1.TH "unbound.conf" "5" "Mar 12, 2014" "NLnet Labs" "unbound 1.4.22"
2.\"
3.\" unbound.conf.5 -- unbound.conf manual
4.\"
5.\" Copyright (c) 2007, NLnet Labs. All rights reserved.
6.\"
7.\" See LICENSE for the license.
8.\"
9.\"
10.SH "NAME"
11.LP
12.B unbound.conf
13\- Unbound configuration file.
14.SH "SYNOPSIS"
15.LP
16.B unbound.conf
17.SH "DESCRIPTION"
18.LP
19.B unbound.conf
20is used to configure
21\fIunbound\fR(8).
22The file format has attributes and values. Some attributes have attributes inside them.
23The notation is: attribute: value.
24.P
25Comments start with # and last to the end of line. Empty lines are
26ignored as is whitespace at the beginning of a line.
27.P
28The utility
29\fIunbound\-checkconf\fR(8)
30can be used to check unbound.conf prior to usage.
31.SH "EXAMPLE"
32An example config file is shown below. Copy this to /etc/unbound/unbound.conf
33and start the server with:
34.P
35.nf
36 $ unbound \-c /etc/unbound/unbound.conf
37.fi
38.P
39Most settings are the defaults. Stop the server with:
40.P
41.nf
42 $ kill `cat /etc/unbound/unbound.pid`
43.fi
44.P
45Below is a minimal config file. The source distribution contains an extensive
46example.conf file with all the options.
47.P
48.nf
49# unbound.conf(5) config file for unbound(8).
50server:
51 directory: "/etc/unbound"
52 username: unbound
53 # make sure unbound can access entropy from inside the chroot.
54 # e.g. on linux the use these commands (on BSD, devfs(8) is used):
55 # mount \-\-bind \-n /dev/random /etc/unbound/dev/random
56 # and mount \-\-bind \-n /dev/log /etc/unbound/dev/log
57 chroot: "/etc/unbound"
58 # logfile: "/etc/unbound/unbound.log" #uncomment to use logfile.
59 pidfile: "/etc/unbound/unbound.pid"
60 # verbosity: 1 # uncomment and increase to get more logging.
61 # listen on all interfaces, answer queries from the local subnet.
62 interface: 0.0.0.0
63 interface: ::0
64 access\-control: 10.0.0.0/8 allow
65 access\-control: 2001:DB8::/64 allow
66.fi
67.SH "FILE FORMAT"
68.LP
69There must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute
70is followed by its containing attributes, or a value.
71.P
72Files can be included using the
73.B include:
74directive. It can appear anywhere, it accepts a single file name as argument.
75Processing continues as if the text from the included file was copied into
76the config file at that point. If also using chroot, using full path names
77for the included files works, relative pathnames for the included names work
78if the directory where the daemon is started equals its chroot/working
79directory. Wildcards can be used to include multiple files, see \fIglob\fR(7).
80.SS "Server Options"
81These options are part of the
82.B server:
83clause.
84.TP
85.B verbosity: \fI<number>
86The verbosity number, level 0 means no verbosity, only errors. Level 1
87gives operational information. Level 2 gives detailed operational
88information. Level 3 gives query level information, output per query.
89Level 4 gives algorithm level information. Level 5 logs client
90identification for cache misses. Default is level 1.
91The verbosity can also be increased from the commandline, see \fIunbound\fR(8).
92.TP
93.B statistics\-interval: \fI<seconds>
94The number of seconds between printing statistics to the log for every thread.
95Disable with value 0 or "". Default is disabled. The histogram statistics
96are only printed if replies were sent during the statistics interval,
97requestlist statistics are printed for every interval (but can be 0).
98This is because the median calculation requires data to be present.
99.TP
100.B statistics\-cumulative: \fI<yes or no>
101If enabled, statistics are cumulative since starting unbound, without clearing
102the statistics counters after logging the statistics. Default is no.
103.TP
104.B extended\-statistics: \fI<yes or no>
105If enabled, extended statistics are printed from \fIunbound\-control\fR(8).
106Default is off, because keeping track of more statistics takes time. The
107counters are listed in \fIunbound\-control\fR(8).
108.TP
109.B num\-threads: \fI<number>
110The number of threads to create to serve clients. Use 1 for no threading.
111.TP
112.B port: \fI<port number>
113The port number, default 53, on which the server responds to queries.
114.TP
115.B interface: \fI<ip address[@port]>
116Interface to use to connect to the network. This interface is listened to
117for queries from clients, and answers to clients are given from it.
118Can be given multiple times to work on several interfaces. If none are
119given the default is to listen to localhost.
120The interfaces are not changed on a reload (kill \-HUP) but only on restart.
121A port number can be specified with @port (without spaces between
122interface and port number), if not specified the default port (from
123\fBport\fR) is used.
124.TP
125.B ip\-address: \fI<ip address[@port]>
126Same as interface: (for easy of compatibility with nsd.conf).
127.TP
128.B interface\-automatic: \fI<yes or no>
129Detect source interface on UDP queries and copy them to replies. This
130feature is experimental, and needs support in your OS for particular socket
131options. Default value is no.
132.TP
133.B outgoing\-interface: \fI<ip address>
134Interface to use to connect to the network. This interface is used to send
135queries to authoritative servers and receive their replies. Can be given
136multiple times to work on several interfaces. If none are given the
137default (all) is used. You can specify the same interfaces in
138.B interface:
139and
140.B outgoing\-interface:
141lines, the interfaces are then used for both purposes. Outgoing queries are
142sent via a random outgoing interface to counter spoofing.
143.TP
144.B outgoing\-range: \fI<number>
145Number of ports to open. This number of file descriptors can be opened per
146thread. Must be at least 1. Default depends on compile options. Larger
147numbers need extra resources from the operating system. For performance a
148a very large value is best, use libevent to make this possible.
149.TP
150.B outgoing\-port\-permit: \fI<port number or range>
151Permit unbound to open this port or range of ports for use to send queries.
152A larger number of permitted outgoing ports increases resilience against
153spoofing attempts. Make sure these ports are not needed by other daemons.
154By default only ports above 1024 that have not been assigned by IANA are used.
155Give a port number or a range of the form "low\-high", without spaces.
156.IP
157The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements
158are processed in the line order of the config file, adding the permitted ports
159and subtracting the avoided ports from the set of allowed ports. The
160processing starts with the non IANA allocated ports above 1024 in the set
161of allowed ports.
162.TP
163.B outgoing\-port\-avoid: \fI<port number or range>
164Do not permit unbound to open this port or range of ports for use to send
165queries. Use this to make sure unbound does not grab a port that another
166daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6.
167By default only ports above 1024 that have not been assigned by IANA are used.
168Give a port number or a range of the form "low\-high", without spaces.
169.TP
170.B outgoing\-num\-tcp: \fI<number>
171Number of outgoing TCP buffers to allocate per thread. Default is 10. If set
172to 0, or if do_tcp is "no", no TCP queries to authoritative servers are done.
173.TP
174.B incoming\-num\-tcp: \fI<number>
175Number of incoming TCP buffers to allocate per thread. Default is 10. If set
176to 0, or if do_tcp is "no", no TCP queries from clients are accepted.
177.TP
178.B edns\-buffer\-size: \fI<number>
179Number of bytes size to advertise as the EDNS reassembly buffer size.
180This is the value put into datagrams over UDP towards peers. The actual
181buffer size is determined by msg\-buffer\-size (both for TCP and UDP). Do
182not set higher than that value. Default is 4096 which is RFC recommended.
183If you have fragmentation reassembly problems, usually seen as timeouts,
184then a value of 1480 can fix it. Setting to 512 bypasses even the most
185stringent path MTU problems, but is seen as extreme, since the amount
186of TCP fallback generated is excessive (probably also for this resolver,
187consider tuning the outgoing tcp number).
188.TP
189.B max\-udp\-size: \fI<number>
190Maximum UDP response size (not applied to TCP response). 65536 disables the
191udp response size maximum, and uses the choice from the client, always.
192Suggested values are 512 to 4096. Default is 4096.
193.TP
194.B msg\-buffer\-size: \fI<number>
195Number of bytes size of the message buffers. Default is 65552 bytes, enough
196for 64 Kb packets, the maximum DNS message size. No message larger than this
197can be sent or received. Can be reduced to use less memory, but some requests
198for DNS data, such as for huge resource records, will result in a SERVFAIL
199reply to the client.
200.TP
201.B msg\-cache\-size: \fI<number>
202Number of bytes size of the message cache. Default is 4 megabytes.
203A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
204or gigabytes (1024*1024 bytes in a megabyte).
205.TP
206.B msg\-cache\-slabs: \fI<number>
207Number of slabs in the message cache. Slabs reduce lock contention by threads.
208Must be set to a power of 2. Setting (close) to the number of cpus is a
209reasonable guess.
210.TP
211.B num\-queries\-per\-thread: \fI<number>
212The number of queries that every thread will service simultaneously.
213If more queries arrive that need servicing, and no queries can be jostled out
214(see \fIjostle\-timeout\fR), then the queries are dropped. This forces
215the client to resend after a timeout; allowing the server time to work on
216the existing queries. Default depends on compile options, 512 or 1024.
217.TP
218.B jostle\-timeout: \fI<msec>
219Timeout used when the server is very busy. Set to a value that usually
220results in one roundtrip to the authority servers. If too many queries
221arrive, then 50% of the queries are allowed to run to completion, and
222the other 50% are replaced with the new incoming query if they have already
223spent more than their allowed time. This protects against denial of
224service by slow queries or high query rates. Default 200 milliseconds.
225The effect is that the qps for long-lasting queries is about
226(numqueriesperthread / 2) / (average time for such long queries) qps.
227The qps for short queries can be about (numqueriesperthread / 2)
228/ (jostletimeout in whole seconds) qps per thread, about (1024/2)*5 = 2560
229qps by default.
230.TP
231.B delay\-close: \fI<msec>
232Extra delay for timeouted UDP ports before they are closed, in msec.
233Default is 0, and that disables it. This prevents very delayed answer
234packets from the upstream (recursive) servers from bouncing against
235closed ports and setting off all sort of close-port counters, with
236eg. 1500 msec. When timeouts happen you need extra sockets, it checks
237the ID and remote IP of packets, and unwanted packets are added to the
238unwanted packet counter.
239.TP
240.B so\-rcvbuf: \fI<number>
241If not 0, then set the SO_RCVBUF socket option to get more buffer
242space on UDP port 53 incoming queries. So that short spikes on busy
243servers do not drop packets (see counter in netstat \-su). Default is
2440 (use system value). Otherwise, the number of bytes to ask for, try
245"4m" on a busy server. The OS caps it at a maximum, on linux unbound
246needs root permission to bypass the limit, or the admin can use sysctl
247net.core.rmem_max. On BSD change kern.ipc.maxsockbuf in /etc/sysctl.conf.
248On OpenBSD change header and recompile kernel. On Solaris ndd \-set
249/dev/udp udp_max_buf 8388608.
250.TP
251.B so\-sndbuf: \fI<number>
252If not 0, then set the SO_SNDBUF socket option to get more buffer space on
253UDP port 53 outgoing queries. This for very busy servers handles spikes
254in answer traffic, otherwise 'send: resource temporarily unavailable'
255can get logged, the buffer overrun is also visible by netstat \-su.
256Default is 0 (use system value). Specify the number of bytes to ask
257for, try "4m" on a very busy server. The OS caps it at a maximum, on
258linux unbound needs root permission to bypass the limit, or the admin
259can use sysctl net.core.wmem_max. On BSD, Solaris changes are similar
260to so\-rcvbuf.
261.TP
262.B so\-reuseport: \fI<yes or no>
263If yes, then open dedicated listening sockets for incoming queries for each
264thread and try to set the SO_REUSEPORT socket option on each socket. May
265distribute incoming queries to threads more evenly. Default is no. Only
266supported on Linux >= 3.9. You can enable it (on any platform and kernel),
267it then attempts to open the port and passes the option if it was available
268at compile time, if that works it is used, if it fails, it continues
269silently (unless verbosity 3) without the option.
270.TP
271.B rrset\-cache\-size: \fI<number>
272Number of bytes size of the RRset cache. Default is 4 megabytes.
273A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
274or gigabytes (1024*1024 bytes in a megabyte).
275.TP
276.B rrset\-cache\-slabs: \fI<number>
277Number of slabs in the RRset cache. Slabs reduce lock contention by threads.
278Must be set to a power of 2.
279.TP
280.B cache\-max\-ttl: \fI<seconds>
281Time to live maximum for RRsets and messages in the cache. Default is
28286400 seconds (1 day). If the maximum kicks in, responses to clients
283still get decrementing TTLs based on the original (larger) values.
284When the internal TTL expires, the cache item has expired.
285Can be set lower to force the resolver to query for data often, and not
286trust (very large) TTL values.
287.TP
288.B cache\-min\-ttl: \fI<seconds>
289Time to live minimum for RRsets and messages in the cache. Default is 0.
290If the the minimum kicks in, the data is cached for longer than the domain
291owner intended, and thus less queries are made to look up the data.
292Zero makes sure the data in the cache is as the domain owner intended,
293higher values, especially more than an hour or so, can lead to trouble as
294the data in the cache does not match up with the actual data any more.
295.TP
296.B infra\-host\-ttl: \fI<seconds>
297Time to live for entries in the host cache. The host cache contains
298roundtrip timing, lameness and EDNS support information. Default is 900.
299.TP
300.B infra\-cache\-slabs: \fI<number>
301Number of slabs in the infrastructure cache. Slabs reduce lock contention
302by threads. Must be set to a power of 2.
303.TP
304.B infra\-cache\-numhosts: \fI<number>
305Number of hosts for which information is cached. Default is 10000.
306.TP
307.B do\-ip4: \fI<yes or no>
308Enable or disable whether ip4 queries are answered or issued. Default is yes.
309.TP
310.B do\-ip6: \fI<yes or no>
311Enable or disable whether ip6 queries are answered or issued. Default is yes.
312If disabled, queries are not answered on IPv6, and queries are not sent on
313IPv6 to the internet nameservers.
314.TP
315.B do\-udp: \fI<yes or no>
316Enable or disable whether UDP queries are answered or issued. Default is yes.
317.TP
318.B do\-tcp: \fI<yes or no>
319Enable or disable whether TCP queries are answered or issued. Default is yes.
320.TP
321.B tcp\-upstream: \fI<yes or no>
322Enable or disable whether the upstream queries use TCP only for transport.
323Default is no. Useful in tunneling scenarios.
324.TP
325.B ssl\-upstream: \fI<yes or no>
326Enabled or disable whether the upstream queries use SSL only for transport.
327Default is no. Useful in tunneling scenarios. The SSL contains plain DNS in
328TCP wireformat. The other server must support this (see \fBssl\-service\-key\fR).
329.TP
330.B ssl\-service-key: \fI<file>
331If enabled, the server provider SSL service on its TCP sockets. The clients
332have to use ssl\-upstream: yes. The file is the private key for the TLS
333session. The public certificate is in the ssl\-service\-pem file. Default
334is "", turned off. Requires a restart (a reload is not enough) if changed,
335because the private key is read while root permissions are held and before
336chroot (if any). Normal DNS TCP service is not provided and gives errors,
337this service is best run with a different \fBport:\fR config or \fI@port\fR
338suffixes in the \fBinterface\fR config.
339.TP
340.B ssl\-service\-pem: \fI<file>
341The public key certificate pem file for the ssl service. Default is "",
342turned off.
343.TP
344.B ssl\-port: \fI<number>
345The port number on which to provide TCP SSL service, default 443, only
346interfaces configured with that port number as @number get the SSL service.
347.TP
348.B do\-daemonize: \fI<yes or no>
349Enable or disable whether the unbound server forks into the background as
350a daemon. Default is yes.
351.TP
352.B access\-control: \fI<IP netblock> <action>
353The netblock is given as an IP4 or IP6 address with /size appended for a
354classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
355\fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR.
356.IP
357The action \fIdeny\fR stops queries from hosts from that netblock.
358.IP
359The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED
360error message back.
361.IP
362The action \fIallow\fR gives access to clients from that netblock.
363It gives only access for recursion clients (which is
364what almost all clients need). Nonrecursive queries are refused.
365.IP
366The \fIallow\fR action does allow nonrecursive queries to access the
367local\-data that is configured. The reason is that this does not involve
368the unbound server recursive lookup algorithm, and static data is served
369in the reply. This supports normal operations where nonrecursive queries
370are made for the authoritative data. For nonrecursive queries any replies
371from the dynamic cache are refused.
372.IP
373The action \fIallow_snoop\fR gives nonrecursive access too. This give
374both recursive and non recursive access. The name \fIallow_snoop\fR refers
375to cache snooping, a technique to use nonrecursive queries to examine
376the cache contents (for malicious acts). However, nonrecursive queries can
377also be a valuable debugging tool (when you want to examine the cache
378contents). In that case use \fIallow_snoop\fR for your administration host.
379.IP
380By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd.
381The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
382protocol is not designed to handle dropped packets due to policy, and
383dropping may result in (possibly excessive) retried queries.
384.IP
385The deny_non_local and refuse_non_local settings are for hosts that are
386only allowed to query for the authoritative local\-data, they are not
387allowed full recursion but only the static data. With deny_non_local,
388messages that are disallowed are dropped, with refuse_non_local they
389receive error code REFUSED.
390.TP
391.B chroot: \fI<directory>
392If chroot is enabled, you should pass the configfile (from the
393commandline) as a full path from the original root. After the
394chroot has been performed the now defunct portion of the config
395file path is removed to be able to reread the config after a reload.
396.IP
397All other file paths (working dir, logfile, roothints, and
398key files) can be specified in several ways:
399as an absolute path relative to the new root,
400as a relative path to the working directory, or
401as an absolute path relative to the original root.
402In the last case the path is adjusted to remove the unused portion.
403.IP
404The pidfile can be either a relative path to the working directory, or
405an absolute path relative to the original root. It is written just prior
406to chroot and dropping permissions. This allows the pidfile to be
407/var/run/unbound.pid and the chroot to be /var/unbound, for example.
408.IP
409Additionally, unbound may need to access /dev/random (for entropy)
410from inside the chroot.
411.IP
412If given a chroot is done to the given directory. The default is
413"@UNBOUND_CHROOT_DIR@". If you give "" no chroot is performed.
414.TP
415.B username: \fI<name>
416If given, after binding the port the user privileges are dropped. Default is
417"@UNBOUND_USERNAME@". If you give username: "" no user change is performed.
418.IP
419If this user is not capable of binding the
420port, reloads (by signal HUP) will still retain the opened ports.
421If you change the port number in the config file, and that new port number
422requires privileges, then a reload will fail; a restart is needed.
423.TP
424.B directory: \fI<directory>
425Sets the working directory for the program. Default is "@UNBOUND_RUN_DIR@".
426.TP
427.B logfile: \fI<filename>
428If "" is given, logging goes to stderr, or nowhere once daemonized.
429The logfile is appended to, in the following format:
430.nf
431[seconds since 1970] unbound[pid:tid]: type: message.
432.fi
433If this option is given, the use\-syslog is option is set to "no".
434The logfile is reopened (for append) when the config file is reread, on
435SIGHUP.
436.TP
437.B use\-syslog: \fI<yes or no>
438Sets unbound to send log messages to the syslogd, using
439\fIsyslog\fR(3).
440The log facility LOG_DAEMON is used, with identity "unbound".
441The logfile setting is overridden when use\-syslog is turned on.
442The default is to log to syslog.
443.TP
444.B log\-time\-ascii: \fI<yes or no>
445Sets logfile lines to use a timestamp in UTC ascii. Default is no, which
446prints the seconds since 1970 in brackets. No effect if using syslog, in
447that case syslog formats the timestamp printed into the log files.
448.TP
449.B log\-queries: \fI<yes or no>
450Prints one line per query to the log, with the log timestamp and IP address,
451name, type and class. Default is no. Note that it takes time to print these
452lines which makes the server (significantly) slower. Odd (nonprintable)
453characters in names are printed as '?'.
454.TP
455.B pidfile: \fI<filename>
456The process id is written to the file. Default is "@UNBOUND_PIDFILE@".
457So,
458.nf
459kill \-HUP `cat @UNBOUND_PIDFILE@`
460.fi
461triggers a reload,
462.nf
463kill \-QUIT `cat @UNBOUND_PIDFILE@`
464.fi
465gracefully terminates.
466.TP
467.B root\-hints: \fI<filename>
468Read the root hints from this file. Default is nothing, using builtin hints
469for the IN class. The file has the format of zone files, with root
470nameserver names and addresses only. The default may become outdated,
471when servers change, therefore it is good practice to use a root\-hints file.
472.TP
473.B hide\-identity: \fI<yes or no>
474If enabled id.server and hostname.bind queries are refused.
475.TP
476.B identity: \fI<string>
477Set the identity to report. If set to "", the default, then the hostname
478of the server is returned.
479.TP
480.B hide\-version: \fI<yes or no>
481If enabled version.server and version.bind queries are refused.
482.TP
483.B version: \fI<string>
484Set the version to report. If set to "", the default, then the package
485version is returned.
486.TP
487.B target\-fetch\-policy: \fI<"list of numbers">
488Set the target fetch policy used by unbound to determine if it should fetch
489nameserver target addresses opportunistically. The policy is described per
490dependency depth.
491.IP
492The number of values determines the maximum dependency depth
493that unbound will pursue in answering a query.
494A value of \-1 means to fetch all targets opportunistically for that dependency
495depth. A value of 0 means to fetch on demand only. A positive value fetches
496that many targets opportunistically.
497.IP
498Enclose the list between quotes ("") and put spaces between numbers.
499The default is "3 2 1 0 0". Setting all zeroes, "0 0 0 0 0" gives behaviour
500closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour
501rumoured to be closer to that of BIND 8.
502.TP
503.B harden\-short\-bufsize: \fI<yes or no>
504Very small EDNS buffer sizes from queries are ignored. Default is off, since
505it is legal protocol wise to send these, and unbound tries to give very
506small answers to these queries, where possible.
507.TP
508.B harden\-large\-queries: \fI<yes or no>
509Very large queries are ignored. Default is off, since it is legal protocol
510wise to send these, and could be necessary for operation if TSIG or EDNS
511payload is very large.
512.TP
513.B harden\-glue: \fI<yes or no>
514Will trust glue only if it is within the servers authority. Default is on.
515.TP
516.B harden\-dnssec\-stripped: \fI<yes or no>
517Require DNSSEC data for trust\-anchored zones, if such data is absent,
518the zone becomes bogus. If turned off, and no DNSSEC data is received
519(or the DNSKEY data fails to validate), then the zone is made insecure,
520this behaves like there is no trust anchor. You could turn this off if
521you are sometimes behind an intrusive firewall (of some sort) that
522removes DNSSEC data from packets, or a zone changes from signed to
523unsigned to badly signed often. If turned off you run the risk of a
524downgrade attack that disables security for a zone. Default is on.
525.TP
526.B harden\-below\-nxdomain: \fI<yes or no>
527From draft\-vixie\-dnsext\-resimprove, returns nxdomain to queries for a name
528below another name that is already known to be nxdomain. DNSSEC mandates
529noerror for empty nonterminals, hence this is possible. Very old software
530might return nxdomain for empty nonterminals (that usually happen for reverse
531IP address lookups), and thus may be incompatible with this. To try to avoid
532this only DNSSEC-secure nxdomains are used, because the old software does not
533have DNSSEC. Default is off.
534.TP
535.B harden\-referral\-path: \fI<yes or no>
536Harden the referral path by performing additional queries for
537infrastructure data. Validates the replies if trust anchors are configured
538and the zones are signed. This enforces DNSSEC validation on nameserver
539NS sets and the nameserver addresses that are encountered on the referral
540path to the answer.
541Default off, because it burdens the authority servers, and it is
542not RFC standard, and could lead to performance problems because of the
543extra query load that is generated. Experimental option.
544If you enable it consider adding more numbers after the target\-fetch\-policy
545to increase the max depth that is checked to.
546.TP
547.B use\-caps\-for\-id: \fI<yes or no>
548Use 0x20\-encoded random bits in the query to foil spoof attempts.
549This perturbs the lowercase and uppercase of query names sent to
550authority servers and checks if the reply still has the correct casing.
551Disabled by default.
552This feature is an experimental implementation of draft dns\-0x20.
553.TP
554.B private\-address: \fI<IP address or subnet>
555Give IPv4 of IPv6 addresses or classless subnets. These are addresses
556on your private network, and are not allowed to be returned for public
557internet names. Any occurence of such addresses are removed from
558DNS answers. Additionally, the DNSSEC validator may mark the answers
559bogus. This protects against so\-called DNS Rebinding, where a user browser
560is turned into a network proxy, allowing remote access through the browser
561to other parts of your private network. Some names can be allowed to
562contain your private addresses, by default all the \fBlocal\-data\fR
563that you configured is allowed to, and you can specify additional
564names using \fBprivate\-domain\fR. No private addresses are enabled
565by default. We consider to enable this for the RFC1918 private IP
566address space by default in later releases. That would enable private
567addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
568fd00::/8 and fe80::/10, since the RFC standards say these addresses
569should not be visible on the public internet. Turning on 127.0.0.0/8
570would hinder many spamblocklists as they use that.
571.TP
572.B private\-domain: \fI<domain name>
573Allow this domain, and all its subdomains to contain private addresses.
574Give multiple times to allow multiple domain names to contain private
575addresses. Default is none.
576.TP
577.B unwanted\-reply\-threshold: \fI<number>
578If set, a total number of unwanted replies is kept track of in every thread.
579When it reaches the threshold, a defensive action is taken and a warning
580is printed to the log. The defensive action is to clear the rrset and
581message caches, hopefully flushing away any poison. A value of 10 million
582is suggested. Default is 0 (turned off).
583.TP
584.B do\-not\-query\-address: \fI<IP address>
585Do not query the given IP address. Can be IP4 or IP6. Append /num to
586indicate a classless delegation netblock, for example like
58710.2.3.4/24 or 2001::11/64.
588.TP
589.B do\-not\-query\-localhost: \fI<yes or no>
590If yes, localhost is added to the do\-not\-query\-address entries, both
591IP6 ::1 and IP4 127.0.0.1/8. If no, then localhost can be used to send
592queries to. Default is yes.
593.TP
594.B prefetch: \fI<yes or no>
595If yes, message cache elements are prefetched before they expire to
596keep the cache up to date. Default is no. Turning it on gives about
59710 percent more traffic and load on the machine, but popular items do
598not expire from the cache.
599.TP
600.B prefetch-key: \fI<yes or no>
601If yes, fetch the DNSKEYs earlier in the validation process, when a DS
602record is encountered. This lowers the latency of requests. It does use
603a little more CPU. Also if the cache is set to 0, it is no use. Default is no.
604.TP
605.B rrset-roundrobin: \fI<yes or no>
606If yes, Unbound rotates RRSet order in response (the random number is taken
607from the query ID, for speed and thread safety). Default is no.
608.TP
609.B minimal-responses: \fI<yes or no>
610If yes, Unbound doesn't insert authority/additional sections into response
611messages when those sections are not required. This reduces response
612size significantly, and may avoid TCP fallback for some responses.
613This may cause a slight speedup. The default is no, because the DNS
614protocol RFCs mandate these sections, and the additional content could
615be of use and save roundtrips for clients.
616.TP
617.B module\-config: \fI<"module names">
618Module configuration, a list of module names separated by spaces, surround
619the string with quotes (""). The modules can be validator, iterator.
620Setting this to "iterator" will result in a non\-validating server.
621Setting this to "validator iterator" will turn on DNSSEC validation.
622The ordering of the modules is important.
623You must also set trust\-anchors for validation to be useful.
624.TP
625.B trust\-anchor\-file: \fI<filename>
626File with trusted keys for validation. Both DS and DNSKEY entries can appear
627in the file. The format of the file is the standard DNS Zone file format.
628Default is "", or no trust anchor file.
629.TP
630.B auto\-trust\-anchor\-file: \fI<filename>
631File with trust anchor for one zone, which is tracked with RFC5011 probes.
632The probes are several times per month, thus the machine must be online
633frequently. The initial file can be one with contents as described in
634\fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated,
635so the unbound user must have write permission.
636.TP
637.B trust\-anchor: \fI<"Resource Record">
638A DS or DNSKEY RR for a key to use for validation. Multiple entries can be
639given to specify multiple trusted keys, in addition to the trust\-anchor\-files.
640The resource record is entered in the same format as 'dig' or 'drill' prints
641them, the same format as in the zone file. Has to be on a single line, with
642"" around it. A TTL can be specified for ease of cut and paste, but is ignored.
643A class can be specified, but class IN is default.
644.TP
645.B trusted\-keys\-file: \fI<filename>
646File with trusted keys for validation. Specify more than one file
647with several entries, one file per entry. Like \fBtrust\-anchor\-file\fR
648but has a different file format. Format is BIND\-9 style format,
649the trusted\-keys { name flag proto algo "key"; }; clauses are read.
650It is possible to use wildcards with this statement, the wildcard is
651expanded on start and on reload.
652.TP
653.B dlv\-anchor\-file: \fI<filename>
654File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and
655DNSKEY entries can be used in the file, in the same format as for
656\fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more
657would be slow. The DLV configured is used as a root trusted DLV, this
658means that it is a lookaside for the root. Default is "", or no dlv anchor file.
659.TP
660.B dlv\-anchor: \fI<"Resource Record">
661Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline.
662.TP
663.B domain\-insecure: \fI<domain name>
664Sets domain name to be insecure, DNSSEC chain of trust is ignored towards
665the domain name. So a trust anchor above the domain name can not make the
666domain secure with a DS record, such a DS record is then ignored.
667Also keys from DLV are ignored for the domain. Can be given multiple times
668to specify multiple domains that are treated as if unsigned. If you set
669trust anchors for the domain they override this setting (and the domain
670is secured).
671.IP
672This can be useful if you want to make sure a trust anchor for external
673lookups does not affect an (unsigned) internal domain. A DS record
674externally can create validation failures for that internal domain.
675.TP
676.B val\-override\-date: \fI<rrsig\-style date spec>
677Default is "" or "0", which disables this debugging feature. If enabled by
678giving a RRSIG style date, that date is used for verifying RRSIG inception
679and expiration dates, instead of the current date. Do not set this unless
680you are debugging signature inception and expiration. The value \-1 ignores
681the date altogether, useful for some special applications.
682.TP
683.B val\-sig\-skew\-min: \fI<seconds>
684Minimum number of seconds of clock skew to apply to validated signatures.
685A value of 10% of the signature lifetime (expiration \- inception) is
686used, capped by this setting. Default is 3600 (1 hour) which allows for
687daylight savings differences. Lower this value for more strict checking
688of short lived signatures.
689.TP
690.B val\-sig\-skew\-max: \fI<seconds>
691Maximum number of seconds of clock skew to apply to validated signatures.
692A value of 10% of the signature lifetime (expiration \- inception)
693is used, capped by this setting. Default is 86400 (24 hours) which
694allows for timezone setting problems in stable domains. Setting both
695min and max very low disables the clock skew allowances. Setting both
696min and max very high makes the validator check the signature timestamps
697less strictly.
698.TP
699.B val\-bogus\-ttl: \fI<number>
700The time to live for bogus data. This is data that has failed validation;
701due to invalid signatures or other checks. The TTL from that data cannot be
702trusted, and this value is used instead. The value is in seconds, default 60.
703The time interval prevents repeated revalidation of bogus data.
704.TP
705.B val\-clean\-additional: \fI<yes or no>
706Instruct the validator to remove data from the additional section of secure
707messages that are not signed properly. Messages that are insecure, bogus,
708indeterminate or unchecked are not affected. Default is yes. Use this setting
709to protect the users that rely on this validator for authentication from
710protentially bad data in the additional section.
711.TP
712.B val\-log\-level: \fI<number>
713Have the validator print validation failures to the log. Regardless of
714the verbosity setting. Default is 0, off. At 1, for every user query
715that fails a line is printed to the logs. This way you can monitor what
716happens with validation. Use a diagnosis tool, such as dig or drill,
717to find out why validation is failing for these queries. At 2, not only
718the query that failed is printed but also the reason why unbound thought
719it was wrong and which server sent the faulty data.
720.TP
721.B val\-permissive\-mode: \fI<yes or no>
722Instruct the validator to mark bogus messages as indeterminate. The security
723checks are performed, but if the result is bogus (failed security), the
724reply is not withheld from the client with SERVFAIL as usual. The client
725receives the bogus data. For messages that are found to be secure the AD bit
726is set in replies. Also logging is performed as for full validation.
727The default value is "no".
728.TP
729.B ignore\-cd\-flag: \fI<yes or no>
730Instruct unbound to ignore the CD flag from clients and refuse to
731return bogus answers to them. Thus, the CD (Checking Disabled) flag
732does not disable checking any more. This is useful if legacy (w2008)
733servers that set the CD flag but cannot validate DNSSEC themselves are
734the clients, and then unbound provides them with DNSSEC protection.
735The default value is "no".
736.TP
737.B val\-nsec3\-keysize\-iterations: \fI<"list of values">
738List of keysize and iteration count values, separated by spaces, surrounded
739by quotes. Default is "1024 150 2048 500 4096 2500". This determines the
740maximum allowed NSEC3 iteration count before a message is simply marked
741insecure instead of performing the many hashing iterations. The list must
742be in ascending order and have at least one entry. If you set it to
743"1024 65535" there is no restriction to NSEC3 iteration values.
744This table must be kept short; a very long list could cause slower operation.
745.TP
746.B add\-holddown: \fI<seconds>
747Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
748autotrust updates to add new trust anchors only after they have been
749visible for this time. Default is 30 days as per the RFC.
750.TP
751.B del\-holddown: \fI<seconds>
752Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
753autotrust updates to remove revoked trust anchors after they have been
754kept in the revoked list for this long. Default is 30 days as per
755the RFC.
756.TP
757.B keep\-missing: \fI<seconds>
758Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
759autotrust updates to remove missing trust anchors after they have been
760unseen for this long. This cleans up the state file if the target zone
761does not perform trust anchor revocation, so this makes the auto probe
762mechanism work with zones that perform regular (non\-5011) rollovers.
763The default is 366 days. The value 0 does not remove missing anchors,
764as per the RFC.
765.TP
766.B key\-cache\-size: \fI<number>
767Number of bytes size of the key cache. Default is 4 megabytes.
768A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
769or gigabytes (1024*1024 bytes in a megabyte).
770.TP
771.B key\-cache\-slabs: \fI<number>
772Number of slabs in the key cache. Slabs reduce lock contention by threads.
773Must be set to a power of 2. Setting (close) to the number of cpus is a
774reasonable guess.
775.TP
776.B neg\-cache\-size: \fI<number>
777Number of bytes size of the aggressive negative cache. Default is 1 megabyte.
778A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
779or gigabytes (1024*1024 bytes in a megabyte).
780.TP
781.B unblock\-lan\-zones: \fI<yesno>
782Default is disabled. If enabled, then for private address space,
783the reverse lookups are no longer filtered. This allows unbound when
784running as dns service on a host where it provides service for that host,
785to put out all of the queries for the 'lan' upstream. When enabled,
786only localhost, 127.0.0.1 reverse and ::1 reverse zones are configured
787with default local zones. Disable the option when unbound is running
788as a (DHCP-) DNS network resolver for a group of machines, where such
789lookups should be filtered (RFC compliance), this also stops potential
790data leakage about the local network to the upstream DNS servers.
791.TP
792.B local\-zone: \fI<zone> <type>
793Configure a local zone. The type determines the answer to give if
794there is no match from local\-data. The types are deny, refuse, static,
795transparent, redirect, nodefault, typetransparent, and are explained
796below. After that the default settings are listed. Use local\-data: to
797enter data into the local zone. Answers for local zones are authoritative
798DNS answers. By default the zones are class IN.
799.IP
800If you need more complicated authoritative data, with referrals, wildcards,
801CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for
802it as detailed in the stub zone section below.
803.TP 10
804\h'5'\fIdeny\fR
805Do not send an answer, drop the query.
806If there is a match from local data, the query is answered.
807.TP 10
808\h'5'\fIrefuse\fR
809Send an error message reply, with rcode REFUSED.
810If there is a match from local data, the query is answered.
811.TP 10
812\h'5'\fIstatic\fR
813If there is a match from local data, the query is answered.
814Otherwise, the query is answered with nodata or nxdomain.
815For a negative answer a SOA is included in the answer if present
816as local\-data for the zone apex domain.
817.TP 10
818\h'5'\fItransparent\fR
819If there is a match from local data, the query is answered.
820Otherwise if the query has a different name, the query is resolved normally.
821If the query is for a name given in localdata but no such type of data is
822given in localdata, then a noerror nodata answer is returned.
823If no local\-zone is given local\-data causes a transparent zone
824to be created by default.
825.TP 10
826\h'5'\fItypetransparent\fR
827If there is a match from local data, the query is answered. If the query
828is for a different name, or for the same name but for a different type,
829the query is resolved normally. So, similar to transparent but types
830that are not listed in local data are resolved normally, so if an A record
831is in the local data that does not cause a nodata reply for AAAA queries.
832.TP 10
833\h'5'\fIredirect\fR
834The query is answered from the local data for the zone name.
835There may be no local data beneath the zone name.
836This answers queries for the zone, and all subdomains of the zone
837with the local data for the zone.
838It can be used to redirect a domain to return a different address record
839to the end user, with
840local\-zone: "example.com." redirect and
841local\-data: "example.com. A 127.0.0.1"
842queries for www.example.com and www.foo.example.com are redirected, so
843that users with web browsers cannot access sites with suffix example.com.
844.TP 10
845\h'5'\fInodefault\fR
846Used to turn off default contents for AS112 zones. The other types
847also turn off default contents for the zone. The 'nodefault' option
848has no other effect than turning off default contents for the
849given zone.
850.P
851The default zones are localhost, reverse 127.0.0.1 and ::1, and the AS112
852zones. The AS112 zones are reverse DNS zones for private use and reserved
853IP addresses for which the servers on the internet cannot provide correct
854answers. They are configured by default to give nxdomain (no reverse
855information) answers. The defaults can be turned off by specifying your
856own local\-zone of that name, or using the 'nodefault' type. Below is a
857list of the default zone contents.
858.TP 10
859\h'5'\fIlocalhost\fR
860The IP4 and IP6 localhost information is given. NS and SOA records are provided
861for completeness and to satisfy some DNS update tools. Default content:
862.nf
863local\-zone: "localhost." static
864local\-data: "localhost. 10800 IN NS localhost."
865local\-data: "localhost. 10800 IN
866 SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
867local\-data: "localhost. 10800 IN A 127.0.0.1"
868local\-data: "localhost. 10800 IN AAAA ::1"
869.fi
870.TP 10
871\h'5'\fIreverse IPv4 loopback\fR
872Default content:
873.nf
874local\-zone: "127.in\-addr.arpa." static
875local\-data: "127.in\-addr.arpa. 10800 IN NS localhost."
876local\-data: "127.in\-addr.arpa. 10800 IN
877 SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
878local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN
879 PTR localhost."
880.fi
881.TP 10
882\h'5'\fIreverse IPv6 loopback\fR
883Default content:
884.nf
885local\-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
886 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." static
887local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
888 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
889 NS localhost."
890local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
891 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
892 SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
893local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
894 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
895 PTR localhost."
896.fi
897.TP 10
898\h'5'\fIreverse RFC1918 local use zones\fR
899Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to
90031.172.in\-addr.arpa, 168.192.in\-addr.arpa.
901The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS
902records are provided.
903.TP 10
904\h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR
905Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa,
9062.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2),
907113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa.
908.TP 10
909\h'5'\fIreverse RFC4291 IP6 unspecified\fR
910Reverse data for zone
911.nf
9120.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
9130.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
914.fi
915.TP 10
916\h'5'\fIreverse RFC4193 IPv6 Locally Assigned Local Addresses\fR
917Reverse data for zone D.F.ip6.arpa.
918.TP 10
919\h'5'\fIreverse RFC4291 IPv6 Link Local Addresses\fR
920Reverse data for zones 8.E.F.ip6.arpa to B.E.F.ip6.arpa.
921.TP 10
922\h'5'\fIreverse IPv6 Example Prefix\fR
923Reverse data for zone 8.B.D.0.1.0.0.2.ip6.arpa. This zone is used for
924tutorials and examples. You can remove the block on this zone with:
925.nf
926 local\-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault
927.fi
928You can also selectively unblock a part of the zone by making that part
929transparent with a local\-zone statement.
930This also works with the other default zones.
931.\" End of local-zone listing.
932.TP 5
933.B local\-data: \fI"<resource record string>"
934Configure local data, which is served in reply to queries for it.
935The query has to match exactly unless you configure the local\-zone as
936redirect. If not matched exactly, the local\-zone type determines
937further processing. If local\-data is configured that is not a subdomain of
938a local\-zone, a transparent local\-zone is configured.
939For record types such as TXT, use single quotes, as in
940local\-data: 'example. TXT "text"'.
941.IP
942If you need more complicated authoritative data, with referrals, wildcards,
943CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for
944it as detailed in the stub zone section below.
945.TP 5
946.B local\-data\-ptr: \fI"IPaddr name"
947Configure local data shorthand for a PTR record with the reversed IPv4 or
948IPv6 address and the host name. For example "192.0.2.4 www.example.com".
949TTL can be inserted like this: "2001:DB8::4 7200 www.example.com"
950.SS "Remote Control Options"
951In the
952.B remote\-control:
953clause are the declarations for the remote control facility. If this is
954enabled, the \fIunbound\-control\fR(8) utility can be used to send
955commands to the running unbound server. The server uses these clauses
956to setup SSLv3 / TLSv1 security for the connection. The
957\fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR
958section for options. To setup the correct self\-signed certificates use the
959\fIunbound\-control\-setup\fR(8) utility.
960.TP 5
961.B control\-enable: \fI<yes or no>
962The option is used to enable remote control, default is "no".
963If turned off, the server does not listen for control commands.
964.TP 5
965.B control\-interface: <ip address>
966Give IPv4 or IPv6 addresses to listen on for control commands.
967By default localhost (127.0.0.1 and ::1) is listened to.
968Use 0.0.0.0 and ::0 to listen to all interfaces.
969.TP 5
970.B control\-port: <port number>
971The port number to listen on for control commands, default is 8953.
972If you change this port number, and permissions have been dropped,
973a reload is not sufficient to open the port again, you must then restart.
974.TP 5
975.B server\-key\-file: "<private key file>"
976Path to the server private key, by default unbound_server.key.
977This file is generated by the \fIunbound\-control\-setup\fR utility.
978This file is used by the unbound server, but not by \fIunbound\-control\fR.
979.TP 5
980.B server\-cert\-file: "<certificate file.pem>"
981Path to the server self signed certificate, by default unbound_server.pem.
982This file is generated by the \fIunbound\-control\-setup\fR utility.
983This file is used by the unbound server, and also by \fIunbound\-control\fR.
984.TP 5
985.B control\-key\-file: "<private key file>"
986Path to the control client private key, by default unbound_control.key.
987This file is generated by the \fIunbound\-control\-setup\fR utility.
988This file is used by \fIunbound\-control\fR.
989.TP 5
990.B control\-cert\-file: "<certificate file.pem>"
991Path to the control client certificate, by default unbound_control.pem.
992This certificate has to be signed with the server certificate.
993This file is generated by the \fIunbound\-control\-setup\fR utility.
994This file is used by \fIunbound\-control\fR.
995.SS "Stub Zone Options"
996.LP
997There may be multiple
998.B stub\-zone:
999clauses. Each with a name: and zero or more hostnames or IP addresses.
1000For the stub zone this list of nameservers is used. Class IN is assumed.
1001The servers should be authority servers, not recursors; unbound performs
1002the recursive processing itself for stub zones.
1003.P
1004The stub zone can be used to configure authoritative data to be used
1005by the resolver that cannot be accessed using the public internet servers.
1006This is useful for company\-local data or private zones. Setup an
1007authoritative server on a different host (or different port). Enter a config
1008entry for unbound with
1009.B stub\-addr:
1010<ip address of host[@port]>.
1011The unbound resolver can then access the data, without referring to the
1012public internet for it.
1013.P
1014This setup allows DNSSEC signed zones to be served by that
1015authoritative server, in which case a trusted key entry with the public key
1016can be put in config, so that unbound can validate the data and set the AD
1017bit on replies for the private zone (authoritative servers do not set the
1018AD bit). This setup makes unbound capable of answering queries for the
1019private zone, and can even set the AD bit ('authentic'), but the AA
1020('authoritative') bit is not set on these replies.
1021.TP
1022.B name: \fI<domain name>
1023Name of the stub zone.
1024.TP
1025.B stub\-host: \fI<domain name>
1026Name of stub zone nameserver. Is itself resolved before it is used.
1027.TP
1028.B stub\-addr: \fI<IP address>
1029IP address of stub zone nameserver. Can be IP 4 or IP 6.
1030To use a nondefault port for DNS communication append '@' with the port number.
1031.TP
1032.B stub\-prime: \fI<yes or no>
1033This option is by default off. If enabled it performs NS set priming,
1034which is similar to root hints, where it starts using the list of nameservers
1035currently published by the zone. Thus, if the hint list is slightly outdated,
1036the resolver picks up a correct list online.
1037.TP
1038.B stub\-first: \fI<yes or no>
1039If enabled, a query is attempted without the stub clause if it fails.
1040The data could not be retrieved and would have caused SERVFAIL because
1041the servers are unreachable, instead it is tried without this clause.
1042The default is no.
1043.SS "Forward Zone Options"
1044.LP
1045There may be multiple
1046.B forward\-zone:
1047clauses. Each with a \fBname:\fR and zero or more hostnames or IP
1048addresses. For the forward zone this list of nameservers is used to
1049forward the queries to. The servers listed as \fBforward\-host:\fR and
1050\fBforward\-addr:\fR have to handle further recursion for the query. Thus,
1051those servers are not authority servers, but are (just like unbound is)
1052recursive servers too; unbound does not perform recursion itself for the
1053forward zone, it lets the remote server do it. Class IN is assumed.
1054A forward\-zone entry with name "." and a forward\-addr target will
1055forward all queries to that other server (unless it can answer from
1056the cache).
1057.TP
1058.B name: \fI<domain name>
1059Name of the forward zone.
1060.TP
1061.B forward\-host: \fI<domain name>
1062Name of server to forward to. Is itself resolved before it is used.
1063.TP
1064.B forward\-addr: \fI<IP address>
1065IP address of server to forward to. Can be IP 4 or IP 6.
1066To use a nondefault port for DNS communication append '@' with the port number.
1067.TP
1068.B forward\-first: \fI<yes or no>
1069If enabled, a query is attempted without the forward clause if it fails.
1070The data could not be retrieved and would have caused SERVFAIL because
1071the servers are unreachable, instead it is tried without this clause.
1072The default is no.
1073.SS "Python Module Options"
1074.LP
1075The
1076.B python:
1077clause gives the settings for the \fIpython\fR(1) script module. This module
1078acts like the iterator and validator modules do, on queries and answers.
1079To enable the script module it has to be compiled into the daemon,
1080and the word "python" has to be put in the \fBmodule\-config:\fR option
1081(usually first, or between the validator and iterator).
1082.TP
1083.B python\-script: \fI<python file>\fR
1084The script file to load.
1085.SH "MEMORY CONTROL EXAMPLE"
1086In the example config settings below memory usage is reduced. Some service
1087levels are lower, notable very large data and a high TCP load are no longer
1088supported. Very large data and high TCP loads are exceptional for the DNS.
1089DNSSEC validation is enabled, just add trust anchors.
1090If you do not have to worry about programs using more than 3 Mb of memory,
1091the below example is not for you. Use the defaults to receive full service,
1092which on BSD\-32bit tops out at 30\-40 Mb after heavy usage.
1093.P
1094.nf
1095# example settings that reduce memory usage
1096server:
1097 num\-threads: 1
1098 outgoing\-num\-tcp: 1 # this limits TCP service, uses less buffers.
1099 incoming\-num\-tcp: 1
1100 outgoing\-range: 60 # uses less memory, but less performance.
1101 msg\-buffer\-size: 8192 # note this limits service, 'no huge stuff'.
1102 msg\-cache\-size: 100k
1103 msg\-cache\-slabs: 1
1104 rrset\-cache\-size: 100k
1105 rrset\-cache\-slabs: 1
1106 infra\-cache\-numhosts: 200
1107 infra\-cache\-slabs: 1
1108 key\-cache\-size: 100k
1109 key\-cache\-slabs: 1
1110 neg\-cache\-size: 10k
1111 num\-queries\-per\-thread: 30
1112 target\-fetch\-policy: "2 1 0 0 0 0"
1113 harden\-large\-queries: "yes"
1114 harden\-short\-bufsize: "yes"
1115.fi
1116.SH "FILES"
1117.TP
1118.I @UNBOUND_RUN_DIR@
1119default unbound working directory.
1120.TP
1121.I @UNBOUND_CHROOT_DIR@
1122default
1123\fIchroot\fR(2)
1124location.
1125.TP
1126.I @ub_conf_file@
1127unbound configuration file.
1128.TP
1129.I @UNBOUND_PIDFILE@
1130default unbound pidfile with process ID of the running daemon.
1131.TP
1132.I unbound.log
1133unbound log file. default is to log to
1134\fIsyslog\fR(3).
1135.SH "SEE ALSO"
1136\fIunbound\fR(8),
1137\fIunbound\-checkconf\fR(8).
1138.SH "AUTHORS"
1139.B Unbound
1140was written by NLnet Labs. Please see CREDITS file
1141in the distribution for further details.
2.\"
3.\" unbound.conf.5 -- unbound.conf manual
4.\"
5.\" Copyright (c) 2007, NLnet Labs. All rights reserved.
6.\"
7.\" See LICENSE for the license.
8.\"
9.\"
10.SH "NAME"
11.LP
12.B unbound.conf
13\- Unbound configuration file.
14.SH "SYNOPSIS"
15.LP
16.B unbound.conf
17.SH "DESCRIPTION"
18.LP
19.B unbound.conf
20is used to configure
21\fIunbound\fR(8).
22The file format has attributes and values. Some attributes have attributes inside them.
23The notation is: attribute: value.
24.P
25Comments start with # and last to the end of line. Empty lines are
26ignored as is whitespace at the beginning of a line.
27.P
28The utility
29\fIunbound\-checkconf\fR(8)
30can be used to check unbound.conf prior to usage.
31.SH "EXAMPLE"
32An example config file is shown below. Copy this to /etc/unbound/unbound.conf
33and start the server with:
34.P
35.nf
36 $ unbound \-c /etc/unbound/unbound.conf
37.fi
38.P
39Most settings are the defaults. Stop the server with:
40.P
41.nf
42 $ kill `cat /etc/unbound/unbound.pid`
43.fi
44.P
45Below is a minimal config file. The source distribution contains an extensive
46example.conf file with all the options.
47.P
48.nf
49# unbound.conf(5) config file for unbound(8).
50server:
51 directory: "/etc/unbound"
52 username: unbound
53 # make sure unbound can access entropy from inside the chroot.
54 # e.g. on linux the use these commands (on BSD, devfs(8) is used):
55 # mount \-\-bind \-n /dev/random /etc/unbound/dev/random
56 # and mount \-\-bind \-n /dev/log /etc/unbound/dev/log
57 chroot: "/etc/unbound"
58 # logfile: "/etc/unbound/unbound.log" #uncomment to use logfile.
59 pidfile: "/etc/unbound/unbound.pid"
60 # verbosity: 1 # uncomment and increase to get more logging.
61 # listen on all interfaces, answer queries from the local subnet.
62 interface: 0.0.0.0
63 interface: ::0
64 access\-control: 10.0.0.0/8 allow
65 access\-control: 2001:DB8::/64 allow
66.fi
67.SH "FILE FORMAT"
68.LP
69There must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute
70is followed by its containing attributes, or a value.
71.P
72Files can be included using the
73.B include:
74directive. It can appear anywhere, it accepts a single file name as argument.
75Processing continues as if the text from the included file was copied into
76the config file at that point. If also using chroot, using full path names
77for the included files works, relative pathnames for the included names work
78if the directory where the daemon is started equals its chroot/working
79directory. Wildcards can be used to include multiple files, see \fIglob\fR(7).
80.SS "Server Options"
81These options are part of the
82.B server:
83clause.
84.TP
85.B verbosity: \fI<number>
86The verbosity number, level 0 means no verbosity, only errors. Level 1
87gives operational information. Level 2 gives detailed operational
88information. Level 3 gives query level information, output per query.
89Level 4 gives algorithm level information. Level 5 logs client
90identification for cache misses. Default is level 1.
91The verbosity can also be increased from the commandline, see \fIunbound\fR(8).
92.TP
93.B statistics\-interval: \fI<seconds>
94The number of seconds between printing statistics to the log for every thread.
95Disable with value 0 or "". Default is disabled. The histogram statistics
96are only printed if replies were sent during the statistics interval,
97requestlist statistics are printed for every interval (but can be 0).
98This is because the median calculation requires data to be present.
99.TP
100.B statistics\-cumulative: \fI<yes or no>
101If enabled, statistics are cumulative since starting unbound, without clearing
102the statistics counters after logging the statistics. Default is no.
103.TP
104.B extended\-statistics: \fI<yes or no>
105If enabled, extended statistics are printed from \fIunbound\-control\fR(8).
106Default is off, because keeping track of more statistics takes time. The
107counters are listed in \fIunbound\-control\fR(8).
108.TP
109.B num\-threads: \fI<number>
110The number of threads to create to serve clients. Use 1 for no threading.
111.TP
112.B port: \fI<port number>
113The port number, default 53, on which the server responds to queries.
114.TP
115.B interface: \fI<ip address[@port]>
116Interface to use to connect to the network. This interface is listened to
117for queries from clients, and answers to clients are given from it.
118Can be given multiple times to work on several interfaces. If none are
119given the default is to listen to localhost.
120The interfaces are not changed on a reload (kill \-HUP) but only on restart.
121A port number can be specified with @port (without spaces between
122interface and port number), if not specified the default port (from
123\fBport\fR) is used.
124.TP
125.B ip\-address: \fI<ip address[@port]>
126Same as interface: (for easy of compatibility with nsd.conf).
127.TP
128.B interface\-automatic: \fI<yes or no>
129Detect source interface on UDP queries and copy them to replies. This
130feature is experimental, and needs support in your OS for particular socket
131options. Default value is no.
132.TP
133.B outgoing\-interface: \fI<ip address>
134Interface to use to connect to the network. This interface is used to send
135queries to authoritative servers and receive their replies. Can be given
136multiple times to work on several interfaces. If none are given the
137default (all) is used. You can specify the same interfaces in
138.B interface:
139and
140.B outgoing\-interface:
141lines, the interfaces are then used for both purposes. Outgoing queries are
142sent via a random outgoing interface to counter spoofing.
143.TP
144.B outgoing\-range: \fI<number>
145Number of ports to open. This number of file descriptors can be opened per
146thread. Must be at least 1. Default depends on compile options. Larger
147numbers need extra resources from the operating system. For performance a
148a very large value is best, use libevent to make this possible.
149.TP
150.B outgoing\-port\-permit: \fI<port number or range>
151Permit unbound to open this port or range of ports for use to send queries.
152A larger number of permitted outgoing ports increases resilience against
153spoofing attempts. Make sure these ports are not needed by other daemons.
154By default only ports above 1024 that have not been assigned by IANA are used.
155Give a port number or a range of the form "low\-high", without spaces.
156.IP
157The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements
158are processed in the line order of the config file, adding the permitted ports
159and subtracting the avoided ports from the set of allowed ports. The
160processing starts with the non IANA allocated ports above 1024 in the set
161of allowed ports.
162.TP
163.B outgoing\-port\-avoid: \fI<port number or range>
164Do not permit unbound to open this port or range of ports for use to send
165queries. Use this to make sure unbound does not grab a port that another
166daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6.
167By default only ports above 1024 that have not been assigned by IANA are used.
168Give a port number or a range of the form "low\-high", without spaces.
169.TP
170.B outgoing\-num\-tcp: \fI<number>
171Number of outgoing TCP buffers to allocate per thread. Default is 10. If set
172to 0, or if do_tcp is "no", no TCP queries to authoritative servers are done.
173.TP
174.B incoming\-num\-tcp: \fI<number>
175Number of incoming TCP buffers to allocate per thread. Default is 10. If set
176to 0, or if do_tcp is "no", no TCP queries from clients are accepted.
177.TP
178.B edns\-buffer\-size: \fI<number>
179Number of bytes size to advertise as the EDNS reassembly buffer size.
180This is the value put into datagrams over UDP towards peers. The actual
181buffer size is determined by msg\-buffer\-size (both for TCP and UDP). Do
182not set higher than that value. Default is 4096 which is RFC recommended.
183If you have fragmentation reassembly problems, usually seen as timeouts,
184then a value of 1480 can fix it. Setting to 512 bypasses even the most
185stringent path MTU problems, but is seen as extreme, since the amount
186of TCP fallback generated is excessive (probably also for this resolver,
187consider tuning the outgoing tcp number).
188.TP
189.B max\-udp\-size: \fI<number>
190Maximum UDP response size (not applied to TCP response). 65536 disables the
191udp response size maximum, and uses the choice from the client, always.
192Suggested values are 512 to 4096. Default is 4096.
193.TP
194.B msg\-buffer\-size: \fI<number>
195Number of bytes size of the message buffers. Default is 65552 bytes, enough
196for 64 Kb packets, the maximum DNS message size. No message larger than this
197can be sent or received. Can be reduced to use less memory, but some requests
198for DNS data, such as for huge resource records, will result in a SERVFAIL
199reply to the client.
200.TP
201.B msg\-cache\-size: \fI<number>
202Number of bytes size of the message cache. Default is 4 megabytes.
203A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
204or gigabytes (1024*1024 bytes in a megabyte).
205.TP
206.B msg\-cache\-slabs: \fI<number>
207Number of slabs in the message cache. Slabs reduce lock contention by threads.
208Must be set to a power of 2. Setting (close) to the number of cpus is a
209reasonable guess.
210.TP
211.B num\-queries\-per\-thread: \fI<number>
212The number of queries that every thread will service simultaneously.
213If more queries arrive that need servicing, and no queries can be jostled out
214(see \fIjostle\-timeout\fR), then the queries are dropped. This forces
215the client to resend after a timeout; allowing the server time to work on
216the existing queries. Default depends on compile options, 512 or 1024.
217.TP
218.B jostle\-timeout: \fI<msec>
219Timeout used when the server is very busy. Set to a value that usually
220results in one roundtrip to the authority servers. If too many queries
221arrive, then 50% of the queries are allowed to run to completion, and
222the other 50% are replaced with the new incoming query if they have already
223spent more than their allowed time. This protects against denial of
224service by slow queries or high query rates. Default 200 milliseconds.
225The effect is that the qps for long-lasting queries is about
226(numqueriesperthread / 2) / (average time for such long queries) qps.
227The qps for short queries can be about (numqueriesperthread / 2)
228/ (jostletimeout in whole seconds) qps per thread, about (1024/2)*5 = 2560
229qps by default.
230.TP
231.B delay\-close: \fI<msec>
232Extra delay for timeouted UDP ports before they are closed, in msec.
233Default is 0, and that disables it. This prevents very delayed answer
234packets from the upstream (recursive) servers from bouncing against
235closed ports and setting off all sort of close-port counters, with
236eg. 1500 msec. When timeouts happen you need extra sockets, it checks
237the ID and remote IP of packets, and unwanted packets are added to the
238unwanted packet counter.
239.TP
240.B so\-rcvbuf: \fI<number>
241If not 0, then set the SO_RCVBUF socket option to get more buffer
242space on UDP port 53 incoming queries. So that short spikes on busy
243servers do not drop packets (see counter in netstat \-su). Default is
2440 (use system value). Otherwise, the number of bytes to ask for, try
245"4m" on a busy server. The OS caps it at a maximum, on linux unbound
246needs root permission to bypass the limit, or the admin can use sysctl
247net.core.rmem_max. On BSD change kern.ipc.maxsockbuf in /etc/sysctl.conf.
248On OpenBSD change header and recompile kernel. On Solaris ndd \-set
249/dev/udp udp_max_buf 8388608.
250.TP
251.B so\-sndbuf: \fI<number>
252If not 0, then set the SO_SNDBUF socket option to get more buffer space on
253UDP port 53 outgoing queries. This for very busy servers handles spikes
254in answer traffic, otherwise 'send: resource temporarily unavailable'
255can get logged, the buffer overrun is also visible by netstat \-su.
256Default is 0 (use system value). Specify the number of bytes to ask
257for, try "4m" on a very busy server. The OS caps it at a maximum, on
258linux unbound needs root permission to bypass the limit, or the admin
259can use sysctl net.core.wmem_max. On BSD, Solaris changes are similar
260to so\-rcvbuf.
261.TP
262.B so\-reuseport: \fI<yes or no>
263If yes, then open dedicated listening sockets for incoming queries for each
264thread and try to set the SO_REUSEPORT socket option on each socket. May
265distribute incoming queries to threads more evenly. Default is no. Only
266supported on Linux >= 3.9. You can enable it (on any platform and kernel),
267it then attempts to open the port and passes the option if it was available
268at compile time, if that works it is used, if it fails, it continues
269silently (unless verbosity 3) without the option.
270.TP
271.B rrset\-cache\-size: \fI<number>
272Number of bytes size of the RRset cache. Default is 4 megabytes.
273A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
274or gigabytes (1024*1024 bytes in a megabyte).
275.TP
276.B rrset\-cache\-slabs: \fI<number>
277Number of slabs in the RRset cache. Slabs reduce lock contention by threads.
278Must be set to a power of 2.
279.TP
280.B cache\-max\-ttl: \fI<seconds>
281Time to live maximum for RRsets and messages in the cache. Default is
28286400 seconds (1 day). If the maximum kicks in, responses to clients
283still get decrementing TTLs based on the original (larger) values.
284When the internal TTL expires, the cache item has expired.
285Can be set lower to force the resolver to query for data often, and not
286trust (very large) TTL values.
287.TP
288.B cache\-min\-ttl: \fI<seconds>
289Time to live minimum for RRsets and messages in the cache. Default is 0.
290If the the minimum kicks in, the data is cached for longer than the domain
291owner intended, and thus less queries are made to look up the data.
292Zero makes sure the data in the cache is as the domain owner intended,
293higher values, especially more than an hour or so, can lead to trouble as
294the data in the cache does not match up with the actual data any more.
295.TP
296.B infra\-host\-ttl: \fI<seconds>
297Time to live for entries in the host cache. The host cache contains
298roundtrip timing, lameness and EDNS support information. Default is 900.
299.TP
300.B infra\-cache\-slabs: \fI<number>
301Number of slabs in the infrastructure cache. Slabs reduce lock contention
302by threads. Must be set to a power of 2.
303.TP
304.B infra\-cache\-numhosts: \fI<number>
305Number of hosts for which information is cached. Default is 10000.
306.TP
307.B do\-ip4: \fI<yes or no>
308Enable or disable whether ip4 queries are answered or issued. Default is yes.
309.TP
310.B do\-ip6: \fI<yes or no>
311Enable or disable whether ip6 queries are answered or issued. Default is yes.
312If disabled, queries are not answered on IPv6, and queries are not sent on
313IPv6 to the internet nameservers.
314.TP
315.B do\-udp: \fI<yes or no>
316Enable or disable whether UDP queries are answered or issued. Default is yes.
317.TP
318.B do\-tcp: \fI<yes or no>
319Enable or disable whether TCP queries are answered or issued. Default is yes.
320.TP
321.B tcp\-upstream: \fI<yes or no>
322Enable or disable whether the upstream queries use TCP only for transport.
323Default is no. Useful in tunneling scenarios.
324.TP
325.B ssl\-upstream: \fI<yes or no>
326Enabled or disable whether the upstream queries use SSL only for transport.
327Default is no. Useful in tunneling scenarios. The SSL contains plain DNS in
328TCP wireformat. The other server must support this (see \fBssl\-service\-key\fR).
329.TP
330.B ssl\-service-key: \fI<file>
331If enabled, the server provider SSL service on its TCP sockets. The clients
332have to use ssl\-upstream: yes. The file is the private key for the TLS
333session. The public certificate is in the ssl\-service\-pem file. Default
334is "", turned off. Requires a restart (a reload is not enough) if changed,
335because the private key is read while root permissions are held and before
336chroot (if any). Normal DNS TCP service is not provided and gives errors,
337this service is best run with a different \fBport:\fR config or \fI@port\fR
338suffixes in the \fBinterface\fR config.
339.TP
340.B ssl\-service\-pem: \fI<file>
341The public key certificate pem file for the ssl service. Default is "",
342turned off.
343.TP
344.B ssl\-port: \fI<number>
345The port number on which to provide TCP SSL service, default 443, only
346interfaces configured with that port number as @number get the SSL service.
347.TP
348.B do\-daemonize: \fI<yes or no>
349Enable or disable whether the unbound server forks into the background as
350a daemon. Default is yes.
351.TP
352.B access\-control: \fI<IP netblock> <action>
353The netblock is given as an IP4 or IP6 address with /size appended for a
354classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
355\fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR.
356.IP
357The action \fIdeny\fR stops queries from hosts from that netblock.
358.IP
359The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED
360error message back.
361.IP
362The action \fIallow\fR gives access to clients from that netblock.
363It gives only access for recursion clients (which is
364what almost all clients need). Nonrecursive queries are refused.
365.IP
366The \fIallow\fR action does allow nonrecursive queries to access the
367local\-data that is configured. The reason is that this does not involve
368the unbound server recursive lookup algorithm, and static data is served
369in the reply. This supports normal operations where nonrecursive queries
370are made for the authoritative data. For nonrecursive queries any replies
371from the dynamic cache are refused.
372.IP
373The action \fIallow_snoop\fR gives nonrecursive access too. This give
374both recursive and non recursive access. The name \fIallow_snoop\fR refers
375to cache snooping, a technique to use nonrecursive queries to examine
376the cache contents (for malicious acts). However, nonrecursive queries can
377also be a valuable debugging tool (when you want to examine the cache
378contents). In that case use \fIallow_snoop\fR for your administration host.
379.IP
380By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd.
381The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
382protocol is not designed to handle dropped packets due to policy, and
383dropping may result in (possibly excessive) retried queries.
384.IP
385The deny_non_local and refuse_non_local settings are for hosts that are
386only allowed to query for the authoritative local\-data, they are not
387allowed full recursion but only the static data. With deny_non_local,
388messages that are disallowed are dropped, with refuse_non_local they
389receive error code REFUSED.
390.TP
391.B chroot: \fI<directory>
392If chroot is enabled, you should pass the configfile (from the
393commandline) as a full path from the original root. After the
394chroot has been performed the now defunct portion of the config
395file path is removed to be able to reread the config after a reload.
396.IP
397All other file paths (working dir, logfile, roothints, and
398key files) can be specified in several ways:
399as an absolute path relative to the new root,
400as a relative path to the working directory, or
401as an absolute path relative to the original root.
402In the last case the path is adjusted to remove the unused portion.
403.IP
404The pidfile can be either a relative path to the working directory, or
405an absolute path relative to the original root. It is written just prior
406to chroot and dropping permissions. This allows the pidfile to be
407/var/run/unbound.pid and the chroot to be /var/unbound, for example.
408.IP
409Additionally, unbound may need to access /dev/random (for entropy)
410from inside the chroot.
411.IP
412If given a chroot is done to the given directory. The default is
413"@UNBOUND_CHROOT_DIR@". If you give "" no chroot is performed.
414.TP
415.B username: \fI<name>
416If given, after binding the port the user privileges are dropped. Default is
417"@UNBOUND_USERNAME@". If you give username: "" no user change is performed.
418.IP
419If this user is not capable of binding the
420port, reloads (by signal HUP) will still retain the opened ports.
421If you change the port number in the config file, and that new port number
422requires privileges, then a reload will fail; a restart is needed.
423.TP
424.B directory: \fI<directory>
425Sets the working directory for the program. Default is "@UNBOUND_RUN_DIR@".
426.TP
427.B logfile: \fI<filename>
428If "" is given, logging goes to stderr, or nowhere once daemonized.
429The logfile is appended to, in the following format:
430.nf
431[seconds since 1970] unbound[pid:tid]: type: message.
432.fi
433If this option is given, the use\-syslog is option is set to "no".
434The logfile is reopened (for append) when the config file is reread, on
435SIGHUP.
436.TP
437.B use\-syslog: \fI<yes or no>
438Sets unbound to send log messages to the syslogd, using
439\fIsyslog\fR(3).
440The log facility LOG_DAEMON is used, with identity "unbound".
441The logfile setting is overridden when use\-syslog is turned on.
442The default is to log to syslog.
443.TP
444.B log\-time\-ascii: \fI<yes or no>
445Sets logfile lines to use a timestamp in UTC ascii. Default is no, which
446prints the seconds since 1970 in brackets. No effect if using syslog, in
447that case syslog formats the timestamp printed into the log files.
448.TP
449.B log\-queries: \fI<yes or no>
450Prints one line per query to the log, with the log timestamp and IP address,
451name, type and class. Default is no. Note that it takes time to print these
452lines which makes the server (significantly) slower. Odd (nonprintable)
453characters in names are printed as '?'.
454.TP
455.B pidfile: \fI<filename>
456The process id is written to the file. Default is "@UNBOUND_PIDFILE@".
457So,
458.nf
459kill \-HUP `cat @UNBOUND_PIDFILE@`
460.fi
461triggers a reload,
462.nf
463kill \-QUIT `cat @UNBOUND_PIDFILE@`
464.fi
465gracefully terminates.
466.TP
467.B root\-hints: \fI<filename>
468Read the root hints from this file. Default is nothing, using builtin hints
469for the IN class. The file has the format of zone files, with root
470nameserver names and addresses only. The default may become outdated,
471when servers change, therefore it is good practice to use a root\-hints file.
472.TP
473.B hide\-identity: \fI<yes or no>
474If enabled id.server and hostname.bind queries are refused.
475.TP
476.B identity: \fI<string>
477Set the identity to report. If set to "", the default, then the hostname
478of the server is returned.
479.TP
480.B hide\-version: \fI<yes or no>
481If enabled version.server and version.bind queries are refused.
482.TP
483.B version: \fI<string>
484Set the version to report. If set to "", the default, then the package
485version is returned.
486.TP
487.B target\-fetch\-policy: \fI<"list of numbers">
488Set the target fetch policy used by unbound to determine if it should fetch
489nameserver target addresses opportunistically. The policy is described per
490dependency depth.
491.IP
492The number of values determines the maximum dependency depth
493that unbound will pursue in answering a query.
494A value of \-1 means to fetch all targets opportunistically for that dependency
495depth. A value of 0 means to fetch on demand only. A positive value fetches
496that many targets opportunistically.
497.IP
498Enclose the list between quotes ("") and put spaces between numbers.
499The default is "3 2 1 0 0". Setting all zeroes, "0 0 0 0 0" gives behaviour
500closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour
501rumoured to be closer to that of BIND 8.
502.TP
503.B harden\-short\-bufsize: \fI<yes or no>
504Very small EDNS buffer sizes from queries are ignored. Default is off, since
505it is legal protocol wise to send these, and unbound tries to give very
506small answers to these queries, where possible.
507.TP
508.B harden\-large\-queries: \fI<yes or no>
509Very large queries are ignored. Default is off, since it is legal protocol
510wise to send these, and could be necessary for operation if TSIG or EDNS
511payload is very large.
512.TP
513.B harden\-glue: \fI<yes or no>
514Will trust glue only if it is within the servers authority. Default is on.
515.TP
516.B harden\-dnssec\-stripped: \fI<yes or no>
517Require DNSSEC data for trust\-anchored zones, if such data is absent,
518the zone becomes bogus. If turned off, and no DNSSEC data is received
519(or the DNSKEY data fails to validate), then the zone is made insecure,
520this behaves like there is no trust anchor. You could turn this off if
521you are sometimes behind an intrusive firewall (of some sort) that
522removes DNSSEC data from packets, or a zone changes from signed to
523unsigned to badly signed often. If turned off you run the risk of a
524downgrade attack that disables security for a zone. Default is on.
525.TP
526.B harden\-below\-nxdomain: \fI<yes or no>
527From draft\-vixie\-dnsext\-resimprove, returns nxdomain to queries for a name
528below another name that is already known to be nxdomain. DNSSEC mandates
529noerror for empty nonterminals, hence this is possible. Very old software
530might return nxdomain for empty nonterminals (that usually happen for reverse
531IP address lookups), and thus may be incompatible with this. To try to avoid
532this only DNSSEC-secure nxdomains are used, because the old software does not
533have DNSSEC. Default is off.
534.TP
535.B harden\-referral\-path: \fI<yes or no>
536Harden the referral path by performing additional queries for
537infrastructure data. Validates the replies if trust anchors are configured
538and the zones are signed. This enforces DNSSEC validation on nameserver
539NS sets and the nameserver addresses that are encountered on the referral
540path to the answer.
541Default off, because it burdens the authority servers, and it is
542not RFC standard, and could lead to performance problems because of the
543extra query load that is generated. Experimental option.
544If you enable it consider adding more numbers after the target\-fetch\-policy
545to increase the max depth that is checked to.
546.TP
547.B use\-caps\-for\-id: \fI<yes or no>
548Use 0x20\-encoded random bits in the query to foil spoof attempts.
549This perturbs the lowercase and uppercase of query names sent to
550authority servers and checks if the reply still has the correct casing.
551Disabled by default.
552This feature is an experimental implementation of draft dns\-0x20.
553.TP
554.B private\-address: \fI<IP address or subnet>
555Give IPv4 of IPv6 addresses or classless subnets. These are addresses
556on your private network, and are not allowed to be returned for public
557internet names. Any occurence of such addresses are removed from
558DNS answers. Additionally, the DNSSEC validator may mark the answers
559bogus. This protects against so\-called DNS Rebinding, where a user browser
560is turned into a network proxy, allowing remote access through the browser
561to other parts of your private network. Some names can be allowed to
562contain your private addresses, by default all the \fBlocal\-data\fR
563that you configured is allowed to, and you can specify additional
564names using \fBprivate\-domain\fR. No private addresses are enabled
565by default. We consider to enable this for the RFC1918 private IP
566address space by default in later releases. That would enable private
567addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
568fd00::/8 and fe80::/10, since the RFC standards say these addresses
569should not be visible on the public internet. Turning on 127.0.0.0/8
570would hinder many spamblocklists as they use that.
571.TP
572.B private\-domain: \fI<domain name>
573Allow this domain, and all its subdomains to contain private addresses.
574Give multiple times to allow multiple domain names to contain private
575addresses. Default is none.
576.TP
577.B unwanted\-reply\-threshold: \fI<number>
578If set, a total number of unwanted replies is kept track of in every thread.
579When it reaches the threshold, a defensive action is taken and a warning
580is printed to the log. The defensive action is to clear the rrset and
581message caches, hopefully flushing away any poison. A value of 10 million
582is suggested. Default is 0 (turned off).
583.TP
584.B do\-not\-query\-address: \fI<IP address>
585Do not query the given IP address. Can be IP4 or IP6. Append /num to
586indicate a classless delegation netblock, for example like
58710.2.3.4/24 or 2001::11/64.
588.TP
589.B do\-not\-query\-localhost: \fI<yes or no>
590If yes, localhost is added to the do\-not\-query\-address entries, both
591IP6 ::1 and IP4 127.0.0.1/8. If no, then localhost can be used to send
592queries to. Default is yes.
593.TP
594.B prefetch: \fI<yes or no>
595If yes, message cache elements are prefetched before they expire to
596keep the cache up to date. Default is no. Turning it on gives about
59710 percent more traffic and load on the machine, but popular items do
598not expire from the cache.
599.TP
600.B prefetch-key: \fI<yes or no>
601If yes, fetch the DNSKEYs earlier in the validation process, when a DS
602record is encountered. This lowers the latency of requests. It does use
603a little more CPU. Also if the cache is set to 0, it is no use. Default is no.
604.TP
605.B rrset-roundrobin: \fI<yes or no>
606If yes, Unbound rotates RRSet order in response (the random number is taken
607from the query ID, for speed and thread safety). Default is no.
608.TP
609.B minimal-responses: \fI<yes or no>
610If yes, Unbound doesn't insert authority/additional sections into response
611messages when those sections are not required. This reduces response
612size significantly, and may avoid TCP fallback for some responses.
613This may cause a slight speedup. The default is no, because the DNS
614protocol RFCs mandate these sections, and the additional content could
615be of use and save roundtrips for clients.
616.TP
617.B module\-config: \fI<"module names">
618Module configuration, a list of module names separated by spaces, surround
619the string with quotes (""). The modules can be validator, iterator.
620Setting this to "iterator" will result in a non\-validating server.
621Setting this to "validator iterator" will turn on DNSSEC validation.
622The ordering of the modules is important.
623You must also set trust\-anchors for validation to be useful.
624.TP
625.B trust\-anchor\-file: \fI<filename>
626File with trusted keys for validation. Both DS and DNSKEY entries can appear
627in the file. The format of the file is the standard DNS Zone file format.
628Default is "", or no trust anchor file.
629.TP
630.B auto\-trust\-anchor\-file: \fI<filename>
631File with trust anchor for one zone, which is tracked with RFC5011 probes.
632The probes are several times per month, thus the machine must be online
633frequently. The initial file can be one with contents as described in
634\fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated,
635so the unbound user must have write permission.
636.TP
637.B trust\-anchor: \fI<"Resource Record">
638A DS or DNSKEY RR for a key to use for validation. Multiple entries can be
639given to specify multiple trusted keys, in addition to the trust\-anchor\-files.
640The resource record is entered in the same format as 'dig' or 'drill' prints
641them, the same format as in the zone file. Has to be on a single line, with
642"" around it. A TTL can be specified for ease of cut and paste, but is ignored.
643A class can be specified, but class IN is default.
644.TP
645.B trusted\-keys\-file: \fI<filename>
646File with trusted keys for validation. Specify more than one file
647with several entries, one file per entry. Like \fBtrust\-anchor\-file\fR
648but has a different file format. Format is BIND\-9 style format,
649the trusted\-keys { name flag proto algo "key"; }; clauses are read.
650It is possible to use wildcards with this statement, the wildcard is
651expanded on start and on reload.
652.TP
653.B dlv\-anchor\-file: \fI<filename>
654File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and
655DNSKEY entries can be used in the file, in the same format as for
656\fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more
657would be slow. The DLV configured is used as a root trusted DLV, this
658means that it is a lookaside for the root. Default is "", or no dlv anchor file.
659.TP
660.B dlv\-anchor: \fI<"Resource Record">
661Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline.
662.TP
663.B domain\-insecure: \fI<domain name>
664Sets domain name to be insecure, DNSSEC chain of trust is ignored towards
665the domain name. So a trust anchor above the domain name can not make the
666domain secure with a DS record, such a DS record is then ignored.
667Also keys from DLV are ignored for the domain. Can be given multiple times
668to specify multiple domains that are treated as if unsigned. If you set
669trust anchors for the domain they override this setting (and the domain
670is secured).
671.IP
672This can be useful if you want to make sure a trust anchor for external
673lookups does not affect an (unsigned) internal domain. A DS record
674externally can create validation failures for that internal domain.
675.TP
676.B val\-override\-date: \fI<rrsig\-style date spec>
677Default is "" or "0", which disables this debugging feature. If enabled by
678giving a RRSIG style date, that date is used for verifying RRSIG inception
679and expiration dates, instead of the current date. Do not set this unless
680you are debugging signature inception and expiration. The value \-1 ignores
681the date altogether, useful for some special applications.
682.TP
683.B val\-sig\-skew\-min: \fI<seconds>
684Minimum number of seconds of clock skew to apply to validated signatures.
685A value of 10% of the signature lifetime (expiration \- inception) is
686used, capped by this setting. Default is 3600 (1 hour) which allows for
687daylight savings differences. Lower this value for more strict checking
688of short lived signatures.
689.TP
690.B val\-sig\-skew\-max: \fI<seconds>
691Maximum number of seconds of clock skew to apply to validated signatures.
692A value of 10% of the signature lifetime (expiration \- inception)
693is used, capped by this setting. Default is 86400 (24 hours) which
694allows for timezone setting problems in stable domains. Setting both
695min and max very low disables the clock skew allowances. Setting both
696min and max very high makes the validator check the signature timestamps
697less strictly.
698.TP
699.B val\-bogus\-ttl: \fI<number>
700The time to live for bogus data. This is data that has failed validation;
701due to invalid signatures or other checks. The TTL from that data cannot be
702trusted, and this value is used instead. The value is in seconds, default 60.
703The time interval prevents repeated revalidation of bogus data.
704.TP
705.B val\-clean\-additional: \fI<yes or no>
706Instruct the validator to remove data from the additional section of secure
707messages that are not signed properly. Messages that are insecure, bogus,
708indeterminate or unchecked are not affected. Default is yes. Use this setting
709to protect the users that rely on this validator for authentication from
710protentially bad data in the additional section.
711.TP
712.B val\-log\-level: \fI<number>
713Have the validator print validation failures to the log. Regardless of
714the verbosity setting. Default is 0, off. At 1, for every user query
715that fails a line is printed to the logs. This way you can monitor what
716happens with validation. Use a diagnosis tool, such as dig or drill,
717to find out why validation is failing for these queries. At 2, not only
718the query that failed is printed but also the reason why unbound thought
719it was wrong and which server sent the faulty data.
720.TP
721.B val\-permissive\-mode: \fI<yes or no>
722Instruct the validator to mark bogus messages as indeterminate. The security
723checks are performed, but if the result is bogus (failed security), the
724reply is not withheld from the client with SERVFAIL as usual. The client
725receives the bogus data. For messages that are found to be secure the AD bit
726is set in replies. Also logging is performed as for full validation.
727The default value is "no".
728.TP
729.B ignore\-cd\-flag: \fI<yes or no>
730Instruct unbound to ignore the CD flag from clients and refuse to
731return bogus answers to them. Thus, the CD (Checking Disabled) flag
732does not disable checking any more. This is useful if legacy (w2008)
733servers that set the CD flag but cannot validate DNSSEC themselves are
734the clients, and then unbound provides them with DNSSEC protection.
735The default value is "no".
736.TP
737.B val\-nsec3\-keysize\-iterations: \fI<"list of values">
738List of keysize and iteration count values, separated by spaces, surrounded
739by quotes. Default is "1024 150 2048 500 4096 2500". This determines the
740maximum allowed NSEC3 iteration count before a message is simply marked
741insecure instead of performing the many hashing iterations. The list must
742be in ascending order and have at least one entry. If you set it to
743"1024 65535" there is no restriction to NSEC3 iteration values.
744This table must be kept short; a very long list could cause slower operation.
745.TP
746.B add\-holddown: \fI<seconds>
747Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
748autotrust updates to add new trust anchors only after they have been
749visible for this time. Default is 30 days as per the RFC.
750.TP
751.B del\-holddown: \fI<seconds>
752Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
753autotrust updates to remove revoked trust anchors after they have been
754kept in the revoked list for this long. Default is 30 days as per
755the RFC.
756.TP
757.B keep\-missing: \fI<seconds>
758Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
759autotrust updates to remove missing trust anchors after they have been
760unseen for this long. This cleans up the state file if the target zone
761does not perform trust anchor revocation, so this makes the auto probe
762mechanism work with zones that perform regular (non\-5011) rollovers.
763The default is 366 days. The value 0 does not remove missing anchors,
764as per the RFC.
765.TP
766.B key\-cache\-size: \fI<number>
767Number of bytes size of the key cache. Default is 4 megabytes.
768A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
769or gigabytes (1024*1024 bytes in a megabyte).
770.TP
771.B key\-cache\-slabs: \fI<number>
772Number of slabs in the key cache. Slabs reduce lock contention by threads.
773Must be set to a power of 2. Setting (close) to the number of cpus is a
774reasonable guess.
775.TP
776.B neg\-cache\-size: \fI<number>
777Number of bytes size of the aggressive negative cache. Default is 1 megabyte.
778A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
779or gigabytes (1024*1024 bytes in a megabyte).
780.TP
781.B unblock\-lan\-zones: \fI<yesno>
782Default is disabled. If enabled, then for private address space,
783the reverse lookups are no longer filtered. This allows unbound when
784running as dns service on a host where it provides service for that host,
785to put out all of the queries for the 'lan' upstream. When enabled,
786only localhost, 127.0.0.1 reverse and ::1 reverse zones are configured
787with default local zones. Disable the option when unbound is running
788as a (DHCP-) DNS network resolver for a group of machines, where such
789lookups should be filtered (RFC compliance), this also stops potential
790data leakage about the local network to the upstream DNS servers.
791.TP
792.B local\-zone: \fI<zone> <type>
793Configure a local zone. The type determines the answer to give if
794there is no match from local\-data. The types are deny, refuse, static,
795transparent, redirect, nodefault, typetransparent, and are explained
796below. After that the default settings are listed. Use local\-data: to
797enter data into the local zone. Answers for local zones are authoritative
798DNS answers. By default the zones are class IN.
799.IP
800If you need more complicated authoritative data, with referrals, wildcards,
801CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for
802it as detailed in the stub zone section below.
803.TP 10
804\h'5'\fIdeny\fR
805Do not send an answer, drop the query.
806If there is a match from local data, the query is answered.
807.TP 10
808\h'5'\fIrefuse\fR
809Send an error message reply, with rcode REFUSED.
810If there is a match from local data, the query is answered.
811.TP 10
812\h'5'\fIstatic\fR
813If there is a match from local data, the query is answered.
814Otherwise, the query is answered with nodata or nxdomain.
815For a negative answer a SOA is included in the answer if present
816as local\-data for the zone apex domain.
817.TP 10
818\h'5'\fItransparent\fR
819If there is a match from local data, the query is answered.
820Otherwise if the query has a different name, the query is resolved normally.
821If the query is for a name given in localdata but no such type of data is
822given in localdata, then a noerror nodata answer is returned.
823If no local\-zone is given local\-data causes a transparent zone
824to be created by default.
825.TP 10
826\h'5'\fItypetransparent\fR
827If there is a match from local data, the query is answered. If the query
828is for a different name, or for the same name but for a different type,
829the query is resolved normally. So, similar to transparent but types
830that are not listed in local data are resolved normally, so if an A record
831is in the local data that does not cause a nodata reply for AAAA queries.
832.TP 10
833\h'5'\fIredirect\fR
834The query is answered from the local data for the zone name.
835There may be no local data beneath the zone name.
836This answers queries for the zone, and all subdomains of the zone
837with the local data for the zone.
838It can be used to redirect a domain to return a different address record
839to the end user, with
840local\-zone: "example.com." redirect and
841local\-data: "example.com. A 127.0.0.1"
842queries for www.example.com and www.foo.example.com are redirected, so
843that users with web browsers cannot access sites with suffix example.com.
844.TP 10
845\h'5'\fInodefault\fR
846Used to turn off default contents for AS112 zones. The other types
847also turn off default contents for the zone. The 'nodefault' option
848has no other effect than turning off default contents for the
849given zone.
850.P
851The default zones are localhost, reverse 127.0.0.1 and ::1, and the AS112
852zones. The AS112 zones are reverse DNS zones for private use and reserved
853IP addresses for which the servers on the internet cannot provide correct
854answers. They are configured by default to give nxdomain (no reverse
855information) answers. The defaults can be turned off by specifying your
856own local\-zone of that name, or using the 'nodefault' type. Below is a
857list of the default zone contents.
858.TP 10
859\h'5'\fIlocalhost\fR
860The IP4 and IP6 localhost information is given. NS and SOA records are provided
861for completeness and to satisfy some DNS update tools. Default content:
862.nf
863local\-zone: "localhost." static
864local\-data: "localhost. 10800 IN NS localhost."
865local\-data: "localhost. 10800 IN
866 SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
867local\-data: "localhost. 10800 IN A 127.0.0.1"
868local\-data: "localhost. 10800 IN AAAA ::1"
869.fi
870.TP 10
871\h'5'\fIreverse IPv4 loopback\fR
872Default content:
873.nf
874local\-zone: "127.in\-addr.arpa." static
875local\-data: "127.in\-addr.arpa. 10800 IN NS localhost."
876local\-data: "127.in\-addr.arpa. 10800 IN
877 SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
878local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN
879 PTR localhost."
880.fi
881.TP 10
882\h'5'\fIreverse IPv6 loopback\fR
883Default content:
884.nf
885local\-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
886 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." static
887local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
888 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
889 NS localhost."
890local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
891 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
892 SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
893local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
894 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
895 PTR localhost."
896.fi
897.TP 10
898\h'5'\fIreverse RFC1918 local use zones\fR
899Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to
90031.172.in\-addr.arpa, 168.192.in\-addr.arpa.
901The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS
902records are provided.
903.TP 10
904\h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR
905Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa,
9062.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2),
907113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa.
908.TP 10
909\h'5'\fIreverse RFC4291 IP6 unspecified\fR
910Reverse data for zone
911.nf
9120.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
9130.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
914.fi
915.TP 10
916\h'5'\fIreverse RFC4193 IPv6 Locally Assigned Local Addresses\fR
917Reverse data for zone D.F.ip6.arpa.
918.TP 10
919\h'5'\fIreverse RFC4291 IPv6 Link Local Addresses\fR
920Reverse data for zones 8.E.F.ip6.arpa to B.E.F.ip6.arpa.
921.TP 10
922\h'5'\fIreverse IPv6 Example Prefix\fR
923Reverse data for zone 8.B.D.0.1.0.0.2.ip6.arpa. This zone is used for
924tutorials and examples. You can remove the block on this zone with:
925.nf
926 local\-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault
927.fi
928You can also selectively unblock a part of the zone by making that part
929transparent with a local\-zone statement.
930This also works with the other default zones.
931.\" End of local-zone listing.
932.TP 5
933.B local\-data: \fI"<resource record string>"
934Configure local data, which is served in reply to queries for it.
935The query has to match exactly unless you configure the local\-zone as
936redirect. If not matched exactly, the local\-zone type determines
937further processing. If local\-data is configured that is not a subdomain of
938a local\-zone, a transparent local\-zone is configured.
939For record types such as TXT, use single quotes, as in
940local\-data: 'example. TXT "text"'.
941.IP
942If you need more complicated authoritative data, with referrals, wildcards,
943CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for
944it as detailed in the stub zone section below.
945.TP 5
946.B local\-data\-ptr: \fI"IPaddr name"
947Configure local data shorthand for a PTR record with the reversed IPv4 or
948IPv6 address and the host name. For example "192.0.2.4 www.example.com".
949TTL can be inserted like this: "2001:DB8::4 7200 www.example.com"
950.SS "Remote Control Options"
951In the
952.B remote\-control:
953clause are the declarations for the remote control facility. If this is
954enabled, the \fIunbound\-control\fR(8) utility can be used to send
955commands to the running unbound server. The server uses these clauses
956to setup SSLv3 / TLSv1 security for the connection. The
957\fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR
958section for options. To setup the correct self\-signed certificates use the
959\fIunbound\-control\-setup\fR(8) utility.
960.TP 5
961.B control\-enable: \fI<yes or no>
962The option is used to enable remote control, default is "no".
963If turned off, the server does not listen for control commands.
964.TP 5
965.B control\-interface: <ip address>
966Give IPv4 or IPv6 addresses to listen on for control commands.
967By default localhost (127.0.0.1 and ::1) is listened to.
968Use 0.0.0.0 and ::0 to listen to all interfaces.
969.TP 5
970.B control\-port: <port number>
971The port number to listen on for control commands, default is 8953.
972If you change this port number, and permissions have been dropped,
973a reload is not sufficient to open the port again, you must then restart.
974.TP 5
975.B server\-key\-file: "<private key file>"
976Path to the server private key, by default unbound_server.key.
977This file is generated by the \fIunbound\-control\-setup\fR utility.
978This file is used by the unbound server, but not by \fIunbound\-control\fR.
979.TP 5
980.B server\-cert\-file: "<certificate file.pem>"
981Path to the server self signed certificate, by default unbound_server.pem.
982This file is generated by the \fIunbound\-control\-setup\fR utility.
983This file is used by the unbound server, and also by \fIunbound\-control\fR.
984.TP 5
985.B control\-key\-file: "<private key file>"
986Path to the control client private key, by default unbound_control.key.
987This file is generated by the \fIunbound\-control\-setup\fR utility.
988This file is used by \fIunbound\-control\fR.
989.TP 5
990.B control\-cert\-file: "<certificate file.pem>"
991Path to the control client certificate, by default unbound_control.pem.
992This certificate has to be signed with the server certificate.
993This file is generated by the \fIunbound\-control\-setup\fR utility.
994This file is used by \fIunbound\-control\fR.
995.SS "Stub Zone Options"
996.LP
997There may be multiple
998.B stub\-zone:
999clauses. Each with a name: and zero or more hostnames or IP addresses.
1000For the stub zone this list of nameservers is used. Class IN is assumed.
1001The servers should be authority servers, not recursors; unbound performs
1002the recursive processing itself for stub zones.
1003.P
1004The stub zone can be used to configure authoritative data to be used
1005by the resolver that cannot be accessed using the public internet servers.
1006This is useful for company\-local data or private zones. Setup an
1007authoritative server on a different host (or different port). Enter a config
1008entry for unbound with
1009.B stub\-addr:
1010<ip address of host[@port]>.
1011The unbound resolver can then access the data, without referring to the
1012public internet for it.
1013.P
1014This setup allows DNSSEC signed zones to be served by that
1015authoritative server, in which case a trusted key entry with the public key
1016can be put in config, so that unbound can validate the data and set the AD
1017bit on replies for the private zone (authoritative servers do not set the
1018AD bit). This setup makes unbound capable of answering queries for the
1019private zone, and can even set the AD bit ('authentic'), but the AA
1020('authoritative') bit is not set on these replies.
1021.TP
1022.B name: \fI<domain name>
1023Name of the stub zone.
1024.TP
1025.B stub\-host: \fI<domain name>
1026Name of stub zone nameserver. Is itself resolved before it is used.
1027.TP
1028.B stub\-addr: \fI<IP address>
1029IP address of stub zone nameserver. Can be IP 4 or IP 6.
1030To use a nondefault port for DNS communication append '@' with the port number.
1031.TP
1032.B stub\-prime: \fI<yes or no>
1033This option is by default off. If enabled it performs NS set priming,
1034which is similar to root hints, where it starts using the list of nameservers
1035currently published by the zone. Thus, if the hint list is slightly outdated,
1036the resolver picks up a correct list online.
1037.TP
1038.B stub\-first: \fI<yes or no>
1039If enabled, a query is attempted without the stub clause if it fails.
1040The data could not be retrieved and would have caused SERVFAIL because
1041the servers are unreachable, instead it is tried without this clause.
1042The default is no.
1043.SS "Forward Zone Options"
1044.LP
1045There may be multiple
1046.B forward\-zone:
1047clauses. Each with a \fBname:\fR and zero or more hostnames or IP
1048addresses. For the forward zone this list of nameservers is used to
1049forward the queries to. The servers listed as \fBforward\-host:\fR and
1050\fBforward\-addr:\fR have to handle further recursion for the query. Thus,
1051those servers are not authority servers, but are (just like unbound is)
1052recursive servers too; unbound does not perform recursion itself for the
1053forward zone, it lets the remote server do it. Class IN is assumed.
1054A forward\-zone entry with name "." and a forward\-addr target will
1055forward all queries to that other server (unless it can answer from
1056the cache).
1057.TP
1058.B name: \fI<domain name>
1059Name of the forward zone.
1060.TP
1061.B forward\-host: \fI<domain name>
1062Name of server to forward to. Is itself resolved before it is used.
1063.TP
1064.B forward\-addr: \fI<IP address>
1065IP address of server to forward to. Can be IP 4 or IP 6.
1066To use a nondefault port for DNS communication append '@' with the port number.
1067.TP
1068.B forward\-first: \fI<yes or no>
1069If enabled, a query is attempted without the forward clause if it fails.
1070The data could not be retrieved and would have caused SERVFAIL because
1071the servers are unreachable, instead it is tried without this clause.
1072The default is no.
1073.SS "Python Module Options"
1074.LP
1075The
1076.B python:
1077clause gives the settings for the \fIpython\fR(1) script module. This module
1078acts like the iterator and validator modules do, on queries and answers.
1079To enable the script module it has to be compiled into the daemon,
1080and the word "python" has to be put in the \fBmodule\-config:\fR option
1081(usually first, or between the validator and iterator).
1082.TP
1083.B python\-script: \fI<python file>\fR
1084The script file to load.
1085.SH "MEMORY CONTROL EXAMPLE"
1086In the example config settings below memory usage is reduced. Some service
1087levels are lower, notable very large data and a high TCP load are no longer
1088supported. Very large data and high TCP loads are exceptional for the DNS.
1089DNSSEC validation is enabled, just add trust anchors.
1090If you do not have to worry about programs using more than 3 Mb of memory,
1091the below example is not for you. Use the defaults to receive full service,
1092which on BSD\-32bit tops out at 30\-40 Mb after heavy usage.
1093.P
1094.nf
1095# example settings that reduce memory usage
1096server:
1097 num\-threads: 1
1098 outgoing\-num\-tcp: 1 # this limits TCP service, uses less buffers.
1099 incoming\-num\-tcp: 1
1100 outgoing\-range: 60 # uses less memory, but less performance.
1101 msg\-buffer\-size: 8192 # note this limits service, 'no huge stuff'.
1102 msg\-cache\-size: 100k
1103 msg\-cache\-slabs: 1
1104 rrset\-cache\-size: 100k
1105 rrset\-cache\-slabs: 1
1106 infra\-cache\-numhosts: 200
1107 infra\-cache\-slabs: 1
1108 key\-cache\-size: 100k
1109 key\-cache\-slabs: 1
1110 neg\-cache\-size: 10k
1111 num\-queries\-per\-thread: 30
1112 target\-fetch\-policy: "2 1 0 0 0 0"
1113 harden\-large\-queries: "yes"
1114 harden\-short\-bufsize: "yes"
1115.fi
1116.SH "FILES"
1117.TP
1118.I @UNBOUND_RUN_DIR@
1119default unbound working directory.
1120.TP
1121.I @UNBOUND_CHROOT_DIR@
1122default
1123\fIchroot\fR(2)
1124location.
1125.TP
1126.I @ub_conf_file@
1127unbound configuration file.
1128.TP
1129.I @UNBOUND_PIDFILE@
1130default unbound pidfile with process ID of the running daemon.
1131.TP
1132.I unbound.log
1133unbound log file. default is to log to
1134\fIsyslog\fR(3).
1135.SH "SEE ALSO"
1136\fIunbound\fR(8),
1137\fIunbound\-checkconf\fR(8).
1138.SH "AUTHORS"
1139.B Unbound
1140was written by NLnet Labs. Please see CREDITS file
1141in the distribution for further details.