
13 #include-toplevel: "otherfile.conf"
24 # statistics-interval: 0
26 # enable shm for stats, default no. If you enable it, also enable
27 # statistics-interval; at every interval it also writes stats to the
28 # shared memory segment keyed with shm-key.
29 # shm-enable: no
32 # shm-key: 11777
34 # enable cumulative statistics, without clearing them after printing.
35 # statistics-cumulative: no
37 # enable extended statistics (query types, answer codes, status)
38 # printed from unbound-control. Default off, because of speed.
39 # extended-statistics: no
42 # rpz-actions) from printing if their value is 0.
44 # statistics-inhibit-zero: yes
47 # num-threads: 1
49 # specify the interfaces to answer queries from by ip-address.
60 # enable this feature to copy the source address of queries to reply.
62 # interface-automatic: no
65 # spaces when interface-automatic is enabled, by listing them here.
66 # interface-automatic-ports: ""
72 # server from by ip-address. If none, the default (all) interface
73 # is used. Specify every interface on a 'outgoing-interface:' line.
74 # outgoing-interface: 192.0.2.153
75 # outgoing-interface: 2001:DB8::5
76 # outgoing-interface: 2001:DB8::6
80 # outgoing-interface: 2001:DB8::/64
81 # Also (Linux:) ip -6 addr add 2001:db8::/64 dev lo
82 # And: ip -6 route add local 2001:db8::/64 dev lo
83 # And set prefer-ip6: yes to use the ip6 randomness from a netblock.
85 # prefer-ip6: no
88 # prefer-ip4: no
92 # num-queries-per-thread, or, use as many as the OS will allow you.
93 # outgoing-range: 4096
97 # outgoing-port-permit: 32768
103 # IANA-assigned port numbers.
104 # If multiple outgoing-port-permit and outgoing-port-avoid options
106 # outgoing-port-avoid: "3200-3208"
109 # outgoing-num-tcp: 10
112 # incoming-num-tcp: 10
116 # so-rcvbuf: 0
120 # so-sndbuf: 0
124 # so-reuseport: yes
126 # use IP_TRANSPARENT so the interface: addresses can be non-local
127 # and you can config non-existing IPs that are going to work later on
129 # ip-transparent: no
131 # use IP_FREEBIND so the interface: addresses can be non-local
133 # Linux only. On Linux you also have ip-transparent that is similar.
134 # ip-freebind: no
139 # ip-dscp: 0
142 # is set with msg-buffer-size).
143 # edns-buffer-size: 1232
147 # max-udp-size: 1232
150 # stream-wait-size: 4m
154 # msg-buffer-size: 65552
158 # msg-cache-size: 4m
163 # msg-cache-slabs: 4
166 # num-queries-per-thread: 1024
168 # if very busy, 50% of queries run to completion, 50% get timeout in msec
169 # jostle-timeout: 200
171 # msec to wait before close of port on timeout UDP. 0 disables.
172 # delay-close: 0
175 # udp-connect: yes
179 # outbound-msg-retry: 5
184 # max-sent-count: 32
188 # max-query-restarts: 11
191 # iter-scrub-ns: 20
194 # iter-scrub-cname: 11
197 # max-global-quota: 200
201 # unknown-server-time-limit: 376
204 # discard-timeout: 1900
207 # wait-limit: 1000
210 # wait-limit-cookie: 10000
213 # wait-limit-netblock: 192.0.2.0/24 50000
216 # wait-limit-cookie-netblock: 192.0.2.0/24 50000
219 # wait-limit-netblock: 127.0.0.0/8 -1
220 # wait-limit-netblock: ::1/128 -1
221 # wait-limit-cookie-netblock: 127.0.0.0/8 -1
222 # wait-limit-cookie-netblock: ::1/128 -1
226 # rrset-cache-size: 4m
231 # rrset-cache-slabs: 4
235 # cache-min-ttl: 0
239 # cache-max-ttl: 86400
242 # cache-max-negative-ttl: 3600
246 # cache-min-ttl applies if configured.
247 # cache-min-negative-ttl: 0
251 # infra-host-ttl: 900
254 # infra-cache-min-rtt: 50
257 # infra-cache-max-rtt: 120000
259 # enable to make server probe down hosts more frequently.
260 # infra-keep-probing: no
265 # infra-cache-slabs: 4
268 # infra-cache-numhosts: 10000
270 # define a number of tags here, use with local-zone, access-control,
271 # interface-*.
272 # repeat the define-tag statement to add additional tags.
273 # define-tag: "tag1 tag2 tag3"
275 # Enable IPv4, "yes" or "no".
276 # do-ip4: yes
278 # Enable IPv6, "yes" or "no".
279 # do-ip6: yes
281 # If running unbound on an IPv6-only host, domains that only have
286 # Consider also enabling prefer-ip6 to prefer native IPv6 connections
288 # do-nat64: no
290 # NAT64 prefix. Defaults to using dns64-prefix value.
291 # nat64-prefix: 64:ff9b::0/96
293 # Enable UDP, "yes" or "no".
294 # do-udp: yes
296 # Enable TCP, "yes" or "no".
297 # do-tcp: yes
301 # tcp-upstream: no
303 # upstream connections also use UDP (even if do-udp is no).
305 # udp-upstream-without-downstream: no
309 # tcp-mss: 0
313 # outgoing-tcp-mss: 0
315 # Idle TCP timeout, connection closed in milliseconds
316 # tcp-idle-timeout: 30000
318 # Enable EDNS TCP keepalive option.
319 # edns-tcp-keepalive: no
321 # Timeout for EDNS TCP keepalive, in msec. Overrides tcp-idle-timeout
322 # if edns-tcp-keepalive is set.
323 # edns-tcp-keepalive-timeout: 120000
327 # sock-queue-timeout: 0
330 # use-systemd: no
334 # do-daemonize: yes
343 # deny_non_local (drop queries unless can be answered from local-data)
345 # access-control: 127.0.0.0/8 allow
346 # access-control: ::1 allow
347 # access-control: ::ffff:127.0.0.1 allow
349 # tag access-control with list of tags (in "" with spaces between)
352 # access-control-tag: 192.0.2.0/24 "tag2 tag3"
356 # is the first tag match between access-control-tag and local-zone-tag
357 # where "first" comes from the order of the define-tag values.
358 # access-control-tag-action: 192.0.2.0/24 tag3 refuse
361 # access-control-tag-data: 192.0.2.0/24 tag2 "A 127.0.0.1"
364 # access-control-view: 192.0.2.0/24 viewname
366 # Similar to 'access-control:' but for interfaces.
371 # The actions are the same as 'access-control:' above.
373 # Note: any 'access-control*:' setting overrides all 'interface-*:'
375 # interface-action: 192.0.2.153 allow
376 # interface-action: 192.0.2.154 allow
377 # interface-action: 192.0.2.154@5003 allow
378 # interface-action: 2001:DB8::5 allow
379 # interface-action: eth0@5003 allow
381 # Similar to 'access-control-tag:' but for interfaces.
387 # Note: any 'access-control*:' setting overrides all 'interface-*:'
389 # interface-tag: eth0@5003 "tag2 tag3"
391 # Similar to 'access-control-tag-action:' but for interfaces.
394 # is the first tag match between interface-tag and local-zone-tag
395 # where "first" comes from the order of the define-tag values.
398 # Note: any 'access-control*:' setting overrides all 'interface-*:'
400 # interface-tag-action: eth0@5003 tag3 refuse
402 # Similar to 'access-control-tag-data:' but for interfaces.
406 # Note: any 'access-control*:' setting overrides all 'interface-*:'
408 # interface-tag-data: eth0@5003 tag2 "A 127.0.0.1"
410 # Similar to 'access-control-view:' but for interfaces.
414 # Note: any 'access-control*:' setting overrides all 'interface-*:'
416 # interface-view: eth0@5003 viewname
456 # Use of this option sets use-syslog to "no".
461 # use-syslog: yes
465 # log-identity: ""
468 # log-time-ascii: no
470 # log timestamp in ISO8601 format if log-time-ascii is also enabled.
471 # (y-m-dTh:m:s.msec[+-]tzhours:tzminutes)
472 # log-time-iso: no
475 # log-queries: no
479 # log-replies: no
482 # filtering log-queries and log-replies from the log.
483 # log-tag-queryreply: no
485 # log with destination address, port and type for log-replies.
486 # log-destaddr: no
488 # log the local-zone actions, like local-zone type inform is enabled
490 # log-local-actions: no
493 # log-servfail: no
500 # root-hints: ""
502 # enable to not answer id.server and hostname.bind queries.
503 # hide-identity: no
505 # enable to not answer version.server and version.bind queries.
506 # hide-version: no
508 # enable to not answer trustanchor.unbound queries.
509 # hide-trustanchor: no
511 # enable to not set the User-Agent HTTP header.
512 # hide-http-user-agent: no
523 # User-Agent HTTP header to use. Leave "" or default to use package name
525 # http-user-agent: ""
531 # -1 : fetch all targets opportunistically,
535 # target-fetch-policy: "3 2 1 0 0"
538 # harden-short-bufsize: yes
541 # harden-large-queries: no
544 # harden-glue: yes
546 # Harden against unverified (outside-zone, including sibling zone) glue rrsets
547 # harden-unverified-glue: no
549 # Harden against receiving dnssec-stripped data. If you turn it
552 # Default on, which insists on dnssec data for trust-anchored zones.
553 # harden-dnssec-stripped: yes
555 # Harden against queries that fall under dnssec-signed nxdomain names.
556 # harden-below-nxdomain: yes
561 # implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
562 # harden-referral-path: no
568 # harden-algo-downgrade: no
572 # harden-unknown-additional: no
577 # qname-minimisation: yes
579 # QNAME minimisation in strict mode. Do not fall-back to sending full
582 # This option only has effect when qname-minimisation is enabled.
583 # qname-minimisation-strict: no
587 # aggressive-nsec: yes
589 # Use 0x20-encoded random bits in the query to foil spoof attempts.
590 # This feature is an experimental implementation of draft dns-0x20.
591 # use-caps-for-id: no
593 # Domains (and domains in them) without support for dns-0x20 and
595 # caps-exempt: "licdn.com"
596 # caps-exempt: "senderbase.org"
601 # Only 'private-domain' and 'local-data' names are allowed to have
603 # private-address: 10.0.0.0/8
604 # private-address: 172.16.0.0/12
605 # private-address: 192.168.0.0/16
606 # private-address: 169.254.0.0/16
607 # private-address: fd00::/8
608 # private-address: fe80::/10
609 # private-address: ::ffff:0:0/96
612 # local-data statements are allowed to contain private addresses too.
613 # private-domain: "example.com"
620 # unwanted-reply-threshold: 0
624 # do-not-query-address: 127.0.0.1/8
625 # do-not-query-address: ::1
627 # if yes, the above default do-not-query-address entries are present.
629 # do-not-query-localhost: yes
635 # prefetch-key: no
638 # deny-any: no
641 # rrset-roundrobin: yes
645 # minimal-responses: yes
648 # disable-dnssec-lame-check: no
655 # module-config: "validator iterator"
658 # initial file like trust-anchor-file, then it stores metadata.
661 # If you want to perform DNSSEC validation, run unbound-anchor before
663 # And then enable the auto-trust-anchor-file config item.
664 # Please note usage of unbound-anchor root anchor is at your own risk
666 # auto-trust-anchor-file: "/var/unbound/root.key"
669 # trust-anchor-signaling: yes
671 # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
672 # root-key-sentinel: yes
677 # Note this gets out of date, use auto-trust-anchor-file please.
678 # trust-anchor-file: ""
682 # Note this gets out of date, use auto-trust-anchor-file please.
684 …# trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6…
685 # trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A"
688 # with several entries, one file per entry. Like trust-anchor-file
689 # but has a different file format. Format is BIND-9 style format,
690 # the trusted-keys { name flag proto algo "key"; }; clauses are read.
692 # trusted-keys-file: ""
695 # domain-insecure: "example.com"
699 # and expiration. "" or "0" turns the feature off. -1 ignores date.
700 # val-override-date: ""
704 # val-bogus-ttl: 60
707 # by 10% of the signature lifetime (expir-incep) from our local clock.
709 # val-sig-skew-min: 3600
710 # val-sig-skew-max: 86400
714 # val-max-restart: 5
720 # val-clean-additional: yes
727 # val-permissive-mode: no
730 # Enable it if the only clients of Unbound are legacy servers (w2008)
732 # ignore-cd-flag: no
735 # devices that cannot handle DNSSEC information. But do not enable it
737 # disable-edns-do: no
739 # Serve expired responses from cache, with serve-expired-reply-ttl in
741 # Can be configured with serve-expired-client-timeout.
742 # serve-expired: no
746 # serve-expired-ttl: 86400
748 # Set the TTL of expired records to the serve-expired-ttl value after a
752 # serve-expired-ttl-reset: no
755 # serve-expired-reply-ttl: 30
758 # This essentially enables the serve-stale behavior as specified in
761 # serve-expired-client-timeout: 1800
768 # serve-original-ttl: no
772 # val-log-level: 0
778 # val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150"
781 # zonemd-permissive-mode: no
783 # instruct the auto-trust-anchor-file probing to add anchors after ttl.
784 # add-holddown: 2592000 # 30 days
786 # instruct the auto-trust-anchor-file probing to del anchors after ttl.
787 # del-holddown: 2592000 # 30 days
789 # auto-trust-anchor-file probing removes missing anchors after ttl.
791 # keep-missing: 31622400 # 366 days
795 # permit-small-holddown: no
799 # key-cache-size: 4m
804 # key-cache-slabs: 4
808 # neg-cache-size: 1m
811 # reply is built-in. Query traffic is thus blocked. If you
814 # You may also have to use domain-insecure: zone to make DNSSEC work,
816 # local-zone: "localhost." nodefault
817 # local-zone: "127.in-addr.arpa." nodefault
818 # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
819 # local-zone: "home.arpa." nodefault
820 # local-zone: "resolver.arpa." nodefault
821 # local-zone: "service.arpa." nodefault
822 # local-zone: "onion." nodefault
823 # local-zone: "test." nodefault
824 # local-zone: "invalid." nodefault
825 # local-zone: "10.in-addr.arpa." nodefault
826 # local-zone: "16.172.in-addr.arpa." nodefault
827 # local-zone: "17.172.in-addr.arpa." nodefault
828 # local-zone: "18.172.in-addr.arpa." nodefault
829 # local-zone: "19.172.in-addr.arpa." nodefault
830 # local-zone: "20.172.in-addr.arpa." nodefault
831 # local-zone: "21.172.in-addr.arpa." nodefault
832 # local-zone: "22.172.in-addr.arpa." nodefault
833 # local-zone: "23.172.in-addr.arpa." nodefault
834 # local-zone: "24.172.in-addr.arpa." nodefault
835 # local-zone: "25.172.in-addr.arpa." nodefault
836 # local-zone: "26.172.in-addr.arpa." nodefault
837 # local-zone: "27.172.in-addr.arpa." nodefault
838 # local-zone: "28.172.in-addr.arpa." nodefault
839 # local-zone: "29.172.in-addr.arpa." nodefault
840 # local-zone: "30.172.in-addr.arpa." nodefault
841 # local-zone: "31.172.in-addr.arpa." nodefault
842 # local-zone: "168.192.in-addr.arpa." nodefault
843 # local-zone: "0.in-addr.arpa." nodefault
844 # local-zone: "254.169.in-addr.arpa." nodefault
845 # local-zone: "2.0.192.in-addr.arpa." nodefault
846 # local-zone: "100.51.198.in-addr.arpa." nodefault
847 # local-zone: "113.0.203.in-addr.arpa." nodefault
848 # local-zone: "255.255.255.255.in-addr.arpa." nodefault
849 # local-zone: "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
850 # local-zone: "d.f.ip6.arpa." nodefault
851 # local-zone: "8.e.f.ip6.arpa." nodefault
852 # local-zone: "9.e.f.ip6.arpa." nodefault
853 # local-zone: "a.e.f.ip6.arpa." nodefault
854 # local-zone: "b.e.f.ip6.arpa." nodefault
855 # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
856 # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
859 # local-zone: "example.com" ipset
862 # to perform lan-wide lookups to the upstream, and unblock the
863 # long list of local-zones above. If this Unbound is a dns server
866 # unblock-lan-zones: no
868 # The insecure-lan-zones option disables validation for
869 # these zones, as if they were all listed as domain-insecure.
870 # insecure-lan-zones: no
873 # local-zone: <zone> <type>
874 # local-data: "<resource record string>"
891 # o noview breaks out of that view towards global local-zones.
897 # If you configure local-data without specifying local-zone, by
898 # default a transparent local-zone is created for the data.
901 # local-zone: "local." static
902 # local-data: "mycomputer.local. IN A 192.0.2.51"
903 # local-data: 'mytext.local TXT "content of text record"'
906 # local-data: "adserver.example.com A 127.0.0.1"
910 # local-zone: "example.com" redirect
911 # local-data: "example.com A 192.0.2.3"
914 # You can also add PTR records using local-data directly, but then
916 # local-data-ptr: "192.0.2.3 www.example.com"
919 # local-zone-tag: "example.com" "tag2 tag3"
922 # local-zone-override: "example.com" 192.0.2.0/24 refuse
928 # tls-service-key: "path/to/privatekeyfile.key"
929 # tls-service-pem: "path/to/publiccertfile.pem"
930 # tls-port: 853
931 # https-port: 443
932 # quic-port: 853
935 # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-R…
937 …# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AE…
940 # pad-responses: yes
943 # pad-responses-block-size: 468
947 # tls-use-sni: yes
954 # tls-session-ticket-keys: "path/to/secret_file1"
955 # tls-session-ticket-keys: "path/to/secret_file2"
958 # Default is no. Can be turned on and off with unbound-control.
959 # tls-upstream: no
962 # tls-cert-bundle: ""
965 # tls-win-cert: no
967 # tls-system-cert: no
970 # pad-queries: yes
973 # pad-queries-block-size: 128
976 # tls-additional-port: portno for each of the port numbers.
978 # HTTP endpoint to provide DNS-over-HTTPS service on.
979 # http-endpoint: "/dns-query"
982 # http-max-streams: 100
985 # http-query-buffer-size: 4m
988 # http-response-buffer-size: 4m
990 # Set TCP_NODELAY socket option on sockets used for DNS-over-HTTPS
992 # http-nodelay: yes
994 # Disable TLS for DNS-over-HTTP downstream service.
995 # http-notls-downstream: no
998 # quic-size: 8m
1002 # proxy-protocol-port: portno for each of the port numbers.
1005 # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4.
1006 # dns64-prefix: 64:ff9b::0/96
1009 # dns64-ignore-aaaa: "example.com"
1017 # ratelimit-size: 4m
1019 # ratelimit-slabs: 4
1022 # ratelimit-factor: 10
1026 # ratelimit-backoff: no
1030 # ratelimit-for-domain: example.com 1000
1033 # ratelimit-below-domain: com 1000
1038 # ip-ratelimit: 0
1044 # If used, suggested to be higher than ip-ratelimit, tenfold.
1045 # ip-ratelimit-cookie: 0
1048 # ip-ratelimit-size: 4m
1050 # ip-ratelimit-slabs: 4
1053 # ip-ratelimit-factor: 10
1057 # ip-ratelimit-backoff: no
1060 # tcp-connection-limit: 192.0.2.0/24 12
1064 # fast-server-permil: 0
1066 # fast-server-num: 3
1069 # answer-cookie: no
1074 # cookie-secret: <128 bit random hex string>
1076 # File with cookie secrets, the 'cookie-secret:' option is ignored
1079 # cookie-secret-file: "/usr/local/etc/unbound_cookiesecrets.txt"
1081 # Enable to attach Extended DNS Error codes (RFC8914) to responses.
1084 # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale
1087 # ede-serve-expired: no
1089 # Enable DNS Error Reporting (RFC9567).
1090 # qname-minimisation is advised to be turned on as well to increase
1092 # dns-error-reporting: no
1095 # --enable-ipsecmod for these to take effect.
1097 # Enable or disable ipsecmod (it still needs to be defined in
1098 # module-config above). Can be used when ipsecmod needs to be
1099 # enabled/disabled via remote-control(below).
1100 # ipsecmod-enabled: yes
1103 # listed in module-config (above).
1104 # ipsecmod-hook: "./my_executable"
1107 # the ipsecmod-hook is not 0.
1108 # ipsecmod-strict: no
1111 # ipsecmod-max-ttl: 3600
1115 # ipsecmod-ignore-bogus: no
1119 # ipsecmod-allow: "example.com"
1120 # ipsecmod-allow: "nlnetlabs.nl"
1122 # Timeout for REUSE entries in milliseconds.
1123 # tcp-reuse-timeout: 60000
1125 # max-reuse-tcp-queries: 200
1126 # Timeout in milliseconds for TCP queries to auth servers.
1127 # tcp-auth-query-timeout: 3000
1130 # Python config section. To enable:
1131 # o use --with-pythonmodule to configure before compiling.
1132 # o list python in the module-config string (above) to enable.
1135 # o and give a python-script to run.
1138 # python-script: "/var/unbound/ubmodule-tst.py"
1140 # Dynamic library config section. To enable:
1141 # o use --with-dynlibmodule to configure before compiling.
1142 # o list dynlib in the module-config string (above) to enable.
1145 # o and give a dynlib-file to run. If more than one dynlib entry is listed in
1146 # the module-config then you need one dynlib-file per instance.
1149 # dynlib-file: "/var/unbound/dynlib.so"
1152 remote-control:
1153 # Enable remote control with unbound-control(8) here.
1154 # set up the keys and certificates with unbound-control-setup.
1155 # control-enable: no
1161 # control-interface: 127.0.0.1
1162 # control-interface: ::1
1165 # control-port: 8953
1169 # control-use-cert: "yes"
1172 # server-key-file: "/var/unbound/unbound_server.key"
1175 # server-cert-file: "/var/unbound/unbound_server.pem"
1177 # unbound-control key file.
1178 # control-key-file: "/var/unbound/unbound_control.key"
1180 # unbound-control certificate file.
1181 # control-cert-file: "/var/unbound/unbound_control.pem"
1186 # nameservers by hostname or by ipaddress. If you set stub-prime to yes,
1188 # With stub-first yes, it attempts without the stub if it fails.
1189 # Consider adding domain-insecure: name and local-zone: name nodefault
1191 # stub-zone:
1193 # stub-addr: 192.0.2.68
1194 # stub-prime: no
1195 # stub-first: no
1196 # stub-tcp-upstream: no
1197 # stub-tls-upstream: no
1198 # stub-no-cache: no
1199 # stub-zone:
1201 # stub-host: ns.example.com.
1208 # If you enable forward-first, it attempts without the forward if it fails.
1209 # forward-zone:
1211 # forward-addr: 192.0.2.68
1212 # forward-addr: 192.0.2.73@5355 # forward to port 5355.
1213 # forward-first: no
1214 # forward-tcp-upstream: no
1215 # forward-tls-upstream: no
1216 # forward-no-cache: no
1217 # forward-zone:
1219 # forward-host: fwd.example.com
1228 # With allow-notify: you can give additional (apart from primaries and urls)
1230 # auth-zone:
1232 # primary: 170.247.170.2 # b.root-servers.net
1233 # primary: 192.33.4.12 # c.root-servers.net
1234 # primary: 199.7.91.13 # d.root-servers.net
1235 # primary: 192.5.5.241 # f.root-servers.net
1236 # primary: 192.112.36.4 # g.root-servers.net
1237 # primary: 193.0.14.129 # k.root-servers.net
1240 # primary: 2801:1b8:10::b # b.root-servers.net
1241 # primary: 2001:500:2::c # c.root-servers.net
1242 # primary: 2001:500:2d::d # d.root-servers.net
1243 # primary: 2001:500:2f::f # f.root-servers.net
1244 # primary: 2001:500:12::d0d # g.root-servers.net
1245 # primary: 2001:7fd::1 # k.root-servers.net
1248 # fallback-enabled: yes
1249 # for-downstream: no
1250 # for-upstream: yes
1251 # auth-zone:
1253 # for-downstream: yes
1254 # for-upstream: yes
1255 # zonemd-check: no
1256 # zonemd-reject-absence: no
1261 # the access-control-view option. Views can contain zero or more local-zone
1262 # and local-data options. Options from matching views will override global
1264 # With view-first yes, it will try to answer using the global local-zone and
1265 # local-data elements if there is no view specific match.
1268 # local-zone: "example.com" redirect
1269 # local-data: "example.com A 192.0.2.3"
1270 # local-data-ptr: "192.0.2.3 www.example.com"
1271 # view-first: no
1274 # local-zone: "example.com" refuse
1277 # To enable, use --enable-dnscrypt to configure before compiling.
1279 # 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper
1280 # for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
1282 # listen on `dnscrypt-port` with the following snippet:
1289 # dnscrypt-enable: yes
1290 # dnscrypt-port: 443
1291 # dnscrypt-provider: 2.dnscrypt-cert.example.com.
1292 # dnscrypt-secret-key: /path/unbound-conf/keys1/1.key
1293 # dnscrypt-secret-key: /path/unbound-conf/keys2/1.key
1294 # dnscrypt-provider-cert: /path/unbound-conf/keys1/1.cert
1295 # dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert
1299 # To enable, use --enable-cachedb to configure before compiling.
1302 # testing) and backend-specific options. The 'cachedb' module must be
1303 # included in module-config, just before the iterator module.
1307 # secret-seed: "default"
1309 # cachedb-no-store: no
1310 # # if the cachedb should be checked before a serve-expired response is
1311 # # given, when serve-expired is enabled.
1312 # cachedb-check-when-serve-expired: yes
1315 # # (to enable, use --with-libhiredis to configure before compiling)
1317 # redis-server-host: 127.0.0.1
1319 # redis-server-port: 6379
1321 # redis-server-path: "/var/lib/redis/redis-server.sock"
1323 # redis-server-password: ""
1324 # # timeout (in ms) for communication with the redis server
1325 # redis-timeout: 100
1326 # # timeout (in ms) for commands, if 0, uses redis-timeout.
1327 # redis-command-timeout: 0
1328 # # timeout (in ms) for connection set up, if 0, uses redis-timeout.
1329 # redis-connect-timeout: 0
1330 # # set timeout on redis records based on DNS response TTL
1331 # redis-expire-records: no
1333 # redis-logical-db: 0
1335 # redis-replica-server-host: 127.0.0.1
1337 # redis-replica-server-port: 6379
1339 # redis-replica-server-path: "/var/lib/redis/redis-server.sock"
1341 # redis-replica-server-password: ""
1342 # # timeout (in ms) for communication with the redis replica server
1343 # redis-replica-timeout: 100
1344 # # timeout (in ms) for redis replica commands, if 0, uses redis-replica-timeout.
1345 # redis-replica-command-timeout: 0
1346 # # timeout (in ms) for redis replica connection set up, if 0, uses redis-replica-timeout.
1347 # redis-replica-connect-timeout: 0
1349 # redis-replica-logical-db: 0
1353 # To enable:
1354 # o use --enable-ipset to configure before compiling;
1358 # name-v4: "list-v4"
1360 # name-v6: "list-v6"
1363 # Dnstap logging support, if compiled in by using --enable-dnstap to configure.
1364 # To enable, set the dnstap-enable to yes and also some of
1365 # dnstap-log-..-messages to yes. And select an upstream log destination, by
1368 # dnstap-enable: no
1370 # dnstap-bidirectional: yes
1371 # dnstap-socket-path: ""
1372 # # if "" use the unix socket in dnstap-socket-path, otherwise,
1374 # dnstap-ip: ""
1375 # # set to yes if you want to use TLS to dnstap-ip, no for TCP.
1376 # dnstap-tls: yes
1378 # dnstap-tls-server-name: ""
1380 # dnstap-tls-cert-bundle: ""
1382 # dnstap-tls-client-key-file: ""
1384 # dnstap-tls-client-cert-file: ""
1385 # dnstap-send-identity: no
1386 # dnstap-send-version: no
1388 # dnstap-identity: ""
1390 # dnstap-version: ""
1392 # dnstap-sample-rate: 0
1393 # dnstap-log-resolver-query-messages: no
1394 # dnstap-log-resolver-response-messages: no
1395 # dnstap-log-client-query-messages: no
1396 # dnstap-log-client-response-messages: no
1397 # dnstap-log-forwarder-query-messages: no
1398 # dnstap-log-forwarder-response-messages: no
1404 # actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp-only
1407 # to the module-config, e.g.: module-config: "respip validator iterator".
1412 # allow-notify: 192.0.2.0/32
1414 # rpz-action-override: cname
1415 # rpz-cname-override: www.example.org
1416 # rpz-log: yes
1417 # rpz-log-name: "example policy"
1418 # rpz-signal-nxdomain-ra: no
1419 # for-downstream: no