
13 #include-toplevel: "otherfile.conf"
24 # statistics-interval: 0
26 # enable shm for stats, default no. if you enable also enable
27 # statistics-interval, every time it also writes stats to the
28 # shared memory segment keyed with shm-key.
29 # shm-enable: no
32 # shm-key: 11777
34 # enable cumulative statistics, without clearing them after printing.
35 # statistics-cumulative: no
37 # enable extended statistics (query types, answer codes, status)
38 # printed from unbound-control. Default off, because of speed.
39 # extended-statistics: no
42 # rpz-actions) from printing if their value is 0.
44 # statistics-inhibit-zero: yes
47 # num-threads: 1
49 # specify the interfaces to answer queries from by ip-address.
60 # enable this feature to copy the source address of queries to reply.
62 # interface-automatic: no
65 # spaces when interface-automatic is enabled, by listing them here.
66 # interface-automatic-ports: ""
72 # server from by ip-address. If none, the default (all) interface
73 # is used. Specify every interface on an 'outgoing-interface:' line.
74 # outgoing-interface: 192.0.2.153
75 # outgoing-interface: 2001:DB8::5
76 # outgoing-interface: 2001:DB8::6
80 # outgoing-interface: 2001:DB8::/64
81 # Also (Linux:) ip -6 addr add 2001:db8::/64 dev lo
82 # And: ip -6 route add local 2001:db8::/64 dev lo
83 # And set prefer-ip6: yes to use the ip6 randomness from a netblock.
85 # prefer-ip6: no
88 # prefer-ip4: no
92 # num-queries-per-thread, or, use as many as the OS will allow you.
93 # outgoing-range: 4096
97 # outgoing-port-permit: 32768
103 # IANA-assigned port numbers.
104 # If multiple outgoing-port-permit and outgoing-port-avoid options
106 # outgoing-port-avoid: "3200-3208"
109 # outgoing-num-tcp: 10
112 # incoming-num-tcp: 10
116 # so-rcvbuf: 0
120 # so-sndbuf: 4m
124 # so-reuseport: yes
126 # use IP_TRANSPARENT so the interface: addresses can be non-local
127 # and you can config non-existing IPs that are going to work later on
129 # ip-transparent: no
131 # use IP_FREEBIND so the interface: addresses can be non-local
133 # Linux only. On Linux you also have ip-transparent that is similar.
134 # ip-freebind: no
139 # ip-dscp: 0
142 # is set with msg-buffer-size).
143 # edns-buffer-size: 1232
147 # max-udp-size: 1232
150 # stream-wait-size: 4m
154 # msg-buffer-size: 65552
158 # msg-cache-size: 4m
163 # msg-cache-slabs: 4
166 # num-queries-per-thread: 2048
168 # if very busy, 50% queries run to completion, 50% get timeout in msec
169 # jostle-timeout: 200
171 # msec to wait before close of port on timeout UDP. 0 disables.
172 # delay-close: 0
175 # udp-connect: yes
179 # outbound-msg-retry: 5
184 # max-sent-count: 32
188 # max-query-restarts: 11
191 # iter-scrub-ns: 20
194 # iter-scrub-cname: 11
197 # max-global-quota: 200
201 # iter-scrub-promiscuous: yes
205 # unknown-server-time-limit: 376
208 # discard-timeout: 1900
211 # wait-limit: 1000
214 # wait-limit-cookie: 10000
217 # wait-limit-netblock: 192.0.2.0/24 50000
220 # wait-limit-cookie-netblock: 192.0.2.0/24 50000
223 # wait-limit-netblock: 127.0.0.0/8 -1
224 # wait-limit-netblock: ::1/128 -1
225 # wait-limit-cookie-netblock: 127.0.0.0/8 -1
226 # wait-limit-cookie-netblock: ::1/128 -1
230 # rrset-cache-size: 4m
235 # rrset-cache-slabs: 4
239 # cache-min-ttl: 0
243 # cache-max-ttl: 86400
246 # cache-max-negative-ttl: 3600
250 # cache-min-ttl applies if configured.
251 # cache-min-negative-ttl: 0
255 # infra-host-ttl: 900
258 # infra-cache-min-rtt: 50
261 # infra-cache-max-rtt: 120000
263 # enable to make server probe down hosts more frequently.
264 # infra-keep-probing: no
269 # infra-cache-slabs: 4
272 # infra-cache-numhosts: 10000
274 # define a number of tags here, use with local-zone, access-control,
275 # interface-*.
276 # repeat the define-tag statement to add additional tags.
277 # define-tag: "tag1 tag2 tag3"
279 # Enable IPv4, "yes" or "no".
280 # do-ip4: yes
282 # Enable IPv6, "yes" or "no".
283 # do-ip6: yes
285 # If running unbound on an IPv6-only host, domains that only have
290 # Consider also enabling prefer-ip6 to prefer native IPv6 connections
292 # do-nat64: no
294 # NAT64 prefix. Defaults to using dns64-prefix value.
295 # nat64-prefix: 64:ff9b::0/96
297 # Enable UDP, "yes" or "no".
298 # do-udp: yes
300 # Enable TCP, "yes" or "no".
301 # do-tcp: yes
305 # tcp-upstream: no
307 # upstream connections also use UDP (even if do-udp is no).
309 # udp-upstream-without-downstream: no
313 # tcp-mss: 0
317 # outgoing-tcp-mss: 0
319 # Idle TCP timeout, connection closed in milliseconds
320 # tcp-idle-timeout: 30000
322 # Enable EDNS TCP keepalive option.
323 # edns-tcp-keepalive: no
325 # Timeout for EDNS TCP keepalive, in msec. Overrides tcp-idle-timeout
326 # if edns-tcp-keepalive is set.
327 # edns-tcp-keepalive-timeout: 120000
331 # sock-queue-timeout: 0
334 # use-systemd: no
338 # do-daemonize: yes
347 # deny_non_local (drop queries unless can be answered from local-data)
349 # access-control: 127.0.0.0/8 allow
350 # access-control: ::1 allow
351 # access-control: ::ffff:127.0.0.1 allow
353 # tag access-control with list of tags (in "" with spaces between)
356 # access-control-tag: 192.0.2.0/24 "tag2 tag3"
360 # is the first tag match between access-control-tag and local-zone-tag
361 # where "first" comes from the order of the define-tag values.
362 # access-control-tag-action: 192.0.2.0/24 tag3 refuse
365 # access-control-tag-data: 192.0.2.0/24 tag2 "A 127.0.0.1"
368 # access-control-view: 192.0.2.0/24 viewname
370 # Similar to 'access-control:' but for interfaces.
375 # The actions are the same as 'access-control:' above.
377 # Note: any 'access-control*:' setting overrides all 'interface-*:'
379 # interface-action: 192.0.2.153 allow
380 # interface-action: 192.0.2.154 allow
381 # interface-action: 192.0.2.154@5003 allow
382 # interface-action: 2001:DB8::5 allow
383 # interface-action: eth0@5003 allow
385 # Similar to 'access-control-tag:' but for interfaces.
391 # Note: any 'access-control*:' setting overrides all 'interface-*:'
393 # interface-tag: eth0@5003 "tag2 tag3"
395 # Similar to 'access-control-tag-action:' but for interfaces.
398 # is the first tag match between interface-tag and local-zone-tag
399 # where "first" comes from the order of the define-tag values.
402 # Note: any 'access-control*:' setting overrides all 'interface-*:'
404 # interface-tag-action: eth0@5003 tag3 refuse
406 # Similar to 'access-control-tag-data:' but for interfaces.
410 # Note: any 'access-control*:' setting overrides all 'interface-*:'
412 # interface-tag-data: eth0@5003 tag2 "A 127.0.0.1"
414 # Similar to 'access-control-view:' but for interfaces.
418 # Note: any 'access-control*:' setting overrides all 'interface-*:'
420 # interface-view: eth0@5003 viewname
460 # Use of this option sets use-syslog to "no".
465 # use-syslog: yes
469 # log-identity: ""
472 # log-time-ascii: no
474 # log timestamp in ISO8601 format if log-time-ascii is also enabled.
475 # (y-m-dTh:m:s.msec[+-]tzhours:tzminutes)
476 # log-time-iso: no
479 # log-queries: no
483 # log-replies: no
486 # filtering log-queries and log-replies from the log.
487 # log-tag-queryreply: no
489 # log with destination address, port and type for log-replies.
490 # log-destaddr: no
492 # log the local-zone actions, like local-zone type inform is enabled
494 # log-local-actions: no
497 # log-servfail: no
504 # root-hints: ""
506 # enable to not answer id.server and hostname.bind queries.
507 # hide-identity: no
509 # enable to not answer version.server and version.bind queries.
510 # hide-version: no
512 # enable to not answer trustanchor.unbound queries.
513 # hide-trustanchor: no
515 # enable to not set the User-Agent HTTP header.
516 # hide-http-user-agent: no
527 # User-Agent HTTP header to use. Leave "" or default to use package name
529 # http-user-agent: ""
535 # -1 : fetch all targets opportunistically,
539 # target-fetch-policy: "3 2 1 0 0"
542 # harden-short-bufsize: yes
545 # harden-large-queries: no
548 # harden-glue: yes
550 # Harden against unverified (outside-zone, including sibling zone) glue rrsets
551 # harden-unverified-glue: no
553 # Harden against receiving dnssec-stripped data. If you turn it
556 # Default on, which insists on dnssec data for trust-anchored zones.
557 # harden-dnssec-stripped: yes
559 # Harden against queries that fall under dnssec-signed nxdomain names.
560 # harden-below-nxdomain: yes
565 # implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
566 # harden-referral-path: no
572 # harden-algo-downgrade: no
576 # harden-unknown-additional: no
581 # qname-minimisation: yes
583 # QNAME minimisation in strict mode. Do not fall-back to sending full
586 # This option only has effect when qname-minimisation is enabled.
587 # qname-minimisation-strict: no
591 # aggressive-nsec: yes
593 # Use 0x20-encoded random bits in the query to foil spoof attempts.
594 # This feature is an experimental implementation of draft dns-0x20.
595 # use-caps-for-id: no
597 # Domains (and domains in them) without support for dns-0x20 and
599 # caps-exempt: "licdn.com"
600 # caps-exempt: "senderbase.org"
605 # Only 'private-domain' and 'local-data' names are allowed to have
607 # private-address: 10.0.0.0/8
608 # private-address: 172.16.0.0/12
609 # private-address: 192.168.0.0/16
610 # private-address: 169.254.0.0/16
611 # private-address: fd00::/8
612 # private-address: fe80::/10
613 # private-address: ::ffff:0:0/96
616 # local-data statements are allowed to contain private addresses too.
617 # private-domain: "example.com"
624 # unwanted-reply-threshold: 0
628 # do-not-query-address: 127.0.0.1/8
629 # do-not-query-address: ::1
631 # if yes, the above default do-not-query-address entries are present.
633 # do-not-query-localhost: yes
639 # prefetch-key: no
642 # deny-any: no
645 # rrset-roundrobin: yes
649 # minimal-responses: yes
652 # disable-dnssec-lame-check: no
659 # module-config: "validator iterator"
662 # initial file like trust-anchor-file, then it stores metadata.
665 # If you want to perform DNSSEC validation, run unbound-anchor before
667 # And then enable the auto-trust-anchor-file config item.
668 # Please note usage of unbound-anchor root anchor is at your own risk
670 # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
673 # trust-anchor-signaling: yes
675 # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
676 # root-key-sentinel: yes
681 # Note this gets out of date, use auto-trust-anchor-file please.
682 # trust-anchor-file: ""
686 # Note this gets out of date, use auto-trust-anchor-file please.
688 …# trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6…
689 # trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A"
692 # with several entries, one file per entry. Like trust-anchor-file
693 # but has a different file format. Format is BIND-9 style format,
694 # the trusted-keys { name flag proto algo "key"; }; clauses are read.
696 # trusted-keys-file: ""
699 # domain-insecure: "example.com"
703 # and expiration. "" or "0" turns the feature off. -1 ignores date.
704 # val-override-date: ""
708 # val-bogus-ttl: 60
711 # by 10% of the signature lifetime (expir-incep) from our local clock.
713 # val-sig-skew-min: 3600
714 # val-sig-skew-max: 86400
718 # val-max-restart: 5
724 # val-clean-additional: yes
731 # val-permissive-mode: no
734 # Enable it if the only clients of Unbound are legacy servers (w2008)
736 # ignore-cd-flag: no
739 # devices that cannot handle DNSSEC information. But do not enable it
741 # disable-edns-do: no
743 # Serve expired responses from cache, with serve-expired-reply-ttl in
745 # Can be configured with serve-expired-client-timeout.
746 # serve-expired: no
750 # serve-expired-ttl: 86400
752 # Set the TTL of expired records to the serve-expired-ttl value after a
756 # serve-expired-ttl-reset: no
759 # serve-expired-reply-ttl: 30
762 # This essentially enables the serve-stale behavior as specified in
765 # serve-expired-client-timeout: 1800
772 # serve-original-ttl: no
776 # val-log-level: 0
782 # val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150"
785 # zonemd-permissive-mode: no
787 # instruct the auto-trust-anchor-file probing to add anchors after ttl.
788 # add-holddown: 2592000 # 30 days
790 # instruct the auto-trust-anchor-file probing to del anchors after ttl.
791 # del-holddown: 2592000 # 30 days
793 # auto-trust-anchor-file probing removes missing anchors after ttl.
795 # keep-missing: 31622400 # 366 days
799 # permit-small-holddown: no
803 # key-cache-size: 4m
808 # key-cache-slabs: 4
812 # neg-cache-size: 1m
815 # reply is built-in. Query traffic is thus blocked. If you
818 # You may also have to use domain-insecure: zone to make DNSSEC work,
820 # local-zone: "localhost." nodefault
821 # local-zone: "127.in-addr.arpa." nodefault
822 # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
823 # local-zone: "home.arpa." nodefault
824 # local-zone: "resolver.arpa." nodefault
825 # local-zone: "service.arpa." nodefault
826 # local-zone: "onion." nodefault
827 # local-zone: "test." nodefault
828 # local-zone: "invalid." nodefault
829 # local-zone: "10.in-addr.arpa." nodefault
830 # local-zone: "16.172.in-addr.arpa." nodefault
831 # local-zone: "17.172.in-addr.arpa." nodefault
832 # local-zone: "18.172.in-addr.arpa." nodefault
833 # local-zone: "19.172.in-addr.arpa." nodefault
834 # local-zone: "20.172.in-addr.arpa." nodefault
835 # local-zone: "21.172.in-addr.arpa." nodefault
836 # local-zone: "22.172.in-addr.arpa." nodefault
837 # local-zone: "23.172.in-addr.arpa." nodefault
838 # local-zone: "24.172.in-addr.arpa." nodefault
839 # local-zone: "25.172.in-addr.arpa." nodefault
840 # local-zone: "26.172.in-addr.arpa." nodefault
841 # local-zone: "27.172.in-addr.arpa." nodefault
842 # local-zone: "28.172.in-addr.arpa." nodefault
843 # local-zone: "29.172.in-addr.arpa." nodefault
844 # local-zone: "30.172.in-addr.arpa." nodefault
845 # local-zone: "31.172.in-addr.arpa." nodefault
846 # local-zone: "168.192.in-addr.arpa." nodefault
847 # local-zone: "0.in-addr.arpa." nodefault
848 # local-zone: "254.169.in-addr.arpa." nodefault
849 # local-zone: "2.0.192.in-addr.arpa." nodefault
850 # local-zone: "100.51.198.in-addr.arpa." nodefault
851 # local-zone: "113.0.203.in-addr.arpa." nodefault
852 # local-zone: "255.255.255.255.in-addr.arpa." nodefault
853 # local-zone: "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
854 # local-zone: "d.f.ip6.arpa." nodefault
855 # local-zone: "8.e.f.ip6.arpa." nodefault
856 # local-zone: "9.e.f.ip6.arpa." nodefault
857 # local-zone: "a.e.f.ip6.arpa." nodefault
858 # local-zone: "b.e.f.ip6.arpa." nodefault
859 # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
860 # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
863 # local-zone: "example.com" ipset
866 # to perform lan-wide lookups to the upstream, and unblock the
867 # long list of local-zones above. If this Unbound is a dns server
870 # unblock-lan-zones: no
872 # The insecure-lan-zones option disables validation for
873 # these zones, as if they were all listed as domain-insecure.
874 # insecure-lan-zones: no
877 # local-zone: <zone> <type>
878 # local-data: "<resource record string>"
895 # o noview breaks out of that view towards global local-zones.
901 # If you configure local-data without specifying local-zone, by
902 # default a transparent local-zone is created for the data.
905 # local-zone: "local." static
906 # local-data: "mycomputer.local. IN A 192.0.2.51"
907 # local-data: 'mytext.local TXT "content of text record"'
910 # local-data: "adserver.example.com A 127.0.0.1"
914 # local-zone: "example.com" redirect
915 # local-data: "example.com A 192.0.2.3"
918 # You can also add PTR records using local-data directly, but then
920 # local-data-ptr: "192.0.2.3 www.example.com"
923 # local-zone-tag: "example.com" "tag2 tag3"
926 # local-zone-override: "example.com" 192.0.2.0/24 refuse
932 # tls-service-key: "path/to/privatekeyfile.key"
933 # tls-service-pem: "path/to/publiccertfile.pem"
934 # tls-port: 853
935 # https-port: 443
936 # quic-port: 853
939 # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-R…
941 …# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AE…
944 # pad-responses: yes
947 # pad-responses-block-size: 468
951 # tls-use-sni: yes
958 # tls-session-ticket-keys: "path/to/secret_file1"
959 # tls-session-ticket-keys: "path/to/secret_file2"
962 # Default is no. Can be turned on and off with unbound-control.
963 # tls-upstream: no
966 # tls-cert-bundle: ""
969 # tls-win-cert: no
971 # tls-system-cert: no
974 # pad-queries: yes
977 # pad-queries-block-size: 128
980 # tls-additional-port: portno for each of the port numbers.
982 # HTTP endpoint to provide DNS-over-HTTPS service on.
983 # http-endpoint: "/dns-query"
986 # http-max-streams: 100
989 # http-query-buffer-size: 4m
992 # http-response-buffer-size: 4m
994 # Set TCP_NODELAY socket option on sockets used for DNS-over-HTTPS
996 # http-nodelay: yes
998 # Disable TLS for DNS-over-HTTP downstream service.
999 # http-notls-downstream: no
1002 # quic-size: 8m
1006 # proxy-protocol-port: portno for each of the port numbers.
1009 # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4.
1010 # dns64-prefix: 64:ff9b::0/96
1013 # dns64-ignore-aaaa: "example.com"
1021 # ratelimit-size: 4m
1023 # ratelimit-slabs: 4
1026 # ratelimit-factor: 10
1030 # ratelimit-backoff: no
1034 # ratelimit-for-domain: example.com 1000
1037 # ratelimit-below-domain: com 1000
1042 # ip-ratelimit: 0
1048 # If used, suggested to be higher than ip-ratelimit, tenfold.
1049 # ip-ratelimit-cookie: 0
1052 # ip-ratelimit-size: 4m
1054 # ip-ratelimit-slabs: 4
1057 # ip-ratelimit-factor: 10
1061 # ip-ratelimit-backoff: no
1064 # tcp-connection-limit: 192.0.2.0/24 12
1068 # fast-server-permil: 0
1070 # fast-server-num: 3
1073 # answer-cookie: no
1078 # cookie-secret: <128 bit random hex string>
1080 # File with cookie secrets, the 'cookie-secret:' option is ignored
1083 # cookie-secret-file: "/usr/local/etc/unbound_cookiesecrets.txt"
1085 # Enable to attach Extended DNS Error codes (RFC8914) to responses.
1088 # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale
1091 # ede-serve-expired: no
1093 # Enable DNS Error Reporting (RFC9567).
1094 # qname-minimisation is advised to be turned on as well to increase
1096 # dns-error-reporting: no
1099 # --enable-ipsecmod for these to take effect.
1101 # Enable or disable ipsecmod (it still needs to be defined in
1102 # module-config above). Can be used when ipsecmod needs to be
1103 # enabled/disabled via remote-control(below).
1104 # ipsecmod-enabled: yes
1107 # listed in module-config (above).
1108 # ipsecmod-hook: "./my_executable"
1111 # the ipsecmod-hook is not 0.
1112 # ipsecmod-strict: no
1115 # ipsecmod-max-ttl: 3600
1119 # ipsecmod-ignore-bogus: no
1123 # ipsecmod-allow: "example.com"
1124 # ipsecmod-allow: "nlnetlabs.nl"
1126 # Timeout for REUSE entries in milliseconds.
1127 # tcp-reuse-timeout: 60000
1129 # max-reuse-tcp-queries: 200
1130 # Timeout in milliseconds for TCP queries to auth servers.
1131 # tcp-auth-query-timeout: 3000
1134 # Python config section. To enable:
1135 # o use --with-pythonmodule to configure before compiling.
1136 # o list python in the module-config string (above) to enable.
1139 # o and give a python-script to run.
1142 # python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py"
1144 # Dynamic library config section. To enable:
1145 # o use --with-dynlibmodule to configure before compiling.
1146 # o list dynlib in the module-config string (above) to enable.
1149 # o and give a dynlib-file to run. If more than one dynlib entry is listed in
1150 # the module-config then you need one dynlib-file per instance.
1153 # dynlib-file: "@UNBOUND_SHARE_DIR@/dynlib.so"
1156 remote-control:
1157 # Enable remote control with unbound-control(8) here.
1158 # set up the keys and certificates with unbound-control-setup.
1159 # control-enable: no
1165 # control-interface: 127.0.0.1
1166 # control-interface: ::1
1169 # control-port: 8953
1173 # control-use-cert: "yes"
1176 # server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key"
1179 # server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem"
1181 # unbound-control key file.
1182 # control-key-file: "@UNBOUND_RUN_DIR@/unbound_control.key"
1184 # unbound-control certificate file.
1185 # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
1190 # nameservers by hostname or by ipaddress. If you set stub-prime to yes,
1192 # With stub-first yes, it attempts without the stub if it fails.
1193 # Consider adding domain-insecure: name and local-zone: name nodefault
1195 # stub-zone:
1197 # stub-addr: 192.0.2.68
1198 # stub-prime: no
1199 # stub-first: no
1200 # stub-tcp-upstream: no
1201 # stub-tls-upstream: no
1202 # stub-no-cache: no
1203 # stub-zone:
1205 # stub-host: ns.example.com.
1212 # If you enable forward-first, it attempts without the forward if it fails.
1213 # forward-zone:
1215 # forward-addr: 192.0.2.68
1216 # forward-addr: 192.0.2.73@5355 # forward to port 5355.
1217 # forward-first: no
1218 # forward-tcp-upstream: no
1219 # forward-tls-upstream: no
1220 # forward-no-cache: no
1221 # forward-zone:
1223 # forward-host: fwd.example.com
1232 # With allow-notify: you can give additional (apart from primaries and urls)
1234 # auth-zone:
1236 # primary: 170.247.170.2 # b.root-servers.net
1237 # primary: 192.33.4.12 # c.root-servers.net
1238 # primary: 199.7.91.13 # d.root-servers.net
1239 # primary: 192.5.5.241 # f.root-servers.net
1240 # primary: 192.112.36.4 # g.root-servers.net
1241 # primary: 193.0.14.129 # k.root-servers.net
1244 # primary: 2801:1b8:10::b # b.root-servers.net
1245 # primary: 2001:500:2::c # c.root-servers.net
1246 # primary: 2001:500:2d::d # d.root-servers.net
1247 # primary: 2001:500:2f::f # f.root-servers.net
1248 # primary: 2001:500:12::d0d # g.root-servers.net
1249 # primary: 2001:7fd::1 # k.root-servers.net
1252 # fallback-enabled: yes
1253 # for-downstream: no
1254 # for-upstream: yes
1255 # auth-zone:
1257 # for-downstream: yes
1258 # for-upstream: yes
1259 # zonemd-check: no
1260 # zonemd-reject-absence: no
1265 # the access-control-view option. Views can contain zero or more local-zone
1266 # and local-data options. Options from matching views will override global
1268 # With view-first yes, it will try to answer using the global local-zone and
1269 # local-data elements if there is no view specific match.
1272 # local-zone: "example.com" redirect
1273 # local-data: "example.com A 192.0.2.3"
1274 # local-data-ptr: "192.0.2.3 www.example.com"
1275 # view-first: no
1278 # local-zone: "example.com" refuse
1281 # To enable, use --enable-dnscrypt to configure before compiling.
1283 # 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper
1284 # for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
1286 # listen on `dnscrypt-port` with the following snippet:
1293 # dnscrypt-enable: yes
1294 # dnscrypt-port: 443
1295 # dnscrypt-provider: 2.dnscrypt-cert.example.com.
1296 # dnscrypt-secret-key: /path/unbound-conf/keys1/1.key
1297 # dnscrypt-secret-key: /path/unbound-conf/keys2/1.key
1298 # dnscrypt-provider-cert: /path/unbound-conf/keys1/1.cert
1299 # dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert
1303 # To enable, use --enable-cachedb to configure before compiling.
1306 # testing) and backend-specific options. The 'cachedb' module must be
1307 # included in module-config, just before the iterator module.
1311 # secret-seed: "default"
1313 # cachedb-no-store: no
1314 # # if the cachedb should be checked before a serve-expired response is
1315 # # given, when serve-expired is enabled.
1316 # cachedb-check-when-serve-expired: yes
1319 # # (to enable, use --with-libhiredis to configure before compiling)
1321 # redis-server-host: 127.0.0.1
1323 # redis-server-port: 6379
1325 # redis-server-path: "/var/lib/redis/redis-server.sock"
1327 # redis-server-password: ""
1328 # # timeout (in ms) for communication with the redis server
1329 # redis-timeout: 100
1330 # # timeout (in ms) for commands, if 0, uses redis-timeout.
1331 # redis-command-timeout: 0
1332 # # timeout (in ms) for connection set up, if 0, uses redis-timeout.
1333 # redis-connect-timeout: 0
1334 # # set timeout on redis records based on DNS response TTL
1335 # redis-expire-records: no
1337 # redis-logical-db: 0
1339 # redis-replica-server-host: 127.0.0.1
1341 # redis-replica-server-port: 6379
1343 # redis-replica-server-path: "/var/lib/redis/redis-server.sock"
1345 # redis-replica-server-password: ""
1346 # # timeout (in ms) for communication with the redis replica server
1347 # redis-replica-timeout: 100
1348 # # timeout (in ms) for redis replica commands, if 0, uses redis-replica-timeout.
1349 # redis-replica-command-timeout: 0
1350 # # timeout (in ms) for redis replica connection set up, if 0, uses redis-replica-timeout.
1351 # redis-replica-connect-timeout: 0
1353 # redis-replica-logical-db: 0
1357 # To enable:
1358 # o use --enable-ipset to configure before compiling;
1362 # name-v4: "list-v4"
1364 # name-v6: "list-v6"
1367 # Dnstap logging support, if compiled in by using --enable-dnstap to configure.
1368 # To enable, set the dnstap-enable to yes and also some of
1369 # dnstap-log-..-messages to yes. And select an upstream log destination, by
1372 # dnstap-enable: no
1374 # dnstap-bidirectional: yes
1375 # dnstap-socket-path: "@DNSTAP_SOCKET_PATH@"
1376 # # if "" use the unix socket in dnstap-socket-path, otherwise,
1378 # dnstap-ip: ""
1379 # # set to yes if you want to use TLS to dnstap-ip, no for TCP.
1380 # dnstap-tls: yes
1382 # dnstap-tls-server-name: ""
1384 # dnstap-tls-cert-bundle: ""
1386 # dnstap-tls-client-key-file: ""
1388 # dnstap-tls-client-cert-file: ""
1389 # dnstap-send-identity: no
1390 # dnstap-send-version: no
1392 # dnstap-identity: ""
1394 # dnstap-version: ""
1396 # dnstap-sample-rate: 0
1397 # dnstap-log-resolver-query-messages: no
1398 # dnstap-log-resolver-response-messages: no
1399 # dnstap-log-client-query-messages: no
1400 # dnstap-log-client-response-messages: no
1401 # dnstap-log-forwarder-query-messages: no
1402 # dnstap-log-forwarder-response-messages: no
1408 # actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp-only
1411 # to the module-config, e.g.: module-config: "respip validator iterator".
1416 # allow-notify: 192.0.2.0/32
1418 # rpz-action-override: cname
1419 # rpz-cname-override: www.example.org
1420 # rpz-log: yes
1421 # rpz-log-name: "example policy"
1422 # rpz-signal-nxdomain-ra: no
1423 # for-downstream: no