authorStuart Henderson <sthen@cvs.openbsd.org>2018-12-07 11:54:05 +0000
committerStuart Henderson <sthen@cvs.openbsd.org>2018-12-07 11:54:05 +0000
commit8209eefc9f00279328f15962211078afedbb9fc8 (patch)
tree11cd47e657622395187b8184483de7bf6e440a77 /etc
parent9e6238409f2016f419b4469fa0578372d3525b2f (diff)
Remove public resolver IP addresses, just provide a neutral "documentation
prefix" address instead - there are so many available with varying policies that this isn't a good place to list them (and might imply some kind of recommendation which is not intended). Particularly prompted by the fact that several on the previous list (he.net and opendns) strip RRSIG from results, which causes DNSSEC failures now that validation is enabled in the example config, as noticed by solene@. While there, shrink qname-minimisation comment to match other nearby comments, and drop dns64 example which is quite a specialist use case and not really needed in this basic example.
Diffstat (limited to 'etc')
-rw-r--r--etc/unbound.conf22
1 files changed, 4 insertions, 18 deletions
diff --git a/etc/unbound.conf b/etc/unbound.conf
index a523ab6f2df..132875fdf9f 100644
--- a/etc/unbound.conf
+++ b/etc/unbound.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: unbound.conf,v 1.9 2018/12/07 09:21:08 florian Exp $
+# $OpenBSD: unbound.conf,v 1.10 2018/12/07 11:54:04 sthen Exp $
server:
interface: 127.0.0.1
@@ -19,9 +19,7 @@ server:
hide-identity: yes
hide-version: yes
- # Uncomment to enable qname minimisation.
- # https://tools.ietf.org/html/rfc7816
- #
+ # Uncomment to enable qname minimisation. RFC 7816
#qname-minimisation: yes
# Enable DNSSEC validation.
@@ -50,26 +48,14 @@ server:
#
#tcp-upstream: yes
- # DNS64 options, synthesizes AAAA records for hosts that don't have
- # them. For use with NAT64 (PF "af-to").
- #
- #module-config: "dns64 validator iterator"
- #dns64-prefix: 64:ff9b::/96 # well-known prefix (default)
- #dns64-synthall: no
-
remote-control:
control-enable: yes
control-use-cert: no
control-interface: /var/run/unbound.sock
-# Use an upstream forwarder (recursive resolver) for specific zones.
-# Example addresses given below are public resolvers valid as of 2014/03.
+# Use an upstream forwarder (recursive resolver) for some or all zones.
#
#forward-zone:
# name: "." # use for ALL queries
-# forward-addr: 74.82.42.42 # he.net
-# forward-addr: 2001:470:20::2 # he.net v6
-# forward-addr: 8.8.8.8 # google.com
-# forward-addr: 2001:4860:4860::8888 # google.com v6
-# forward-addr: 208.67.222.222 # opendns.com
+# forward-addr: 192.0.2.53 # example address only
# forward-first: yes # try direct if forwarder fails
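Review bot: The commented `forward-zone` example at the end of this hunk never tells the reader that the chosen forwarder must pass DNSSEC records through, although the commit message gives exactly that as the reason for dropping the old list and validation is enabled earlier in the file. I would add a line above `forward-addr`, for example `# The forwarder must return DNSSEC records (RRSIG), or validation will fail.` Separately, `192.0.2.53` is a documentation-prefix address, so if the block is uncommented unchanged with `forward-first: yes` still set, lookups would presumably time out on the forwarder and then resolve directly, hiding the mistake. Changing the trailing comment to `# example address only, replace before use` would make that explicit.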