency of requests. It does use 571a little more CPU. Also if the cache is set to 0, it is no use. Default is no. 572.TP 573.B rrset-roundrobin: \fI<yes or no> 574If yes, Unbound rotates RRSet order in response (the random number is taken 575from the query ID, for speed and thread safety). Default is no. 576.TP 577.B minimal-responses: \fI<yes or no> 578If yes, Unbound doesn't insert authority/additional sections into response 579messages when those sections are not required. This reduces response 580size significantly, and may avoid TCP fallback for some responses. 581This may cause a slight speedup. The default is no, because the DNS 582protocol RFCs mandate these sections, and the additional content could 583be of use and save roundtrips for clients. 584.TP 585.B module\-config: \fI<"module names"> 586Module configuration, a list of module names separated by spaces, surround 587the string with quotes (""). The modules can be validator, iterator. 588Setting this to "iterator" will result in a non\-validating server. 589Setting this to "validator iterator" will turn on DNSSEC validation. 590The ordering of the modules is important. 591You must also set trust\-anchors for validation to be useful. 592.TP 593.B trust\-anchor\-file: \fI<filename> 594File with trusted keys for validation. Both DS and DNSKEY entries can appear 595in the file. The format of the file is the standard DNS Zone file format. 596Default is "", or no trust anchor file. 597.TP 598.B auto\-trust\-anchor\-file: \fI<filename> 599File with trust anchor for one zone, which is tracked with RFC5011 probes. 600The probes are several times per month, thus the machine must be online 601frequently. The initial file can be one with contents as described in 602\fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated, 603so the unbound user must have write permission. 604.TP 605.B trust\-anchor: \fI<"Resource Record"> 606A DS or DNSKEY RR for a key to use for validation. Multiple entries can be 607given to specify multiple trusted keys, in addition to the trust\-anchor\-files. 608The resource record is entered in the same format as 'dig' or 'drill' prints 609them, the same format as in the zone file. Has to be on a single line, with 610"" around it. A TTL can be specified for ease of cut and paste, but is ignored. 611A class can be specified, but class IN is default. 612.TP 613.B trusted\-keys\-file: \fI<filename> 614File with trusted keys for validation. Specify more than one file 615with several entries, one file per entry. Like \fBtrust\-anchor\-file\fR 616but has a different file format. Format is BIND\-9 style format, 617the trusted\-keys { name flag proto algo "key"; }; clauses are read. 618It is possible to use wildcards with this statement, the wildcard is 619expanded on start and on reload. 620.TP 621.B dlv\-anchor\-file: \fI<filename> 622File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and 623DNSKEY entries can be used in the file, in the same format as for 624\fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more 625would be slow. The DLV configured is used as a root trusted DLV, this 626means that it is a lookaside for the root. Default is "", or no dlv anchor file. 627.TP 628.B dlv\-anchor: \fI<"Resource Record"> 629Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline. 630.TP 631.B domain\-insecure: \fI<domain name> 632Sets domain name to be insecure, DNSSEC chain of trust is ignored towards 633the domain name. So a trust anchor above the domain name can not make the 634domain secure with a DS record, such a DS record is then ignored. 635Also keys from DLV are ignored for the domain. Can be given multiple times 636to specify multiple domains that are treated as if unsigned. If you set 637trust anchors for the domain they override this setting (and the domain 638is secured). 639.IP 640This can be useful if you want to make sure a trust anchor for external 641lookups does not affect an (unsigned) internal domain. A DS record 642externally can create validation failures for that internal domain. 643.TP 644.B val\-override\-date: \fI<rrsig\-style date spec> 645Default is "" or "0", which disables this debugging feature. If enabled by 646giving a RRSIG style date, that date is used for verifying RRSIG inception 647and expiration dates, instead of the current date. Do not set this unless 648you are debugging signature inception and expiration. The value \-1 ignores 649the date altogether, useful for some special applications. 650.TP 651.B val\-sig\-skew\-min: \fI<seconds> 652Minimum number of seconds of clock skew to apply to validated signatures. 653A value of 10% of the signature lifetime (expiration \- inception) is 654used, capped by this setting. Default is 3600 (1 hour) which allows for 655daylight savings differences. Lower this value for more strict checking 656of short lived signatures. 657.TP 658.B val\-sig\-skew\-max: \fI<seconds> 659Maximum number of seconds of clock skew to apply to validated signatures. 660A value of 10% of the signature lifetime (expiration \- inception) 661is used, capped by this setting. Default is 86400 (24 hours) which 662allows for timezone setting problems in stable domains. Setting both 663min and max very low disables the clock skew allowances. Setting both 664min and max very high makes the validator check the signature timestamps 665less strictly. 666.TP 667.B val\-bogus\-ttl: \fI<number> 668The time to live for bogus data. This is data that has failed validation; 669due to invalid signatures or other checks. The TTL from that data cannot be 670trusted, and this value is used instead. The value is in seconds, default 60. 671The time interval prevents repeated revalidation of bogus data. 672.TP 673.B val\-clean\-additional: \fI<yes or no> 674Instruct the validator to remove data from the additional section of secure 675messages that are not signed properly. Messages that are insecure, bogus, 676indeterminate or unchecked are not affected. Default is yes. Use this setting 677to protect the users that rely on this validator for authentication from 678protentially bad data in the additional section. 679.TP 680.B val\-log\-level: \fI<number> 681Have the validator print validation failures to the log. Regardless of 682the verbosity setting. Default is 0, off. At 1, for every user query 683that fails a line is printed to the logs. This way you can monitor what 684happens with validation. Use a diagnosis tool, such as dig or drill, 685to find out why validation is failing for these queries. At 2, not only 686the query that failed is printed but also the reason why unbound thought 687it was wrong and which server sent the faulty data. 688.TP 689.B val\-permissive\-mode: \fI<yes or no> 690Instruct the validator to mark bogus messages as indeterminate. The security 691checks are performed, but if the result is bogus (failed security), the 692reply is not withheld from the client with SERVFAIL as usual. The client 693receives the bogus data. For messages that are found to be secure the AD bit 694is set in replies. Also logging is performed as for full validation. 695The default value is "no". 696.TP 697.B ignore\-cd\-flag: \fI<yes or no> 698Instruct unbound to ignore the CD flag from clients and refuse to 699return bogus answers to them. Thus, the CD (Checking Disabled) flag 700does not disable checking any more. This is useful if legacy (w2008) 701servers that set the CD flag but cannot validate DNSSEC themselves are 702the clients, and then unbound provides them with DNSSEC protection. 703The default value is "no". 704.TP 705.B val\-nsec3\-keysize\-iterations: \fI<"list of values"> 706List of keysize and iteration count values, separated by spaces, surrounded 707by quotes. Default is "1024 150 2048 500 4096 2500". This determines the 708maximum allowed NSEC3 iteration count before a message is simply marked 709insecure instead of performing the many hashing iterations. The list must 710be in ascending order and have at least one entry. If you set it to 711"1024 65535" there is no restriction to NSEC3 iteration values. 712This table must be kept short; a very long list could cause slower operation. 713.TP 714.B add\-holddown: \fI<seconds> 715Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011 716autotrust updates to add new trust anchors only after they have been 717visible for this time. Default is 30 days as per the RFC. 718.TP 719.B del\-holddown: \fI<seconds> 720Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011 721autotrust updates to remove revoked trust anchors after they have been 722kept in the revoked list for this long. Default is 30 days as per 723the RFC. 724.TP 725.B keep\-missing: \fI<seconds> 726Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011 727autotrust updates to remove missing trust anchors after they have been 728unseen for this long. This cleans up the state file if the target zone 729does not perform trust anchor revocation, so this makes the auto probe 730mechanism work with zones that perform regular (non\-5011) rollovers. 731The default is 366 days. The value 0 does not remove missing anchors, 732as per the RFC. 733.TP 734.B key\-cache\-size: \fI<number> 735Number of bytes size of the key cache. Default is 4 megabytes. 736A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes 737or gigabytes (1024*1024 bytes in a megabyte). 738.TP 739.B key\-cache\-slabs: \fI<number> 740Number of slabs in the key cache. Slabs reduce lock contention by threads. 741Must be set to a power of 2. Setting (close) to the number of cpus is a 742reasonable guess. 743.TP 744.B neg\-cache\-size: \fI<number> 745Number of bytes size of the aggressive negative cache. Default is 1 megabyte. 746A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes 747or gigabytes (1024*1024 bytes in a megabyte). 748.TP
| 528below another name that is already known to be nxdomain. DNSSEC mandates 529noerror for empty nonterminals, hence this is possible. Very old software 530might return nxdomain for empty nonterminals (that usually happen for reverse 531IP address lookups), and thus may be incompatible with this. To try to avoid 532this only DNSSEC-secure nxdomains are used, because the old software does not 533have DNSSEC. Default is off. 534.TP 535.B harden\-referral\-path: \fI<yes or no> 536Harden the referral path by performing additional queries for 537infrastructure data. Validates the replies if trust anchors are configured 538and the zones are signed. This enforces DNSSEC validation on nameserver 539NS sets and the nameserver addresses that are encountered on the referral 540path to the answer. 541Default off, because it burdens the authority servers, and it is 542not RFC standard, and could lead to performance problems because of the 543extra query load that is generated. Experimental option. 544If you enable it consider adding more numbers after the target\-fetch\-policy 545to increase the max depth that is checked to. 546.TP 547.B use\-caps\-for\-id: \fI<yes or no> 548Use 0x20\-encoded random bits in the query to foil spoof attempts. 549This perturbs the lowercase and uppercase of query names sent to 550authority servers and checks if the reply still has the correct casing. 551Disabled by default. 552This feature is an experimental implementation of draft dns\-0x20. 553.TP 554.B private\-address: \fI<IP address or subnet> 555Give IPv4 of IPv6 addresses or classless subnets. These are addresses 556on your private network, and are not allowed to be returned for public 557internet names. Any occurence of such addresses are removed from 558DNS answers. Additionally, the DNSSEC validator may mark the answers 559bogus. This protects against so\-called DNS Rebinding, where a user browser 560is turned into a network proxy, allowing remote access through the browser 561to other parts of your private network. Some names can be allowed to 562contain your private addresses, by default all the \fBlocal\-data\fR 563that you configured is allowed to, and you can specify additional 564names using \fBprivate\-domain\fR. No private addresses are enabled 565by default. We consider to enable this for the RFC1918 private IP 566address space by default in later releases. That would enable private 567addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 568fd00::/8 and fe80::/10, since the RFC standards say these addresses 569should not be visible on the public internet. Turning on 127.0.0.0/8 570would hinder many spamblocklists as they use that. 571.TP 572.B private\-domain: \fI<domain name> 573Allow this domain, and all its subdomains to contain private addresses. 574Give multiple times to allow multiple domain names to contain private 575addresses. Default is none. 576.TP 577.B unwanted\-reply\-threshold: \fI<number> 578If set, a total number of unwanted replies is kept track of in every thread. 579When it reaches the threshold, a defensive action is taken and a warning 580is printed to the log. The defensive action is to clear the rrset and 581message caches, hopefully flushing away any poison. A value of 10 million 582is suggested. Default is 0 (turned off). 583.TP 584.B do\-not\-query\-address: \fI<IP address> 585Do not query the given IP address. Can be IP4 or IP6. Append /num to 586indicate a classless delegation netblock, for example like 58710.2.3.4/24 or 2001::11/64. 588.TP 589.B do\-not\-query\-localhost: \fI<yes or no> 590If yes, localhost is added to the do\-not\-query\-address entries, both 591IP6 ::1 and IP4 127.0.0.1/8. If no, then localhost can be used to send 592queries to. Default is yes. 593.TP 594.B prefetch: \fI<yes or no> 595If yes, message cache elements are prefetched before they expire to 596keep the cache up to date. Default is no. Turning it on gives about 59710 percent more traffic and load on the machine, but popular items do 598not expire from the cache. 599.TP 600.B prefetch-key: \fI<yes or no> 601If yes, fetch the DNSKEYs earlier in the validation process, when a DS 602record is encountered. This lowers the latency of requests. It does use 603a little more CPU. Also if the cache is set to 0, it is no use. Default is no. 604.TP 605.B rrset-roundrobin: \fI<yes or no> 606If yes, Unbound rotates RRSet order in response (the random number is taken 607from the query ID, for speed and thread safety). Default is no. 608.TP 609.B minimal-responses: \fI<yes or no> 610If yes, Unbound doesn't insert authority/additional sections into response 611messages when those sections are not required. This reduces response 612size significantly, and may avoid TCP fallback for some responses. 613This may cause a slight speedup. The default is no, because the DNS 614protocol RFCs mandate these sections, and the additional content could 615be of use and save roundtrips for clients. 616.TP 617.B module\-config: \fI<"module names"> 618Module configuration, a list of module names separated by spaces, surround 619the string with quotes (""). The modules can be validator, iterator. 620Setting this to "iterator" will result in a non\-validating server. 621Setting this to "validator iterator" will turn on DNSSEC validation. 622The ordering of the modules is important. 623You must also set trust\-anchors for validation to be useful. 624.TP 625.B trust\-anchor\-file: \fI<filename> 626File with trusted keys for validation. Both DS and DNSKEY entries can appear 627in the file. The format of the file is the standard DNS Zone file format. 628Default is "", or no trust anchor file. 629.TP 630.B auto\-trust\-anchor\-file: \fI<filename> 631File with trust anchor for one zone, which is tracked with RFC5011 probes. 632The probes are several times per month, thus the machine must be online 633frequently. The initial file can be one with contents as described in 634\fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated, 635so the unbound user must have write permission. 636.TP 637.B trust\-anchor: \fI<"Resource Record"> 638A DS or DNSKEY RR for a key to use for validation. Multiple entries can be 639given to specify multiple trusted keys, in addition to the trust\-anchor\-files. 640The resource record is entered in the same format as 'dig' or 'drill' prints 641them, the same format as in the zone file. Has to be on a single line, with 642"" around it. A TTL can be specified for ease of cut and paste, but is ignored. 643A class can be specified, but class IN is default. 644.TP 645.B trusted\-keys\-file: \fI<filename> 646File with trusted keys for validation. Specify more than one file 647with several entries, one file per entry. Like \fBtrust\-anchor\-file\fR 648but has a different file format. Format is BIND\-9 style format, 649the trusted\-keys { name flag proto algo "key"; }; clauses are read. 650It is possible to use wildcards with this statement, the wildcard is 651expanded on start and on reload. 652.TP 653.B dlv\-anchor\-file: \fI<filename> 654File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and 655DNSKEY entries can be used in the file, in the same format as for 656\fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more 657would be slow. The DLV configured is used as a root trusted DLV, this 658means that it is a lookaside for the root. Default is "", or no dlv anchor file. 659.TP 660.B dlv\-anchor: \fI<"Resource Record"> 661Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline. 662.TP 663.B domain\-insecure: \fI<domain name> 664Sets domain name to be insecure, DNSSEC chain of trust is ignored towards 665the domain name. So a trust anchor above the domain name can not make the 666domain secure with a DS record, such a DS record is then ignored. 667Also keys from DLV are ignored for the domain. Can be given multiple times 668to specify multiple domains that are treated as if unsigned. If you set 669trust anchors for the domain they override this setting (and the domain 670is secured). 671.IP 672This can be useful if you want to make sure a trust anchor for external 673lookups does not affect an (unsigned) internal domain. A DS record 674externally can create validation failures for that internal domain. 675.TP 676.B val\-override\-date: \fI<rrsig\-style date spec> 677Default is "" or "0", which disables this debugging feature. If enabled by 678giving a RRSIG style date, that date is used for verifying RRSIG inception 679and expiration dates, instead of the current date. Do not set this unless 680you are debugging signature inception and expiration. The value \-1 ignores 681the date altogether, useful for some special applications. 682.TP 683.B val\-sig\-skew\-min: \fI<seconds> 684Minimum number of seconds of clock skew to apply to validated signatures. 685A value of 10% of the signature lifetime (expiration \- inception) is 686used, capped by this setting. Default is 3600 (1 hour) which allows for 687daylight savings differences. Lower this value for more strict checking 688of short lived signatures. 689.TP 690.B val\-sig\-skew\-max: \fI<seconds> 691Maximum number of seconds of clock skew to apply to validated signatures. 692A value of 10% of the signature lifetime (expiration \- inception) 693is used, capped by this setting. Default is 86400 (24 hours) which 694allows for timezone setting problems in stable domains. Setting both 695min and max very low disables the clock skew allowances. Setting both 696min and max very high makes the validator check the signature timestamps 697less strictly. 698.TP 699.B val\-bogus\-ttl: \fI<number> 700The time to live for bogus data. This is data that has failed validation; 701due to invalid signatures or other checks. The TTL from that data cannot be 702trusted, and this value is used instead. The value is in seconds, default 60. 703The time interval prevents repeated revalidation of bogus data. 704.TP 705.B val\-clean\-additional: \fI<yes or no> 706Instruct the validator to remove data from the additional section of secure 707messages that are not signed properly. Messages that are insecure, bogus, 708indeterminate or unchecked are not affected. Default is yes. Use this setting 709to protect the users that rely on this validator for authentication from 710protentially bad data in the additional section. 711.TP 712.B val\-log\-level: \fI<number> 713Have the validator print validation failures to the log. Regardless of 714the verbosity setting. Default is 0, off. At 1, for every user query 715that fails a line is printed to the logs. This way you can monitor what 716happens with validation. Use a diagnosis tool, such as dig or drill, 717to find out why validation is failing for these queries. At 2, not only 718the query that failed is printed but also the reason why unbound thought 719it was wrong and which server sent the faulty data. 720.TP 721.B val\-permissive\-mode: \fI<yes or no> 722Instruct the validator to mark bogus messages as indeterminate. The security 723checks are performed, but if the result is bogus (failed security), the 724reply is not withheld from the client with SERVFAIL as usual. The client 725receives the bogus data. For messages that are found to be secure the AD bit 726is set in replies. Also logging is performed as for full validation. 727The default value is "no". 728.TP 729.B ignore\-cd\-flag: \fI<yes or no> 730Instruct unbound to ignore the CD flag from clients and refuse to 731return bogus answers to them. Thus, the CD (Checking Disabled) flag 732does not disable checking any more. This is useful if legacy (w2008) 733servers that set the CD flag but cannot validate DNSSEC themselves are 734the clients, and then unbound provides them with DNSSEC protection. 735The default value is "no". 736.TP 737.B val\-nsec3\-keysize\-iterations: \fI<"list of values"> 738List of keysize and iteration count values, separated by spaces, surrounded 739by quotes. Default is "1024 150 2048 500 4096 2500". This determines the 740maximum allowed NSEC3 iteration count before a message is simply marked 741insecure instead of performing the many hashing iterations. The list must 742be in ascending order and have at least one entry. If you set it to 743"1024 65535" there is no restriction to NSEC3 iteration values. 744This table must be kept short; a very long list could cause slower operation. 745.TP 746.B add\-holddown: \fI<seconds> 747Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011 748autotrust updates to add new trust anchors only after they have been 749visible for this time. Default is 30 days as per the RFC. 750.TP 751.B del\-holddown: \fI<seconds> 752Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011 753autotrust updates to remove revoked trust anchors after they have been 754kept in the revoked list for this long. Default is 30 days as per 755the RFC. 756.TP 757.B keep\-missing: \fI<seconds> 758Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011 759autotrust updates to remove missing trust anchors after they have been 760unseen for this long. This cleans up the state file if the target zone 761does not perform trust anchor revocation, so this makes the auto probe 762mechanism work with zones that perform regular (non\-5011) rollovers. 763The default is 366 days. The value 0 does not remove missing anchors, 764as per the RFC. 765.TP 766.B key\-cache\-size: \fI<number> 767Number of bytes size of the key cache. Default is 4 megabytes. 768A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes 769or gigabytes (1024*1024 bytes in a megabyte). 770.TP 771.B key\-cache\-slabs: \fI<number> 772Number of slabs in the key cache. Slabs reduce lock contention by threads. 773Must be set to a power of 2. Setting (close) to the number of cpus is a 774reasonable guess. 775.TP 776.B neg\-cache\-size: \fI<number> 777Number of bytes size of the aggressive negative cache. Default is 1 megabyte. 778A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes 779or gigabytes (1024*1024 bytes in a megabyte). 780.TP
|
| 781.B unblock\-lan\-zones: \fI<yesno> 782Default is disabled. If enabled, then for private address space, 783the reverse lookups are no longer filtered. This allows unbound when 784running as dns service on a host where it provides service for that host, 785to put out all of the queries for the 'lan' upstream. When enabled, 786only localhost, 127.0.0.1 reverse and ::1 reverse zones are configured 787with default local zones. Disable the option when unbound is running 788as a (DHCP-) DNS network resolver for a group of machines, where such 789lookups should be filtered (RFC compliance), this also stops potential 790data leakage about the local network to the upstream DNS servers. 791.TP
|
749.B local\-zone: \fI<zone> <type> 750Configure a local zone. The type determines the answer to give if 751there is no match from local\-data. The types are deny, refuse, static, 752transparent, redirect, nodefault, typetransparent, and are explained 753below. After that the default settings are listed. Use local\-data: to 754enter data into the local zone. Answers for local zones are authoritative 755DNS answers. By default the zones are class IN. 756.IP 757If you need more complicated authoritative data, with referrals, wildcards, 758CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for 759it as detailed in the stub zone section below. 760.TP 10 761\h'5'\fIdeny\fR 762Do not send an answer, drop the query. 763If there is a match from local data, the query is answered. 764.TP 10 765\h'5'\fIrefuse\fR 766Send an error message reply, with rcode REFUSED. 767If there is a match from local data, the query is answered. 768.TP 10 769\h'5'\fIstatic\fR 770If there is a match from local data, the query is answered. 771Otherwise, the query is answered with nodata or nxdomain. 772For a negative answer a SOA is included in the answer if present 773as local\-data for the zone apex domain. 774.TP 10 775\h'5'\fItransparent\fR 776If there is a match from local data, the query is answered. 777Otherwise if the query has a different name, the query is resolved normally. 778If the query is for a name given in localdata but no such type of data is 779given in localdata, then a noerror nodata answer is returned. 780If no local\-zone is given local\-data causes a transparent zone 781to be created by default. 782.TP 10 783\h'5'\fItypetransparent\fR 784If there is a match from local data, the query is answered. If the query 785is for a different name, or for the same name but for a different type, 786the query is resolved normally. So, similar to transparent but types 787that are not listed in local data are resolved normally, so if an A record 788is in the local data that does not cause a nodata reply for AAAA queries. 789.TP 10 790\h'5'\fIredirect\fR 791The query is answered from the local data for the zone name. 792There may be no local data beneath the zone name. 793This answers queries for the zone, and all subdomains of the zone 794with the local data for the zone. 795It can be used to redirect a domain to return a different address record 796to the end user, with 797local\-zone: "example.com." redirect and 798local\-data: "example.com. A 127.0.0.1" 799queries for www.example.com and www.foo.example.com are redirected, so 800that users with web browsers cannot access sites with suffix example.com. 801.TP 10 802\h'5'\fInodefault\fR 803Used to turn off default contents for AS112 zones. The other types 804also turn off default contents for the zone. The 'nodefault' option 805has no other effect than turning off default contents for the 806given zone. 807.P 808The default zones are localhost, reverse 127.0.0.1 and ::1, and the AS112 809zones. The AS112 zones are reverse DNS zones for private use and reserved 810IP addresses for which the servers on the internet cannot provide correct 811answers. They are configured by default to give nxdomain (no reverse 812information) answers. The defaults can be turned off by specifying your 813own local\-zone of that name, or using the 'nodefault' type. Below is a 814list of the default zone contents. 815.TP 10 816\h'5'\fIlocalhost\fR 817The IP4 and IP6 localhost information is given. NS and SOA records are provided 818for completeness and to satisfy some DNS update tools. Default content: 819.nf 820local\-zone: "localhost." static 821local\-data: "localhost. 10800 IN NS localhost." 822local\-data: "localhost. 10800 IN 823 SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" 824local\-data: "localhost. 10800 IN A 127.0.0.1" 825local\-data: "localhost. 10800 IN AAAA ::1" 826.fi 827.TP 10 828\h'5'\fIreverse IPv4 loopback\fR 829Default content: 830.nf 831local\-zone: "127.in\-addr.arpa." static 832local\-data: "127.in\-addr.arpa. 10800 IN NS localhost." 833local\-data: "127.in\-addr.arpa. 10800 IN 834 SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" 835local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN 836 PTR localhost." 837.fi 838.TP 10 839\h'5'\fIreverse IPv6 loopback\fR 840Default content: 841.nf 842local\-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. 843 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." static 844local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. 845 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN 846 NS localhost." 847local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. 848 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN 849 SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" 850local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. 851 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN 852 PTR localhost." 853.fi 854.TP 10 855\h'5'\fIreverse RFC1918 local use zones\fR 856Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to 85731.172.in\-addr.arpa, 168.192.in\-addr.arpa. 858The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS 859records are provided. 860.TP 10 861\h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR 862Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa, 8632.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2), 864113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa. 865.TP 10 866\h'5'\fIreverse RFC4291 IP6 unspecified\fR 867Reverse data for zone 868.nf 8690.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. 8700.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 871.fi 872.TP 10 873\h'5'\fIreverse RFC4193 IPv6 Locally Assigned Local Addresses\fR 874Reverse data for zone D.F.ip6.arpa. 875.TP 10 876\h'5'\fIreverse RFC4291 IPv6 Link Local Addresses\fR 877Reverse data for zones 8.E.F.ip6.arpa to B.E.F.ip6.arpa. 878.TP 10 879\h'5'\fIreverse IPv6 Example Prefix\fR 880Reverse data for zone 8.B.D.0.1.0.0.2.ip6.arpa. This zone is used for 881tutorials and examples. You can remove the block on this zone with: 882.nf 883 local\-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault 884.fi 885You can also selectively unblock a part of the zone by making that part 886transparent with a local\-zone statement. 887This also works with the other default zones. 888.\" End of local-zone listing. 889.TP 5 890.B local\-data: \fI"<resource record string>" 891Configure local data, which is served in reply to queries for it. 892The query has to match exactly unless you configure the local\-zone as 893redirect. If not matched exactly, the local\-zone type determines 894further processing. If local\-data is configured that is not a subdomain of 895a local\-zone, a transparent local\-zone is configured. 896For record types such as TXT, use single quotes, as in 897local\-data: 'example. TXT "text"'. 898.IP 899If you need more complicated authoritative data, with referrals, wildcards, 900CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for 901it as detailed in the stub zone section below. 902.TP 5 903.B local\-data\-ptr: \fI"IPaddr name" 904Configure local data shorthand for a PTR record with the reversed IPv4 or 905IPv6 address and the host name. For example "192.0.2.4 www.example.com". 906TTL can be inserted like this: "2001:DB8::4 7200 www.example.com" 907.SS "Remote Control Options" 908In the 909.B remote\-control: 910clause are the declarations for the remote control facility. If this is 911enabled, the \fIunbound\-control\fR(8) utility can be used to send 912commands to the running unbound server. The server uses these clauses 913to setup SSLv3 / TLSv1 security for the connection. The 914\fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR 915section for options. To setup the correct self\-signed certificates use the 916\fIunbound\-control\-setup\fR(8) utility. 917.TP 5 918.B control\-enable: \fI<yes or no> 919The option is used to enable remote control, default is "no". 920If turned off, the server does not listen for control commands. 921.TP 5 922.B control\-interface: <ip address> 923Give IPv4 or IPv6 addresses to listen on for control commands. 924By default localhost (127.0.0.1 and ::1) is listened to. 925Use 0.0.0.0 and ::0 to listen to all interfaces. 926.TP 5 927.B control\-port: <port number> 928The port number to listen on for control commands, default is 8953. 929If you change this port number, and permissions have been dropped, 930a reload is not sufficient to open the port again, you must then restart. 931.TP 5 932.B server\-key\-file: "<private key file>" 933Path to the server private key, by default unbound_server.key. 934This file is generated by the \fIunbound\-control\-setup\fR utility. 935This file is used by the unbound server, but not by \fIunbound\-control\fR. 936.TP 5 937.B server\-cert\-file: "<certificate file.pem>" 938Path to the server self signed certificate, by default unbound_server.pem. 939This file is generated by the \fIunbound\-control\-setup\fR utility. 940This file is used by the unbound server, and also by \fIunbound\-control\fR. 941.TP 5 942.B control\-key\-file: "<private key file>" 943Path to the control client private key, by default unbound_control.key. 944This file is generated by the \fIunbound\-control\-setup\fR utility. 945This file is used by \fIunbound\-control\fR. 946.TP 5 947.B control\-cert\-file: "<certificate file.pem>" 948Path to the control client certificate, by default unbound_control.pem. 949This certificate has to be signed with the server certificate. 950This file is generated by the \fIunbound\-control\-setup\fR utility. 951This file is used by \fIunbound\-control\fR. 952.SS "Stub Zone Options" 953.LP 954There may be multiple 955.B stub\-zone: 956clauses. Each with a name: and zero or more hostnames or IP addresses. 957For the stub zone this list of nameservers is used. Class IN is assumed. 958The servers should be authority servers, not recursors; unbound performs 959the recursive processing itself for stub zones. 960.P 961The stub zone can be used to configure authoritative data to be used 962by the resolver that cannot be accessed using the public internet servers. 963This is useful for company\-local data or private zones. Setup an 964authoritative server on a different host (or different port). Enter a config 965entry for unbound with 966.B stub\-addr: 967<ip address of host[@port]>. 968The unbound resolver can then access the data, without referring to the 969public internet for it. 970.P 971This setup allows DNSSEC signed zones to be served by that 972authoritative server, in which case a trusted key entry with the public key 973can be put in config, so that unbound can validate the data and set the AD 974bit on replies for the private zone (authoritative servers do not set the 975AD bit). This setup makes unbound capable of answering queries for the 976private zone, and can even set the AD bit ('authentic'), but the AA 977('authoritative') bit is not set on these replies. 978.TP 979.B name: \fI<domain name> 980Name of the stub zone. 981.TP 982.B stub\-host: \fI<domain name> 983Name of stub zone nameserver. Is itself resolved before it is used. 984.TP 985.B stub\-addr: \fI<IP address> 986IP address of stub zone nameserver. Can be IP 4 or IP 6. 987To use a nondefault port for DNS communication append '@' with the port number. 988.TP 989.B stub\-prime: \fI<yes or no> 990This option is by default off. If enabled it performs NS set priming, 991which is similar to root hints, where it starts using the list of nameservers 992currently published by the zone. Thus, if the hint list is slightly outdated, 993the resolver picks up a correct list online. 994.TP 995.B stub\-first: \fI<yes or no> 996If enabled, a query is attempted without the stub clause if it fails. 997The data could not be retrieved and would have caused SERVFAIL because 998the servers are unreachable, instead it is tried without this clause. 999The default is no. 1000.SS "Forward Zone Options" 1001.LP 1002There may be multiple 1003.B forward\-zone: 1004clauses. Each with a \fBname:\fR and zero or more hostnames or IP 1005addresses. For the forward zone this list of nameservers is used to 1006forward the queries to. The servers listed as \fBforward\-host:\fR and 1007\fBforward\-addr:\fR have to handle further recursion for the query. Thus, 1008those servers are not authority servers, but are (just like unbound is) 1009recursive servers too; unbound does not perform recursion itself for the 1010forward zone, it lets the remote server do it. Class IN is assumed. 1011A forward\-zone entry with name "." and a forward\-addr target will 1012forward all queries to that other server (unless it can answer from 1013the cache). 1014.TP 1015.B name: \fI<domain name> 1016Name of the forward zone. 1017.TP 1018.B forward\-host: \fI<domain name> 1019Name of server to forward to. Is itself resolved before it is used. 1020.TP 1021.B forward\-addr: \fI<IP address> 1022IP address of server to forward to. Can be IP 4 or IP 6. 1023To use a nondefault port for DNS communication append '@' with the port number. 1024.TP 1025.B forward\-first: \fI<yes or no> 1026If enabled, a query is attempted without the forward clause if it fails. 1027The data could not be retrieved and would have caused SERVFAIL because 1028the servers are unreachable, instead it is tried without this clause. 1029The default is no. 1030.SS "Python Module Options" 1031.LP 1032The 1033.B python: 1034clause gives the settings for the \fIpython\fR(1) script module. This module 1035acts like the iterator and validator modules do, on queries and answers. 1036To enable the script module it has to be compiled into the daemon, 1037and the word "python" has to be put in the \fBmodule\-config:\fR option 1038(usually first, or between the validator and iterator). 1039.TP 1040.B python\-script: \fI<python file>\fR 1041The script file to load. 1042.SH "MEMORY CONTROL EXAMPLE" 1043In the example config settings below memory usage is reduced. Some service 1044levels are lower, notable very large data and a high TCP load are no longer 1045supported. Very large data and high TCP loads are exceptional for the DNS. 1046DNSSEC validation is enabled, just add trust anchors. 1047If you do not have to worry about programs using more than 3 Mb of memory, 1048the below example is not for you. Use the defaults to receive full service, 1049which on BSD\-32bit tops out at 30\-40 Mb after heavy usage. 1050.P 1051.nf 1052# example settings that reduce memory usage 1053server: 1054 num\-threads: 1 1055 outgoing\-num\-tcp: 1 # this limits TCP service, uses less buffers. 1056 incoming\-num\-tcp: 1 1057 outgoing\-range: 60 # uses less memory, but less performance. 1058 msg\-buffer\-size: 8192 # note this limits service, 'no huge stuff'. 1059 msg\-cache\-size: 100k 1060 msg\-cache\-slabs: 1 1061 rrset\-cache\-size: 100k 1062 rrset\-cache\-slabs: 1 1063 infra\-cache\-numhosts: 200 1064 infra\-cache\-slabs: 1 1065 key\-cache\-size: 100k 1066 key\-cache\-slabs: 1 1067 neg\-cache\-size: 10k 1068 num\-queries\-per\-thread: 30 1069 target\-fetch\-policy: "2 1 0 0 0 0" 1070 harden\-large\-queries: "yes" 1071 harden\-short\-bufsize: "yes" 1072.fi 1073.SH "FILES" 1074.TP 1075.I /var/unbound 1076default unbound working directory. 1077.TP 1078.I /var/unbound 1079default 1080\fIchroot\fR(2) 1081location. 1082.TP 1083.I /var/unbound/unbound.conf 1084unbound configuration file. 1085.TP 1086.I /var/unbound/unbound.pid 1087default unbound pidfile with process ID of the running daemon. 1088.TP 1089.I unbound.log 1090unbound log file. default is to log to 1091\fIsyslog\fR(3). 1092.SH "SEE ALSO" 1093\fIunbound\fR(8), 1094\fIunbound\-checkconf\fR(8). 1095.SH "AUTHORS" 1096.B Unbound 1097was written by NLnet Labs. Please see CREDITS file 1098in the distribution for further details.
| 792.B local\-zone: \fI<zone> <type> 793Configure a local zone. The type determines the answer to give if 794there is no match from local\-data. The types are deny, refuse, static, 795transparent, redirect, nodefault, typetransparent, and are explained 796below. After that the default settings are listed. Use local\-data: to 797enter data into the local zone. Answers for local zones are authoritative 798DNS answers. By default the zones are class IN. 799.IP 800If you need more complicated authoritative data, with referrals, wildcards, 801CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for 802it as detailed in the stub zone section below. 803.TP 10 804\h'5'\fIdeny\fR 805Do not send an answer, drop the query. 806If there is a match from local data, the query is answered. 807.TP 10 808\h'5'\fIrefuse\fR 809Send an error message reply, with rcode REFUSED. 810If there is a match from local data, the query is answered. 811.TP 10 812\h'5'\fIstatic\fR 813If there is a match from local data, the query is answered. 814Otherwise, the query is answered with nodata or nxdomain. 815For a negative answer a SOA is included in the answer if present 816as local\-data for the zone apex domain. 817.TP 10 818\h'5'\fItransparent\fR 819If there is a match from local data, the query is answered. 820Otherwise if the query has a different name, the query is resolved normally. 821If the query is for a name given in localdata but no such type of data is 822given in localdata, then a noerror nodata answer is returned. 823If no local\-zone is given local\-data causes a transparent zone 824to be created by default. 825.TP 10 826\h'5'\fItypetransparent\fR 827If there is a match from local data, the query is answered. If the query 828is for a different name, or for the same name but for a different type, 829the query is resolved normally. So, similar to transparent but types 830that are not listed in local data are resolved normally, so if an A record 831is in the local data that does not cause a nodata reply for AAAA queries. 832.TP 10 833\h'5'\fIredirect\fR 834The query is answered from the local data for the zone name. 835There may be no local data beneath the zone name. 836This answers queries for the zone, and all subdomains of the zone 837with the local data for the zone. 838It can be used to redirect a domain to return a different address record 839to the end user, with 840local\-zone: "example.com." redirect and 841local\-data: "example.com. A 127.0.0.1" 842queries for www.example.com and www.foo.example.com are redirected, so 843that users with web browsers cannot access sites with suffix example.com. 844.TP 10 845\h'5'\fInodefault\fR 846Used to turn off default contents for AS112 zones. The other types 847also turn off default contents for the zone. The 'nodefault' option 848has no other effect than turning off default contents for the 849given zone. 850.P 851The default zones are localhost, reverse 127.0.0.1 and ::1, and the AS112 852zones. The AS112 zones are reverse DNS zones for private use and reserved 853IP addresses for which the servers on the internet cannot provide correct 854answers. They are configured by default to give nxdomain (no reverse 855information) answers. The defaults can be turned off by specifying your 856own local\-zone of that name, or using the 'nodefault' type. Below is a 857list of the default zone contents. 858.TP 10 859\h'5'\fIlocalhost\fR 860The IP4 and IP6 localhost information is given. NS and SOA records are provided 861for completeness and to satisfy some DNS update tools. Default content: 862.nf 863local\-zone: "localhost." static 864local\-data: "localhost. 10800 IN NS localhost." 865local\-data: "localhost. 10800 IN 866 SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" 867local\-data: "localhost. 10800 IN A 127.0.0.1" 868local\-data: "localhost. 10800 IN AAAA ::1" 869.fi 870.TP 10 871\h'5'\fIreverse IPv4 loopback\fR 872Default content: 873.nf 874local\-zone: "127.in\-addr.arpa." static 875local\-data: "127.in\-addr.arpa. 10800 IN NS localhost." 876local\-data: "127.in\-addr.arpa. 10800 IN 877 SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" 878local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN 879 PTR localhost." 880.fi 881.TP 10 882\h'5'\fIreverse IPv6 loopback\fR 883Default content: 884.nf 885local\-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. 886 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." static 887local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. 888 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN 889 NS localhost." 890local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. 891 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN 892 SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" 893local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. 894 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN 895 PTR localhost." 896.fi 897.TP 10 898\h'5'\fIreverse RFC1918 local use zones\fR 899Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to 90031.172.in\-addr.arpa, 168.192.in\-addr.arpa. 901The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS 902records are provided. 903.TP 10 904\h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR 905Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa, 9062.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2), 907113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa. 908.TP 10 909\h'5'\fIreverse RFC4291 IP6 unspecified\fR 910Reverse data for zone 911.nf 9120.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. 9130.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 914.fi 915.TP 10 916\h'5'\fIreverse RFC4193 IPv6 Locally Assigned Local Addresses\fR 917Reverse data for zone D.F.ip6.arpa. 918.TP 10 919\h'5'\fIreverse RFC4291 IPv6 Link Local Addresses\fR 920Reverse data for zones 8.E.F.ip6.arpa to B.E.F.ip6.arpa. 921.TP 10 922\h'5'\fIreverse IPv6 Example Prefix\fR 923Reverse data for zone 8.B.D.0.1.0.0.2.ip6.arpa. This zone is used for 924tutorials and examples. You can remove the block on this zone with: 925.nf 926 local\-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault 927.fi 928You can also selectively unblock a part of the zone by making that part 929transparent with a local\-zone statement. 930This also works with the other default zones. 931.\" End of local-zone listing. 932.TP 5 933.B local\-data: \fI"<resource record string>" 934Configure local data, which is served in reply to queries for it. 935The query has to match exactly unless you configure the local\-zone as 936redirect. If not matched exactly, the local\-zone type determines 937further processing. If local\-data is configured that is not a subdomain of 938a local\-zone, a transparent local\-zone is configured. 939For record types such as TXT, use single quotes, as in 940local\-data: 'example. TXT "text"'. 941.IP 942If you need more complicated authoritative data, with referrals, wildcards, 943CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for 944it as detailed in the stub zone section below. 945.TP 5 946.B local\-data\-ptr: \fI"IPaddr name" 947Configure local data shorthand for a PTR record with the reversed IPv4 or 948IPv6 address and the host name. For example "192.0.2.4 www.example.com". 949TTL can be inserted like this: "2001:DB8::4 7200 www.example.com" 950.SS "Remote Control Options" 951In the 952.B remote\-control: 953clause are the declarations for the remote control facility. If this is 954enabled, the \fIunbound\-control\fR(8) utility can be used to send 955commands to the running unbound server. The server uses these clauses 956to setup SSLv3 / TLSv1 security for the connection. The 957\fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR 958section for options. To setup the correct self\-signed certificates use the 959\fIunbound\-control\-setup\fR(8) utility. 960.TP 5 961.B control\-enable: \fI<yes or no> 962The option is used to enable remote control, default is "no". 963If turned off, the server does not listen for control commands. 964.TP 5 965.B control\-interface: <ip address> 966Give IPv4 or IPv6 addresses to listen on for control commands. 967By default localhost (127.0.0.1 and ::1) is listened to. 968Use 0.0.0.0 and ::0 to listen to all interfaces. 969.TP 5 970.B control\-port: <port number> 971The port number to listen on for control commands, default is 8953. 972If you change this port number, and permissions have been dropped, 973a reload is not sufficient to open the port again, you must then restart. 974.TP 5 975.B server\-key\-file: "<private key file>" 976Path to the server private key, by default unbound_server.key. 977This file is generated by the \fIunbound\-control\-setup\fR utility. 978This file is used by the unbound server, but not by \fIunbound\-control\fR. 979.TP 5 980.B server\-cert\-file: "<certificate file.pem>" 981Path to the server self signed certificate, by default unbound_server.pem. 982This file is generated by the \fIunbound\-control\-setup\fR utility. 983This file is used by the unbound server, and also by \fIunbound\-control\fR. 984.TP 5 985.B control\-key\-file: "<private key file>" 986Path to the control client private key, by default unbound_control.key. 987This file is generated by the \fIunbound\-control\-setup\fR utility. 988This file is used by \fIunbound\-control\fR. 989.TP 5 990.B control\-cert\-file: "<certificate file.pem>" 991Path to the control client certificate, by default unbound_control.pem. 992This certificate has to be signed with the server certificate. 993This file is generated by the \fIunbound\-control\-setup\fR utility. 994This file is used by \fIunbound\-control\fR. 995.SS "Stub Zone Options" 996.LP 997There may be multiple 998.B stub\-zone: 999clauses. Each with a name: and zero or more hostnames or IP addresses. 1000For the stub zone this list of nameservers is used. Class IN is assumed. 1001The servers should be authority servers, not recursors; unbound performs 1002the recursive processing itself for stub zones. 1003.P 1004The stub zone can be used to configure authoritative data to be used 1005by the resolver that cannot be accessed using the public internet servers. 1006This is useful for company\-local data or private zones. Setup an 1007authoritative server on a different host (or different port). Enter a config 1008entry for unbound with 1009.B stub\-addr: 1010<ip address of host[@port]>. 1011The unbound resolver can then access the data, without referring to the 1012public internet for it. 1013.P 1014This setup allows DNSSEC signed zones to be served by that 1015authoritative server, in which case a trusted key entry with the public key 1016can be put in config, so that unbound can validate the data and set the AD 1017bit on replies for the private zone (authoritative servers do not set the 1018AD bit). This setup makes unbound capable of answering queries for the 1019private zone, and can even set the AD bit ('authentic'), but the AA 1020('authoritative') bit is not set on these replies. 1021.TP 1022.B name: \fI<domain name> 1023Name of the stub zone. 1024.TP 1025.B stub\-host: \fI<domain name> 1026Name of stub zone nameserver. Is itself resolved before it is used. 1027.TP 1028.B stub\-addr: \fI<IP address> 1029IP address of stub zone nameserver. Can be IP 4 or IP 6. 1030To use a nondefault port for DNS communication append '@' with the port number. 1031.TP 1032.B stub\-prime: \fI<yes or no> 1033This option is by default off. If enabled it performs NS set priming, 1034which is similar to root hints, where it starts using the list of nameservers 1035currently published by the zone. Thus, if the hint list is slightly outdated, 1036the resolver picks up a correct list online. 1037.TP 1038.B stub\-first: \fI<yes or no> 1039If enabled, a query is attempted without the stub clause if it fails. 1040The data could not be retrieved and would have caused SERVFAIL because 1041the servers are unreachable, instead it is tried without this clause. 1042The default is no. 1043.SS "Forward Zone Options" 1044.LP 1045There may be multiple 1046.B forward\-zone: 1047clauses. Each with a \fBname:\fR and zero or more hostnames or IP 1048addresses. For the forward zone this list of nameservers is used to 1049forward the queries to. The servers listed as \fBforward\-host:\fR and 1050\fBforward\-addr:\fR have to handle further recursion for the query. Thus, 1051those servers are not authority servers, but are (just like unbound is) 1052recursive servers too; unbound does not perform recursion itself for the 1053forward zone, it lets the remote server do it. Class IN is assumed. 1054A forward\-zone entry with name "." and a forward\-addr target will 1055forward all queries to that other server (unless it can answer from 1056the cache). 1057.TP 1058.B name: \fI<domain name> 1059Name of the forward zone. 1060.TP 1061.B forward\-host: \fI<domain name> 1062Name of server to forward to. Is itself resolved before it is used. 1063.TP 1064.B forward\-addr: \fI<IP address> 1065IP address of server to forward to. Can be IP 4 or IP 6. 1066To use a nondefault port for DNS communication append '@' with the port number. 1067.TP 1068.B forward\-first: \fI<yes or no> 1069If enabled, a query is attempted without the forward clause if it fails. 1070The data could not be retrieved and would have caused SERVFAIL because 1071the servers are unreachable, instead it is tried without this clause. 1072The default is no. 1073.SS "Python Module Options" 1074.LP 1075The 1076.B python: 1077clause gives the settings for the \fIpython\fR(1) script module. This module 1078acts like the iterator and validator modules do, on queries and answers. 1079To enable the script module it has to be compiled into the daemon, 1080and the word "python" has to be put in the \fBmodule\-config:\fR option 1081(usually first, or between the validator and iterator). 1082.TP 1083.B python\-script: \fI<python file>\fR 1084The script file to load. 1085.SH "MEMORY CONTROL EXAMPLE" 1086In the example config settings below memory usage is reduced. Some service 1087levels are lower, notable very large data and a high TCP load are no longer 1088supported. Very large data and high TCP loads are exceptional for the DNS. 1089DNSSEC validation is enabled, just add trust anchors. 1090If you do not have to worry about programs using more than 3 Mb of memory, 1091the below example is not for you. Use the defaults to receive full service, 1092which on BSD\-32bit tops out at 30\-40 Mb after heavy usage. 1093.P 1094.nf 1095# example settings that reduce memory usage 1096server: 1097 num\-threads: 1 1098 outgoing\-num\-tcp: 1 # this limits TCP service, uses less buffers. 1099 incoming\-num\-tcp: 1 1100 outgoing\-range: 60 # uses less memory, but less performance. 1101 msg\-buffer\-size: 8192 # note this limits service, 'no huge stuff'. 1102 msg\-cache\-size: 100k 1103 msg\-cache\-slabs: 1 1104 rrset\-cache\-size: 100k 1105 rrset\-cache\-slabs: 1 1106 infra\-cache\-numhosts: 200 1107 infra\-cache\-slabs: 1 1108 key\-cache\-size: 100k 1109 key\-cache\-slabs: 1 1110 neg\-cache\-size: 10k 1111 num\-queries\-per\-thread: 30 1112 target\-fetch\-policy: "2 1 0 0 0 0" 1113 harden\-large\-queries: "yes" 1114 harden\-short\-bufsize: "yes" 1115.fi 1116.SH "FILES" 1117.TP 1118.I /var/unbound 1119default unbound working directory. 1120.TP 1121.I /var/unbound 1122default 1123\fIchroot\fR(2) 1124location. 1125.TP 1126.I /var/unbound/unbound.conf 1127unbound configuration file. 1128.TP 1129.I /var/unbound/unbound.pid 1130default unbound pidfile with process ID of the running daemon. 1131.TP 1132.I unbound.log 1133unbound log file. default is to log to 1134\fIsyslog\fR(3). 1135.SH "SEE ALSO" 1136\fIunbound\fR(8), 1137\fIunbound\-checkconf\fR(8). 1138.SH "AUTHORS" 1139.B Unbound 1140was written by NLnet Labs. Please see CREDITS file 1141in the distribution for further details.
|