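--- a/example.conf.in	(268839)
+++ b/example.conf.in	(276605)
@@ -1,12 +1,12 @@
 #
 # Example configuration file.
 #
-# See unbound.conf(5) man page, version 1.4.22.
+# See unbound.conf(5) man page, version 1.5.1.
 #
 # this is a comment.
 
 #Use this to include other text into the file.
 #include: "otherfile.conf"
 
 # The server clause sets the main parameters.
 server:
@@ -80,17 +80,17 @@
  # buffer size for UDP port 53 incoming (SO_RCVBUF socket option).
  # 0 is system default. Use 4m to catch query spikes for busy servers.
  # so-rcvbuf: 0
 
  # buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
  # 0 is system default. Use 4m to handle spikes on very busy servers.
  # so-sndbuf: 0
 
- # on Linux(3.9+) use SO_REUSEPORT to distribute queries over threads.
+ # use SO_REUSEPORT to distribute queries over threads.
  # so-reuseport: no
 
  # EDNS reassembly buffer to advertise to UDP peers (the actual buffer
  # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
  # edns-buffer-size: 4096
 
  # Maximum UDP response size (not applied to TCP response).
  # Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
@@ -326,17 +326,17 @@
  # if yes, Unbound rotates RRSet order in response.
  # rrset-roundrobin: no
 
  # if yes, Unbound doesn't insert authority/additional sections
  # into response messages when those sections are not required.
  # minimal-responses: no
 
  # module configuration of the server. A string with identifiers
- # separated by spaces. "iterator" or "validator iterator"
+ # separated by spaces. Syntax: "[dns64] [validator] iterator"
  # module-config: "validator iterator"
 
  # File with trusted keys, kept uptodate using RFC5011 probes,
  # initial file like trust-anchor-file, then it stores metadata.
  # Use several entries, one per domain name, to track multiple zones.
  #
  # If you want to perform DNSSEC validation, run unbound-anchor before
  # you start unbound (i.e. in the system boot scripts). And enable:
@@ -433,23 +433,16 @@
  # the number of slabs must be a power of 2.
  # more slabs reduce lock contention, but fragment memory usage.
  # key-cache-slabs: 4
 
  # the amount of memory to use for the negative cache (used for DLV).
  # plain value in bytes or you can append k, m or G. default is "1Mb".
  # neg-cache-size: 1m
 
- # if unbound is running service for the local host then it is useful
- # to perform lan-wide lookups to the upstream, and unblock the
- # long list of local-zones above. If this unbound is a dns server
- # for a network of computers, disabled is better and stops information
- # leakage of local lan information.
- # unblock-lan-zones: no
-
  # By default, for a number of zones a small default 'nothing here'
  # reply is built-in. Query traffic is thus blocked. If you
  # wish to serve such zone you can unblock them by uncommenting one
  # of the nodefault statements below.
  # You may also have to use domain-insecure: zone to make DNSSEC work,
  # unless you have your own trust anchors for this zone.
  # local-zone: "localhost." nodefault
  # local-zone: "127.in-addr.arpa." nodefault
@@ -480,16 +473,24 @@
  # local-zone: "255.255.255.255.in-addr.arpa." nodefault
  # local-zone: "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
  # local-zone: "d.f.ip6.arpa." nodefault
  # local-zone: "8.e.f.ip6.arpa." nodefault
  # local-zone: "9.e.f.ip6.arpa." nodefault
  # local-zone: "a.e.f.ip6.arpa." nodefault
  # local-zone: "b.e.f.ip6.arpa." nodefault
  # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
+ # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
+
+ # if unbound is running service for the local host then it is useful
+ # to perform lan-wide lookups to the upstream, and unblock the
+ # long list of local-zones above. If this unbound is a dns server
+ # for a network of computers, disabled is better and stops information
+ # leakage of local lan information.
+ # unblock-lan-zones: no
 
  # a number of locally served zones can be configured.
  # local-zone: <zone> <type>
  # local-data: "<resource record string>"
  # o deny serves local data (if any), else, drops queries.
  # o refuse serves local data (if any), else, replies with error.
  # o static serves local data, else, nxdomain or nodata answer.
  # o transparent gives local data, but resolves normally for other names
@@ -528,16 +529,20 @@
  # ssl-service-key: "path/to/privatekeyfile.key"
  # ssl-service-pem: "path/to/publiccertfile.pem"
  # ssl-port: 443
 
  # request upstream over SSL (with plain DNS inside the SSL stream).
  # Default is no. Can be turned on and off with unbound-control.
  # ssl-upstream: no
 
+ # DNS64 prefix. Must be specified when DNS64 is use.
+ # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4.
+ # dns64-prefix: 64:ff9b::0/96
+
 # Python config section. To enable:
 # o use --with-pythonmodule to configure before compiling.
 # o list python in the module-config string (above) to enable.
 # o and give a python-script to run.
 python:
  # Script file to load
  # python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py"
 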
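Review bot: The rewritten comment at new line 334 shows `validator` as an optional token in `"[dns64] [validator] iterator"` without saying what leaving it out does, so a reader trimming module-config to get DNS64 working can end up with a resolver that no longer validates DNSSEC. I would add a line directly under it such as `# Omitting "validator" turns off DNSSEC validation.` The same syntax string has no slot for `python`, although the Python section at new line 543 tells the reader to list python in module-config, so the comment should say where that token goes; module order is significant as far as I know, so the position should be confirmed against unbound.conf(5) rather than guessed. In the new dns64-prefix comment at new line 537, "when DNS64 is use" should read "when DNS64 is in use".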