Revision 1.21 | 28-Oct-2020 | sthen
Remove commented-out edns-buffer-size section from the default unbound.conf.
The default in Unbound (and other DNS server software in the recent "DNS flag day") changed to 1232 bytes; this avoids problems due to fragmented packets (fragments can result in blackholes and also enable some attack vectors), so there's now little reason to reduce this from defaults, and increasing it is more of a specialist use case that isn't really needed in this streamlined default config.
Revision tags: OPENBSD_6_8_BASE

Revision 1.20 | 21-Jun-2020 | sthen
tidy wording from when dnssec was enabled/disabled/reenabled
ok kn gsoares
Revision tags: OPENBSD_6_7_BASE

Revision 1.19 | 07-Nov-2019 | sthen
Reenable "val-log-level: 2", so that when sites have misconfigured dnssec the sysadmin has some idea what's going on in logs, and "aggressive-nsec: yes", if we're using dnssec anyway we might as well get the benefits. These were both enabled last time dnssec was enabled in this sample unbound.conf.
ok florian@

Revision 1.18 | 07-Nov-2019 | job
Enable DNSSEC validation in unbound by default
OK deraadt@ otto@
Revision tags: OPENBSD_6_6_BASE

Revision 1.17 | 25-Aug-2019 | ajacoutot
space -> tabs
ok deraadt@ kn@

Revision 1.16 | 26-Jul-2019 | sthen
standard DoT port is 853 not 953; from myportslist20190323 at nym.hush.com

Revision 1.15 | 15-Jul-2019 | dtucker
Add tls-cert-bundle and example of using a DNS-over-TLS forwarder. Note that, at this time, Unbound does not re-use TLS connections (https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4089), so the TCP and TLS handshakes will cause a disproportionate increase in latency compared to UDP. ok sthen@ florian@
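A forward-zone that puts the tls-cert-bundle and the 853 port fix (1.16 above) together, as an added example rather than the text of the sample unbound.conf or OpenBSD's own file. The forwarder address 192.0.2.1 (documentation prefix) and the certificate name dot.example.net are placeholders; /etc/ssl/cert.pem is the OpenBSD CA bundle.

```conf
server:
	# CA bundle used to verify the forwarder's certificate.  Without it the
	# name after '#' below has nothing to be checked against and the TLS
	# session is encrypted but not authenticated.
	tls-cert-bundle: "/etc/ssl/cert.pem"

# WEAK: TLS is on, but no certificate name is given, so the presented
# certificate is not verified and an on-path attacker can stand in for the
# forwarder while the traffic still looks "encrypted".
#forward-zone:
#	name: "."
#	forward-tls-upstream: yes
#	forward-addr: 192.0.2.1@853

# Corrected: IP@port#name.  853 is the DoT port (RFC 7858), and the name
# after '#' must match the certificate the forwarder presents.
forward-zone:
	name: "."
	forward-tls-upstream: yes
	forward-addr: 192.0.2.1@853#dot.example.net
```

Two caveats when switching a validating resolver to a forwarder: at the time of this entry Unbound opened a fresh TCP+TLS session per upstream query, so expect the latency hit described above; and a forwarder that strips RRSIG records (the problem noted for 1.10 further down) turns every validated answer into SERVFAIL, so after the change query a signed name with dig +dnssec and confirm the ad flag is still set.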
Revision tags: OPENBSD_6_5_BASE

Revision 1.14 | 16-Dec-2018 | tim
Remove control-use-cert. It is ignored for local sockets (since unbound 1.7.3).
OK florian@ sthen@

Revision 1.13 | 12-Dec-2018 | sthen
add commented-out "val-log-level: 2" next to the uncommentable line to enable dnssec validation, it's really useful for debug

Revision 1.12 | 11-Dec-2018 | florian
the world is not ready for dnssec enabled by default

Revision 1.11 | 10-Dec-2018 | sthen
remove qname-minimisation from sample config, this was turned on by default upstream in 1.7.2 (picked up by us with the update to 1.7.3).
ok florian@

Revision 1.10 | 07-Dec-2018 | sthen
Remove public resolver IP addresses, just provide a neutral "documentation prefix" address instead - there are so many available with varying policies that this isn't a good place to list them (and might imply some kind of recommendation which is not intended).
Particularly prompted by several on the previous list (he.net and opendns) strip RRSIG from results which cause DNSSEC failures now that validation is enabled in the example config as noticed by solene@.
While there, shrink qname-minimisation comment to match other nearby comments, and drop dns64 example which is quite a specialist use case and not really needed in this basic example.

Revision 1.9 | 07-Dec-2018 | florian
Enable DNSSEC validation.
Requested by & OK claudio
Input & OK sthen
OK job, solene
Various people commented that they have been running with validation for a long time without issues.
Revision tags: OPENBSD_6_4_BASE

Revision 1.8 | 29-Mar-2018 | florian
Add aggressive-nsec example block. While here, qname minimisation has been an RFC for some time.
tweak & OK sthen
Revision tags: OPENBSD_6_0_BASE OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE

Revision 1.7 | 30-Mar-2016 | sthen
add "outgoing-interface" to sample unbound.conf
Revision tags: OPENBSD_5_9_BASE

Revision 1.6 | 15-Dec-2015 | sthen
add commented-out unbound.conf entries for dns64 (sitting in my tree and ok'd some time ago by phessler and IIRC also mikeb), and for qname-minimisation
Revision tags: OPENBSD_5_8_BASE

Revision 1.5 | 19-Jul-2015 | sthen
change default unbound config to enable the control socket, without using keys/certificates for auth. ok florian@
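The control-channel choice this entry describes, together with the 1.14 note that control-use-cert is ignored for local sockets, written out as an added example (not the sample file's own text). The socket path and the key/certificate paths are assumptions; OpenBSD runs unbound chrooted in /var/unbound, so key files would live under it.

```conf
remote-control:
	control-enable: yes
	# A local (unix) socket: who may talk to it is decided by the socket's
	# filesystem permissions, so no key/certificate pair is needed, and
	# since unbound 1.7.3 control-use-cert is ignored for it anyway.
	control-interface: /var/run/unbound.sock

# Alternative when a TCP control channel is required: keep it on loopback
# and use the key pair generated by unbound-control-setup(8).
# control-use-cert: no turns TLS off for a localhost control-interface
# (unbound.conf(5)); never combine that with a non-loopback address, or
# anyone who can reach port 8953 can flush the cache, inject local-data
# or stop the daemon.
#remote-control:
#	control-enable: yes
#	control-interface: 127.0.0.1
#	control-port: 8953
#	server-key-file: "/var/unbound/etc/unbound_server.key"
#	server-cert-file: "/var/unbound/etc/unbound_server.pem"
#	control-key-file: "/var/unbound/etc/unbound_control.key"
#	control-cert-file: "/var/unbound/etc/unbound_control.pem"
```

With the unix socket, unbound-control(8) run as root works without any key material, which is what makes the no-certificate default safe; the check worth running after a change is that the socket is not world-writable.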
Revision tags: OPENBSD_5_6_BASE OPENBSD_5_7_BASE

Revision 1.4 | 02-Apr-2014 | millert
Fix syntax error in commented out local-zone entry. OK sthen@

Revision 1.3 | 23-Mar-2014 | sthen
Remove commented-out module-config line, it is already set to "validator iterator" by default. Pointed out by Patrik Lundin.

Revision 1.2 | 21-Mar-2014 | sthen
Install a /var/unbound/db directory, writable by the _unbound daemon, and use it as the default location for the DNSSEC root key. Update default config for this location.
With this, the only step required to enable DNSSEC validation is to uncomment these default config entries and restart:
	#module-config: "validator iterator"
	#auto-trust-anchor-file: "/var/unbound/db/root.key"
There is no longer a requirement to run unbound-anchor manually to update the root key. The rc.d script will take care of updates at boot, and Unbound will manage the file itself at runtime.
Test with "dig test.dnssec-or-not.net txt @127.0.0.1" or similar.
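The validating-resolver end state of this log, as one server: section: the trust-anchor location from this entry, validation on by default (1.18), val-log-level and aggressive-nsec (1.19), and the 1232-byte EDNS default (1.21). This is an added example, not the sample unbound.conf shipped by OpenBSD; the outgoing-interface address is a placeholder from the documentation prefix.

```conf
server:
	interface: 127.0.0.1
	interface: ::1
	# Pin the source address of upstream queries on a multi-homed host
	# (1.7); 192.0.2.10 is a placeholder.
	#outgoing-interface: 192.0.2.10

	# DNSSEC validation.  module-config already defaults to
	# "validator iterator" (1.3), so the trust anchor is the only line
	# needed.  Unbound updates the file itself (RFC 5011), which is why
	# /var/unbound/db is writable by _unbound.
	auto-trust-anchor-file: "/var/unbound/db/root.key"

	# Log the zone and reason for every validation failure, so a SERVFAIL
	# caused by a misconfigured zone can be told from an upstream outage.
	val-log-level: 2

	# Synthesize NXDOMAIN from cached, validated NSEC/NSEC3 ranges
	# (RFC 8198): fewer queries leave the resolver, and random-subdomain
	# floods are answered from cache.  Needs validation to be on.
	aggressive-nsec: yes

	# qname-minimisation has been on by default since Unbound 1.7.2
	# (1.11); nothing to set.

	# EDNS UDP payload size advertised upstream.  1232 is the DNS flag day
	# 2020 value and the Unbound default (1.21): it fits the IPv6 minimum
	# MTU (1280 - 40 IPv6 - 8 UDP) without fragmentation.  Raising it
	# re-opens fragment loss and fragment-based spoofing; lowering it only
	# forces more TCP fallbacks.
	edns-buffer-size: 1232
```

After rcctl restart unbound, the check is the one this entry suggests: a signed name queried with dig +dnssec at 127.0.0.1 should come back with the ad flag, and a name whose signatures are deliberately broken should return SERVFAIL, with a syslog line from val-log-level: 2 naming the zone and the reason.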

Revision 1.1 | 15-Mar-2014 | sthen
Add a new sample config file and rc.d script for unbound, ok deraadt@