From 676242f53f30839f96c081d791891404e2e221af Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 15 Jul 2019 10:18:21 +0000 Subject: Add tls-cert-bundle and example of using a DNS-over-TLS forwarder. Note that, at this time, Unbound does not re-use TLS connections (https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4089) so the TCP and TLS handshakes will cause a disproportiate increase in latency compared to UDP. ok sthen@ florian@ --- etc/unbound.conf | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) (limited to 'etc/unbound.conf') diff --git a/etc/unbound.conf b/etc/unbound.conf index 614b8b55fa9..e16b08c23c6 100644 --- a/etc/unbound.conf +++ b/etc/unbound.conf @@ -1,4 +1,4 @@ -# $OpenBSD: unbound.conf,v 1.14 2018/12/16 20:41:30 tim Exp $ +# $OpenBSD: unbound.conf,v 1.15 2019/07/15 10:18:20 dtucker Exp $ server: interface: 127.0.0.1 @@ -48,6 +48,11 @@ server: # #tcp-upstream: yes + # CA Certificates used for forward-tls-upstream (RFC7858) hostname + # verification. Since it's outside the chroot it is only loaded at + # startup and thus cannot be changed via a reload. + #tls-cert-bundle: "/etc/ssl/cert.pem" + remote-control: control-enable: yes control-interface: /var/run/unbound.sock @@ -58,3 +63,12 @@ remote-control: # name: "." # use for ALL queries # forward-addr: 192.0.2.53 # example address only # forward-first: yes # try direct if forwarder fails + +# Use an upstream DNS-over-TLS forwarder and do not fall back to cleartext +# if that fails. +#forward-zone: +# name: "." +# forward-tls-upstream: yes # use DNS-over-TLS forwarder +# forward-first: no # do NOT send direct +# # the hostname after "#" is not a comment, it is used for TLS checks: +# forward-addr: 192.0.2.53@953#resolver.hostname.example -- cgit v1.2.3