Lines Matching +full:wait +full:- +full:monitoring +full:- +full:ns
3 .\" unbound.conf.5 -- unbound.conf manual
12 \- Unbound configuration file.
27 \fIunbound\-checkconf\fR(8)
34 $ unbound \-c /etc/unbound/unbound.conf
53 # mount \-\-bind \-n /dev/urandom /etc/unbound/dev/urandom
54 # and mount \-\-bind \-n /dev/log /etc/unbound/dev/log
62 access\-control: 10.0.0.0/8 allow
63 access\-control: 2001:DB8::/64 allow
82 .B include\-toplevel:
99 .B statistics\-interval: \fI<seconds>
106 .B statistics\-cumulative: \fI<yes or no>
110 .B extended\-statistics: \fI<yes or no>
111 If enabled, extended statistics are printed from \fIunbound\-control\fR(8).
113 counters are listed in \fIunbound\-control\fR(8).
115 .B statistics\-inhibit\-zero: \fI<yes or no>
117 printing with \fIunbound\-control\fR(8).
123 .B num\-threads: \fI<number>
135 The interfaces are not changed on a reload (kill \-HUP) but only on restart.
140 .B ip\-address: \fI<ip address or interface name [@port]>
143 .B interface\-automatic: \fI<yes or no>
146 ip\-transparent, but this option services all interfaces whilst with
147 ip\-transparent you can select which (future) interfaces Unbound provides
151 .B interface\-automatic\-ports: \fI<string>
152 List the port numbers that interface-automatic listens on. If empty, the
160 .B outgoing\-interface: \fI<ip address or ip6 netblock>
167 .B outgoing\-interface:
174 host running Unbound, and requires OS support for unprivileged non-local binds
177 .B outgoing\-interface:
180 .B prefer\-ip6: yes
184 ip \-6 addr add mynetblock/64 dev lo &&
185 ip \-6 route add local mynetblock/64 dev lo
187 .B outgoing\-range: \fI<number>
193 .B outgoing\-port\-permit: \fI<port number or range>
198 Give a port number or a range of the form "low\-high", without spaces.
200 The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements
206 .B outgoing\-port\-avoid: \fI<port number or range>
211 Give a port number or a range of the form "low\-high", without spaces.
213 .B outgoing\-num\-tcp: \fI<number>
215 set to 0, or if do\-tcp is "no", no TCP queries to authoritative servers
218 .B incoming\-num\-tcp: \fI<number>
220 10. If set to 0, or if do\-tcp is "no", no TCP queries from clients are
223 .B edns\-buffer\-size: \fI<number>
226 buffer size is determined by msg\-buffer\-size (both for TCP and UDP). Do
233 .B max\-udp\-size: \fI<number>
237 same as the default for edns\-buffer\-size.
239 .B stream\-wait\-size: \fI<number>
249 .B msg\-buffer\-size: \fI<number>
256 .B msg\-cache\-size: \fI<number>
261 .B msg\-cache\-slabs: \fI<number>
266 .B num\-queries\-per\-thread: \fI<number>
269 (see \fIjostle\-timeout\fR), then the queries are dropped. This forces
273 .B jostle\-timeout: \fI<msec>
280 The effect is that the qps for long-lasting queries is about
286 .B delay\-close: \fI<msec>
290 closed ports and setting off all sort of close-port counters, with
295 .B udp\-connect: \fI<yes or no>
299 .B unknown\-server\-time\-limit: \fI<msec>
300 The time in msec to wait for an unknown server to reply.
302 That would then avoid re\-querying every initial query because it times out.
305 .B discard\-timeout: \fI<msec>
306 The wait time in msec where recursion requests are dropped. This is
309 larger than serve\-expired\-client\-timeout if that is enabled.
313 .B wait\-limit: \fI<number>
314 The number of replies that can wait for recursion, for an IP address.
317 destination. The value 0 disables wait limits. Default is 1000.
319 .B wait\-limit\-cookie: \fI<number>
320 The number of replies that can wait for recursion, for an IP address
324 .B wait\-limit\-netblock: \fI<netblock> <number>
325 The wait limit for the netblock. If not given the wait\-limit value is
328 The value -1 disables wait limits for the netblock.
329 By default the loopback has a wait limit netblock of -1, so it is not limited,
331 The loopback addresses 127.0.0.0/8 and ::1/128 are default at -1.
333 .B wait\-limit\-cookie\-netblock: \fI<netblock> <number>
334 The wait limit for the netblock, when the query has a DNS cookie.
335 If not given, the wait\-limit\-cookie value is used.
336 The value -1 disables wait limits for the netblock.
337 The loopback addresses 127.0.0.0/8 and ::1/128 are default at -1.
339 .B so\-rcvbuf: \fI<number>
342 servers do not drop packets (see counter in netstat \-su). Default is
347 On OpenBSD change header and recompile kernel. On Solaris ndd \-set
350 .B so\-sndbuf: \fI<number>
354 can get logged, the buffer overrun is also visible by netstat \-su.
359 to so\-rcvbuf.
361 .B so\-reuseport: \fI<yes or no>
373 .B ip\-transparent: \fI<yes or no>
376 non\-local interfaces. For example for non\-existent IP addresses that
378 a lot like interface\-automatic, but that one services all interfaces
384 .B ip\-freebind: \fI<yes or no>
389 ip\-transparent option is also available.
391 .B ip-dscp: \fI<number>
394 The field replaces the outdated IPv4 Type-Of-Service field and the
397 .B rrset\-cache\-size: \fI<number>
402 .B rrset\-cache\-slabs: \fI<number>
406 .B cache\-max\-ttl: \fI<seconds>
412 .B cache\-min\-ttl: \fI<seconds>
420 .B cache\-max\-negative\-ttl: \fI<seconds>
425 .B cache\-min\-negative\-ttl: \fI<seconds>
429 If this is disabled and \fBcache-min-ttl\fR is configured, it will take effect
434 .B infra\-host\-ttl: \fI<seconds>
438 .B infra\-cache\-slabs: \fI<number>
442 .B infra\-cache\-numhosts: \fI<number>
445 .B infra\-cache\-min\-rtt: \fI<msec>
450 .B infra\-cache\-max\-rtt: \fI<msec>
454 .B infra\-keep\-probing: \fI<yes or no>
458 it may take \fBinfra\-host\-ttl\fR time to get probed again.
460 .B define\-tag: \fI<"list of tags">
461 Define the tags that can be used with local\-zone and access\-control.
464 .B do\-ip4: \fI<yes or no>
467 .B do\-ip6: \fI<yes or no>
474 .B prefer\-ip4: \fI<yes or no>
481 .B prefer\-ip6: \fI<yes or no>
485 .B do\-udp: \fI<yes or no>
488 .B do\-tcp: \fI<yes or no>
491 .B tcp\-mss: \fI<number>
499 .B outgoing\-tcp\-mss: \fI<number>
507 .B tcp-idle-timeout: \fI<msec>\fR
508 The period Unbound will wait for a query on a TCP connection.
518 It will be overridden by \fBedns\-tcp\-keepalive\-timeout\fR if
519 \fBedns\-tcp\-keepalive\fR is enabled.
521 .B tcp-reuse-timeout: \fI<msec>\fR
525 .B max-reuse-tcp-queries: \fI<number>\fR
530 .B tcp-auth-query-timeout: \fI<number>\fR
534 .B edns-tcp-keepalive: \fI<yes or no>\fR
537 .B edns-tcp-keepalive-timeout: \fI<msec>\fR
538 Overrides \fBtcp\-idle\-timeout\fR when \fBedns\-tcp\-keepalive\fR is enabled.
544 .B sock\-queue\-timeout: \fI<sec>\fR
552 .B tcp\-upstream: \fI<yes or no>
555 TCP transport only for selected forward or stub zones using forward-tcp-upstream
556 or stub-tcp-upstream respectively.
558 .B udp\-upstream\-without\-downstream: \fI<yes or no>
559 Enable udp upstream even if do-udp is no. Default is no, and this does not
563 .B tls\-upstream: \fI<yes or no>
567 \fBtls\-service\-key\fR).
568 If you enable this, also configure a tls\-cert\-bundle or use tls\-win\-cert or
569 tls\-system\-cert to load CA certs, otherwise the connections cannot be
572 forward\-tls\-upstream. And also with stub\-tls\-upstream.
573 If the tls\-upstream option is enabled, it is for all the forwards and stubs,
574 where the forward\-tls\-upstream and stub\-tls\-upstream options are ignored,
577 .B ssl\-upstream: \fI<yes or no>
578 Alternate syntax for \fBtls\-upstream\fR. If both are present in the config
581 .B tls\-service\-key: \fI<file>
582 If enabled, the server provides DNS-over-TLS or DNS-over-HTTPS service on the
583 TCP ports marked implicitly or explicitly for these services with tls\-port or
584 https\-port. The file must contain the private key for the TLS session, the
585 public certificate is in the tls\-service\-pem file and it must also be
586 specified if tls\-service\-key is specified. The default is "", turned off.
589 The ports enabled implicitly or explicitly via \fBtls\-port:\fR and
590 \fBhttps\-port:\fR do not provide normal DNS TCP service. Unbound needs to be
591 compiled with libnghttp2 in order to provide DNS-over-HTTPS.
593 .B ssl\-service\-key: \fI<file>
594 Alternate syntax for \fBtls\-service\-key\fR.
596 .B tls\-service\-pem: \fI<file>
600 .B ssl\-service\-pem: \fI<file>
601 Alternate syntax for \fBtls\-service\-pem\fR.
603 .B tls\-port: \fI<number>
607 .B ssl\-port: \fI<number>
608 Alternate syntax for \fBtls\-port\fR.
610 .B tls\-cert\-bundle: \fI<file>
612 for example "/etc/pki/tls/certs/ca\-bundle.crt". These certificates are used
613 for authenticating connections made to outside peers. For example auth\-zone
617 .B ssl\-cert\-bundle: \fI<file>
618 Alternate syntax for \fBtls\-cert\-bundle\fR.
620 .B tls\-win\-cert: \fI<yes or no>
624 the tls\-cert\-bundle option on other systems. On other systems, this option
627 .B tls\-system\-cert: \fI<yes or no>
628 This is the same setting as the tls\-win\-cert setting, under a different name.
631 .B tls\-additional\-port: \fI<portnr>
632 List portnumbers as tls\-additional\-port, and when interfaces are defined,
636 .B tls-session-ticket-keys: \fI<file>
643 listing it after the first file for some time, after the wait clients are not
649 .B tls\-ciphers: \fI<string with cipher list>
653 .B tls\-ciphersuites: \fI<string with ciphersuites list>
657 .B pad\-responses: \fI<yes or no>
660 \fBpad\-responses\-block\-size\fR.
663 .B pad\-responses\-block\-size: \fI<number>
668 .B pad\-queries: \fI<yes or no>
670 multiple of the size specified in \fBpad\-queries\-block\-size\fR.
673 .B pad\-queries\-block\-size: \fI<number>
677 .B tls\-use\-sni: \fI<yes or no>
682 .B https\-port: \fI<number>
683 The port number on which to provide DNS-over-HTTPS service, default 443, only
686 .B http\-endpoint: \fI<endpoint string>
687 The HTTP endpoint to provide DNS-over-HTTPS service on. Default "/dns-query".
689 .B http\-max\-streams: \fI<number of streams>
691 SETTINGS frame for DNS-over-HTTPS connections. Default 100.
693 .B http\-query\-buffer\-size: \fI<size in bytes>
700 .B http\-response\-buffer\-size: \fI<size in bytes>
707 .B http\-nodelay: \fI<yes or no>
708 Set TCP_NODELAY socket option on sockets used to provide DNS-over-HTTPS service.
711 .B http\-notls\-downstream: \fI<yes or no>
712 Disable use of TLS for the downstream DNS-over-HTTP connections. Useful for
715 .B proxy\-protocol\-port: \fI<portnr>
716 List port numbers as proxy\-protocol\-port, and when interfaces are defined,
726 .B quic\-port: \fI<number>
727 The port number on which to provide DNS-over-QUIC service, default 853, only
731 .B quic\-size: \fI<size in bytes>
738 .B use\-systemd: \fI<yes or no>
742 .B do\-daemonize: \fI<yes or no>
747 .B tcp\-connection\-limit: \fI<IP netblock> <limit>
752 .B access\-control: \fI<IP netblock> <action>
764 The order of the access\-control statements therefore does not matter.
776 local\-data that is configured. The reason is that this does not involve
800 \fBanswer\-cookie\fR option is enabled.
806 \fBanswer\-cookie\fR setting.
812 The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
817 only allowed to query for the authoritative local\-data, they are not
822 .B access\-control\-tag: \fI<IP netblock> <"list of tags">
823 Assign tags to access-control elements. Clients using this access control
825 defined in \fIdefine\-tag\fR. Enclose list of tags in quotes ("") and put
826 spaces between tags. If access\-control\-tag is configured for a netblock that
827 does not have an access\-control, an access\-control element with action
830 .B access\-control\-tag\-action: \fI<IP netblock> <tag> <action>
833 between access\-control\-tag and local\-zone\-tag where "first" comes from the
834 order of the define-tag values.
836 .B access\-control\-tag\-data: \fI<IP netblock> <tag> <"resource record string">
839 .B access\-control\-view: \fI<IP netblock> <view name>
842 .B interface\-action: \fI<ip address or interface name [@port]> <action>
843 Similar to \fBaccess\-control:\fR but for interfaces.
845 The action is the same as the ones defined under \fBaccess\-control:\fR.
849 \fBaccess\-control:\fR behavior.
850 This also means that any attempt to use the \fBinterface-*:\fR options for the
852 default "\fBaccess\-control:\fR 127.0.0.0/8 allow" option.
855 and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
858 .B interface\-tag: \fI<ip address or interface name [@port]> <"list of tags">
859 Similar to \fBaccess\-control-tag:\fR but for interfaces.
862 and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
865 .B interface\-tag\-action: \fI<ip address or interface name [@port]> <tag> <action>
866 Similar to \fBaccess\-control-tag-action:\fR but for interfaces.
869 and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
872 .B interface\-tag\-data: \fI<ip address or interface name [@port]> <tag> <"resource record string">
873 Similar to \fBaccess\-control-tag-data:\fR but for interfaces.
876 and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
879 .B interface\-view: \fI<ip address or interface name [@port]> <view name>
880 Similar to \fBaccess\-control-view:\fR but for interfaces.
883 and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
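The tag, override and tag-action statements above interact in a way the option-by-option descriptions do not show. The following server: clause is an added worked example, not text from the manual: it gives guest and staff netblocks different views of two local zones. The netblocks, tag names, zone names and addresses are invented for illustration.

```conf
server:
    # Tags must be declared before access-control-tag or local-zone-tag can
    # reference them. The order here also decides which tag is "first" when
    # access-control-tag-action has to pick between several matching tags.
    define-tag: "guest staff"

    # Netblocks not listed keep the built-in default action (refuse).
    # Keep each allow line next to its tag line: tagging a netblock that has
    # no access-control creates an access-control element for it implicitly.
    access-control: 10.10.0.0/16 allow
    access-control-tag: 10.10.0.0/16 "guest"
    access-control: 10.11.0.0/16 allow
    access-control-tag: 10.11.0.0/16 "guest"
    access-control: 10.20.0.0/16 allow
    access-control-tag: 10.20.0.0/16 "staff"

    # A tagged local-zone only applies to clients whose tag list intersects
    # the zone's tags. Staff and untagged clients never match "guest", so for
    # them tracker.example is resolved normally; guests get the sinkhole.
    local-zone: "tracker.example." redirect
    local-zone-tag: "tracker.example." "guest"
    local-data: "tracker.example. 300 IN A 0.0.0.0"

    # Internal zone for staff only. A guest never matches "staff", so without
    # further configuration the zone does not exist for guests and the name
    # would be recursed to the Internet. local-zone-override pins the type
    # for a netblock regardless of tags: guests get REFUSED instead.
    local-zone: "corp.example." static
    local-zone-tag: "corp.example." "staff"
    local-data: "wiki.corp.example. 300 IN A 10.20.5.10"
    local-zone-override: "corp.example." 10.10.0.0/16 refuse
    local-zone-override: "corp.example." 10.11.0.0/16 refuse

    # Per-netblock, per-tag action and data. For the kiosk netblock every
    # zone it matches on the "guest" tag answers with the captive portal
    # address instead of the zone's own local-data; the wifi guests in
    # 10.10.0.0/16 still receive the 0.0.0.0 configured on the zone itself.
    access-control-tag-action: 10.11.0.0/16 "guest" redirect
    access-control-tag-data: 10.11.0.0/16 "guest" "A 10.11.0.1"
```

Run unbound-checkconf on the result before a reload; with log-local-actions: yes (described further down on this page) the per-query tag decisions are written to the log, which is the quickest way to confirm which netblock ended up with which answer.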
934 If this option is given, the use\-syslog option is set to "no".
938 .B use\-syslog: \fI<yes or no>
942 The logfile setting is overridden when use\-syslog is turned on.
945 .B log\-identity: \fI<string>
952 .B log\-time\-ascii: \fI<yes or no>
957 .B log\-time\-iso:\fR <yes or no>
958 Log time in ISO8601 format, if \fBlog\-time\-ascii:\fR yes is also set.
961 .B log\-queries: \fI<yes or no>
967 .B log\-replies: \fI<yes or no>
974 .B log\-tag\-queryreply: \fI<yes or no>
975 Prints the words 'query' and 'reply' with log\-queries and log\-replies.
979 .B log\-destaddr: \fI<yes or no>
980 Prints the destination address, port and type in the log\-replies output.
984 .B log\-local\-actions: \fI<yes or no>
986 local\-zone type inform prints out, but they are also printed for the other
989 .B log\-servfail: \fI<yes or no>
998 kill \-HUP `cat @UNBOUND_PIDFILE@`
1002 kill \-TERM `cat @UNBOUND_PIDFILE@`
1006 .B root\-hints: \fI<filename>
1010 when servers change, therefore it is good practice to use a root\-hints file.
1012 .B hide\-identity: \fI<yes or no>
1019 .B hide\-version: \fI<yes or no>
1026 .B hide\-http\-user\-agent: \fI<yes or no>
1027 If enabled the HTTP header User-Agent is not set. Use with caution as some
1030 .B http\-user\-agent
1033 .B http\-user\-agent: \fI<string>
1034 Set the HTTP User-Agent header for outgoing HTTP requests. If set to "",
1042 .B hide\-trustanchor: \fI<yes or no>
1045 .B target\-fetch\-policy: \fI<"list of numbers">
1052 A value of \-1 means to fetch all targets opportunistically for that dependency
1058 closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour
1061 .B harden\-short\-bufsize: \fI<yes or no>
1065 .B harden\-large\-queries: \fI<yes or no>
1070 .B harden\-glue: \fI<yes or no>
1073 .B harden\-unverified\-glue: \fI<yes or no>
1074 Will trust only in-zone glue. Will try to resolve all out of zone
1078 .B harden\-dnssec\-stripped: \fI<yes or no>
1079 Require DNSSEC data for trust\-anchored zones, if such data is absent,
1088 .B harden\-below\-nxdomain: \fI<yes or no>
1095 this only DNSSEC-secure nxdomains are used, because the old software does not
1099 .B harden\-referral\-path: \fI<yes or no>
1103 NS sets and the nameserver addresses that are encountered on the referral
1108 If you enable it consider adding more numbers after the target\-fetch\-policy
1111 .B harden\-algo\-downgrade: \fI<yes or no>
1127 Using this option may break DNSSEC resolution with non-RFC6840-conforming
1128 signers and/or in multi-signer configurations that don't send all the
1131 .B harden\-unknown\-additional: \fI<yes or no>
1137 .B use\-caps\-for\-id: \fI<yes or no>
1138 Use 0x20\-encoded random bits in the query to foil spoof attempts.
1142 This feature is an experimental implementation of draft dns\-0x20.
1144 .B caps\-exempt: \fI<domain>
1145 Exempt the domain so that it does not receive caps\-for\-id perturbed
1150 .B caps\-whitelist: \fI<domain>
1151 Alternate syntax for \fBcaps\-exempt\fR.
1153 .B qname\-minimisation: \fI<yes or no>
1160 .B qname\-minimisation\-strict: \fI<yes or no>
1161 QNAME minimisation in strict mode. Do not fall back to sending full QNAME to
1164 This option only has effect when qname-minimisation is enabled. Default is no.
1166 .B aggressive\-nsec: \fI<yes or no>
1172 .B private\-address: \fI<IP address or subnet>
1177 answers bogus. This protects against so\-called DNS Rebinding, where
1181 \fBlocal\-data\fR that you configured is allowed to, and you can specify
1182 additional names using \fBprivate\-domain\fR. No private addresses are
1189 stops IPv4-mapped IPv6 addresses from bypassing the filter.
1191 .B private\-domain: \fI<domain name>
1196 .B unwanted\-reply\-threshold: \fI<number>
1203 .B do\-not\-query\-address: \fI<IP address>
1208 .B do\-not\-query\-localhost: \fI<yes or no>
1209 If yes, localhost is added to the do\-not\-query\-address entries, both
1220 .B prefetch\-key: \fI<yes or no>
1225 .B deny\-any: \fI<yes or no>
1231 .B rrset\-roundrobin: \fI<yes or no>
1235 .B minimal-responses: \fI<yes or no>
1246 .B disable-dnssec-lame-check: \fI<yes or no>
1253 .B module\-config: \fI<"module names">
1257 Setting this to just "\fIiterator\fR" will result in a non\-validating
1262 You must also set \fItrust\-anchors\fR for validation to be useful.
1275 .B trust\-anchor\-file: \fI<filename>
1280 .B auto\-trust\-anchor\-file: \fI<filename>
1284 \fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated,
1290 .B trust\-anchor: \fI<"Resource Record">
1292 given to specify multiple trusted keys, in addition to the trust\-anchor\-files.
1298 .B trusted\-keys\-file: \fI<filename>
1300 with several entries, one file per entry. Like \fBtrust\-anchor\-file\fR
1301 but has a different file format. Format is BIND\-9 style format,
1302 the trusted\-keys { name flag proto algo "key"; }; clauses are read.
1306 .B trust\-anchor\-signaling: \fI<yes or no>
1309 .B root\-key\-sentinel: \fI<yes or no>
1312 .B domain\-insecure: \fI<domain name>
1325 .B val\-override\-date: \fI<rrsig\-style date spec>
1329 you are debugging signature inception and expiration. The value \-1 ignores
1332 .B val\-sig\-skew\-min: \fI<seconds>
1334 A value of 10% of the signature lifetime (expiration \- inception) is
1339 .B val\-sig\-skew\-max: \fI<seconds>
1341 A value of 10% of the signature lifetime (expiration \- inception)
1348 .B val\-max\-restart: \fI<number>
1352 .B val\-bogus\-ttl: \fI<number>
1358 .B val\-clean\-additional: \fI<yes or no>
1365 .B val\-log\-level: \fI<number>
1374 .B val\-permissive\-mode: \fI<yes or no>
1382 .B ignore\-cd\-flag: \fI<yes or no>
1390 .B disable\-edns\-do: \fI<yes or no>
1404 .B serve\-expired: \fI<yes or no>
1406 TTL of \fBserve\-expired\-reply\-ttl\fR in the response.
1408 out or is taking more than serve\-expired\-client\-timeout to resolve.
1411 .B serve\-expired\-ttl: \fI<seconds>
1414 This option only applies when \fBserve\-expired\fR is enabled.
1418 .B serve\-expired\-ttl\-reset: \fI<yes or no>
1419 Set the TTL of expired records to the \fBserve\-expired\-ttl\fR value after a
1424 .B serve\-expired\-reply\-ttl: \fI<seconds>
1426 \fBserve\-expired\-client\-timeout\fR is also used then it is RECOMMENDED to
1429 .B serve\-expired\-client\-timeout: \fI<msec>
1431 This essentially enables the serve-stale behavior as specified in
1439 .B serve\-original\-ttl: \fI<yes or no>
1443 front-end to a hidden authoritative name server. Enabling this feature does
1448 Thus, the values set using \fBcache\-min\-ttl\fR and \fBcache\-max\-ttl\fR are
1452 .B val\-nsec3\-keysize\-iterations: \fI<"list of values">
1461 .B zonemd\-permissive\-mode: \fI<yes or no>
1467 .B add\-holddown: \fI<seconds>
1468 Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
1472 .B del\-holddown: \fI<seconds>
1473 Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
1478 .B keep\-missing: \fI<seconds>
1479 Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
1483 mechanism work with zones that perform regular (non\-5011) rollovers.
1487 .B permit\-small\-holddown: \fI<yes or no>
1491 .B key\-cache\-size: \fI<number>
1496 .B key\-cache\-slabs: \fI<number>
1501 .B neg\-cache\-size: \fI<number>
1506 .B unblock\-lan\-zones: \fI<yes or no>
1513 as a (DHCP-) DNS network resolver for a group of machines, where such
1517 .B insecure\-lan\-zones: \fI<yes or no>
1520 \fIunblock\-lan\-zones\fR is used.
1522 .B local\-zone: \fI<zone> <type>
1524 there is no match from local\-data. The types are deny, refuse, static,
1528 are listed. Use local\-data: to enter data into the local zone. Answers for
1532 CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for
1533 it as detailed in the stub zone section below. A stub\-zone can be used to
1535 fetch the information. With a forward\-zone, Unbound sends queries to a server
1536 that is a recursive server to fetch the information. With an auth\-zone a
1537 zone can be loaded from file and used, it can be used like a local\-zone
1538 for users downstream, or the auth\-zone information can be used to fetch
1540 forward\-zone and auth\-zone options are described in their sections below.
1542 the local\-zone and local\-data statements allow for this, but also the
1557 as local\-data for the zone apex domain.
1564 If no local\-zone is given local\-data causes a transparent zone
1581 local\-zone: "example.com." redirect and
1582 local\-data: "example.com. A 127.0.0.1"
1589 timestamp, unbound-pid, info: zonename inform IP@port queryname type
1647 can be turned off by specifying your own local\-zone of that name, or
1651 The IP4 and IP6 localhost information is given. NS and SOA records are provided
1654 local\-zone: "localhost." redirect
1655 local\-data: "localhost. 10800 IN NS localhost."
1656 local\-data: "localhost. 10800 IN
1658 local\-data: "localhost. 10800 IN A 127.0.0.1"
1659 local\-data: "localhost. 10800 IN AAAA ::1"
1665 local\-zone: "127.in\-addr.arpa." static
1666 local\-data: "127.in\-addr.arpa. 10800 IN NS localhost."
1667 local\-data: "127.in\-addr.arpa. 10800 IN
1669 local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN
1676 local\-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1678 local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1680 NS localhost."
1681 local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1684 local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1692 local\-zone: "home.arpa." static
1693 local\-data: "home.arpa. 10800 IN NS localhost."
1694 local\-data: "home.arpa. 10800 IN
1701 local\-zone: "resolver.arpa." static
1702 local\-data: "resolver.arpa. 10800 IN NS localhost."
1703 local\-data: "resolver.arpa. 10800 IN
1707 \h'5'\fIservice.arpa (draft-ietf-dnssd-srp-25)\fR
1710 local\-zone: "service.arpa." static
1711 local\-data: "service.arpa. 10800 IN NS localhost."
1712 local\-data: "service.arpa. 10800 IN
1719 local\-zone: "onion." static
1720 local\-data: "onion. 10800 IN NS localhost."
1721 local\-data: "onion. 10800 IN
1728 local\-zone: "test." static
1729 local\-data: "test. 10800 IN NS localhost."
1730 local\-data: "test. 10800 IN
1737 local\-zone: "invalid." static
1738 local\-data: "invalid. 10800 IN NS localhost."
1739 local\-data: "invalid. 10800 IN
1744 Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to
1745 31.172.in\-addr.arpa, 168.192.in\-addr.arpa.
1746 The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS
1749 \h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR
1750 Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa,
1751 2.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2),
1752 113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa.
1753 And from 64.100.in\-addr.arpa to 127.100.in\-addr.arpa (Shared Address Space).
1772 local\-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault
1775 transparent with a local\-zone statement.
1777 .\" End of local-zone listing.
1779 .B local\-data: \fI"<resource record string>"
1781 The query has to match exactly unless you configure the local\-zone as
1782 redirect. If not matched exactly, the local\-zone type determines
1783 further processing. If local\-data is configured that is not a subdomain of
1784 a local\-zone, a transparent local\-zone is configured.
1786 local\-data: 'example. TXT "text"'.
1789 CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for
1792 .B local\-data\-ptr: \fI"IPaddr name"
1797 .B local\-zone\-tag: \fI<zone> <"list of tags">
1799 used access-control element has a matching tag. Tags must be defined in
1800 \fIdefine\-tag\fR. Enclose list of tags in quotes ("") and put spaces between
1802 list of tags for the query and local\-zone\-tag is non-empty.
1804 .B local\-zone\-override: \fI<zone> <IP netblock> <type>
1806 Use this local\-zone type, regardless of the type configured for the local\-zone
1808 access\-control\-tag\-action.
1810 .B response\-ip: \fI<IP-netblock> <action>
1817 \fIaccess-control-tag-action\fR, but there are some exceptions.
1819 Actions for \fIresponse-ip\fR are different from those for
1820 \fIlocal-zone\fR in that in case of the former there is no point of
1822 Because of this difference, the semantics of \fIresponse-ip\fR actions
1825 invalid for \fIresponse-ip\fR.
1827 faulty. The \fIdeny\fR action is non-conditional, i.e. it always
1832 .B response-ip-data: \fI<IP-netblock> <"resource record string">
1835 This specifies the action data for \fIresponse-ip\fR with action being
1837 record string" is similar to that of \fIaccess-control-tag-action\fR,
1839 If the IP-netblock is an IPv6/IPv4 prefix, the record
1842 more than one \fIresponse-ip-data\fR for the same IP-netblock.
1844 IP-netblock, following the normal rules for CNAME records.
1849 .B response-ip-tag: \fI<IP-netblock> <"list of tags">
1852 Assign tags to response IP-netblocks. If the IP address in an AAAA or
1854 IP-netblock, the specified tags are assigned to the IP address.
1855 Then, if an \fIaccess-control-tag\fR is defined for the client and it
1857 \fIaccess-control-tag-action\fR will apply.
1858 Tag matching rule is the same as that for \fIaccess-control-tag\fR and
1859 \fIlocal-zones\fR.
1860 Unlike \fIlocal-zone-tag\fR, \fIresponse-ip-tag\fR can be defined for
1861 an IP-netblock even if no \fIresponse-ip\fR is defined for that
1863 If multiple \fIresponse-ip-tag\fR options are specified for the same
1864 IP-netblock in different statements, all but the first will be
1870 \fIaccess-control-tag-action\fR that has a matching tag with
1871 \fIresponse-ip-tag\fR can be those that are "invalid" for
1872 \fIresponse-ip\fR listed above, since \fIaccess-control-tag-action\fRs
1876 \fIresponse-ip-data\fR will generally result in NOERROR/NODATA instead
1877 of NXDOMAIN, since the \fIresponse-ip\fR data are inherently type
1878 specific, and non-existence of data does not indicate anything about
1879 the existence or non-existence of the qname itself.
1881 no data for the corresponding \fIresponse-ip\fR configuration, then
1899 .B ratelimit\-size: \fI<memory size>
1905 .B ratelimit\-slabs: \fI<number>
1910 .B ratelimit\-factor: \fI<number>
1919 .B ratelimit\-backoff: \fI<yes or no>
1923 window. No traffic is allowed, except for ratelimit\-factor, until demand
1928 .B ratelimit\-for\-domain: \fI<domain> <number qps or 0>
1931 a top\-level\-domain you may want to have a higher limit than other names.
1934 .B ratelimit\-below\-domain: \fI<domain> <number qps or 0>
1939 is not changed, use ratelimit\-for\-domain to set that, you might want
1940 to use different settings for a top\-level\-domain and subdomains.
1943 .B ip\-ratelimit: \fI<number or 0>
1951 If a ratelimit for such clients is still needed, \fBip\-ratelimit\-cookie\fR
1955 .B ip\-ratelimit\-cookie: \fI<number or 0>
1966 If used, the value is suggested to be higher than \fBip\-ratelimit\fR e.g.,
1970 .B ip\-ratelimit\-size: \fI<memory size>
1976 .B ip\-ratelimit\-slabs: \fI<number>
1981 .B ip\-ratelimit\-factor: \fI<number>
1990 .B ip\-ratelimit\-backoff: \fI<yes or no>
1994 window. No traffic is allowed, except for ip\-ratelimit\-factor, until demand
1996 set ip\-ratelimit to a suspicious rate to aggressively limit unusually high
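The wait-limit family near the top of this page and the ip-ratelimit family here are the two client-side abuse controls, and both have a cookie variant that only applies to clients whose source address has been verified by a DNS cookie. The clause below is an added example, not from the manual, that puts the pieces together; the secret file path, the trusted netblock and the monitoring host address are assumptions.

```conf
server:
    # DNS cookies: a client that echoes a valid server cookie has proven it
    # can receive traffic at its source address, so it cannot be a spoofed
    # source. That is what makes the *-cookie limits safe to set higher.
    answer-cookie: yes
    cookie-secret-file: "/var/lib/unbound/cookie_secrets.txt"

    # Pending recursions per client address. A source that keeps sending
    # queries without draining the answers (building up a burst of replies)
    # stalls once this many are outstanding. Spoofed sources can only use
    # the lower, cookie-less limit.
    wait-limit: 1000
    wait-limit-cookie: 10000
    # Loopback is already at -1 (unlimited). A trusted internal netblock
    # gets more headroom; a monitoring host that fans out many concurrent
    # checks is exempted entirely. Only do the latter for addresses that
    # cannot be spoofed from outside the network edge.
    wait-limit-netblock: 10.0.0.0/8 2000
    wait-limit-cookie-netblock: 10.0.0.0/8 20000
    wait-limit-netblock: 10.0.0.250/32 -1

    # Recursion requests that have already waited this long (msec) are
    # dropped; keep it above serve-expired-client-timeout if that is used.
    discard-timeout: 1900

    # Per-client query rate in qps (0 = off). The cookie limit is meant to be
    # the higher of the two, for the same reason as above.
    ip-ratelimit: 1000
    ip-ratelimit-cookie: 10000

    # Upstream-side limit: queries per zone sent to authoritative servers,
    # with a higher ceiling for a busy TLD than for names below it.
    ratelimit: 1000
    ratelimit-for-domain: com. 5000
    ratelimit-below-domain: com. 1000
```

Both the wait-limit and ip-ratelimit counters appear in the extended statistics (extended-statistics: yes, read with unbound-control stats), so the values can be tuned against observed drops rather than guessed.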
1999 .B outbound\-msg\-retry: \fI<number>
2007 .B max\-sent\-count: \fI<number>
2009 a name, making sure large NS sets do not loop.
2014 .B max\-query\-restarts: \fI<number>
2022 .B iter\-scrub\-ns: \fI<number>
2023 Limit on the number of NS records allowed in an rrset of type NS, from the
2025 large NS sets. Default is 20.
2027 .B iter\-scrub\-cname: \fI<number>
2033 .B max\-global\-quota: \fI<number>
2039 .B fast\-server\-permil: \fI<number>
2043 servers for the remaining time. When prefetch is enabled (or serve\-expired),
2046 \fBfast\-server\-num\fR option can be used to specify the size of the fastest
2047 servers set. The default for fast\-server\-permil is 0.
2049 .B fast\-server\-num: \fI<number>
2051 use the fastest specified number of servers with the fast\-server\-permil
2054 .B answer\-cookie: \fI<yes or no>
2059 .B cookie\-secret: \fI<128 bit hex string>
2065 This option is ignored if a \fBcookie\-secret\-file\fR is
2069 .B cookie\-secret\-file: \fI<filename>
2072 \fBcookie-secret\fR option is ignored.
2076 \fIunbound\-control\fR(8) tool. Please see that manpage on how to perform a
2080 .B edns\-client\-string: \fI<IP netblock> <string>
2085 .B edns\-client\-string\-opcode: \fI<opcode>
2086 EDNS0 option code for the \fIedns\-client\-string\fR option, from 0 to 65535.
2087 A value from the `Reserved for Local/Experimental` range (65001-65534) should
2095 When the \fBval-log-level\fR option is also set to \fB2\fR, responses with
2100 .B ede\-serve\-expired: \fI<yes or no>
2101 If enabled, Unbound will attach an Extended DNS Error (RFC8914) Code 3 - Stale
2106 .B dns\-error\-reporting: \fI<yes or no>
2108 The name servers need to express support by attaching the Report-Channel EDNS0
2114 It is advised that the \fBqname\-minimisation\fR option is also enabled to
2119 .B remote\-control:
2121 enabled, the \fIunbound\-control\fR(8) utility can be used to send
2124 \fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR
2125 section for options. To setup the correct self\-signed certificates use the
2126 \fIunbound\-control\-setup\fR(8) utility.
2128 .B control\-enable: \fI<yes or no>
2132 .B control\-interface: \fI<ip address or interface name or path>
2150 .B control\-port: \fI<port number>
2156 .B control\-use\-cert: \fI<yes or no>
2157 For localhost control-interface you can disable the use of TLS by setting
2161 .B server\-key\-file: \fI<private key file>
2163 This file is generated by the \fIunbound\-control\-setup\fR utility.
2164 This file is used by the Unbound server, but not by \fIunbound\-control\fR.
2166 .B server\-cert\-file: \fI<certificate file.pem>
2168 This file is generated by the \fIunbound\-control\-setup\fR utility.
2169 This file is used by the Unbound server, and also by \fIunbound\-control\fR.
2171 .B control\-key\-file: \fI<private key file>
2173 This file is generated by the \fIunbound\-control\-setup\fR utility.
2174 This file is used by \fIunbound\-control\fR.
2176 .B control\-cert\-file: \fI<certificate file.pem>
2179 This file is generated by the \fIunbound\-control\-setup\fR utility.
2180 This file is used by \fIunbound\-control\fR.
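Two remote-control: layouts, as an added example rather than text from the manual. Only one of them belongs in a real configuration; they differ in how the control channel is exposed. The socket path and config directory are assumptions; the four key and certificate file names are the defaults that unbound-control-setup(8) writes.

```conf
# Variant A: unix domain socket. Who may issue control commands is decided
# by the socket's (and its directory's) filesystem permissions. For a path
# control-interface TLS is not used, so no key or certificate is needed.
remote-control:
    control-enable: yes
    control-interface: "/run/unbound/control.sock"

# Variant B: TCP, loopback only. Keep control-use-cert at yes so that an
# unprivileged local process without the client key cannot drive the
# daemon; binding 0.0.0.0 instead would expose the control channel to the
# network. unbound-control reads the same clause to find its key pair.
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-interface: ::1
    control-port: 8953
    control-use-cert: yes
    server-key-file: "/etc/unbound/unbound_server.key"
    server-cert-file: "/etc/unbound/unbound_server.pem"
    control-key-file: "/etc/unbound/unbound_control.key"
    control-cert-file: "/etc/unbound/unbound_control.pem"
```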
2184 .B stub\-zone:
2192 This is useful for company\-local data or private zones. Setup an
2195 .B stub\-addr:
2208 Consider adding \fBserver:\fR statements for \fBdomain\-insecure:\fR and
2209 for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally
2212 (reverse\-) zone bypass Unbound's filtering of RFC1918 zones.
2217 .B stub\-host: \fI<domain name>
2223 configured tls\-port.
2225 .B stub\-addr: \fI<IP address>
2231 configured tls\-port.
2233 .B stub\-prime: \fI<yes or no>
2234 This option is by default no. If enabled it performs NS set priming,
2239 .B stub\-first: \fI<yes or no>
2245 .B stub\-tls\-upstream: \fI<yes or no>
2249 .B stub\-ssl\-upstream: \fI<yes or no>
2250 Alternate syntax for \fBstub\-tls\-upstream\fR.
2252 .B stub\-tcp\-upstream: \fI<yes or no>
2253 If it is set to "yes" then upstream queries use TCP only for transport regardless of global flag tcp-upstream.
2256 .B stub\-no\-cache: \fI<yes or no>
2262 .B forward\-zone:
2265 forward the queries to. The servers listed as \fBforward\-host:\fR and
2266 \fBforward\-addr:\fR have to handle further recursion for the query. Thus,
2273 A forward\-zone entry with name "." and a forward\-addr target will
2280 .B forward\-host: \fI<domain name>
2286 configured tls\-port.
2288 .B forward\-addr: \fI<IP address>
2294 configured tls\-port.
2297 If you leave out the '#' and auth name from the forward\-addr, any
2298 name is accepted. The cert must also match a CA from the tls\-cert\-bundle.
2300 .B forward\-first: \fI<yes or no>
2305 .B forward\-tls\-upstream: \fI<yes or no>
2308 If you enable this, also configure a tls\-cert\-bundle or use tls\-win\-cert to
2311 .B forward\-ssl\-upstream: \fI<yes or no>
2312 Alternate syntax for \fBforward\-tls\-upstream\fR.
2314 .B forward\-tcp\-upstream: \fI<yes or no>
2315 If it is set to "yes" then upstream queries use TCP only for transport regardless of global flag tcp-upstream.
2318 .B forward\-no\-cache: \fI<yes or no>
2323 Authority zones are configured with \fBauth\-zone:\fR, and each one must
2324 have a \fBname:\fR. There can be multiple ones, by listing multiple auth\-zone clauses, each with a different name, pertaining to that part of the namespace.
2326 Authority zones can be processed on two distinct, non-exclusive, configurable
2329 With \fBfor\-downstream:\fR \fIyes\fR (default), authority zones are processed
2330 after \fBlocal\-zones\fR and before cache.
2336 With \fBfor\-upstream:\fR \fIyes\fR (default), authority zones are processed
2347 An interesting configuration is \fBfor\-downstream:\fR \fIno\fR,
2348 \fBfor\-upstream:\fR \fIyes\fR that allows for hyperlocal behavior where both
2387 the SOA refresh timer is used to wait for making new downloads. If also
2391 For https, the \fBtls\-cert\-bundle\fR and the hostname from the url are used
2397 "http://192.0.2.1/unbound-primaries/example.com.zone", with an explicit IP address.
2399 .B allow\-notify: \fI<IP address or host name or netblockIP/prefix>
2400 With allow\-notify you can specify additional sources of notifies.
2407 .B fallback\-enabled: \fI<yes or no>
2412 .B for\-downstream: \fI<yes or no>
2417 zone but have a local copy of zone data. If for\-downstream is no and
2418 for\-upstream is yes, then Unbound will DNSSEC validate the contents of the
2422 .B for\-upstream: \fI<yes or no>
2429 .B zonemd\-check: \fI<yes or no>
2435 .B zonemd\-reject\-absence: \fI<yes or no>
2440 failure is controlled by the \fBzonemd\-permissive\-mode\fR option, for
2456 clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and
2457 \fBlocal\-data\fR elements. Views can also contain view\-first,
2458 response\-ip, response\-ip\-data and local\-data\-ptr elements.
2460 view name in an \fBaccess\-control\-view\fR element. Options from matching
2465 Name of the view. Must be unique. This name is used in access\-control\-view
2468 .B local\-zone: \fI<zone> <type>
2469 View specific local\-zone elements. Has the same types and behaviour as the
2470 global local\-zone elements. When there is at least one local\-zone specified
2471 and view\-first is no, the default local-zones will be added to this view.
2472 Defaults can be disabled using the nodefault type. When view\-first is yes or
2473 when a view does not have a local\-zone, the global local\-zone will be used
2476 .B local\-data: \fI"<resource record string>"
2477 View specific local\-data elements. Has the same behaviour as the global
2478 local\-data elements.
2480 .B local\-data\-ptr: \fI"IPaddr name"
2481 View specific local\-data\-ptr elements. Has the same behaviour as the global
2482 local\-data\-ptr elements.
2484 .B view\-first: \fI<yes or no>
2485 If enabled, it attempts to use the global local\-zone and local\-data if there
2495 and the word "python" has to be put in the \fBmodule\-config:\fR option
2501 \fImount\fR(8). Also the \fBpython\-script:\fR path should be specified as an
2505 .B python\-script: \fI<python file>\fR
2507 added to the \fBmodule\-config:\fR option.
2516 \fBmodule\-config:\fR option. Multiple instances of dynamic libraries are
2519 The \fBdynlib\-file:\fR path should be specified as an absolute path relative
2523 .B dynlib\-file: \fI<dynlib file>\fR
2525 instance added to the \fBmodule\-config:\fR option.
2528 The dns64 module must be configured in the \fBmodule\-config:\fR directive
2532 .B dns64\-prefix: \fI<IPv6 prefix>\fR
2536 .B dns64\-synthall: \fI<yes or no>\fR
2540 .B dns64\-ignore\-aaaa: \fI<name>\fR
2547 NAT64 operation allows using a NAT64 prefix for outbound requests to IPv4-only
2550 .B do\-nat64: \fI<yes or no>\fR
2551 Use NAT64 to reach IPv4-only servers.
2552 Consider also enabling \fBprefer\-ip6\fR to prefer native IPv6 connections to
2556 .B nat64\-prefix: \fI<IPv6 prefix>\fR
2557 Use a specific NAT64 prefix to reach IPv4-only servers. Defaults to using
2558 the prefix configured in \fBdns64\-prefix\fR, which in turn defaults to
2566 \fB\-\-enable\-dnscrypt\fR.
2568 You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/\
2569 dnscrypt-wrapper/blob/master/README.md#usage
2571 .B dnscrypt\-enable: \fI<yes or no>\fR
2576 .B dnscrypt\-port: \fI<port number>
2581 .B dnscrypt\-provider: \fI<provider name>\fR
2583 \fB2.dnscrypt-cert.example.com.\fR. The name \fIMUST\fR end with a dot.
2585 .B dnscrypt\-secret\-key: \fI<path to secret key file>\fR
2589 .B dnscrypt\-provider\-cert: \fI<path to cert file>\fR
2590 Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs.
2593 .B dnscrypt\-provider\-cert\-rotated: \fI<path to cert file>\fR
2595 but do not want to advertise over \fBdnscrypt\-provider\fR's TXT record certs
2606 .B dnscrypt\-shared\-secret\-cache\-size: \fI<memory size>
2612 .B dnscrypt\-shared\-secret\-cache\-slabs: \fI<number>
2617 .B dnscrypt\-nonce\-cache\-size: \fI<memory size>
2623 .B dnscrypt\-nonce\-cache\-slabs: \fI<number>
2629 The ECS module must be configured in the \fBmodule\-config:\fR directive e.g.,
2641 allowed in the configuration using \fBsend\-client\-subnet\fR. The option will
2643 \fBclient\-subnet\-always\-forward\fR is set to yes. In this case the lookup in
2646 The maximum size of the ECS cache is controlled by 'msg-cache-size' in the
2660 This module does not interact with the \fBserve\-expired*\fR and
2663 .B send\-client\-subnet: \fI<IP address>\fR
2666 be given multiple times. Authorities not listed will not receive edns-subnet
2667 information, unless domain in query is specified in \fBclient\-subnet\-zone\fR.
2669 .B client\-subnet\-zone: \fI<domain>\fR
2671 given multiple times. Zones not listed will not receive edns-subnet information,
2672 unless hosted by authority specified in \fBsend\-client\-subnet\fR.
2674 .B client\-subnet\-always\-forward: \fI<yes or no>\fR
2676 \fBsend\-client\-subnet\fR) is applied for all queries, even if the triggering
2683 .B max\-client\-subnet\-ipv6: \fI<number>\fR
2687 .B max\-client\-subnet\-ipv4: \fI<number>\fR
2691 .B min\-client\-subnet\-ipv6: \fI<number>\fR
2696 .B min\-client\-subnet\-ipv4: \fI<number>\fR
2701 .B max\-ecs\-tree\-size\-ipv4: \fI<number>\fR
2705 .B max\-ecs\-tree\-size\-ipv6: \fI<number>\fR
2710 The IPsec module must be configured in the \fBmodule\-config:\fR directive
2712 \fB\-\-enable\-ipsecmod\fR to be enabled.
2736 \fBipsecmod-max-ttl\fR.
2740 \fBipsecmod-max-ttl\fR ensures that the A/AAAA answer given from cache is still
2743 .B ipsecmod-enabled: \fI<yes or no>\fR
2745 needs to be defined in the \fBmodule\-config:\fR directive. This option
2749 .B ipsecmod\-hook: \fI<filename>\fR
2753 must be present when the IPsec module is defined in the \fBmodule\-config:\fR
2756 .B ipsecmod-strict: \fI<yes or no>\fR
2761 .B ipsecmod\-max-ttl: \fI<seconds>\fR
2765 .B ipsecmod-ignore-bogus: \fI<yes or no>\fR
2771 .B ipsecmod\-allow: \fI<domain>\fR
2776 .B ipsecmod\-whitelist: \fI<domain>
2777 Alternate syntax for \fBipsecmod\-allow\fR.
2780 The Cache DB module must be configured in the \fBmodule\-config:\fR directive
2782 with \fB\-\-enable\-cachedb\fR.
2785 When Unbound cannot find an answer to a query in its built-in in-memory
2792 This module interacts with the \fBserve\-expired\-*\fR options and will reply
2796 \fB\-\-with\-libhiredis\fR
2806 preferably with some kind of least-recently-used eviction policy.
2807 Additionally, the \fBredis\-expire\-records\fR option can be used in order to
2831 The default database is the in-memory backend named "testframe", which,
2833 Depending on the build-time configuration, "redis" backend may also be
2836 .B secret-seed: \fI<"secret string">\fR
2845 .B cachedb-no-store: \fI<yes or no>\fR
2850 .B cachedb-check-when-serve-expired: \fI<yes or no>\fR
2852 When \fBserve\-expired\fR is enabled, without \fBserve\-expired\-client\-timeout\fR, it then
2856 If also \fBserve\-expired\-client\-timeout\fR is enabled, the expired response
2864 .B redis-server-host: \fI<server address or name>\fR
2871 .B redis-server-port: \fI<port number>\fR
2875 .B redis-server-path: \fI<unix socket path>\fR
2880 .B redis-server-password: \fI"<password>"\fR
2885 .B redis-timeout: \fI<msec>\fR
2889 re-establish a new connection later.
2892 .B redis-command-timeout: \fI<msec>\fR
2894 If 0, it uses the \fBredis\-timeout\fR value.
2897 .B redis-connect-timeout: \fI<msec>\fR
2899 If 0, it uses the \fBredis\-timeout\fR value.
2902 .B redis-expire-records: \fI<yes or no>
2905 Unbound is configured with \fBserve-expired\fR and \fBserve-expired-ttl\fR is 0,
2910 .B redis-logical-db: \fI<logical database index>
2921 .B redis-replica-server-host: \fI<server address or name>\fR
2926 This server is treated as a read-only replica server
2927 (https://redis.io/docs/management/replication/#read-only-replica).
2929 the write commands will go to the \fBredis-server-host\fR.
2932 .B redis-replica-server-port: \fI<port number>\fR
2936 .B redis-replica-server-path: \fI<unix socket path>\fR
2941 .B redis-replica-server-password: \fI"<password>"\fR
2946 .B redis-replica-timeout: \fI<msec>\fR
2950 re-establish a new connection later.
2953 .B redis-replica-command-timeout: \fI<msec>\fR
2955 If 0, it uses the \fBredis\-replica\-timeout\fR value.
2958 .B redis-replica-connect-timeout: \fI<msec>\fR
2960 If 0, it uses the \fBredis\-replica\-timeout\fR value.
2963 .B redis-replica-logical-db: \fI<logical database index>
2964 Same as \fBredis-logical-db\fR but for the Redis replica server.
2967 DNSTAP support, when compiled in by using \fB\-\-enable\-dnstap\fR, is enabled
2971 threading it does not spawn a thread, but connects per-process to the
2974 .B dnstap-enable: \fI<yes or no>
2976 and if any of the dnstap-log-..-messages options is enabled it sends logs
2979 .B dnstap-bidirectional: \fI<yes or no>
2983 .B dnstap-socket-path: \fI<file name>
2987 .B dnstap-ip: \fI<IPaddress[@port]>
2991 .B dnstap-tls: \fI<yes or no>
2992 Set this to use TLS to connect to the server specified in \fBdnstap-ip\fR.
2995 .B dnstap-tls-server-name: \fI<name of TLS authentication>
2996 The TLS server name to authenticate the server with. Used when \fBdnstap-tls\fR is enabled. If "" it is ignored, default "".
2998 .B dnstap-tls-cert-bundle: \fI<file name of cert bundle>
3003 .B dnstap-tls-client-key-file: \fI<file name>
3007 .B dnstap-tls-client-cert-file: \fI<file name>
3010 .B dnstap-send-identity: \fI<yes or no>
3014 .B dnstap-send-version: \fI<yes or no>
3018 .B dnstap-identity: \fI<string>
3022 .B dnstap-version: \fI<string>
3026 .B dnstap-sample-rate: \fI<number>
3033 .B dnstap-log-resolver-query-messages: \fI<yes or no>
3037 .B dnstap-log-resolver-response-messages: \fI<yes or no>
3041 .B dnstap-log-client-query-messages: \fI<yes or no>
3045 .B dnstap-log-client-response-messages: \fI<yes or no>
3049 .B dnstap-log-forwarder-query-messages: \fI<yes or no>
3052 .B dnstap-log-forwarder-response-messages: \fI<yes or no>
3061 The \fBrespip\fR module needs to be added to the \fBmodule-config\fR, e.g.:
3062 \fBmodule-config: "respip validator iterator"\fR.
3065 Supported actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp\-only
3066 and drop. RPZ QNAME triggers are applied after \fBlocal\-zones\fR and
3067 before \fBauth\-zones\fR.
3085 netblock.rpz-client-ip client IP address
3086 netblock.rpz-ip response IP address in the answer
3087 name.rpz-nsdname nameserver name
3088 netblock.rpz-nsip nameserver IP address
3092 of 32 or 128. For example, 24.10.100.51.198.rpz-ip is 198.51.100.10/24 and
3093 32.10.zz.db8.2001.rpz-ip is 2001:db8:0:0:0:0:0:10/32.
3099 CNAME rpz-passthru. do nothing, allow to continue
3100 CNAME rpz-drop. the query is dropped
3101 CNAME rpz-tcp-only. answer over TCP
3104 Other records like AAAA, TXT and other CNAMEs (not rpz-..) can also be used to
3132 the SOA refresh timer is used to wait for making new downloads. If also
3136 For https, the \fBtls\-cert\-bundle\fR and the hostname from the url are used
3139 .B allow\-notify: \fI<IP address or host name or netblockIP/prefix>
3140 With allow\-notify you can specify additional sources of notifies.
3152 .B rpz\-action\-override: \fI<action>
3156 .B rpz\-cname\-override: \fI<domain>
3158 \fBrpz\-action\-override\fR.
3160 .B rpz\-log: \fI<yes or no>
3163 .B rpz\-log\-name: \fI<name>
3166 .B rpz\-signal\-nxdomain\-ra: \fI<yes or no>
3171 .B for\-downstream: \fI<yes or no>
3174 monitoring scripts, that can then access the SOA information to check if
3179 need to be defined in \fBdefine\-tag\fR and can be assigned to client addresses
3180 using \fBaccess\-control\-tag\fR. Enclose list of tags in quotes ("") and put
3190 which on BSD\-32bit tops out at 30\-40 Mb after heavy usage.
3195 num\-threads: 1
3196 outgoing\-num\-tcp: 1 # this limits TCP service, uses less buffers.
3197 incoming\-num\-tcp: 1
3198 outgoing\-range: 60 # uses less memory, but less performance.
3199 msg\-buffer\-size: 8192 # note this limits service, 'no huge stuff'.
3200 msg\-cache\-size: 100k
3201 msg\-cache\-slabs: 1
3202 rrset\-cache\-size: 100k
3203 rrset\-cache\-slabs: 1
3204 infra\-cache\-numhosts: 200
3205 infra\-cache\-slabs: 1
3206 key\-cache\-size: 100k
3207 key\-cache\-slabs: 1
3208 neg\-cache\-size: 10k
3209 num\-queries\-per\-thread: 30
3210 target\-fetch\-policy: "2 1 0 0 0 0"
3211 harden\-large\-queries: "yes"
3212 harden\-short\-bufsize: "yes"
3235 \fIunbound\-checkconf\fR(8).