History log of /openbsd-current/etc/unbound.conf
Revision Date Author Comments
# 1.21 28-Oct-2020 sthen

Remove commented-out edns-buffer-size section from the default unbound.conf.

The default in Unbound (and other DNS server software in the recent "DNS flag
day") changed to 1232 bytes, this avoids problems due to fragmented packets
(fragments can result in blackholes and also enable some attack vectors)
so there's now little reason to reduce this from defaults, and increasing
it is more of a specialist use case that isn't really needed in this
streamlined default config.


Revision tags: OPENBSD_6_8_BASE
# 1.20 21-Jun-2020 sthen

tidy wording from when dnssec was enabled/disabled/reenabled
ok kn gsoares


Revision tags: OPENBSD_6_7_BASE
# 1.19 07-Nov-2019 sthen

Reenable "val-log-level: 2", so that when sites have misconfigured
dnssec the sysadmin has some idea what's going on in logs, and
"aggressive-nsec: yes", if we're using dnssec anyway we might as well
get the benefits. These were both enabled last time dnssec was enabled
in this sample unbound.conf.

ok florian@


# 1.18 07-Nov-2019 job

Enable DNSSEC validation in unbound by default

OK deraadt@ otto@


Revision tags: OPENBSD_6_6_BASE
# 1.17 25-Aug-2019 ajacoutot

space -> tabs

ok deraadt@ kn@


# 1.16 26-Jul-2019 sthen

standard DoT port is 853 not 953; from myportslist20190323 at nym.hush.com


# 1.15 15-Jul-2019 dtucker

Add tls-cert-bundle and example of using a DNS-over-TLS forwarder.
Note that, at this time, Unbound does not re-use TLS connections
(https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4089) so the
TCP and TLS handshakes will cause a disproportionate increase in
latency compared to UDP. ok sthen@ florian@


Revision tags: OPENBSD_6_5_BASE
# 1.14 16-Dec-2018 tim

Remove control-use-cert. It is ignored for local sockets (since unbound 1.7.3).

OK florian@ sthen@


# 1.13 12-Dec-2018 sthen

add commented-out "val-log-level: 2" next to the uncommentable line to
enable dnssec validation, it's really useful for debug


# 1.12 11-Dec-2018 florian

the world is not ready for dnssec enabled by default


# 1.11 10-Dec-2018 sthen

remove qname-minimisation from sample config, this was turned on by
default upstream in 1.7.2 (picked up by us with the update to 1.7.3).

ok florian@


# 1.10 07-Dec-2018 sthen

Remove public resolver IP addresses, just provide a neutral "documentation
prefix" address instead - there are so many available with varying
policies that this isn't a good place to list them (and might imply
some kind of recommendation which is not intended).

Particularly prompted by several on the previous list (he.net and opendns)
strip RRSIG from results which cause DNSSEC failures now that validation
is enabled in the example config as noticed by solene@.

While there, shrink qname-minimisation comment to match other nearby
comments, and drop dns64 example which is quite a specialist use case
and not really needed in this basic example.


# 1.9 07-Dec-2018 florian

Enable DNSSEC validation.
Requested by & OK claudio
Input & OK sthen
OK job, solene
Various commenting that they run with validation for a long time
without issues.


Revision tags: OPENBSD_6_4_BASE
# 1.8 29-Mar-2018 florian

Add aggressive-nsec example block.
While here, qname minimisation has been an RFC for some time.

tweak & OK sthen


Revision tags: OPENBSD_6_0_BASE OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.7 30-Mar-2016 sthen

add "outgoing-interface" to sample unbound.conf


Revision tags: OPENBSD_5_9_BASE
# 1.6 15-Dec-2015 sthen

add commented-out unbound.conf entries for dns64 (sitting in my tree and ok'd
some time ago by phessler and IIRC also mikeb), and for qname-minimisation


Revision tags: OPENBSD_5_8_BASE
# 1.5 19-Jul-2015 sthen

change default unbound config to enable the control socket, without using
keys/certificates for auth. ok florian@


Revision tags: OPENBSD_5_6_BASE OPENBSD_5_7_BASE
# 1.4 02-Apr-2014 millert

Fix syntax error in commented out local-zone entry. OK sthen@


# 1.3 23-Mar-2014 sthen

Remove commented-out module-config line, it is already set to "validator
iterator" by default. Pointed out by Patrik Lundin.


# 1.2 21-Mar-2014 sthen

Install a /var/unbound/db directory, writable by the _unbound daemon,
and use it as the default location for the DNSSEC root key. Update default
config for this location.

With this, the only step required to enable DNSSEC validation is to
uncomment these default config entries and restart:

#module-config: "validator iterator"
#auto-trust-anchor-file: "/var/unbound/db/root.key"

There is no longer a requirement to run unbound-anchor manually to
update the root key. The rc.d script will take care of updates at boot,
and Unbound will manage the file itself at runtime.

Test with "dig test.dnssec-or-not.net txt @127.0.0.1" or similar.
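Added example, not part of the commit message above: a small sh(1) helper that classifies the dig(1) output from the test described in this commit, so the sysadmin can tell whether the local Unbound is really validating. It reads only the header lines dig prints, and the sample outputs embedded below are constructed, not real captures.

```shell
#!/bin/sh
# dnssec_status: decide from dig(1) output whether the resolver that answered
# is validating DNSSEC.
#
# A validating resolver sets the AD (authentic data) flag on answers from a
# signed zone (provided the query carried the DO or AD bit, which dig +dnssec
# does) and answers SERVFAIL when the data in a signed zone fails validation.
# A resolver that is not validating never sets AD and hands back whatever it
# received with NOERROR.
#
# Note: SERVFAIL does not only mean a genuinely bogus zone; an upstream
# forwarder that strips RRSIG records (see the 1.10 log entry) produces the
# same symptom once validation is enabled.
#
# $1: the complete text output of one dig query, for a name in a signed zone.
# Prints one of: validating | not-validating | servfail | unparsable | other:<RCODE>
dnssec_status() {
    out=$1
    # ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242"
    status=$(printf '%s\n' "$out" \
        | sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p' \
        | head -n 1)
    # ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, ..."
    flags=$(printf '%s\n' "$out" \
        | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' \
        | head -n 1)

    case "$status" in
    NOERROR)
        # Surround with spaces so "ad" cannot match inside another flag name.
        case " $flags " in
        *" ad "*) echo validating ;;
        *)        echo not-validating ;;
        esac
        ;;
    SERVFAIL) echo servfail ;;
    "")       echo unparsable ;;
    *)        echo "other:$status" ;;
    esac
}

# Constructed sample dig headers (abridged; ids and counts are made up).
SAMPLE_VALIDATING=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_NOT_VALIDATING=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Live use against the local Unbound, e.g.:
#   sh dnssec_status.sh test.dnssec-or-not.net
# With no argument the script only defines the function and samples above.
if [ $# -gt 0 ]; then
    dnssec_status "$(dig +dnssec "$1" txt @127.0.0.1)"
fi
```

A "not-validating" result for a name you know lives in a signed zone means the uncommented entries did not take effect (or a different resolver answered); "servfail" right after enabling validation points at the upstream forwarders before it points at the zone.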


# 1.1 15-Mar-2014 sthen

Add a new sample config file and rc.d script for unbound, ok deraadt@

