Lines Matching +full:per +full:- +full:module

3 .\" unbound.conf.5 -- unbound.conf manual
12 \- Unbound configuration file.
27 \fIunbound\-checkconf\fR(8)
34 $ unbound \-c /etc/unbound/unbound.conf
53 # mount \-\-bind \-n /dev/urandom /etc/unbound/dev/urandom
54 # and mount \-\-bind \-n /dev/log /etc/unbound/dev/log
62 access\-control: 10.0.0.0/8 allow
63 access\-control: 2001:DB8::/64 allow
82 .B include\-toplevel:
94 information including short information per query. Level 3 gives query level
95 information, output per query. Level 4 gives algorithm level information.
99 .B statistics\-interval: \fI<seconds>
106 .B statistics\-cumulative: \fI<yes or no>
110 .B extended\-statistics: \fI<yes or no>
111 If enabled, extended statistics are printed from \fIunbound\-control\fR(8).
113 counters are listed in \fIunbound\-control\fR(8).
115 .B statistics\-inhibit\-zero: \fI<yes or no>
117 printing with \fIunbound\-control\fR(8).
123 .B num\-threads: \fI<number>
135 The interfaces are not changed on a reload (kill \-HUP) but only on restart.
140 .B ip\-address: \fI<ip address or interface name [@port]>
143 .B interface\-automatic: \fI<yes or no>
146 ip\-transparent, but this option services all interfaces whilst with
147 ip\-transparent you can select which (future) interfaces Unbound provides
151 .B interface\-automatic\-ports: \fI<string>
152 List the port numbers that interface-automatic listens on. If empty, the
160 .B outgoing\-interface: \fI<ip address or ip6 netblock>
167 .B outgoing\-interface:
174 host running Unbound, and requires OS support for unprivileged non-local binds
177 .B outgoing\-interface:
180 .B prefer\-ip6: yes
184 ip \-6 addr add mynetblock/64 dev lo &&
185 ip \-6 route add local mynetblock/64 dev lo
187 .B outgoing\-range: \fI<number>
188 Number of ports to open. This number of file descriptors can be opened per
193 .B outgoing\-port\-permit: \fI<port number or range>
198 Give a port number or a range of the form "low\-high", without spaces.
200 The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements
206 .B outgoing\-port\-avoid: \fI<port number or range>
211 Give a port number or a range of the form "low\-high", without spaces.
213 .B outgoing\-num\-tcp: \fI<number>
214 Number of outgoing TCP buffers to allocate per thread. Default is 10. If
215 set to 0, or if do\-tcp is "no", no TCP queries to authoritative servers
218 .B incoming\-num\-tcp: \fI<number>
219 Number of incoming TCP buffers to allocate per thread. Default is
220 10. If set to 0, or if do\-tcp is "no", no TCP queries from clients are
223 .B edns\-buffer\-size: \fI<number>
226 buffer size is determined by msg\-buffer\-size (both for TCP and UDP). Do
233 .B max\-udp\-size: \fI<number>
237 same as the default for edns\-buffer\-size.
239 .B stream\-wait\-size: \fI<number>
246 that can be queued up per connection is also limited, with further requests
249 .B msg\-buffer\-size: \fI<number>
256 .B msg\-cache\-size: \fI<number>
261 .B msg\-cache\-slabs: \fI<number>
266 .B num\-queries\-per\-thread: \fI<number>
269 (see \fIjostle\-timeout\fR), then the queries are dropped. This forces
273 .B jostle\-timeout: \fI<msec>
280 The effect is that the qps for long-lasting queries is about
283 / (jostletimeout in whole seconds) qps per thread, about (1024/2)*5 = 2560
286 .B delay\-close: \fI<msec>
290 closed ports and setting off all sort of close-port counters, with
295 .B udp\-connect: \fI<yes or no>
299 .B unknown\-server\-time\-limit: \fI<msec>
302 That would then avoid re\-querying every initial query because it times out.
305 .B discard\-timeout: \fI<msec>
309 larger than serve\-expired\-client\-timeout if that is enabled.
313 .B wait\-limit: \fI<number>
315 This makes a ratelimit per IP address of waiting replies for recursion.
319 .B wait\-limit\-cookie: \fI<number>
324 .B wait\-limit\-netblock: \fI<netblock> <number>
325 The wait limit for the netblock. If not given the wait\-limit value is
328 The value -1 disables wait limits for the netblock.
329 By default the loopback has a wait limit netblock of -1; it is not limited,
331 The loopback addresses 127.0.0.0/8 and ::1/128 are default at -1.
333 .B wait\-limit\-cookie\-netblock: \fI<netblock> <number>
335 If not given, the wait\-limit\-cookie value is used.
336 The value -1 disables wait limits for the netblock.
337 The loopback addresses 127.0.0.0/8 and ::1/128 are default at -1.
339 .B so\-rcvbuf: \fI<number>
342 servers do not drop packets (see counter in netstat \-su). Default is
347 On OpenBSD change header and recompile kernel. On Solaris ndd \-set
350 .B so\-sndbuf: \fI<number>
354 can get logged, the buffer overrun is also visible by netstat \-su.
359 to so\-rcvbuf.
361 .B so\-reuseport: \fI<yes or no>
373 .B ip\-transparent: \fI<yes or no>
376 non\-local interfaces. For example for non\-existent IP addresses that
378 a lot like interface\-automatic, but that one services all interfaces
384 .B ip\-freebind: \fI<yes or no>
389 ip\-transparent option is also available.
391 .B ip-dscp: \fI<number>
394 The field replaces the outdated IPv4 Type-Of-Service field and the
397 .B rrset\-cache\-size: \fI<number>
402 .B rrset\-cache\-slabs: \fI<number>
406 .B cache\-max\-ttl: \fI<seconds>
412 .B cache\-min\-ttl: \fI<seconds>
420 .B cache\-max\-negative\-ttl: \fI<seconds>
425 .B cache\-min\-negative\-ttl: \fI<seconds>
429 If this is disabled and \fBcache-min-ttl\fR is configured, it will take effect
434 .B infra\-host\-ttl: \fI<seconds>
438 .B infra\-cache\-slabs: \fI<number>
442 .B infra\-cache\-numhosts: \fI<number>
445 .B infra\-cache\-min\-rtt: \fI<msec>
450 .B infra\-cache\-max\-rtt: \fI<msec>
454 .B infra\-keep\-probing: \fI<yes or no>
458 it may take \fBinfra\-host\-ttl\fR time to get probed again.
460 .B define\-tag: \fI<"list of tags">
461 Define the tags that can be used with local\-zone and access\-control.
464 .B do\-ip4: \fI<yes or no>
467 .B do\-ip6: \fI<yes or no>
474 .B prefer\-ip4: \fI<yes or no>
481 .B prefer\-ip6: \fI<yes or no>
485 .B do\-udp: \fI<yes or no>
488 .B do\-tcp: \fI<yes or no>
491 .B tcp\-mss: \fI<number>
499 .B outgoing\-tcp\-mss: \fI<number>
507 .B tcp-idle-timeout: \fI<msec>\fR
518 It will be overridden by \fBedns\-tcp\-keepalive\-timeout\fR if
519 \fBedns\-tcp\-keepalive\fR is enabled.
521 .B tcp-reuse-timeout: \fI<msec>\fR
525 .B max-reuse-tcp-queries: \fI<number>\fR
530 .B tcp-auth-query-timeout: \fI<number>\fR
534 .B edns-tcp-keepalive: \fI<yes or no>\fR
537 .B edns-tcp-keepalive-timeout: \fI<msec>\fR
538 Overrides \fBtcp\-idle\-timeout\fR when \fBedns\-tcp\-keepalive\fR is enabled.
544 .B sock\-queue\-timeout: \fI<sec>\fR
552 .B tcp\-upstream: \fI<yes or no>
555 TCP transport only for selected forward or stub zones using forward-tcp-upstream
556 or stub-tcp-upstream respectively.
558 .B udp\-upstream\-without\-downstream: \fI<yes or no>
559 Enable udp upstream even if do-udp is no. Default is no, and this does not
563 .B tls\-upstream: \fI<yes or no>
567 \fBtls\-service\-key\fR).
568 If you enable this, also configure a tls\-cert\-bundle or use tls\-win\-cert or
569 tls\-system\-cert to load CA certs, otherwise the connections cannot be
572 forward\-tls\-upstream. And also with stub\-tls\-upstream.
573 If the tls\-upstream option is enabled, it is for all the forwards and stubs,
574 where the forward\-tls\-upstream and stub\-tls\-upstream options are ignored,
577 .B ssl\-upstream: \fI<yes or no>
578 Alternate syntax for \fBtls\-upstream\fR. If both are present in the config
581 .B tls\-service\-key: \fI<file>
582 If enabled, the server provides DNS-over-TLS or DNS-over-HTTPS service on the
583 TCP ports marked implicitly or explicitly for these services with tls\-port or
584 https\-port. The file must contain the private key for the TLS session, the
585 public certificate is in the tls\-service\-pem file and it must also be
586 specified if tls\-service\-key is specified. The default is "", turned off.
589 The ports enabled implicitly or explicitly via \fBtls\-port:\fR and
590 \fBhttps\-port:\fR do not provide normal DNS TCP service. Unbound needs to be
591 compiled with libnghttp2 in order to provide DNS-over-HTTPS.
593 .B ssl\-service\-key: \fI<file>
594 Alternate syntax for \fBtls\-service\-key\fR.
596 .B tls\-service\-pem: \fI<file>
600 .B ssl\-service\-pem: \fI<file>
601 Alternate syntax for \fBtls\-service\-pem\fR.
603 .B tls\-port: \fI<number>
607 .B ssl\-port: \fI<number>
608 Alternate syntax for \fBtls\-port\fR.
610 .B tls\-cert\-bundle: \fI<file>
612 for example "/etc/pki/tls/certs/ca\-bundle.crt". These certificates are used
613 for authenticating connections made to outside peers. For example auth\-zone
617 .B ssl\-cert\-bundle: \fI<file>
618 Alternate syntax for \fBtls\-cert\-bundle\fR.
620 .B tls\-win\-cert: \fI<yes or no>
624 the tls\-cert\-bundle option on other systems. On other systems, this option
627 .B tls\-system\-cert: \fI<yes or no>
628 This is the same setting as the tls\-win\-cert setting, under a different name.
631 .B tls\-additional\-port: \fI<portnr>
632 List port numbers as tls\-additional\-port, and when interfaces are defined,
636 .B tls-session-ticket-keys: \fI<file>
649 .B tls\-ciphers: \fI<string with cipher list>
653 .B tls\-ciphersuites: \fI<string with ciphersuites list>
657 .B pad\-responses: \fI<yes or no>
660 \fBpad\-responses\-block\-size\fR.
663 .B pad\-responses\-block\-size: \fI<number>
668 .B pad\-queries: \fI<yes or no>
670 multiple of the size specified in \fBpad\-queries\-block\-size\fR.
673 .B pad\-queries\-block\-size: \fI<number>
677 .B tls\-use\-sni: \fI<yes or no>
682 .B https\-port: \fI<number>
683 The port number on which to provide DNS-over-HTTPS service, default 443, only
686 .B http\-endpoint: \fI<endpoint string>
687 The HTTP endpoint to provide DNS-over-HTTPS service on. Default "/dns-query".
689 .B http\-max\-streams: \fI<number of streams>
691 SETTINGS frame for DNS-over-HTTPS connections. Default 100.
693 .B http\-query\-buffer\-size: \fI<size in bytes>
700 .B http\-response\-buffer\-size: \fI<size in bytes>
707 .B http\-nodelay: \fI<yes or no>
708 Set TCP_NODELAY socket option on sockets used to provide DNS-over-HTTPS service.
711 .B http\-notls\-downstream: \fI<yes or no>
712 Disable use of TLS for the downstream DNS-over-HTTP connections. Useful for
715 .B proxy\-protocol\-port: \fI<portnr>
716 List port numbers as proxy\-protocol\-port, and when interfaces are defined,
726 .B quic\-port: \fI<number>
727 The port number on which to provide DNS-over-QUIC service, default 853, only
731 .B quic\-size: \fI<size in bytes>
738 .B use\-systemd: \fI<yes or no>
742 .B do\-daemonize: \fI<yes or no>
747 .B tcp\-connection\-limit: \fI<IP netblock> <limit>
752 .B access\-control: \fI<IP netblock> <action>
764 The order of the access\-control statements therefore does not matter.
776 local\-data that is configured. The reason is that this does not involve
800 \fBanswer\-cookie\fR option is enabled.
806 \fBanswer\-cookie\fR setting.
812 The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
817 only allowed to query for the authoritative local\-data, they are not
822 .B access\-control\-tag: \fI<IP netblock> <"list of tags">
823 Assign tags to access-control elements. Clients using this access control
825 defined in \fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put
826 spaces between tags. If access\-control\-tag is configured for a netblock that
827 does not have an access\-control, an access\-control element with action
830 .B access\-control\-tag\-action: \fI<IP netblock> <tag> <action>
833 between access\-control\-tag and local\-zone\-tag where "first" comes from the
834 order of the define-tag values.
836 .B access\-control\-tag\-data: \fI<IP netblock> <tag> <"resource record string">
839 .B access\-control\-view: \fI<IP netblock> <view name>
842 .B interface\-action: \fI<ip address or interface name [@port]> <action>
843 Similar to \fBaccess\-control:\fR but for interfaces.
845 The action is the same as the ones defined under \fBaccess\-control:\fR.
849 \fBaccess\-control:\fR behavior.
850 This also means that any attempt to use the \fBinterface-*:\fR options for the
852 default "\fBaccess\-control:\fR 127.0.0.0/8 allow" option.
855 and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
858 .B interface\-tag: \fI<ip address or interface name [@port]> <"list of tags">
859 Similar to \fBaccess\-control-tag:\fR but for interfaces.
862 and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
865 .B interface\-tag\-action: \fI<ip address or interface name [@port]> <tag> <action>
866 Similar to \fBaccess\-control-tag-action:\fR but for interfaces.
869 and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
872 .B interface\-tag\-data: \fI<ip address or interface name [@port]> <tag> <"resource record string">
873 Similar to \fBaccess\-control-tag-data:\fR but for interfaces.
876 and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
879 .B interface\-view: \fI<ip address or interface name [@port]> <view name>
880 Similar to \fBaccess\-control-view:\fR but for interfaces.
883 and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
934 If this option is given, the use\-syslog option is set to "no".
938 .B use\-syslog: \fI<yes or no>
942 The logfile setting is overridden when use\-syslog is turned on.
945 .B log\-identity: \fI<string>
952 .B log\-time\-ascii: \fI<yes or no>
957 .B log\-time\-iso:\fR <yes or no>
958 Log time in ISO8601 format, if \fBlog\-time\-ascii:\fR yes is also set.
961 .B log\-queries: \fI<yes or no>
962 Prints one line per query to the log, with the log timestamp and IP address,
967 .B log\-replies: \fI<yes or no>
968 Prints one line per reply to the log, with the log timestamp and IP address,
974 .B log\-tag\-queryreply: \fI<yes or no>
975 Prints the word 'query' and 'reply' with log\-queries and log\-replies.
979 .B log\-destaddr: \fI<yes or no>
980 Prints the destination address, port and type in the log\-replies output.
984 .B log\-local\-actions: \fI<yes or no>
986 local\-zone type inform prints out, but they are also printed for the other
989 .B log\-servfail: \fI<yes or no>
998 kill \-HUP `cat @UNBOUND_PIDFILE@`
1002 kill \-TERM `cat @UNBOUND_PIDFILE@`
1006 .B root\-hints: \fI<filename>
1010 when servers change, therefore it is good practice to use a root\-hints file.
1012 .B hide\-identity: \fI<yes or no>
1019 .B hide\-version: \fI<yes or no>
1026 .B hide\-http\-user\-agent: \fI<yes or no>
1027 If enabled the HTTP header User-Agent is not set. Use with caution as some
1030 .B http\-user\-agent
1033 .B http\-user\-agent: \fI<string>
1034 Set the HTTP User-Agent header for outgoing HTTP requests. If set to "",
1042 .B hide\-trustanchor: \fI<yes or no>
1045 .B target\-fetch\-policy: \fI<"list of numbers">
1047 nameserver target addresses opportunistically. The policy is described per
1052 A value of \-1 means to fetch all targets opportunistically for that dependency
1058 closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour
1061 .B harden\-short\-bufsize: \fI<yes or no>
1065 .B harden\-large\-queries: \fI<yes or no>
1070 .B harden\-glue: \fI<yes or no>
1073 .B harden\-unverified\-glue: \fI<yes or no>
1074 Will trust only in-zone glue. Will try to resolve all out of zone
1078 .B harden\-dnssec\-stripped: \fI<yes or no>
1079 Require DNSSEC data for trust\-anchored zones, if such data is absent,
1088 .B harden\-below\-nxdomain: \fI<yes or no>
1095 this only DNSSEC-secure nxdomains are used, because the old software does not
1099 .B harden\-referral\-path: \fI<yes or no>
1108 If you enable it consider adding more numbers after the target\-fetch\-policy
1111 .B harden\-algo\-downgrade: \fI<yes or no>
1114 This works by first choosing only the strongest DS digest type as per RFC 4509
1127 Using this option may break DNSSEC resolution with non-RFC6840-conforming
1128 signers and/or in multi-signer configurations that don't send all the
1131 .B harden\-unknown\-additional: \fI<yes or no>
1137 .B use\-caps\-for\-id: \fI<yes or no>
1138 Use 0x20\-encoded random bits in the query to foil spoof attempts.
1142 This feature is an experimental implementation of draft dns\-0x20.
1144 .B caps\-exempt: \fI<domain>
1145 Exempt the domain so that it does not receive caps\-for\-id perturbed
1150 .B caps\-whitelist: \fI<domain>
1151 Alternate syntax for \fBcaps\-exempt\fR.
1153 .B qname\-minimisation: \fI<yes or no>
1160 .B qname\-minimisation\-strict: \fI<yes or no>
1161 QNAME minimisation in strict mode. Do not fall back to sending full QNAME to
1164 This option only has effect when qname-minimisation is enabled. Default is no.
1166 .B aggressive\-nsec: \fI<yes or no>
1172 .B private\-address: \fI<IP address or subnet>
1177 answers bogus. This protects against so\-called DNS Rebinding, where
1181 \fBlocal\-data\fR that you configured is allowed to, and you can specify
1182 additional names using \fBprivate\-domain\fR. No private addresses are
1189 stops IPv4-mapped IPv6 addresses from bypassing the filter.
1191 .B private\-domain: \fI<domain name>
1196 .B unwanted\-reply\-threshold: \fI<number>
1203 .B do\-not\-query\-address: \fI<IP address>
1208 .B do\-not\-query\-localhost: \fI<yes or no>
1209 If yes, localhost is added to the do\-not\-query\-address entries, both
1220 .B prefetch\-key: \fI<yes or no>
1225 .B deny\-any: \fI<yes or no>
1231 .B rrset\-roundrobin: \fI<yes or no>
1235 .B minimal-responses: \fI<yes or no>
1246 .B disable-dnssec-lame-check: \fI<yes or no>
1253 .B module\-config: \fI<"module names">
1254 Module configuration, a list of module names separated by spaces, surround
1257 Setting this to just "\fIiterator\fR" will result in a non\-validating
1262 You must also set \fItrust\-anchors\fR for validation to be useful.
1268 of the line. The subnetcachedb module has to be listed just before
1270 The python module can be listed in different places, it then processes the
1271 output of the module it is just before. The dynlib module can be listed pretty
1275 .B trust\-anchor\-file: \fI<filename>
1280 .B auto\-trust\-anchor\-file: \fI<filename>
1282 The probes are run several times per month, thus the machine must be online
1284 \fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated,
1290 .B trust\-anchor: \fI<"Resource Record">
1292 given to specify multiple trusted keys, in addition to the trust\-anchor\-files.
1298 .B trusted\-keys\-file: \fI<filename>
1300 with several entries, one file per entry. Like \fBtrust\-anchor\-file\fR
1301 but has a different file format. Format is BIND\-9 style format,
1302 the trusted\-keys { name flag proto algo "key"; }; clauses are read.
1306 .B trust\-anchor\-signaling: \fI<yes or no>
1309 .B root\-key\-sentinel: \fI<yes or no>
1312 .B domain\-insecure: \fI<domain name>
1325 .B val\-override\-date: \fI<rrsig\-style date spec>
1329 you are debugging signature inception and expiration. The value \-1 ignores
1332 .B val\-sig\-skew\-min: \fI<seconds>
1334 A value of 10% of the signature lifetime (expiration \- inception) is
1339 .B val\-sig\-skew\-max: \fI<seconds>
1341 A value of 10% of the signature lifetime (expiration \- inception)
1348 .B val\-max\-restart: \fI<number>
1352 .B val\-bogus\-ttl: \fI<number>
1358 .B val\-clean\-additional: \fI<yes or no>
1365 .B val\-log\-level: \fI<number>
1374 .B val\-permissive\-mode: \fI<yes or no>
1382 .B ignore\-cd\-flag: \fI<yes or no>
1390 .B disable\-edns\-do: \fI<yes or no>
1399 validation (i.e., the validator module is enabled; default) this option is
1404 .B serve\-expired: \fI<yes or no>
1406 TTL of \fBserve\-expired\-reply\-ttl\fR in the response.
1408 out or is taking more than serve\-expired\-client\-timeout to resolve.
1411 .B serve\-expired\-ttl: \fI<seconds>
1414 This option only applies when \fBserve\-expired\fR is enabled.
1415 A suggested value per RFC 8767 is between 86400 (1 day) and 259200 (3 days).
1418 .B serve\-expired\-ttl\-reset: \fI<yes or no>
1419 Set the TTL of expired records to the \fBserve\-expired\-ttl\fR value after a
1424 .B serve\-expired\-reply\-ttl: \fI<seconds>
1426 \fBserve\-expired\-client\-timeout\fR is also used then it is RECOMMENDED to
1429 .B serve\-expired\-client\-timeout: \fI<msec>
1431 This essentially enables the serve-stale behavior as specified in
1439 .B serve\-original\-ttl: \fI<yes or no>
1443 front-end to a hidden authoritative name server. Enabling this feature does
1448 Thus, the values set using \fBcache\-min\-ttl\fR and \fBcache\-max\-ttl\fR are
1452 .B val\-nsec3\-keysize\-iterations: \fI<"list of values">
1461 .B zonemd\-permissive\-mode: \fI<yes or no>
1467 .B add\-holddown: \fI<seconds>
1468 Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
1470 visible for this time. Default is 30 days as per the RFC.
1472 .B del\-holddown: \fI<seconds>
1473 Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
1475 kept in the revoked list for this long. Default is 30 days as per
1478 .B keep\-missing: \fI<seconds>
1479 Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
1483 mechanism work with zones that perform regular (non\-5011) rollovers.
1485 as per the RFC.
1487 .B permit\-small\-holddown: \fI<yes or no>
1491 .B key\-cache\-size: \fI<number>
1496 .B key\-cache\-slabs: \fI<number>
1501 .B neg\-cache\-size: \fI<number>
1506 .B unblock\-lan\-zones: \fI<yes or no>
1513 as a (DHCP-) DNS network resolver for a group of machines, where such
1517 .B insecure\-lan\-zones: \fI<yes or no>
1520 \fIunblock\-lan\-zones\fR is used.
1522 .B local\-zone: \fI<zone> <type>
1524 there is no match from local\-data. The types are deny, refuse, static,
1528 are listed. Use local\-data: to enter data into the local zone. Answers for
1532 CNAME/DNAME support, or DNSSEC authoritative service, set up a stub\-zone for
1533 it as detailed in the stub zone section below. A stub\-zone can be used to
1535 fetch the information. With a forward\-zone, Unbound sends queries to a server
1536 that is a recursive server to fetch the information. With an auth\-zone a
1537 zone can be loaded from file and used, it can be used like a local\-zone
1538 for users downstream, or the auth\-zone information can be used to fetch
1540 forward\-zone and auth\-zone options are described in their sections below.
1542 the local\-zone and local\-data statements allow for this, but also the
1557 as local\-data for the zone apex domain.
1564 If no local\-zone is given local\-data causes a transparent zone
1581 local\-zone: "example.com." redirect and
1582 local\-data: "example.com. A 127.0.0.1"
1589 timestamp, unbound-pid, info: zonename inform IP@port queryname type
1647 can be turned off by specifying your own local\-zone of that name, or
1654 local\-zone: "localhost." redirect
1655 local\-data: "localhost. 10800 IN NS localhost."
1656 local\-data: "localhost. 10800 IN
1658 local\-data: "localhost. 10800 IN A 127.0.0.1"
1659 local\-data: "localhost. 10800 IN AAAA ::1"
1665 local\-zone: "127.in\-addr.arpa." static
1666 local\-data: "127.in\-addr.arpa. 10800 IN NS localhost."
1667 local\-data: "127.in\-addr.arpa. 10800 IN
1669 local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN
1676 local\-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1678 local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1681 local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1684 local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1692 local\-zone: "home.arpa." static
1693 local\-data: "home.arpa. 10800 IN NS localhost."
1694 local\-data: "home.arpa. 10800 IN
1701 local\-zone: "resolver.arpa." static
1702 local\-data: "resolver.arpa. 10800 IN NS localhost."
1703 local\-data: "resolver.arpa. 10800 IN
1707 \h'5'\fIservice.arpa (draft-ietf-dnssd-srp-25)\fR
1710 local\-zone: "service.arpa." static
1711 local\-data: "service.arpa. 10800 IN NS localhost."
1712 local\-data: "service.arpa. 10800 IN
1719 local\-zone: "onion." static
1720 local\-data: "onion. 10800 IN NS localhost."
1721 local\-data: "onion. 10800 IN
1728 local\-zone: "test." static
1729 local\-data: "test. 10800 IN NS localhost."
1730 local\-data: "test. 10800 IN
1737 local\-zone: "invalid." static
1738 local\-data: "invalid. 10800 IN NS localhost."
1739 local\-data: "invalid. 10800 IN
1744 Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to
1745 31.172.in\-addr.arpa, 168.192.in\-addr.arpa.
1746 The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS
1749 \h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR
1750 Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa,
1751 2.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2),
1752 113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa.
1753 And from 64.100.in\-addr.arpa to 127.100.in\-addr.arpa (Shared Address Space).
1772 local\-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault
1775 transparent with a local\-zone statement.
1777 .\" End of local-zone listing.
1779 .B local\-data: \fI"<resource record string>"
1781 The query has to match exactly unless you configure the local\-zone as
1782 redirect. If not matched exactly, the local\-zone type determines
1783 further processing. If local\-data is configured that is not a subdomain of
1784 a local\-zone, a transparent local\-zone is configured.
1786 local\-data: 'example. TXT "text"'.
1789 CNAME/DNAME support, or DNSSEC authoritative service, set up a stub\-zone for
1792 .B local\-data\-ptr: \fI"IPaddr name"
1797 .B local\-zone\-tag: \fI<zone> <"list of tags">
1799 used access-control element has a matching tag. Tags must be defined in
1800 \fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put spaces between
1802 list of tags for the query and local\-zone\-tag is non-empty.
1804 .B local\-zone\-override: \fI<zone> <IP netblock> <type>
1806 Use this localzone type, regardless of the type configured for the local-zone
1808 access\-control\-tag\-action.
1810 .B response\-ip: \fI<IP-netblock> <action>
1811 This requires use of the "respip" module.
1817 \fIaccess-control-tag-action\fR, but there are some exceptions.
1819 Actions for \fIresponse-ip\fR are different from those for
1820 \fIlocal-zone\fR in that in the case of the former there is no point of
1822 Because of this difference, the semantics of \fIresponse-ip\fR actions
1825 invalid for \fIresponse-ip\fR.
1827 faulty. The \fIdeny\fR action is non-conditional, i.e. it always
1832 .B response-ip-data: \fI<IP-netblock> <"resource record string">
1833 This requires use of the "respip" module.
1835 This specifies the action data for \fIresponse-ip\fR with action being
1837 record string" is similar to that of \fIaccess-control-tag-action\fR,
1839 If the IP-netblock is an IPv6/IPv4 prefix, the record
1842 more than one \fIresponse-ip-data\fR for the same IP-netblock.
1844 IP-netblock, following the normal rules for CNAME records.
1849 .B response-ip-tag: \fI<IP-netblock> <"list of tags">
1850 This requires use of the "respip" module.
1852 Assign tags to response IP-netblocks. If the IP address in an AAAA or
1854 IP-netblock, the specified tags are assigned to the IP address.
1855 Then, if an \fIaccess-control-tag\fR is defined for the client and it
1857 \fIaccess-control-tag-action\fR will apply.
1858 Tag matching rule is the same as that for \fIaccess-control-tag\fR and
1859 \fIlocal-zones\fR.
1860 Unlike \fIlocal-zone-tag\fR, \fIresponse-ip-tag\fR can be defined for
1861 an IP-netblock even if no \fIresponse-ip\fR is defined for that
1863 If multiple \fIresponse-ip-tag\fR options are specified for the same
1864 IP-netblock in different statements, all but the first will be
1870 \fIaccess-control-tag-action\fR that has a matching tag with
1871 \fIresponse-ip-tag\fR can be those that are "invalid" for
1872 \fIresponse-ip\fR listed above, since \fIaccess-control-tag-action\fRs
1876 \fIresponse-ip-data\fR will generally result in NOERROR/NODATA instead
1877 of NXDOMAIN, since the \fIresponse-ip\fR data are inherently type
1878 specific, and non-existence of data does not indicate anything about
1879 the existence or non-existence of the qname itself.
1881 no data for the corresponding \fIresponse-ip\fR configuration, then
1889 The ratelimit is in queries per second that are allowed. More queries are
1899 .B ratelimit\-size: \fI<memory size>
1905 .B ratelimit\-slabs: \fI<number>
1910 .B ratelimit\-factor: \fI<number>
1919 .B ratelimit\-backoff: \fI<yes or no>
1923 window. No traffic is allowed, except for ratelimit\-factor, until demand
1928 .B ratelimit\-for\-domain: \fI<domain> <number qps or 0>
1931 a top\-level\-domain you may want to have a higher limit than other names.
1934 .B ratelimit\-below\-domain: \fI<domain> <number qps or 0>
1939 is not changed, use ratelimit\-for\-domain to set that, you might want
1940 to use different settings for a top\-level\-domain and subdomains.
1943 .B ip\-ratelimit: \fI<number or 0>
1944 Enable global ratelimiting of queries accepted per IP address.
1946 The ratelimit is in queries per second that are allowed. More queries are
1951 If a ratelimit for such clients is still needed, \fBip\-ratelimit\-cookie\fR
1955 .B ip\-ratelimit\-cookie: \fI<number or 0>
1956 Enable global ratelimiting of queries accepted per IP address with a valid DNS
1959 The ratelimit is in queries per second that are allowed.
1966 If used, the value is suggested to be higher than \fBip\-ratelimit\fR e.g.,
1970 .B ip\-ratelimit\-size: \fI<memory size>
1976 .B ip\-ratelimit\-slabs: \fI<number>
1981 .B ip\-ratelimit\-factor: \fI<number>
1990 .B ip\-ratelimit\-backoff: \fI<yes or no>
1994 window. No traffic is allowed, except for ip\-ratelimit\-factor, until demand
1996 set ip\-ratelimit to a suspicious rate to aggressively limit unusually high
1999 .B outbound\-msg\-retry: \fI<number>
2000 The number of retries, per upstream nameserver in a delegation, that Unbound
2003 If a forward/stub zone is used, this is the number of retries per nameserver in
2007 .B max\-sent\-count: \fI<number>
2014 .B max\-query\-restarts: \fI<number>
2022 .B iter\-scrub\-ns: \fI<number>
2027 .B iter\-scrub\-cname: \fI<number>
2033 .B max\-global\-quota: \fI<number>
2039 .B fast\-server\-permil: \fI<number>
2043 servers for the remaining time. When prefetch is enabled (or serve\-expired),
2046 \fBfast\-server\-num\fR option can be used to specify the size of the fastest
2047 servers set. The default for fast\-server\-permil is 0.
2049 .B fast\-server\-num: \fI<number>
2051 use the fastest specified number of servers with the fast\-server\-permil
2054 .B answer\-cookie: \fI<yes or no>
2059 .B cookie\-secret: \fI<128 bit hex string>
2065 This option is ignored if a \fBcookie\-secret\-file\fR is
2069 .B cookie\-secret\-file: \fI<filename>
2072 \fBcookie-secret\fR option is ignored.
2076 \fIunbound\-control\fR(8) tool. Please see that manpage on how to perform a
2080 .B edns\-client\-string: \fI<IP netblock> <string>
2085 .B edns\-client\-string\-opcode: \fI<opcode>
2086 EDNS0 option code for the \fIedns\-client\-string\fR option, from 0 to 65535.
2087 A value from the `Reserved for Local/Experimental` range (65001-65534) should
2095 When the \fBval-log-level\fR option is also set to \fB2\fR, responses with
2100 .B ede\-serve\-expired: \fI<yes or no>
2101 If enabled, Unbound will attach an Extended DNS Error (RFC8914) Code 3 - Stale
2106 .B dns\-error\-reporting: \fI<yes or no>
2108 The name servers need to express support by attaching the Report-Channel EDNS0
2114 It is advised that the \fBqname\-minimisation\fR option is also enabled to
2119 .B remote\-control:
2121 enabled, the \fIunbound\-control\fR(8) utility can be used to send
2124 \fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR
2125 section for options. To set up the correct self\-signed certificates use the
2126 \fIunbound\-control\-setup\fR(8) utility.
2128 .B control\-enable: \fI<yes or no>
2132 .B control\-interface: \fI<ip address or interface name or path>
2150 .B control\-port: \fI<port number>
2156 .B control\-use\-cert: \fI<yes or no>
2157 For localhost control-interface you can disable the use of TLS by setting
2161 .B server\-key\-file: \fI<private key file>
2163 This file is generated by the \fIunbound\-control\-setup\fR utility.
2164 This file is used by the Unbound server, but not by \fIunbound\-control\fR.
2166 .B server\-cert\-file: \fI<certificate file.pem>
2168 This file is generated by the \fIunbound\-control\-setup\fR utility.
2169 This file is used by the Unbound server, and also by \fIunbound\-control\fR.
2171 .B control\-key\-file: \fI<private key file>
2173 This file is generated by the \fIunbound\-control\-setup\fR utility.
2174 This file is used by \fIunbound\-control\fR.
2176 .B control\-cert\-file: \fI<certificate file.pem>
2179 This file is generated by the \fIunbound\-control\-setup\fR utility.
2180 This file is used by \fIunbound\-control\fR.
2184 .B stub\-zone:
2192 This is useful for company\-local data or private zones. Setup an
2195 .B stub\-addr:
2208 Consider adding \fBserver:\fR statements for \fBdomain\-insecure:\fR and
2209 for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally
2212 (reverse\-) zone bypass Unbound's filtering of RFC1918 zones.
2217 .B stub\-host: \fI<domain name>
2223 configured tls\-port.
2225 .B stub\-addr: \fI<IP address>
2231 configured tls\-port.
2233 .B stub\-prime: \fI<yes or no>
2239 .B stub\-first: \fI<yes or no>
2245 .B stub\-tls\-upstream: \fI<yes or no>
2249 .B stub\-ssl\-upstream: \fI<yes or no>
2250 Alternate syntax for \fBstub\-tls\-upstream\fR.
2252 .B stub\-tcp\-upstream: \fI<yes or no>
2253 If it is set to "yes" then upstream queries use TCP only for transport, regardless of the global \fBtcp\-upstream\fR flag.
2256 .B stub\-no\-cache: \fI<yes or no>
2262 .B forward\-zone:
2265 forward the queries to. The servers listed as \fBforward\-host:\fR and
2266 \fBforward\-addr:\fR have to handle further recursion for the query. Thus,
2273 A forward\-zone entry with name "." and a forward\-addr target will
2280 .B forward\-host: \fI<domain name>
2286 configured tls\-port.
2288 .B forward\-addr: \fI<IP address>
2294 configured tls\-port.
2297 If you leave out the '#' and auth name from the forward\-addr, any
2298 name is accepted. The cert must also match a CA from the tls\-cert\-bundle.
2300 .B forward\-first: \fI<yes or no>
2305 .B forward\-tls\-upstream: \fI<yes or no>
2308 If you enable this, also configure a tls\-cert\-bundle or use tls\-win\-cert to
2311 .B forward\-ssl\-upstream: \fI<yes or no>
2312 Alternate syntax for \fBforward\-tls\-upstream\fR.
2314 .B forward\-tcp\-upstream: \fI<yes or no>
2315 If it is set to "yes" then upstream queries use TCP only for transport, regardless of the global \fBtcp\-upstream\fR flag.
2318 .B forward\-no\-cache: \fI<yes or no>
2323 Authority zones are configured with \fBauth\-zone:\fR, and each one must
2324 have a \fBname:\fR. There can be multiple ones: list multiple auth\-zone clauses, each with a different name, pertaining to that part of the namespace.
2326 Authority zones can be processed on two distinct, non-exclusive, configurable
2329 With \fBfor\-downstream:\fR \fIyes\fR (default), authority zones are processed
2330 after \fBlocal\-zones\fR and before cache.
2336 With \fBfor\-upstream:\fR \fIyes\fR (default), authority zones are processed
2347 An interesting configuration is \fBfor\-downstream:\fR \fIno\fR,
2348 \fBfor\-upstream:\fR \fIyes\fR that allows for hyperlocal behavior where both
2391 For https, the \fBtls\-cert\-bundle\fR and the hostname from the url are used
2397 "http://192.0.2.1/unbound-primaries/example.com.zone", with an explicit IP address.
2399 .B allow\-notify: \fI<IP address or host name or netblockIP/prefix>
2400 With allow\-notify you can specify additional sources of notifies.
2407 .B fallback\-enabled: \fI<yes or no>
2412 .B for\-downstream: \fI<yes or no>
2417 zone but have a local copy of zone data. If for\-downstream is no and
2418 for\-upstream is yes, then Unbound will DNSSEC validate the contents of the
2422 .B for\-upstream: \fI<yes or no>
2429 .B zonemd\-check: \fI<yes or no>
2435 .B zonemd\-reject\-absence: \fI<yes or no>
2440 failure is controlled by the \fBzonemd\-permissive\-mode\fR option, for
2456 clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and
2457 \fBlocal\-data\fR elements. Views can also contain view\-first,
2458 response\-ip, response\-ip\-data and local\-data\-ptr elements.
2460 view name in an \fBaccess\-control\-view\fR element. Options from matching
2465 Name of the view. Must be unique. This name is used in access\-control\-view
2468 .B local\-zone: \fI<zone> <type>
2469 View specific local\-zone elements. Has the same types and behaviour as the
2470 global local\-zone elements. When there is at least one local\-zone specified
2471 and view\-first is no, the default local-zones will be added to this view.
2472 Defaults can be disabled using the nodefault type. When view\-first is yes or
2473 when a view does not have a local\-zone, the global local\-zone will be used
2476 .B local\-data: \fI"<resource record string>"
2477 View specific local\-data elements. Has the same behaviour as the global
2478 local\-data elements.
2480 .B local\-data\-ptr: \fI"IPaddr name"
2481 View specific local\-data\-ptr elements. Has the same behaviour as the global
2482 local\-data\-ptr elements.
2484 .B view\-first: \fI<yes or no>
2485 If enabled, it attempts to use the global local\-zone and local\-data if there
2488 .SS "Python Module Options"
2492 clause gives the settings for the \fIpython\fR(1) script module. This module
2494 To enable the script module it has to be compiled into the daemon,
2495 and the word "python" has to be put in the \fBmodule\-config:\fR option
2497 the python module are supported by adding the word "python" more than once.
2501 \fImount\fR(8). Also the \fBpython\-script:\fR path should be specified as an
2505 .B python\-script: \fI<python file>\fR
2506 The script file to load. Repeat this option for every python module instance
2507 added to the \fBmodule\-config:\fR option.
2508 .SS "Dynamic Library Module Options"
2512 clause gives the settings for the \fIdynlib\fR module. This module is only
2514 instead of being compiled into the application. To enable the dynlib module it
2516 \fBmodule\-config:\fR option. Multiple instances of dynamic libraries are
2519 The \fBdynlib\-file:\fR path should be specified as an absolute path relative
2523 .B dynlib\-file: \fI<dynlib file>\fR
2524 The dynamic library file to load. Repeat this option for every dynlib module
2525 instance added to the \fBmodule\-config:\fR option.
2526 .SS "DNS64 Module Options"
2528 The dns64 module must be configured in the \fBmodule\-config:\fR directive
2532 .B dns64\-prefix: \fI<IPv6 prefix>\fR
2536 .B dns64\-synthall: \fI<yes or no>\fR
2540 .B dns64\-ignore\-aaaa: \fI<name>\fR
2543 new domain for which it applies, one per line. Applies also to names
2547 NAT64 operation allows using a NAT64 prefix for outbound requests to IPv4-only
2550 .B do\-nat64: \fI<yes or no>\fR
2551 Use NAT64 to reach IPv4-only servers.
2552 Consider also enabling \fBprefer\-ip6\fR to prefer native IPv6 connections to
2556 .B nat64\-prefix: \fI<IPv6 prefix>\fR
2557 Use a specific NAT64 prefix to reach IPv4-only servers. Defaults to using
2558 the prefix configured in \fBdns64\-prefix\fR, which in turn defaults to
2566 \fB\-\-enable\-dnscrypt\fR.
2568 You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/\
2569 dnscrypt-wrapper/blob/master/README.md#usage
2571 .B dnscrypt\-enable: \fI<yes or no>\fR
2576 .B dnscrypt\-port: \fI<port number>
2581 .B dnscrypt\-provider: \fI<provider name>\fR
2583 \fB2.dnscrypt-cert.example.com.\fR. The name \fIMUST\fR end with a dot.
2585 .B dnscrypt\-secret\-key: \fI<path to secret key file>\fR
2589 .B dnscrypt\-provider\-cert: \fI<path to cert file>\fR
2590 Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs.
2593 .B dnscrypt\-provider\-cert\-rotated: \fI<path to cert file>\fR
2595 but do not want to advertise over \fBdnscrypt\-provider\fR's TXT record certs
2606 .B dnscrypt\-shared\-secret\-cache\-size: \fI<memory size>
2612 .B dnscrypt\-shared\-secret\-cache\-slabs: \fI<number>
2617 .B dnscrypt\-nonce\-cache\-size: \fI<memory size>
2623 .B dnscrypt\-nonce\-cache\-slabs: \fI<number>
2627 .SS "EDNS Client Subnet Module Options"
2629 The ECS module must be configured in the \fBmodule\-config:\fR directive e.g.,
2641 allowed in the configuration using \fBsend\-client\-subnet\fR. The option will
2643 \fBclient\-subnet\-always\-forward\fR is set to yes. In this case the lookup in
2646 The maximum size of the ECS cache is controlled by 'msg-cache-size' in the
2655 Usage of the subnetcache module should only be enabled in installations that
2660 This module does not interact with the \fBserve\-expired*\fR and
2663 .B send\-client\-subnet: \fI<IP address>\fR
2666 be given multiple times. Authorities not listed will not receive edns-subnet
2667 information, unless domain in query is specified in \fBclient\-subnet\-zone\fR.
2669 .B client\-subnet\-zone: \fI<domain>\fR
2671 given multiple times. Zones not listed will not receive edns-subnet information,
2672 unless hosted by authority specified in \fBsend\-client\-subnet\fR.
2674 .B client\-subnet\-always\-forward: \fI<yes or no>\fR
2676 \fBsend\-client\-subnet\fR) is applied for all queries, even if the triggering
2683 .B max\-client\-subnet\-ipv6: \fI<number>\fR
2687 .B max\-client\-subnet\-ipv4: \fI<number>\fR
2691 .B min\-client\-subnet\-ipv6: \fI<number>\fR
2696 .B min\-client\-subnet\-ipv4: \fI<number>\fR
2701 .B max\-ecs\-tree\-size\-ipv4: \fI<number>\fR
2705 .B max\-ecs\-tree\-size\-ipv6: \fI<number>\fR
2708 .SS "Opportunistic IPsec Support Module Options"
2710 The IPsec module must be configured in the \fBmodule\-config:\fR directive
2712 \fB\-\-enable\-ipsecmod\fR to be enabled.
2736 \fBipsecmod-max-ttl\fR.
2740 \fBipsecmod-max-ttl\fR ensures that the A/AAAA answer given from cache is still
2743 .B ipsecmod-enabled: \fI<yes or no>\fR
2744 Specifies whether the IPsec module is enabled or not. The IPsec module still
2745 needs to be defined in the \fBmodule\-config:\fR directive. This option
2746 facilitates turning on/off the module without restarting/reloading Unbound.
2749 .B ipsecmod\-hook: \fI<filename>\fR
2753 must be present when the IPsec module is defined in the \fBmodule\-config:\fR
2756 .B ipsecmod-strict: \fI<yes or no>\fR
2761 .B ipsecmod\-max-ttl: \fI<seconds>\fR
2765 .B ipsecmod-ignore-bogus: \fI<yes or no>\fR
2771 .B ipsecmod\-allow: \fI<domain>\fR
2772 Allow the ipsecmod functionality for the domain so that the module logic will be
2776 .B ipsecmod\-whitelist: \fI<domain>
2777 Alternate syntax for \fBipsecmod\-allow\fR.
2778 .SS "Cache DB Module Options"
2780 The Cache DB module must be configured in the \fBmodule\-config:\fR directive
2782 with \fB\-\-enable\-cachedb\fR.
2783 If this module is enabled and configured, the specified backend database
2785 When Unbound cannot find an answer to a query in its built-in in-memory
2792 This module interacts with the \fBserve\-expired\-*\fR options and will reply
2796 \fB\-\-with\-libhiredis\fR
2806 preferably with some kind of least-recently-used eviction policy.
2807 Additionally, the \fBredis\-expire\-records\fR option can be used in order to
2809 in mind that some additional memory is used per key and that the expire
2827 clause gives custom settings of the cache DB module.
2831 The default database is the in-memory backend named "testframe", which,
2833 Depending on the build-time configuration, "redis" backend may also be
2836 .B secret-seed: \fI<"secret string">\fR
2845 .B cachedb-no-store: \fI<yes or no>\fR
2850 .B cachedb-check-when-serve-expired: \fI<yes or no>\fR
2852 When \fBserve\-expired\fR is enabled, without \fBserve\-expired\-client\-timeout\fR, it then
2856 If also \fBserve\-expired\-client\-timeout\fR is enabled, the expired response
2864 .B redis-server-host: \fI<server address or name>\fR
2871 .B redis-server-port: \fI<port number>\fR
2875 .B redis-server-path: \fI<unix socket path>\fR
2880 .B redis-server-password: \fI"<password>"\fR
2885 .B redis-timeout: \fI<msec>\fR
2889 re-establish a new connection later.
2892 .B redis-command-timeout: \fI<msec>\fR
2894 If 0, it uses the \fBredis\-timeout\fR value.
2897 .B redis-connect-timeout: \fI<msec>\fR
2899 If 0, it uses the \fBredis\-timeout\fR value.
2902 .B redis-expire-records: \fI<yes or no>
2905 Unbound is configured with \fBserve-expired\fR and \fBserve-expired-ttl\fR is 0,
2910 .B redis-logical-db: \fI<logical database index>
2921 .B redis-replica-server-host: \fI<server address or name>\fR
2926 This server is treated as a read-only replica server
2927 (https://redis.io/docs/management/replication/#read-only-replica).
2929 the write commands will go to the \fBredis-server-host\fR.
2932 .B redis-replica-server-port: \fI<port number>\fR
2936 .B redis-replica-server-path: \fI<unix socket path>\fR
2941 .B redis-replica-server-password: \fI"<password>"\fR
2946 .B redis-replica-timeout: \fI<msec>\fR
2950 re-establish a new connection later.
2953 .B redis-replica-command-timeout: \fI<msec>\fR
2955 If 0, it uses the \fBredis\-replica\-timeout\fR value.
2958 .B redis-replica-connect-timeout: \fI<msec>\fR
2960 If 0, it uses the \fBredis\-replica\-timeout\fR value.
2963 .B redis-replica-logical-db: \fI<logical database index>
2964 Same as \fBredis-logical-db\fR but for the Redis replica server.
2967 DNSTAP support, when compiled in by using \fB\-\-enable\-dnstap\fR, is enabled
2971 threading it does not spawn a thread, but connects per-process to the
2974 .B dnstap-enable: \fI<yes or no>
2976 and if any of the dnstap-log-..-messages options is enabled it sends logs
2979 .B dnstap-bidirectional: \fI<yes or no>
2983 .B dnstap-socket-path: \fI<file name>
2987 .B dnstap-ip: \fI<IPaddress[@port]>
2991 .B dnstap-tls: \fI<yes or no>
2992 Set this to use TLS to connect to the server specified in \fBdnstap-ip\fR.
2995 .B dnstap-tls-server-name: \fI<name of TLS authentication>
2996 The TLS server name to authenticate the server with. Used when \fBdnstap-tls\fR is enabled. If it is "" it is ignored; the default is "".
2998 .B dnstap-tls-cert-bundle: \fI<file name of cert bundle>
3003 .B dnstap-tls-client-key-file: \fI<file name>
3007 .B dnstap-tls-client-cert-file: \fI<file name>
3010 .B dnstap-send-identity: \fI<yes or no>
3014 .B dnstap-send-version: \fI<yes or no>
3018 .B dnstap-identity: \fI<string>
3022 .B dnstap-version: \fI<string>
3026 .B dnstap-sample-rate: \fI<number>
3033 .B dnstap-log-resolver-query-messages: \fI<yes or no>
3037 .B dnstap-log-resolver-response-messages: \fI<yes or no>
3041 .B dnstap-log-client-query-messages: \fI<yes or no>
3045 .B dnstap-log-client-response-messages: \fI<yes or no>
3049 .B dnstap-log-forwarder-query-messages: \fI<yes or no>
3052 .B dnstap-log-forwarder-response-messages: \fI<yes or no>
3061 The \fBrespip\fR module needs to be added to the \fBmodule-config\fR, e.g.:
3062 \fBmodule-config: "respip validator iterator"\fR.
3065 Supported actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp\-only
3066 and drop. RPZ QNAME triggers are applied after \fBlocal\-zones\fR and
3067 before \fBauth\-zones\fR.
3085 netblock.rpz-client-ip client IP address
3086 netblock.rpz-ip response IP address in the answer
3087 name.rpz-nsdname nameserver name
3088 netblock.rpz-nsip nameserver IP address
3092 of 32 or 128. For example, 24.10.100.51.198.rpz-ip is 198.51.100.10/24 and
3093 32.10.zz.db8.2001.rpz-ip is 2001:db8:0:0:0:0:0:10/32.
3099 CNAME rpz-passthru. do nothing, allow to continue
3100 CNAME rpz-drop. the query is dropped
3101 CNAME rpz-tcp-only. answer over TCP
3104 Other records like AAAA, TXT and other CNAMEs (not rpz-..) can also be used to
3136 For https, the \fBtls\-cert\-bundle\fR and the hostname from the url are used
3139 .B allow\-notify: \fI<IP address or host name or netblockIP/prefix>
3140 With allow\-notify you can specify additional sources of notifies.
3152 .B rpz\-action\-override: \fI<action>
3156 .B rpz\-cname\-override: \fI<domain>
3158 \fBrpz\-action\-override\fR.
3160 .B rpz\-log: \fI<yes or no>
3163 .B rpz\-log\-name: \fI<name>
3166 .B rpz\-signal\-nxdomain\-ra: \fI<yes or no>
3171 .B for\-downstream: \fI<yes or no>
3179 need to be defined in \fBdefine\-tag\fR and can be assigned to client addresses
3180 using \fBaccess\-control\-tag\fR. Enclose list of tags in quotes ("") and put
3190 which on BSD\-32bit tops out at 30\-40 Mb after heavy usage.
3195 num\-threads: 1
3196 outgoing\-num\-tcp: 1 # this limits TCP service, uses less buffers.
3197 incoming\-num\-tcp: 1
3198 outgoing\-range: 60 # uses less memory, but less performance.
3199 msg\-buffer\-size: 8192 # note this limits service, 'no huge stuff'.
3200 msg\-cache\-size: 100k
3201 msg\-cache\-slabs: 1
3202 rrset\-cache\-size: 100k
3203 rrset\-cache\-slabs: 1
3204 infra\-cache\-numhosts: 200
3205 infra\-cache\-slabs: 1
3206 key\-cache\-size: 100k
3207 key\-cache\-slabs: 1
3208 neg\-cache\-size: 10k
3209 num\-queries\-per\-thread: 30
3210 target\-fetch\-policy: "2 1 0 0 0 0"
3211 harden\-large\-queries: "yes"
3212 harden\-short\-bufsize: "yes"
3235 \fIunbound\-checkconf\fR(8).