Unbound release 1.20.0 #437

Merged
merged 2 commits into from
May 8, 2024
6 changes: 3 additions & 3 deletions Dockerfile
Expand Up @@ -59,9 +59,9 @@ FROM build-base AS unbound

WORKDIR /src

ARG UNBOUND_VERSION=1.19.3
# https://nlnetlabs.nl/downloads/unbound/unbound-1.19.3.tar.gz.sha256
ARG UNBOUND_SHA256="3ae322be7dc2f831603e4b0391435533ad5861c2322e34a76006a9fb65eb56b9"
ARG UNBOUND_VERSION=1.20.0
# https://nlnetlabs.nl/downloads/unbound/unbound-1.20.0.tar.gz.sha256
ARG UNBOUND_SHA256="56b4ceed33639522000fd96775576ddf8782bb3617610715d7f1e777c5ec1dbf"

ADD https://nlnetlabs.nl/downloads/unbound/unbound-${UNBOUND_VERSION}.tar.gz unbound.tar.gz

Expand Down
75 changes: 59 additions & 16 deletions rootfs_overlay/etc/unbound/unbound.conf.example
@@ -1,7 +1,7 @@
#
# Example configuration file.
#
# See unbound.conf(5) man page, version 1.19.3.
# See unbound.conf(5) man page, version @version@.
#
# this is a comment.

Expand Down Expand Up @@ -191,6 +191,21 @@ server:
# are behind a slow satellite link, to eg. 1128.
# unknown-server-time-limit: 376

# msec before recursion replies are dropped. The work item continues.
# discard-timeout: 1900

# Max number of replies waiting for recursion per IP address.
# wait-limit: 1000

# Max replies waiting for recursion for IP address with cookie.
# wait-limit-cookie: 10000

# Apart from the default, the wait limit can be set for a netblock.
# wait-limit-netblock: 192.0.2.0/24 50000

# Apart from the default, the wait limit with cookie can be adjusted.
# wait-limit-cookie-netblock: 192.0.2.0/24 50000

# the amount of memory to use for the RRset cache.
# plain value in bytes or you can append k, m or G. default is "4Mb".
# rrset-cache-size: 4m
Expand All @@ -211,6 +226,11 @@ server:
# the time to live (TTL) value cap for negative responses in the cache
# cache-max-negative-ttl: 3600

# the time to live (TTL) value lower bound, in seconds. Default 0.
# For negative responses in the cache. If disabled, default,
# cache-min-tll applies if configured.
# cache-min-negative-ttl: 0

# the time to live (TTL) value for cached roundtrip times, lameness and
# EDNS version information for hosts. In seconds.
# infra-host-ttl: 900
Expand Down Expand Up @@ -283,7 +303,8 @@ server:
# Enable EDNS TCP keepalive option.
# edns-tcp-keepalive: no

# Timeout for EDNS TCP keepalive, in msec.
# Timeout for EDNS TCP keepalive, in msec. Overrides tcp-idle-timeout
# if edns-tcp-keepalive is set.
# edns-tcp-keepalive-timeout: 120000

# UDP queries that have waited in the socket buffer for a long time
Expand All @@ -303,6 +324,7 @@ server:
# Choose deny (drop message), refuse (polite error reply),
# allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),
# allow_snoop (recursive and nonrecursive ok)
# allow_cookie (allow UDP with valid cookie or stateful transport)
# deny_non_local (drop queries unless can be answered from local-data)
# refuse_non_local (like deny_non_local but polite error reply).
# access-control: 127.0.0.0/8 allow
Expand Down Expand Up @@ -401,19 +423,19 @@ server:
# How to do this is specific to your OS.
#
# If you give "" no chroot is performed. The path must not end in a /.
# chroot: "/var/unbound"
# chroot: "@UNBOUND_CHROOT_DIR@"

# if given, user privileges are dropped (after binding port),
# and the given username is assumed. Default is user "unbound".
# If you give "" no privileges are dropped.
# username: "unbound"
# username: "@UNBOUND_USERNAME@"

# the working directory. The relative files in this config are
# relative to this directory. If you give "" the working directory
# is not changed.
# If you give a server: directory: dir before include: file statements
# then those includes can be relative to the working directory.
# directory: "/var/unbound"
# directory: "@UNBOUND_RUN_DIR@"

# the log file, "" means log to stderr.
# Use of this option sets use-syslog to "no".
Expand Down Expand Up @@ -441,6 +463,9 @@ server:
# filtering log-queries and log-replies from the log.
# log-tag-queryreply: no

# log with destination address, port and type for log-replies.
# log-destaddr: no

# log the local-zone actions, like local-zone type inform is enabled
# also for the other local zone types.
# log-local-actions: no
Expand All @@ -449,7 +474,7 @@ server:
# log-servfail: no

# the pid file. Can be an absolute path outside of chroot/work dir.
# pidfile: "/var/unbound/unbound.pid"
# pidfile: "@UNBOUND_PIDFILE@"

# file to read root hints from.
# get one from https://www.internic.net/domain/named.cache
Expand Down Expand Up @@ -615,7 +640,7 @@ server:
# And then enable the auto-trust-anchor-file config item.
# Please note usage of unbound-anchor root anchor is at your own risk
# and under the terms of our LICENSE (see that file in the source).
# auto-trust-anchor-file: "/var/unbound/root.key"
# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"

# trust anchor signaling sends a RFC8145 key tag query after priming.
# trust-anchor-signaling: yes
Expand Down Expand Up @@ -983,6 +1008,13 @@ server:
# if 0(default) it is disabled, otherwise states qps allowed per ip address
# ip-ratelimit: 0

# global query ratelimit for all ip addresses with a valid DNS Cookie.
# feature is experimental.
# if 0(default) it is disabled, otherwise states qps allowed per ip address
# useful in combination with 'allow_cookie'.
# If used, suggested to be higher than ip-ratelimit, tenfold.
# ip-ratelimit-cookie: 0

# ip ratelimits are tracked in a cache, size in bytes of cache (or k,m).
# ip-ratelimit-size: 4m
# ip ratelimit cache slabs, reduces lock contention if equal to cpucount.
Expand All @@ -1004,6 +1036,14 @@ server:
# the number of servers that will be used in the fast server selection.
# fast-server-num: 3

# reply to requests containing DNS Cookies as specified in RFC 7873 and RFC 9018.
# answer-cookie: no

# secret for DNS Cookie generation.
# useful for anycast deployments.
# example value "000102030405060708090a0b0c0d0e0f".
# cookie-secret: <128 bit random hex string>

# Enable to attach Extended DNS Error codes (RFC8914) to responses.
# ede: no

Expand Down Expand Up @@ -1056,7 +1096,7 @@ server:
# o and give a python-script to run.
python:
# Script file to load
# python-script: "/var/unbound/ubmodule-tst.py"
# python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py"

# Dynamic library config section. To enable:
# o use --with-dynlibmodule to configure before compiling.
Expand All @@ -1067,7 +1107,7 @@ python:
# the module-config then you need one dynlib-file per instance.
dynlib:
# Script file to load
# dynlib-file: "/var/unbound/dynlib.so"
# dynlib-file: "@UNBOUND_SHARE_DIR@/dynlib.so"

# Remote control config section.
remote-control:
Expand All @@ -1090,16 +1130,16 @@ remote-control:
# control-use-cert: "yes"

# Unbound server key file.
# server-key-file: "/var/unbound/unbound_server.key"
# server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key"

# Unbound server certificate file.
# server-cert-file: "/var/unbound/unbound_server.pem"
# server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem"

# unbound-control key file.
# control-key-file: "/var/unbound/unbound_control.key"
# control-key-file: "@UNBOUND_RUN_DIR@/unbound_control.key"

# unbound-control certificate file.
# control-cert-file: "/var/unbound/unbound_control.pem"
# control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"

# Stub zones.
# Create entries like below, to make all queries for 'example.com' and
Expand Down Expand Up @@ -1150,15 +1190,15 @@ remote-control:
# sources of notifies.
# auth-zone:
# name: "."
# primary: 199.9.14.201 # b.root-servers.net
# primary: 170.247.170.2 # b.root-servers.net
# primary: 192.33.4.12 # c.root-servers.net
# primary: 199.7.91.13 # d.root-servers.net
# primary: 192.5.5.241 # f.root-servers.net
# primary: 192.112.36.4 # g.root-servers.net
# primary: 193.0.14.129 # k.root-servers.net
# primary: 192.0.47.132 # xfr.cjr.dns.icann.org
# primary: 192.0.32.132 # xfr.lax.dns.icann.org
# primary: 2001:500:200::b # b.root-servers.net
# primary: 2801:1b8:10::b # b.root-servers.net
# primary: 2001:500:2::c # c.root-servers.net
# primary: 2001:500:2d::d # d.root-servers.net
# primary: 2001:500:2f::f # f.root-servers.net
Expand Down Expand Up @@ -1228,6 +1268,9 @@ remote-control:
# secret-seed: "default"
# # if the backend should be read from, but not written to.
# cachedb-no-store: no
# # if the cachedb should be checked before a serve-expired response is
# # given, when serve-expired is enabled.
# cachedb-check-when-serve-expired: yes
#
# # For "redis" backend:
# # (to enable, use --with-libhiredis to configure before compiling)
Expand Down Expand Up @@ -1266,7 +1309,7 @@ remote-control:
# dnstap-enable: no
# # if set to yes frame streams will be used in bidirectional mode
# dnstap-bidirectional: yes
# dnstap-socket-path: ""
# dnstap-socket-path: "@DNSTAP_SOCKET_PATH@"
# # if "" use the unix socket in dnstap-socket-path, otherwise,
# # set it to "IPaddress[@port]" of the destination.
# dnstap-ip: ""
Expand Down
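Review bot: The new copy of the example leaves autoconf placeholders unsubstituted — `@version@`, `@UNBOUND_CHROOT_DIR@`, `@UNBOUND_USERNAME@`, `@UNBOUND_RUN_DIR@`, `@UNBOUND_PIDFILE@`, `@UNBOUND_ROOTKEY_FILE@`, `@UNBOUND_SHARE_DIR@` and `@DNSTAP_SOCKET_PATH@` — where the previous revision shipped the concrete values this image uses (`/var/unbound`, user `unbound`). This looks like the file was taken from upstream `doc/example.conf.in` rather than the configure-generated `example.conf`; anyone uncommenting the chroot, username, pidfile or trust-anchor lines as shipped gets a non-existent path or user, and the privilege-drop and DNSSEC examples no longer describe the image's own layout. I would restore the substituted values, e.g. `# chroot: "/var/unbound"`, `# username: "unbound"` and `# auto-trust-anchor-file: "/var/unbound/root.key"`, and do the same for the remote-control key/cert paths, the python/dynlib paths and the dnstap socket path, or generate the file from the built tarball at image-build time instead of vendoring it. Separately, the new `cookie-secret` comment gives a literal example hex string; it is worth a comment in the image's own docs that this must be replaced with a freshly generated 128-bit random value per deployment and kept out of version control.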