Merge pull request #437 from churchofnoise/main
Unbound release 1.20.0
klutchell authored May 8, 2024
2 parents 3efe25b + 09aa5d9 commit 110a4cd
Showing 2 changed files with 62 additions and 19 deletions.
6 changes: 3 additions & 3 deletions Dockerfile
Expand Up @@ -59,9 +59,9 @@ FROM build-base AS unbound

WORKDIR /src

ARG UNBOUND_VERSION=1.19.3
# https://nlnetlabs.nl/downloads/unbound/unbound-1.19.3.tar.gz.sha256
ARG UNBOUND_SHA256="3ae322be7dc2f831603e4b0391435533ad5861c2322e34a76006a9fb65eb56b9"
ARG UNBOUND_VERSION=1.20.0
# https://nlnetlabs.nl/downloads/unbound/unbound-1.20.0.tar.gz.sha256
ARG UNBOUND_SHA256="56b4ceed33639522000fd96775576ddf8782bb3617610715d7f1e777c5ec1dbf"

ADD https://nlnetlabs.nl/downloads/unbound/unbound-${UNBOUND_VERSION}.tar.gz unbound.tar.gz

75 changes: 59 additions & 16 deletions rootfs_overlay/etc/unbound/unbound.conf.example
@@ -1,7 +1,7 @@
#
# Example configuration file.
#
# See unbound.conf(5) man page, version 1.19.3.
# See unbound.conf(5) man page, version @version@.
#
# this is a comment.

Expand Down Expand Up @@ -191,6 +191,21 @@ server:
# are behind a slow satellite link, to eg. 1128.
# unknown-server-time-limit: 376

# msec before recursion replies are dropped. The work item continues.
# discard-timeout: 1900

# Max number of replies waiting for recursion per IP address.
# wait-limit: 1000

# Max replies waiting for recursion for IP address with cookie.
# wait-limit-cookie: 10000

# Apart from the default, the wait limit can be set for a netblock.
# wait-limit-netblock: 192.0.2.0/24 50000

# Apart from the default, the wait limit with cookie can be adjusted.
# wait-limit-cookie-netblock: 192.0.2.0/24 50000

# the amount of memory to use for the RRset cache.
# plain value in bytes or you can append k, m or G. default is "4Mb".
# rrset-cache-size: 4m
Expand All @@ -211,6 +226,11 @@ server:
# the time to live (TTL) value cap for negative responses in the cache
# cache-max-negative-ttl: 3600

# the time to live (TTL) value lower bound, in seconds. Default 0.
# For negative responses in the cache. If disabled, default,
# cache-min-tll applies if configured.
# cache-min-negative-ttl: 0

# the time to live (TTL) value for cached roundtrip times, lameness and
# EDNS version information for hosts. In seconds.
# infra-host-ttl: 900
Expand Down Expand Up @@ -283,7 +303,8 @@ server:
# Enable EDNS TCP keepalive option.
# edns-tcp-keepalive: no

# Timeout for EDNS TCP keepalive, in msec.
# Timeout for EDNS TCP keepalive, in msec. Overrides tcp-idle-timeout
# if edns-tcp-keepalive is set.
# edns-tcp-keepalive-timeout: 120000

# UDP queries that have waited in the socket buffer for a long time
Expand All @@ -303,6 +324,7 @@ server:
# Choose deny (drop message), refuse (polite error reply),
# allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),
# allow_snoop (recursive and nonrecursive ok)
# allow_cookie (allow UDP with valid cookie or stateful transport)
# deny_non_local (drop queries unless can be answered from local-data)
# refuse_non_local (like deny_non_local but polite error reply).
# access-control: 127.0.0.0/8 allow
Expand Down Expand Up @@ -401,19 +423,19 @@ server:
# How to do this is specific to your OS.
#
# If you give "" no chroot is performed. The path must not end in a /.
# chroot: "/var/unbound"
# chroot: "@UNBOUND_CHROOT_DIR@"

# if given, user privileges are dropped (after binding port),
# and the given username is assumed. Default is user "unbound".
# If you give "" no privileges are dropped.
# username: "unbound"
# username: "@UNBOUND_USERNAME@"

# the working directory. The relative files in this config are
# relative to this directory. If you give "" the working directory
# is not changed.
# If you give a server: directory: dir before include: file statements
# then those includes can be relative to the working directory.
# directory: "/var/unbound"
# directory: "@UNBOUND_RUN_DIR@"

# the log file, "" means log to stderr.
# Use of this option sets use-syslog to "no".
Expand Down Expand Up @@ -441,6 +463,9 @@ server:
# filtering log-queries and log-replies from the log.
# log-tag-queryreply: no

# log with destination address, port and type for log-replies.
# log-destaddr: no

# log the local-zone actions, like local-zone type inform is enabled
# also for the other local zone types.
# log-local-actions: no
Expand All @@ -449,7 +474,7 @@ server:
# log-servfail: no

# the pid file. Can be an absolute path outside of chroot/work dir.
# pidfile: "/var/unbound/unbound.pid"
# pidfile: "@UNBOUND_PIDFILE@"

# file to read root hints from.
# get one from https://www.internic.net/domain/named.cache
Expand Down Expand Up @@ -615,7 +640,7 @@ server:
# And then enable the auto-trust-anchor-file config item.
# Please note usage of unbound-anchor root anchor is at your own risk
# and under the terms of our LICENSE (see that file in the source).
# auto-trust-anchor-file: "/var/unbound/root.key"
# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"

# trust anchor signaling sends a RFC8145 key tag query after priming.
# trust-anchor-signaling: yes
Expand Down Expand Up @@ -983,6 +1008,13 @@ server:
# if 0(default) it is disabled, otherwise states qps allowed per ip address
# ip-ratelimit: 0

# global query ratelimit for all ip addresses with a valid DNS Cookie.
# feature is experimental.
# if 0(default) it is disabled, otherwise states qps allowed per ip address
# useful in combination with 'allow_cookie'.
# If used, suggested to be higher than ip-ratelimit, tenfold.
# ip-ratelimit-cookie: 0

# ip ratelimits are tracked in a cache, size in bytes of cache (or k,m).
# ip-ratelimit-size: 4m
# ip ratelimit cache slabs, reduces lock contention if equal to cpucount.
Expand All @@ -1004,6 +1036,14 @@ server:
# the number of servers that will be used in the fast server selection.
# fast-server-num: 3

# reply to requests containing DNS Cookies as specified in RFC 7873 and RFC 9018.
# answer-cookie: no

# secret for DNS Cookie generation.
# useful for anycast deployments.
# example value "000102030405060708090a0b0c0d0e0f".
# cookie-secret: <128 bit random hex string>

# Enable to attach Extended DNS Error codes (RFC8914) to responses.
# ede: no

Expand Down Expand Up @@ -1056,7 +1096,7 @@ server:
# o and give a python-script to run.
python:
# Script file to load
# python-script: "/var/unbound/ubmodule-tst.py"
# python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py"

# Dynamic library config section. To enable:
# o use --with-dynlibmodule to configure before compiling.
Expand All @@ -1067,7 +1107,7 @@ python:
# the module-config then you need one dynlib-file per instance.
dynlib:
# Script file to load
# dynlib-file: "/var/unbound/dynlib.so"
# dynlib-file: "@UNBOUND_SHARE_DIR@/dynlib.so"

# Remote control config section.
remote-control:
Expand All @@ -1090,16 +1130,16 @@ remote-control:
# control-use-cert: "yes"

# Unbound server key file.
# server-key-file: "/var/unbound/unbound_server.key"
# server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key"

# Unbound server certificate file.
# server-cert-file: "/var/unbound/unbound_server.pem"
# server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem"

# unbound-control key file.
# control-key-file: "/var/unbound/unbound_control.key"
# control-key-file: "@UNBOUND_RUN_DIR@/unbound_control.key"

# unbound-control certificate file.
# control-cert-file: "/var/unbound/unbound_control.pem"
# control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"

# Stub zones.
# Create entries like below, to make all queries for 'example.com' and
Expand Down Expand Up @@ -1150,15 +1190,15 @@ remote-control:
# sources of notifies.
# auth-zone:
# name: "."
# primary: 199.9.14.201 # b.root-servers.net
# primary: 170.247.170.2 # b.root-servers.net
# primary: 192.33.4.12 # c.root-servers.net
# primary: 199.7.91.13 # d.root-servers.net
# primary: 192.5.5.241 # f.root-servers.net
# primary: 192.112.36.4 # g.root-servers.net
# primary: 193.0.14.129 # k.root-servers.net
# primary: 192.0.47.132 # xfr.cjr.dns.icann.org
# primary: 192.0.32.132 # xfr.lax.dns.icann.org
# primary: 2001:500:200::b # b.root-servers.net
# primary: 2801:1b8:10::b # b.root-servers.net
# primary: 2001:500:2::c # c.root-servers.net
# primary: 2001:500:2d::d # d.root-servers.net
# primary: 2001:500:2f::f # f.root-servers.net
Expand Down Expand Up @@ -1228,6 +1268,9 @@ remote-control:
# secret-seed: "default"
# # if the backend should be read from, but not written to.
# cachedb-no-store: no
# # if the cachedb should be checked before a serve-expired response is
# # given, when serve-expired is enabled.
# cachedb-check-when-serve-expired: yes
#
# # For "redis" backend:
# # (to enable, use --with-libhiredis to configure before compiling)
Expand Down Expand Up @@ -1266,7 +1309,7 @@ remote-control:
# dnstap-enable: no
# # if set to yes frame streams will be used in bidirectional mode
# dnstap-bidirectional: yes
# dnstap-socket-path: ""
# dnstap-socket-path: "@DNSTAP_SOCKET_PATH@"
# # if "" use the unix socket in dnstap-socket-path, otherwise,
# # set it to "IPaddress[@port]" of the destination.
# dnstap-ip: ""
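Review bot: The new lines at `chroot:`, `username:`, `directory:`, `pidfile:`, `auto-trust-anchor-file:`, the `python-script`/`dynlib-file` paths, the four remote-control key/cert paths and `dnstap-socket-path:` now carry upstream's unsubstituted autoconf placeholders (`@UNBOUND_CHROOT_DIR@`, `@UNBOUND_RUN_DIR@`, `@UNBOUND_USERNAME@`, `@UNBOUND_SHARE_DIR@`, `@UNBOUND_PIDFILE@`, `@UNBOUND_ROOTKEY_FILE@`, `@DNSTAP_SOCKET_PATH@`) where the removed lines had this image's real values (`/var/unbound/...`, `unbound`, `""`), and the header now says `version @version@` instead of naming the release. It looks like the file was taken from the `.in` template rather than the generated example, so anyone who uncomments e.g. `chroot: "@UNBOUND_CHROOT_DIR@"` or `auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"` points the daemon at a path that does not exist, which for the trust-anchor and chroot lines silently weakens the intended hardening rather than failing loudly. All affected lines are comments, so nothing changes until a user copies them, but that is exactly what an `.example` file invites. Suggest restoring the concrete values the previous revision used (`# chroot: "/var/unbound"`, `# username: "unbound"`, `# See unbound.conf(5) man page, version 1.20.0.`) or, if the placeholders are intentional, adding a comment near the top stating that `@...@` tokens are literal and must be replaced before use.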
