Lines Matching +full:disable +full:- +full:port +full:- +full:power +full:- +full:control

3 .\" unbound.conf.5 -- unbound.conf manual
12 \- Unbound configuration file.
27 \fIunbound\-checkconf\fR(8)
34 $ unbound \-c /etc/unbound/unbound.conf
53 # mount \-\-bind \-n /dev/urandom /etc/unbound/dev/urandom
54 # and mount \-\-bind \-n /dev/log /etc/unbound/dev/log
62 access\-control: 10.0.0.0/8 allow
63 access\-control: 2001:DB8::/64 allow
82 .B include\-toplevel:
99 .B statistics\-interval: \fI<seconds>
101 Disable with value 0 or "". Default is disabled. The histogram statistics
106 .B statistics\-cumulative: \fI<yes or no>
110 .B extended\-statistics: \fI<yes or no>
111 If enabled, extended statistics are printed from \fIunbound\-control\fR(8).
113 counters are listed in \fIunbound\-control\fR(8).
115 .B statistics\-inhibit\-zero: \fI<yes or no>
117 printing with \fIunbound\-control\fR(8).
123 .B num\-threads: \fI<number>
126 .B port: \fI<port number>
127 The port number, default 53, on which the server responds to queries.
129 .B interface: \fI<ip address or interface name [@port]>
135 The interfaces are not changed on a reload (kill \-HUP) but only on restart.
136 A port number can be specified with @port (without spaces between
137 interface and port number), if not specified the default port (from
138 \fBport\fR) is used.
140 .B ip\-address: \fI<ip address or interface name [@port]>
143 .B interface\-automatic: \fI<yes or no>
146 ip\-transparent, but this option services all interfaces whilst with
147 ip\-transparent you can select which (future) interfaces Unbound provides
151 .B interface\-automatic\-ports: \fI<string>
152 List the port numbers that interface-automatic listens on. If empty, the
153 default port is listened on. The port numbers are separated by spaces in the
157 and listen on the normal port number, by including it in the list, and
158 also https or dns over tls port numbers by putting them in the list as well.
160 .B outgoing\-interface: \fI<ip address or ip6 netblock>
167 .B outgoing\-interface:
174 host running Unbound, and requires OS support for unprivileged non-local binds
177 .B outgoing\-interface:
180 .B prefer\-ip6: yes
184 ip \-6 addr add mynetblock/64 dev lo &&
185 ip \-6 route add local mynetblock/64 dev lo
187 .B outgoing\-range: \fI<number>
193 .B outgoing\-port\-permit: \fI<port number or range>
194 Permit Unbound to open this port or range of ports for use to send queries.
198 Give a port number or a range of the form "low\-high", without spaces.
200 The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements
206 .B outgoing\-port\-avoid: \fI<port number or range>
207 Do not permit Unbound to open this port or range of ports for use to send
208 queries. Use this to make sure Unbound does not grab a port that another
209 daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6.
211 Give a port number or a range of the form "low\-high", without spaces.
213 .B outgoing\-num\-tcp: \fI<number>
215 set to 0, or if do\-tcp is "no", no TCP queries to authoritative servers
218 .B incoming\-num\-tcp: \fI<number>
220 10. If set to 0, or if do\-tcp is "no", no TCP queries from clients are
223 .B edns\-buffer\-size: \fI<number>
226 buffer size is determined by msg\-buffer\-size (both for TCP and UDP). Do
233 .B max\-udp\-size: \fI<number>
237 same as the default for edns\-buffer\-size.
239 .B stream\-wait\-size: \fI<number>
249 .B msg\-buffer\-size: \fI<number>
256 .B msg\-cache\-size: \fI<number>
261 .B msg\-cache\-slabs: \fI<number>
263 Must be set to a power of 2. Setting (close) to the number of cpus is a
266 .B num\-queries\-per\-thread: \fI<number>
269 (see \fIjostle\-timeout\fR), then the queries are dropped. This forces
273 .B jostle\-timeout: \fI<msec>
280 The effect is that the qps for long-lasting queries is about
286 .B delay\-close: \fI<msec>
290 closed ports and setting off all sort of close-port counters, with
295 .B udp\-connect: \fI<yes or no>
299 .B unknown\-server\-time\-limit: \fI<msec>
302 That would then avoid re\-querying every initial query because it times out.
305 .B discard\-timeout: \fI<msec>
309 larger than serve\-expired\-client\-timeout if that is enabled.
313 .B wait\-limit: \fI<number>
319 .B wait\-limit\-cookie: \fI<number>
324 .B wait\-limit\-netblock: \fI<netblock> <number>
325 The wait limit for the netblock. If not given the wait\-limit value is
328 The value -1 disables wait limits for the netblock.
330 .B wait\-limit\-cookie\-netblock: \fI<netblock> <number>
332 If not given, the wait\-limit\-cookie value is used.
333 The value -1 disables wait limits for the netblock.
335 .B so\-rcvbuf: \fI<number>
337 space on UDP port 53 incoming queries. So that short spikes on busy
338 servers do not drop packets (see counter in netstat \-su). Default is
343 On OpenBSD change header and recompile kernel. On Solaris ndd \-set
346 .B so\-sndbuf: \fI<number>
348 UDP port 53 outgoing queries. This for very busy servers handles spikes
350 can get logged, the buffer overrun is also visible by netstat \-su.
355 to so\-rcvbuf.
357 .B so\-reuseport: \fI<yes or no>
363 it then attempts to open the port and passes the option if it was available
369 .B ip\-transparent: \fI<yes or no>
372 non\-local interfaces. For example for non\-existent IP addresses that
374 a lot like interface\-automatic, but that one services all interfaces
380 .B ip\-freebind: \fI<yes or no>
385 ip\-transparent option is also available.
387 .B ip-dscp: \fI<number>
390 The field replaces the outdated IPv4 Type-Of-Service field and the
393 .B rrset\-cache\-size: \fI<number>
398 .B rrset\-cache\-slabs: \fI<number>
400 Must be set to a power of 2.
402 .B cache\-max\-ttl: \fI<seconds>
408 .B cache\-min\-ttl: \fI<seconds>
416 .B cache\-max\-negative\-ttl: \fI<seconds>
421 .B cache\-min\-negative\-ttl: \fI<seconds>
425 If this is disabled and \fBcache-min-ttl\fR is configured, it will take effect
430 .B infra\-host\-ttl: \fI<seconds>
434 .B infra\-cache\-slabs: \fI<number>
436 by threads. Must be set to a power of 2.
438 .B infra\-cache\-numhosts: \fI<number>
441 .B infra\-cache\-min\-rtt: \fI<msec>
446 .B infra\-cache\-max\-rtt: \fI<msec>
450 .B infra\-keep\-probing: \fI<yes or no>
454 it may take \fBinfra\-host\-ttl\fR time to get probed again.
456 .B define\-tag: \fI<"list of tags">
457 Define the tags that can be used with local\-zone and access\-control.
460 .B do\-ip4: \fI<yes or no>
461 Enable or disable whether ip4 queries are answered or issued. Default is yes.
463 .B do\-ip6: \fI<yes or no>
464 Enable or disable whether ip6 queries are answered or issued. Default is yes.
466 IPv6 to the internet nameservers. With this option you can disable the
470 .B prefer\-ip4: \fI<yes or no>
477 .B prefer\-ip6: \fI<yes or no>
481 .B do\-udp: \fI<yes or no>
482 Enable or disable whether UDP queries are answered or issued. Default is yes.
484 .B do\-tcp: \fI<yes or no>
485 Enable or disable whether TCP queries are answered or issued. Default is yes.
487 .B tcp\-mss: \fI<number>
495 .B outgoing\-tcp\-mss: \fI<number>
503 .B tcp-idle-timeout: \fI<msec>\fR
514 It will be overridden by \fBedns\-tcp\-keepalive\-timeout\fR if
515 \fBedns\-tcp\-keepalive\fR is enabled.
517 .B tcp-reuse-timeout: \fI<msec>\fR
521 .B max-reuse-tcp-queries: \fI<number>\fR
526 .B tcp-auth-query-timeout: \fI<number>\fR
530 .B edns-tcp-keepalive: \fI<yes or no>\fR
531 Enable or disable EDNS TCP Keepalive. Default is no.
533 .B edns-tcp-keepalive-timeout: \fI<msec>\fR
534 Overrides \fBtcp\-idle\-timeout\fR when \fBedns\-tcp\-keepalive\fR is enabled.
540 .B sock\-queue\-timeout: \fI<sec>\fR
548 .B tcp\-upstream: \fI<yes or no>
549 Enable or disable whether the upstream queries use TCP only for transport.
551 TCP transport only for selected forward or stub zones using forward-tcp-upstream
552 or stub-tcp-upstream respectively.
554 .B udp\-upstream\-without\-downstream: \fI<yes or no>
555 Enable udp upstream even if do-udp is no. Default is no, and this does not
559 .B tls\-upstream: \fI<yes or no>
560 Enable or disable whether the upstream queries use TLS only for transport.
563 \fBtls\-service\-key\fR).
564 If you enable this, also configure a tls\-cert\-bundle or use tls\-win\-cert or
565 tls\-system\-cert to load CA certs, otherwise the connections cannot be
568 forward\-tls\-upstream. And also with stub\-tls\-upstream.
569 If the tls\-upstream option is enabled, it is for all the forwards and stubs,
570 where the forward\-tls\-upstream and stub\-tls\-upstream options are ignored,
573 .B ssl\-upstream: \fI<yes or no>
574 Alternate syntax for \fBtls\-upstream\fR. If both are present in the config
577 .B tls\-service\-key: \fI<file>
578 If enabled, the server provides DNS-over-TLS or DNS-over-HTTPS service on the
579 TCP ports marked implicitly or explicitly for these services with tls\-port or
580 https\-port. The file must contain the private key for the TLS session, the
581 public certificate is in the tls\-service\-pem file and it must also be
582 specified if tls\-service\-key is specified. The default is "", turned off.
585 The ports enabled implicitly or explicitly via \fBtls\-port:\fR and
586 \fBhttps\-port:\fR do not provide normal DNS TCP service. Unbound needs to be
587 compiled with libnghttp2 in order to provide DNS-over-HTTPS.
589 .B ssl\-service\-key: \fI<file>
590 Alternate syntax for \fBtls\-service\-key\fR.
592 .B tls\-service\-pem: \fI<file>
596 .B ssl\-service\-pem: \fI<file>
597 Alternate syntax for \fBtls\-service\-pem\fR.
599 .B tls\-port: \fI<number>
600 The port number on which to provide TCP TLS service, default 853, only
601 interfaces configured with that port number as @number get the TLS service.
603 .B ssl\-port: \fI<number>
604 Alternate syntax for \fBtls\-port\fR.
606 .B tls\-cert\-bundle: \fI<file>
608 for example "/etc/pki/tls/certs/ca\-bundle.crt". These certificates are used
609 for authenticating connections made to outside peers. For example auth\-zone
613 .B ssl\-cert\-bundle: \fI<file>
614 Alternate syntax for \fBtls\-cert\-bundle\fR.
616 .B tls\-win\-cert: \fI<yes or no>
620 the tls\-cert\-bundle option on other systems. On other systems, this option
623 .B tls\-system\-cert: \fI<yes or no>
624 This is the same setting as the tls\-win\-cert setting, under a different name.
627 .B tls\-additional\-port: \fI<portnr>
628 List portnumbers as tls\-additional\-port, and when interfaces are defined,
629 e.g. with the @port suffix, as this port number, they provide dns over TLS
632 .B tls-session-ticket-keys: \fI<file>
645 .B tls\-ciphers: \fI<string with cipher list>
649 .B tls\-ciphersuites: \fI<string with ciphersuites list>
653 .B pad\-responses: \fI<yes or no>
656 \fBpad\-responses\-block\-size\fR.
659 .B pad\-responses\-block\-size: \fI<number>
664 .B pad\-queries: \fI<yes or no>
666 multiple of the size specified in \fBpad\-queries\-block\-size\fR.
669 .B pad\-queries\-block\-size: \fI<number>
673 .B tls\-use\-sni: \fI<yes or no>
674 Enable or disable sending the SNI extension on TLS connections.
678 .B https\-port: \fI<number>
679 The port number on which to provide DNS-over-HTTPS service, default 443, only
680 interfaces configured with that port number as @number get the HTTPS service.
682 .B http\-endpoint: \fI<endpoint string>
683 The HTTP endpoint to provide DNS-over-HTTPS service on. Default "/dns-query".
685 .B http\-max\-streams: \fI<number of streams>
687 SETTINGS frame for DNS-over-HTTPS connections. Default 100.
689 .B http\-query\-buffer\-size: \fI<size in bytes>
696 .B http\-response\-buffer\-size: \fI<size in bytes>
703 .B http\-nodelay: \fI<yes or no>
704 Set TCP_NODELAY socket option on sockets used to provide DNS-over-HTTPS service.
707 .B http\-notls\-downstream: \fI<yes or no>
708 Disable use of TLS for the downstream DNS-over-HTTP connections. Useful for
711 .B proxy\-protocol\-port: \fI<portnr>
712 List port numbers as proxy\-protocol\-port, and when interfaces are defined,
713 e.g. with the @port suffix, as this port number, they support and expect PROXYv2.
722 .B quic\-port: \fI<number>
723 The port number on which to provide DNS-over-QUIC service, default 853, only
724 interfaces configured with that port number as @number get the QUIC service.
725 The interface uses QUIC for the UDP traffic on that port number.
727 .B quic\-size: \fI<size in bytes>
734 .B use\-systemd: \fI<yes or no>
735 Enable or disable systemd socket activation.
738 .B do\-daemonize: \fI<yes or no>
739 Enable or disable whether the Unbound server forks into the background as
743 .B tcp\-connection\-limit: \fI<IP netblock> <limit>
748 .B access\-control: \fI<IP netblock> <action>
760 The order of the access\-control statements therefore does not matter.
772 local\-data that is configured. The reason is that this does not involve
796 \fBanswer\-cookie\fR option is enabled.
802 \fBanswer\-cookie\fR setting.
808 The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
813 only allowed to query for the authoritative local\-data, they are not
818 .B access\-control\-tag: \fI<IP netblock> <"list of tags">
819 Assign tags to access-control elements. Clients using this access control
821 defined in \fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put
822 spaces between tags. If access\-control\-tag is configured for a netblock that
823 does not have an access\-control, an access\-control element with action
826 .B access\-control\-tag\-action: \fI<IP netblock> <tag> <action>
827 Set action for particular tag for given access control element. If you have
829 between access\-control\-tag and local\-zone\-tag where "first" comes from the
830 order of the define-tag values.
832 .B access\-control\-tag\-data: \fI<IP netblock> <tag> <"resource record string">
833 Set redirect data for particular tag for given access control element.
835 .B access\-control\-view: \fI<IP netblock> <view name>
836 Set view for given access control element.
838 .B interface\-action: \fI<ip address or interface name [@port]> <action>
839 Similar to \fBaccess\-control:\fR but for interfaces.
841 The action is the same as the ones defined under \fBaccess\-control:\fR.
845 \fBaccess\-control:\fR behavior.
846 This also means that any attempt to use the \fBinterface-*:\fR options for the
848 default "\fBaccess\-control:\fR 127.0.0.0/8 allow" option.
851 and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
854 .B interface\-tag: \fI<ip address or interface name [@port]> <"list of tags">
855 Similar to \fBaccess\-control-tag:\fR but for interfaces.
858 and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
861 .B interface\-tag\-action: \fI<ip address or interface name [@port]> <tag> <action>
862 Similar to \fBaccess\-control-tag-action:\fR but for interfaces.
865 and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
868 .B interface\-tag\-data: \fI<ip address or interface name [@port]> <tag> <"resource record string">
869 Similar to \fBaccess\-control-tag-data:\fR but for interfaces.
872 and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
875 .B interface\-view: \fI<ip address or interface name [@port]> <view name>
876 Similar to \fBaccess\-control-view:\fR but for interfaces.
879 and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
910 If given, after binding the port the user privileges are dropped. Default is
914 port, reloads (by signal HUP) will still retain the opened ports.
915 If you change the port number in the config file, and that new port number
931 If this option is given, the use\-syslog option is set to "no".
935 .B use\-syslog: \fI<yes or no>
939 The logfile setting is overridden when use\-syslog is turned on.
942 .B log\-identity: \fI<string>
949 .B log\-time\-ascii: \fI<yes or no>
954 .B log\-time\-iso:\fR <yes or no>
955 Log time in ISO8601 format, if \fBlog\-time\-ascii:\fR yes is also set.
958 .B log\-queries: \fI<yes or no>
964 .B log\-replies: \fI<yes or no>
971 .B log\-tag\-queryreply: \fI<yes or no>
972 Prints the word 'query' and 'reply' with log\-queries and log\-replies.
976 .B log\-destaddr: \fI<yes or no>
977 Prints the destination address, port and type in the log\-replies output.
979 port the traffic was sent to.
981 .B log\-local\-actions: \fI<yes or no>
983 local\-zone type inform prints out, but they are also printed for the other
986 .B log\-servfail: \fI<yes or no>
995 kill \-HUP `cat @UNBOUND_PIDFILE@`
999 kill \-TERM `cat @UNBOUND_PIDFILE@`
1003 .B root\-hints: \fI<filename>
1007 when servers change, therefore it is good practice to use a root\-hints file.
1009 .B hide\-identity: \fI<yes or no>
1016 .B hide\-version: \fI<yes or no>
1023 .B hide\-http\-user\-agent: \fI<yes or no>
1024 If enabled the HTTP header User-Agent is not set. Use with caution as some
1027 .B http\-user\-agent
1030 .B http\-user\-agent: \fI<string>
1031 Set the HTTP User-Agent header for outgoing HTTP requests. If set to "",
1039 .B hide\-trustanchor: \fI<yes or no>
1042 .B target\-fetch\-policy: \fI<"list of numbers">
1049 A value of \-1 means to fetch all targets opportunistically for that dependency
1055 closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour
1058 .B harden\-short\-bufsize: \fI<yes or no>
1062 .B harden\-large\-queries: \fI<yes or no>
1067 .B harden\-glue: \fI<yes or no>
1070 .B harden\-unverified\-glue: \fI<yes or no>
1071 Will trust only in-zone glue. Will try to resolve all out of zone
1075 .B harden\-dnssec\-stripped: \fI<yes or no>
1076 Require DNSSEC data for trust\-anchored zones, if such data is absent,
1085 .B harden\-below\-nxdomain: \fI<yes or no>
1092 this only DNSSEC-secure nxdomains are used, because the old software does not
1096 .B harden\-referral\-path: \fI<yes or no>
1105 If you enable it consider adding more numbers after the target\-fetch\-policy
1108 .B harden\-algo\-downgrade: \fI<yes or no>
1115 .B harden\-unknown\-additional: \fI<yes or no>
1121 .B use\-caps\-for\-id: \fI<yes or no>
1122 Use 0x20\-encoded random bits in the query to foil spoof attempts.
1126 This feature is an experimental implementation of draft dns\-0x20.
1128 .B caps\-exempt: \fI<domain>
1129 Exempt the domain so that it does not receive caps\-for\-id perturbed
1134 .B caps\-whitelist: \fI<yes or no>
1135 Alternate syntax for \fBcaps\-exempt\fR.
1137 .B qname\-minimisation: \fI<yes or no>
1144 .B qname\-minimisation\-strict: \fI<yes or no>
1145 QNAME minimisation in strict mode. Do not fall back to sending full QNAME to
1148 This option only has effect when qname-minimisation is enabled. Default is no.
1150 .B aggressive\-nsec: \fI<yes or no>
1156 .B private\-address: \fI<IP address or subnet>
1161 answers bogus. This protects against so\-called DNS Rebinding, where
1165 \fBlocal\-data\fR that you configured is allowed to, and you can specify
1166 additional names using \fBprivate\-domain\fR. No private addresses are
1173 stops IPv4-mapped IPv6 addresses from bypassing the filter.
1175 .B private\-domain: \fI<domain name>
1180 .B unwanted\-reply\-threshold: \fI<number>
1187 .B do\-not\-query\-address: \fI<IP address>
1192 .B do\-not\-query\-localhost: \fI<yes or no>
1193 If yes, localhost is added to the do\-not\-query\-address entries, both
1204 .B prefetch\-key: \fI<yes or no>
1209 .B deny\-any: \fI<yes or no>
1215 .B rrset\-roundrobin: \fI<yes or no>
1219 .B minimal-responses: \fI<yes or no>
1230 .B disable-dnssec-lame-check: \fI<yes or no>
1237 .B module\-config: \fI<"module names">
1241 Setting this to just "\fIiterator\fR" will result in a non\-validating
1246 You must also set \fItrust\-anchors\fR for validation to be useful.
1262 .B trust\-anchor\-file: \fI<filename>
1267 .B auto\-trust\-anchor\-file: \fI<filename>
1271 \fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated,
1277 .B trust\-anchor: \fI<"Resource Record">
1279 given to specify multiple trusted keys, in addition to the trust\-anchor\-files.
1285 .B trusted\-keys\-file: \fI<filename>
1287 with several entries, one file per entry. Like \fBtrust\-anchor\-file\fR
1288 but has a different file format. Format is BIND\-9 style format,
1289 the trusted\-keys { name flag proto algo "key"; }; clauses are read.
1293 .B trust\-anchor\-signaling: \fI<yes or no>
1296 .B root\-key\-sentinel: \fI<yes or no>
1299 .B domain\-insecure: \fI<domain name>
1312 .B val\-override\-date: \fI<rrsig\-style date spec>
1316 you are debugging signature inception and expiration. The value \-1 ignores
1319 .B val\-sig\-skew\-min: \fI<seconds>
1321 A value of 10% of the signature lifetime (expiration \- inception) is
1326 .B val\-sig\-skew\-max: \fI<seconds>
1328 A value of 10% of the signature lifetime (expiration \- inception)
1335 .B val\-max\-restart: \fI<number>
1339 .B val\-bogus\-ttl: \fI<number>
1345 .B val\-clean\-additional: \fI<yes or no>
1352 .B val\-log\-level: \fI<number>
1361 .B val\-permissive\-mode: \fI<yes or no>
1369 .B ignore\-cd\-flag: \fI<yes or no>
1372 does not disable checking any more. This is useful if legacy (w2008)
1377 .B disable\-edns\-do: \fI<yes or no>
1378 Disable the EDNS DO flag in upstream requests.
1391 .B serve\-expired: \fI<yes or no>
1393 TTL of \fBserve\-expired\-reply\-ttl\fR in the response without waiting for the
1397 .B serve\-expired\-ttl: \fI<seconds>
1399 disables the limit. This option only applies when \fBserve\-expired\fR is
1403 .B serve\-expired\-ttl\-reset: \fI<yes or no>
1404 Set the TTL of expired records to the \fBserve\-expired\-ttl\fR value after a
1409 .B serve\-expired\-reply\-ttl: \fI<seconds>
1411 \fBserve\-expired\-client\-timeout\fR is also used then it is RECOMMENDED to
1414 .B serve\-expired\-client\-timeout: \fI<msec>
1416 essentially enables the serve-stale behavior as specified in
1419 RFC 8767 is 1800. Setting this to 0 will disable this
1422 .B serve\-original\-ttl: \fI<yes or no>
1426 front-end to a hidden authoritative name server. Enabling this feature does
1431 Thus, the values set using \fBcache\-min\-ttl\fR and \fBcache\-max\-ttl\fR are
1435 .B val\-nsec3\-keysize\-iterations: \fI<"list of values">
1444 .B zonemd\-permissive\-mode: \fI<yes or no>
1450 .B add\-holddown: \fI<seconds>
1451 Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
1455 .B del\-holddown: \fI<seconds>
1456 Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
1461 .B keep\-missing: \fI<seconds>
1462 Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
1466 mechanism work with zones that perform regular (non\-5011) rollovers.
1470 .B permit\-small\-holddown: \fI<yes or no>
1474 .B key\-cache\-size: \fI<number>
1479 .B key\-cache\-slabs: \fI<number>
1481 Must be set to a power of 2. Setting (close) to the number of cpus is a
1484 .B neg\-cache\-size: \fI<number>
1489 .B unblock\-lan\-zones: \fI<yes or no>
1495 with default local zones. Disable the option when Unbound is running
1496 as a (DHCP-) DNS network resolver for a group of machines, where such
1500 .B insecure\-lan\-zones: \fI<yes or no>
1503 \fIunblock\-lan\-zones\fR is used.
1505 .B local\-zone: \fI<zone> <type>
1507 there is no match from local\-data. The types are deny, refuse, static,
1511 are listed. Use local\-data: to enter data into the local zone. Answers for
1515 CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for
1516 it as detailed in the stub zone section below. A stub\-zone can be used to
1518 fetch the information. With a forward\-zone, unbound sends queries to a server
1519 that is a recursive server to fetch the information. With an auth\-zone a
1520 zone can be loaded from file and used, it can be used like a local\-zone
1521 for users downstream, or the auth\-zone information can be used to fetch
1523 forward\-zone and auth\-zone options are described in their sections below.
1525 the local\-zone and local\-data statements allow for this, but also the
1540 as local\-data for the zone apex domain.
1547 If no local\-zone is given local\-data causes a transparent zone
1564 local\-zone: "example.com." redirect and
1565 local\-data: "example.com. A 127.0.0.1"
1572 timestamp, unbound-pid, info: zonename inform IP@port queryname type
1629 can be turned off by specifying your own local\-zone of that name, or
1636 local\-zone: "localhost." redirect
1637 local\-data: "localhost. 10800 IN NS localhost."
1638 local\-data: "localhost. 10800 IN
1640 local\-data: "localhost. 10800 IN A 127.0.0.1"
1641 local\-data: "localhost. 10800 IN AAAA ::1"
1647 local\-zone: "127.in\-addr.arpa." static
1648 local\-data: "127.in\-addr.arpa. 10800 IN NS localhost."
1649 local\-data: "127.in\-addr.arpa. 10800 IN
1651 local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN
1658 local\-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1660 local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1663 local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1666 local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1674 local\-zone: "home.arpa." static
1675 local\-data: "home.arpa. 10800 IN NS localhost."
1676 local\-data: "home.arpa. 10800 IN
1683 local\-zone: "onion." static
1684 local\-data: "onion. 10800 IN NS localhost."
1685 local\-data: "onion. 10800 IN
1692 local\-zone: "test." static
1693 local\-data: "test. 10800 IN NS localhost."
1694 local\-data: "test. 10800 IN
1701 local\-zone: "invalid." static
1702 local\-data: "invalid. 10800 IN NS localhost."
1703 local\-data: "invalid. 10800 IN
1708 Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to
1709 31.172.in\-addr.arpa, 168.192.in\-addr.arpa.
1710 The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS
1713 \h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR
1714 Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa,
1715 2.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2),
1716 113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa.
1717 And from 64.100.in\-addr.arpa to 127.100.in\-addr.arpa (Shared Address Space).
1736 local\-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault
1739 transparent with a local\-zone statement.
1741 .\" End of local-zone listing.
1743 .B local\-data: \fI"<resource record string>"
1745 The query has to match exactly unless you configure the local\-zone as
1746 redirect. If not matched exactly, the local\-zone type determines
1747 further processing. If local\-data is configured that is not a subdomain of
1748 a local\-zone, a transparent local\-zone is configured.
1750 local\-data: 'example. TXT "text"'.
1753 CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for
1756 .B local\-data\-ptr: \fI"IPaddr name"
1761 .B local\-zone\-tag: \fI<zone> <"list of tags">
1763 used access-control element has a matching tag. Tags must be defined in
1764 \fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put spaces between
1766 list of tags for the query and local\-zone\-tag is non-empty.
1768 .B local\-zone\-override: \fI<zone> <IP netblock> <type>
1770 Use this localzone type, regardless of the type configured for the local-zone
1772 access\-control\-tag\-action.
1774 .B response\-ip: \fI<IP-netblock> <action>
1781 \fIaccess-control-tag-action\fR, but there are some exceptions.
1783 Actions for \fIresponse-ip\fR are different from those for
1784 \fIlocal-zone\fR in that in case of the former there is no point of
1786 Because of this difference, the semantics of \fIresponse-ip\fR actions
1789 invalid for \fIresponse-ip\fR.
1791 faulty. The \fIdeny\fR action is non-conditional, i.e. it always
1796 .B response-ip-data: \fI<IP-netblock> <"resource record string">
1799 This specifies the action data for \fIresponse-ip\fR with action being
1801 record string" is similar to that of \fIaccess-control-tag-action\fR,
1803 If the IP-netblock is an IPv6/IPv4 prefix, the record
1806 more than one \fIresponse-ip-data\fR for the same IP-netblock.
1808 IP-netblock, following the normal rules for CNAME records.
1813 .B response-ip-tag: \fI<IP-netblock> <"list of tags">
1816 Assign tags to response IP-netblocks. If the IP address in an AAAA or
1818 IP-netblock, the specified tags are assigned to the IP address.
1819 Then, if an \fIaccess-control-tag\fR is defined for the client and it
1821 \fIaccess-control-tag-action\fR will apply.
1822 Tag matching rule is the same as that for \fIaccess-control-tag\fR and
1823 \fIlocal-zones\fR.
1824 Unlike \fIlocal-zone-tag\fR, \fIresponse-ip-tag\fR can be defined for
1825 an IP-netblock even if no \fIresponse-ip\fR is defined for that
1827 If multiple \fIresponse-ip-tag\fR options are specified for the same
1828 IP-netblock in different statements, all but the first will be
1834 \fIaccess-control-tag-action\fR that has a matching tag with
1835 \fIresponse-ip-tag\fR can be those that are "invalid" for
1836 \fIresponse-ip\fR listed above, since \fIaccess-control-tag-action\fRs
1840 \fIresponse-ip-data\fR will generally result in NOERROR/NODATA instead
1841 of NXDOMAIN, since the \fIresponse-ip\fR data are inherently type
1842 specific, and non-existence of data does not indicate anything about
1843 the existence or non-existence of the qname itself.
1845 no data for the corresponding \fIresponse-ip\fR configuration, then
1863 .B ratelimit\-size: \fI<memory size>
1869 .B ratelimit\-slabs: \fI<number>
1870 Give the number of slabs as a power of 2; this is used to reduce lock contention
1874 .B ratelimit\-factor: \fI<number>
1883 .B ratelimit\-backoff: \fI<yes or no>
1887 window. No traffic is allowed, except for ratelimit\-factor, until demand
1892 .B ratelimit\-for\-domain: \fI<domain> <number qps or 0>
1895 a top\-level\-domain you may want to have a higher limit than other names.
1896 A value of 0 will disable ratelimiting for that domain.
1898 .B ratelimit\-below\-domain: \fI<domain> <number qps or 0>
1903 is not changed, use ratelimit\-for\-domain to set that, you might want
1904 to use different settings for a top\-level\-domain and subdomains.
1905 A value of 0 will disable ratelimiting for domain names that end in this name.
1907 .B ip\-ratelimit: \fI<number or 0>
1915 If a ratelimit for such clients is still needed, \fBip\-ratelimit\-cookie\fR
1919 .B ip\-ratelimit\-cookie: \fI<number or 0>
1930 If used, the value is suggested to be higher than \fBip\-ratelimit\fR e.g.,
1934 .B ip\-ratelimit\-size: \fI<memory size>
1940 .B ip\-ratelimit\-slabs: \fI<number>
1941 Give the number of slabs as a power of 2; this is used to reduce lock contention
1945 .B ip\-ratelimit\-factor: \fI<number>
1954 .B ip\-ratelimit\-backoff: \fI<yes or no>
1958 window. No traffic is allowed, except for ip\-ratelimit\-factor, until demand
1960 set ip\-ratelimit to a suspicious rate to aggressively limit unusually high
1963 .B outbound\-msg\-retry: \fI<number>
1971 .B max\-sent\-count: \fI<number>
1978 .B max\-query\-restarts: \fI<number>
1986 .B iter\-scrub\-ns: \fI<number>
1991 .B iter\-scrub\-cname: \fI<number>
1997 .B max\-global\-quota: \fI<number>
2003 .B fast\-server\-permil: \fI<number>
2007 servers for the remaining time. When prefetch is enabled (or serve\-expired),
2010 \fBfast\-server\-num\fR option can be used to specify the size of the fastest
2011 servers set. The default for fast\-server\-permil is 0.
2013 .B fast\-server\-num: \fI<number>
2015 use the fastest specified number of servers with the fast\-server\-permil
2018 .B answer\-cookie: \fI<yes or no>
2023 .B cookie\-secret: \fI<128 bit hex string>
2029 This option is ignored if a \fBcookie\-secret\-file\fR is
2033 .B cookie\-secret\-file: \fI<filename>
2036 \fBcookie-secret\fR option is ignored.
2040 \fIunbound\-control\fR(8) tool. Please see that manpage on how to perform a
2044 .B edns\-client\-string: \fI<IP netblock> <string>
2049 .B edns\-client\-string\-opcode: \fI<opcode>
2050 EDNS0 option code for the \fIedns\-client\-string\fR option, from 0 to 65535.
2051 A value from the `Reserved for Local/Experimental` range (65001-65534) should
2059 When the \fBval-log-level\fR option is also set to \fB2\fR, responses with
2063 .B ede\-serve\-expired: \fI<yes or no>
2064 If enabled, Unbound will attach an Extended DNS Error (RFC8914) Code 3 - Stale
2068 .SS "Remote Control Options"
2070 .B remote\-control:
2071 clause are the declarations for the remote control facility. If this is
2072 enabled, the \fIunbound\-control\fR(8) utility can be used to send
2075 \fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR
2076 section for options. To setup the correct self\-signed certificates use the
2077 \fIunbound\-control\-setup\fR(8) utility.
2079 .B control\-enable: \fI<yes or no>
2080 The option is used to enable remote control, default is "no".
2081 If turned off, the server does not listen for control commands.
2083 .B control\-interface: \fI<ip address or interface name or path>
2085 control commands.
2097 to access the control socket file. Put users that need to access the socket
2099 the control socket in and restrict access to that directory.
2101 .B control\-port: \fI<port number>
2102 The port number to listen on for IPv4 or IPv6 control interfaces,
2107 .B control\-use\-cert: \fI<yes or no>
2108 For localhost control-interface you can disable the use of TLS by setting
2112 .B server\-key\-file: \fI<private key file>
2114 This file is generated by the \fIunbound\-control\-setup\fR utility.
2115 This file is used by the Unbound server, but not by \fIunbound\-control\fR.
2117 .B server\-cert\-file: \fI<certificate file.pem>
2119 This file is generated by the \fIunbound\-control\-setup\fR utility.
2120 This file is used by the Unbound server, and also by \fIunbound\-control\fR.
2122 .B control\-key\-file: \fI<private key file>
2123 Path to the control client private key, by default unbound_control.key.
2124 This file is generated by the \fIunbound\-control\-setup\fR utility.
2125 This file is used by \fIunbound\-control\fR.
2127 .B control\-cert\-file: \fI<certificate file.pem>
2128 Path to the control client certificate, by default unbound_control.pem.
2130 This file is generated by the \fIunbound\-control\-setup\fR utility.
2131 This file is used by \fIunbound\-control\fR.
2135 .B stub\-zone:
2143 This is useful for company\-local data or private zones. Setup an
2144 authoritative server on a different host (or different port). Enter a config
2146 .B stub\-addr:
2147 <ip address of host[@port]>.
2159 Consider adding \fBserver:\fR statements for \fBdomain\-insecure:\fR and
2160 for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally
2163 (reverse\-) zone bypass Unbound's filtering of RFC1918 zones.
2168 .B stub\-host: \fI<domain name>
2170 To use a nondefault port for DNS communication append '@' with the port number.
2173 and '#', the '@' comes first. If only '#' is used the default port is the
2174 configured tls\-port.
2176 .B stub\-addr: \fI<IP address>
2178 To use a nondefault port for DNS communication append '@' with the port number.
2181 and '#', the '@' comes first. If only '#' is used the default port is the
2182 configured tls\-port.
2184 .B stub\-prime: \fI<yes or no>
2190 .B stub\-first: \fI<yes or no>
2196 .B stub\-tls\-upstream: \fI<yes or no>
2197 Enable or disable whether the queries to this stub use TLS for transport.
2200 .B stub\-ssl\-upstream: \fI<yes or no>
2201 Alternate syntax for \fBstub\-tls\-upstream\fR.
2203 .B stub\-tcp\-upstream: \fI<yes or no>
2204 …t to "yes" then upstream queries use TCP only for transport regardless of global flag tcp-upstream.
2207 .B stub\-no\-cache: \fI<yes or no>
2213 .B forward\-zone:
2216 forward the queries to. The servers listed as \fBforward\-host:\fR and
2217 \fBforward\-addr:\fR have to handle further recursion for the query. Thus,
2224 A forward\-zone entry with name "." and a forward\-addr target will
2231 .B forward\-host: \fI<domain name>
2233 To use a nondefault port for DNS communication append '@' with the port number.
2236 and '#', the '@' comes first. If only '#' is used the default port is the
2237 configured tls\-port.
2239 .B forward\-addr: \fI<IP address>
2241 To use a nondefault port for DNS communication append '@' with the port number.
2244 and '#', the '@' comes first. If only '#' is used the default port is the
2245 configured tls\-port.
2248 If you leave out the '#' and auth name from the forward\-addr, any
2249 name is accepted. The cert must also match a CA from the tls\-cert\-bundle.
2251 .B forward\-first: \fI<yes or no>
2256 .B forward\-tls\-upstream: \fI<yes or no>
2257 Enable or disable whether the queries to this forwarder use TLS for transport.
2259 If you enable this, also configure a tls\-cert\-bundle or use tls\-win\-cert to
2262 .B forward\-ssl\-upstream: \fI<yes or no>
2263 Alternate syntax for \fBforward\-tls\-upstream\fR.
2265 .B forward\-tcp\-upstream: \fI<yes or no>
2266 …t to "yes" then upstream queries use TCP only for transport regardless of global flag tcp-upstream.
2269 .B forward\-no\-cache: \fI<yes or no>
2274 Authority zones are configured with \fBauth\-zone:\fR, and each one must
2275 have a \fBname:\fR. There can be multiple ones, by listing multiple auth\-zone clauses, each with …
2277 Authority zones can be processed on two distinct, non-exclusive, configurable
2280 With \fBfor\-downstream:\fR \fIyes\fR (default), authority zones are processed
2281 after \fBlocal\-zones\fR and before cache.
2287 With \fBfor\-upstream:\fR \fIyes\fR (default), authority zones are processed
2298 An interesting configuration is \fBfor\-downstream:\fR \fIno\fR,
2299 \fBfor\-upstream:\fR \fIyes\fR that allows for hyperlocal behavior where both
2321 To use a nondefault port for DNS communication append '@' with the port number.
2342 For https, the \fBtls\-cert\-bundle\fR and the hostname from the url are used
2348 "http://192.0.2.1/unbound-primaries/example.com.zone", with an explicit IP address.
2350 .B allow\-notify: \fI<IP address or host name or netblockIP/prefix>
2351 With allow\-notify you can specify additional sources of notifies.
2358 .B fallback\-enabled: \fI<yes or no>
2363 .B for\-downstream: \fI<yes or no>
2368 zone but have a local copy of zone data. If for\-downstream is no and
2369 for\-upstream is yes, then Unbound will DNSSEC validate the contents of the
2373 .B for\-upstream: \fI<yes or no>
2380 .B zonemd\-check: \fI<yes or no>
2386 .B zonemd\-reject\-absence: \fI<yes or no>
2391 failure is controlled by the \fBzonemd\-permissive\-mode\fR option, for
2407 clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and
2408 \fBlocal\-data\fR elements. Views can also contain view\-first,
2409 response\-ip, response\-ip\-data and local\-data\-ptr elements.
2411 view name in an \fBaccess\-control\-view\fR element. Options from matching
2416 Name of the view. Must be unique. This name is used in access\-control\-view
2419 .B local\-zone: \fI<zone> <type>
2420 View specific local\-zone elements. Has the same types and behaviour as the
2421 global local\-zone elements. When there is at least one local\-zone specified
2422 and view\-first is no, the default local-zones will be added to this view.
2423 Defaults can be disabled using the nodefault type. When view\-first is yes or
2424 when a view does not have a local\-zone, the global local\-zone will be used
2427 .B local\-data: \fI"<resource record string>"
2428 View specific local\-data elements. Has the same behaviour as the global
2429 local\-data elements.
2431 .B local\-data\-ptr: \fI"IPaddr name"
2432 View specific local\-data\-ptr elements. Has the same behaviour as the global
2433 local\-data\-ptr elements.
2435 .B view\-first: \fI<yes or no>
2436 If enabled, it attempts to use the global local\-zone and local\-data if there
2446 and the word "python" has to be put in the \fBmodule\-config:\fR option
2452 \fImount\fR(8). Also the \fBpython\-script:\fR path should be specified as an
2456 .B python\-script: \fI<python file>\fR
2458 added to the \fBmodule\-config:\fR option.
2467 \fBmodule\-config:\fR option. Multiple instances of dynamic libraries are
2470 The \fBdynlib\-file:\fR path should be specified as an absolute path relative
2474 .B dynlib\-file: \fI<dynlib file>\fR
2476 instance added to the \fBmodule\-config:\fR option.
2479 The dns64 module must be configured in the \fBmodule\-config:\fR "dns64
2483 .B dns64\-prefix: \fI<IPv6 prefix>\fR
2487 .B dns64\-synthall: \fI<yes or no>\fR
2491 .B dns64\-ignore\-aaaa: \fI<name>\fR
2498 NAT64 operation allows using a NAT64 prefix for outbound requests to IPv4-only
2501 .B do\-nat64: \fI<yes or no>\fR
2502 Use NAT64 to reach IPv4-only servers.
2503 Consider also enabling \fBprefer\-ip6\fR to prefer native IPv6 connections to
2507 .B nat64\-prefix: \fI<IPv6 prefix>\fR
2508 Use a specific NAT64 prefix to reach IPv4-only servers. Defaults to using
2509 the prefix configured in \fBdns64\-prefix\fR, which in turn defaults to
2517 \fB\-\-enable\-dnscrypt\fR.
2519 You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/\
2520 dnscrypt-wrapper/blob/master/README.md#usage
2522 .B dnscrypt\-enable: \fI<yes or no>\fR
2527 .B dnscrypt\-port: \fI<port number>
2528 On which port \fBdnscrypt\fR should be activated. Note that you should
2530 this port.
2532 .B dnscrypt\-provider: \fI<provider name>\fR
2534 \fB2.dnscrypt-cert.example.com.\fR. The name \fIMUST\fR end with a dot.
2536 .B dnscrypt\-secret\-key: \fI<path to secret key file>\fR
2540 .B dnscrypt\-provider\-cert: \fI<path to cert file>\fR
2541 Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs.
2544 .B dnscrypt\-provider\-cert\-rotated: \fI<path to cert file>\fR
2546 but do not want to advertise over \fBdnscrypt\-provider\fR's TXT record certs
2557 .B dnscrypt\-shared\-secret\-cache\-size: \fI<memory size>
2563 .B dnscrypt\-shared\-secret\-cache\-slabs: \fI<number>
2564 Give a power of 2 number of slabs; this is used to reduce lock contention
2568 .B dnscrypt\-nonce\-cache\-size: \fI<memory size>
2574 .B dnscrypt\-nonce\-cache\-slabs: \fI<number>
2575 Give a power of 2 number of slabs; this is used to reduce lock contention
2580 The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache
2592 allowed in the configuration using \fBsend\-client\-subnet\fR. The option will
2594 \fBclient\-subnet\-always\-forward\fR is set to yes. In this case the lookup in
2597 The maximum size of the ECS cache is controlled by 'msg-cache-size' in the
2602 This module does not interact with the \fBserve\-expired*\fR and
2605 .B send\-client\-subnet: \fI<IP address>\fR
2608 be given multiple times. Authorities not listed will not receive edns-subnet
2609 information, unless domain in query is specified in \fBclient\-subnet\-zone\fR.
2611 .B client\-subnet\-zone: \fI<domain>\fR
2613 given multiple times. Zones not listed will not receive edns-subnet information,
2614 unless hosted by authority specified in \fBsend\-client\-subnet\fR.
2616 .B client\-subnet\-always\-forward: \fI<yes or no>\fR
2618 \fBsend\-client\-subnet\fR) is applied for all queries, even if the triggering
2625 .B max\-client\-subnet\-ipv6: \fI<number>\fR
2629 .B max\-client\-subnet\-ipv4: \fI<number>\fR
2633 .B min\-client\-subnet\-ipv6: \fI<number>\fR
2638 .B min\-client\-subnet\-ipv4: \fI<number>\fR
2643 .B max\-ecs\-tree\-size\-ipv4: \fI<number>\fR
2647 .B max\-ecs\-tree\-size\-ipv6: \fI<number>\fR
2652 The IPsec module must be configured in the \fBmodule\-config:\fR "ipsecmod
2654 \fB\-\-enable\-ipsecmod\fR to be enabled.
2678 \fBipsecmod-max-ttl\fR.
2682 \fBipsecmod-max-ttl\fR ensures that the A/AAAA answer given from cache is still
2685 .B ipsecmod-enabled: \fI<yes or no>\fR
2687 needs to be defined in the \fBmodule\-config:\fR directive. This option
2691 .B ipsecmod\-hook: \fI<filename>\fR
2695 must be present when the IPsec module is defined in the \fBmodule\-config:\fR
2698 .B ipsecmod-strict: \fI<yes or no>\fR
2703 .B ipsecmod\-max-ttl: \fI<seconds>\fR
2707 .B ipsecmod-ignore-bogus: \fI<yes or no>\fR
2713 .B ipsecmod\-allow: \fI<domain>\fR
2718 .B ipsecmod\-whitelist: \fI<yes or no>
2719 Alternate syntax for \fBipsecmod\-allow\fR.
2722 The Cache DB module must be configured in the \fBmodule\-config:\fR
2724 with \fB\-\-enable\-cachedb\fR.
2727 When Unbound cannot find an answer to a query in its built-in in-memory
2734 This module interacts with the \fBserve\-expired\-*\fR options and will reply
2738 \fB\-\-with\-libhiredis\fR
2748 preferably with some kind of least-recently-used eviction policy.
2749 Additionally, the \fBredis\-expire\-records\fR option can be used in order to
2773 The default database is the in-memory backend named "testframe", which,
2775 Depending on the build-time configuration, "redis" backend may also be
2778 .B secret-seed: \fI<"secret string">\fR
2787 .B cachedb-no-store: \fI<yes or no>\fR
2792 .B cachedb-check-when-serve-expired: \fI<yes or no>\fR
2794 When \fBserve\-expired\fR is enabled, without \fBserve\-expired\-client\-timeout\fR, it then
2798 If also \fBserve\-expired\-client\-timeout\fR is enabled, the expired response
2806 .B redis-server-host: \fI<server address or name>\fR
2813 .B redis-server-port: \fI<port number>\fR
2814 The TCP port number of the Redis server.
2817 .B redis-server-path: \fI<unix socket path>\fR
2822 .B redis-server-password: \fI"<password>"\fR
2827 .B redis-timeout: \fI<msec>\fR
2831 re-establish a new connection later.
2834 .B redis-command-timeout: \fI<msec>\fR
2836 redis\-timeout value. The default is 0.
2838 .B redis-connect-timeout: \fI<msec>\fR
2840 uses the redis\-timeout value. The default is 0.
2842 .B redis-expire-records: \fI<yes or no>
2845 Unbound is configured with \fBserve-expired\fR and \fBserve-expired-ttl\fR is 0,
2850 .B redis-logical-db: \fI<logical database index>
2861 DNSTAP support, when compiled in by using \fB\-\-enable\-dnstap\fR, is enabled
2865 threading it does not spawn a thread, but connects per-process to the
2868 .B dnstap-enable: \fI<yes or no>
2870 and if any of the dnstap-log-..-messages options is enabled it sends logs
2873 .B dnstap-bidirectional: \fI<yes or no>
2877 .B dnstap-socket-path: \fI<file name>
2881 .B dnstap-ip: \fI<IPaddress[@port]>
2885 .B dnstap-tls: \fI<yes or no>
2886 Set this to use TLS to connect to the server specified in \fBdnstap-ip\fR.
2889 .B dnstap-tls-server-name: \fI<name of TLS authentication>
2890 The TLS server name to authenticate the server with. Used when \fBdnstap-tls\fR is enabled. If ""…
2892 .B dnstap-tls-cert-bundle: \fI<file name of cert bundle>
2897 .B dnstap-tls-client-key-file: \fI<file name>
2901 .B dnstap-tls-client-cert-file: \fI<file name>
2904 .B dnstap-send-identity: \fI<yes or no>
2908 .B dnstap-send-version: \fI<yes or no>
2912 .B dnstap-identity: \fI<string>
2916 .B dnstap-version: \fI<string>
2920 .B dnstap-sample-rate: \fI<number>
2927 .B dnstap-log-resolver-query-messages: \fI<yes or no>
2931 .B dnstap-log-resolver-response-messages: \fI<yes or no>
2935 .B dnstap-log-client-query-messages: \fI<yes or no>
2939 .B dnstap-log-client-response-messages: \fI<yes or no>
2943 .B dnstap-log-forwarder-query-messages: \fI<yes or no>
2946 .B dnstap-log-forwarder-response-messages: \fI<yes or no>
2955 The \fBrespip\fR module needs to be added to the \fBmodule-config\fR, e.g.:
2956 \fBmodule-config: "respip validator iterator"\fR.
2959 Supported actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp\-only
2960 and drop. RPZ QNAME triggers are applied after \fBlocal\-zones\fR and
2961 before \fBauth\-zones\fR.
2979 netblock.rpz-client-ip client IP address
2980 netblock.rpz-ip response IP address in the answer
2981 name.rpz-nsdname nameserver name
2982 netblock.rpz-nsip nameserver IP address
2986 of 32 or 128. For example, 24.10.100.51.198.rpz-ip is 198.51.100.10/24 and
2987 32.10.zz.db8.2001.rpz-ip is 2001:db8:0:0:0:0:0:10/32.
2993 CNAME rpz-passthru. do nothing, allow to continue
2994 CNAME rpz-drop. the query is dropped
2995 CNAME rpz-tcp-only. answer over TCP
2998 Other records like AAAA, TXT and other CNAMEs (not rpz-..) can also be used to
3009 To use a nondefault port for DNS communication append '@' with the port number.
3030 For https, the \fBtls\-cert\-bundle\fR and the hostname from the url are used
3033 .B allow\-notify: \fI<IP address or host name or netblockIP/prefix>
3034 With allow\-notify you can specify additional sources of notifies.
3046 .B rpz\-action\-override: \fI<action>
3050 .B rpz\-cname\-override: \fI<domain>
3052 \fBrpz\-action\-override\fR.
3054 .B rpz\-log: \fI<yes or no>
3057 .B rpz\-log\-name: \fI<name>
3060 .B rpz\-signal\-nxdomain\-ra: \fI<yes or no>
3065 .B for\-downstream: \fI<yes or no>
3073 need to be defined in \fBdefine\-tag\fR and can be assigned to client addresses
3074 using \fBaccess\-control\-tag\fR. Enclose list of tags in quotes ("") and put
3077 .SH "MEMORY CONTROL EXAMPLE"
3084 which on BSD\-32bit tops out at 30\-40 Mb after heavy usage.
3089 num\-threads: 1
3090 outgoing\-num\-tcp: 1 # this limits TCP service, uses less buffers.
3091 incoming\-num\-tcp: 1
3092 outgoing\-range: 60 # uses less memory, but less performance.
3093 msg\-buffer\-size: 8192 # note this limits service, 'no huge stuff'.
3094 msg\-cache\-size: 100k
3095 msg\-cache\-slabs: 1
3096 rrset\-cache\-size: 100k
3097 rrset\-cache\-slabs: 1
3098 infra\-cache\-numhosts: 200
3099 infra\-cache\-slabs: 1
3100 key\-cache\-size: 100k
3101 key\-cache\-slabs: 1
3102 neg\-cache\-size: 10k
3103 num\-queries\-per\-thread: 30
3104 target\-fetch\-policy: "2 1 0 0 0 0"
3105 harden\-large\-queries: "yes"
3106 harden\-short\-bufsize: "yes"
3129 \fIunbound\-checkconf\fR(8).