unbound: remove unchecked configuration keys
parent
b3712ed335
commit
f05e92dc5e
1 changed files with 6 additions and 72 deletions
|
@ -1,9 +1,11 @@
|
||||||
server:
|
server:
|
||||||
verbosity: 1
|
# Timestamps use UTC ASCII instead of UNIX epoch.
|
||||||
use-syslog: yes
|
|
||||||
logfile: "/var/log/unbound.log"
|
|
||||||
log-time-ascii: yes
|
log-time-ascii: yes
|
||||||
|
|
||||||
|
do-ip4: yes
|
||||||
|
# FIXME: IPv6 deployment... someday...
|
||||||
|
do-ip6: no
|
||||||
|
|
||||||
# IP addresses on which to listen.
|
# IP addresses on which to listen.
|
||||||
interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}
|
interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}
|
||||||
interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }}
|
interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }}
|
||||||
|
@ -16,74 +18,6 @@ server:
|
||||||
access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow
|
access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow
|
||||||
access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow
|
access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow
|
||||||
|
|
||||||
do-ip4: yes
|
|
||||||
# FIXME: IPv6 deployment... someday...
|
|
||||||
do-ip6: no
|
|
||||||
|
|
||||||
do-udp: yes
|
|
||||||
do-tcp: yes
|
|
||||||
|
|
||||||
num-threads: {{ ansible_processor_vcpus }}
|
num-threads: {{ ansible_processor_vcpus }}
|
||||||
|
|
||||||
# power of 2 close to num-threads
|
|
||||||
# TODO: compute this dynamically w/ Ansible
|
|
||||||
msg-cache-slabs: 16
|
|
||||||
rrset-cache-slabs: 16
|
|
||||||
infra-cache-slabs: 16
|
|
||||||
key-cache-slabs: 16
|
|
||||||
|
|
||||||
# Read the root hints from this file
|
|
||||||
# FIXME: missing file.
|
|
||||||
# root-hints: "/var/lib/unbound/root.hints"
|
|
||||||
|
|
||||||
harden-referral-path: yes
|
|
||||||
use-caps-for-id: yes
|
|
||||||
hide-identity: yes
|
|
||||||
hide-version: yes
|
|
||||||
harden-glue: yes
|
|
||||||
harden-dnssec-stripped: yes
|
|
||||||
|
|
||||||
# the time to live (TTL) value lower bound, in seconds. Default 0.
|
|
||||||
# If more than an hour could easily give trouble due to stale data.
|
|
||||||
# WARNING : against protocol rule but efficient against stupidly too low TTLs
|
|
||||||
|
|
||||||
cache-min-ttl: 3600
|
|
||||||
|
|
||||||
# the time to live (TTL) value cap for RRsets and messages in the
|
|
||||||
# cache. Items are not cached for longer. In seconds.
|
|
||||||
cache-max-ttl: 86400
|
|
||||||
|
|
||||||
prefetch: yes
|
|
||||||
|
|
||||||
# If nonzero, unwanted replies are not only reported in statistics, but also
|
|
||||||
# a running total is kept per thread. If it reaches the threshold, a warning
|
|
||||||
# is printed and a defensive action is taken, the cache is cleared to flush
|
|
||||||
# potential poison out of it. A suggested value is 10000000, the default is
|
|
||||||
# 0 (turned off). We think 10K is a good value.
|
|
||||||
unwanted-reply-threshold: 10000
|
|
||||||
|
|
||||||
# Should additional section of secure message also be kept clean of unsecure
|
|
||||||
# data. Useful to shield the users of this validator from potential bogus
|
|
||||||
# data in the additional section. All unsigned data in the additional section
|
|
||||||
# is removed from secure messages.
|
|
||||||
val-clean-additional: yes
|
|
||||||
|
|
||||||
# Log validation failures
|
|
||||||
val-log-level: 2
|
|
||||||
|
|
||||||
|
|
||||||
private-address: 10.0.0.0/8
|
private-address: 10.0.0.0/8
|
||||||
|
|
||||||
# Optimise
|
|
||||||
# https://unbound.net/documentation/howto_optimise.html
|
|
||||||
|
|
||||||
# Faster UDP with multithreading (only on Linux).
|
|
||||||
so-reuseport: yes
|
|
||||||
|
|
||||||
# Taille du cache
|
|
||||||
rrset-cache-size: 100m
|
|
||||||
msg-cache-size: 50m
|
|
||||||
|
|
||||||
# gestion DNSSEC
|
|
||||||
harden-below-nxdomain: yes
|
|
||||||
harden-dnssec-stripped: yes
|
|
||||||
|
|
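Review bot: The second hunk drops `hide-identity: yes`, `hide-version: yes` and `unwanted-reply-threshold: 10000` without a replacement, so the resolver falls back to Unbound's defaults for them, which are weaker than what was deployed. The removed comment itself says the threshold defaults to 0 (turned off), which disables the defensive cache flush on a flood of unsolicited replies. Identity and version hiding are off by default as far as I know, so clients in the allowed subnets could again read the server's hostname and version. I would keep these three lines and validate them with `unbound-checkconf` rather than delete them as unchecked. Removing `val-log-level: 2` also appears to stop validation failures from being logged, which costs visibility when DNSSEC validation starts failing; confirm that is intended.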