Lines Matching +full:disable +full:- +full:port +full:- +full:power +full:- +full:control
41 --------
46 -----------
56 The utility :doc:`unbound-checkconf(8)</manpages/unbound-checkconf>` can be
60 -------
65 .. code-block:: text
67 $ unbound -c /etc/unbound/unbound.conf
72 .. code-block:: text
80 .. code-block:: text
88 # mount --bind -n /dev/urandom /etc/unbound/dev/urandom
89 # and mount --bind -n /dev/log /etc/unbound/dev/log
97 access-control: 10.0.0.0/8 allow
98 access-control: 2001:DB8::/64 allow
101 -----------
123 .. _unbound.conf.include-toplevel:
125 For a more structural include option, the **include-toplevel:** directive can
161 time via remote control. See :doc:`unbound(8)</manpages/unbound>` and
162 :doc:`unbound-control(8)</manpages/unbound-control>` respectively.
167 @@UAHL@unbound.conf@statistics-interval@@: *<seconds>*
170 Disable with value ``0`` or ``""``.
179 @@UAHL@unbound.conf@statistics-cumulative@@: *<yes or no>*
186 @@UAHL@unbound.conf@extended-statistics@@: *<yes or no>*
188 :doc:`unbound-control(8)</manpages/unbound-control>`.
190 :doc:`unbound-control(8)</manpages/unbound-control>`.
196 @@UAHL@unbound.conf@statistics-inhibit-zero@@: *<yes or no>*
199 :doc:`unbound-control(8)</manpages/unbound-control>`.
207 @@UAHL@unbound.conf@num-threads@@: *<number>*
213 @@UAHL@unbound.conf@port@@: *<port number>*
214 The port number on which the server responds to queries.
219 @@UAHL@unbound.conf@interface@@: *<IP address or interface name[@port]>*
228 The interfaces are not changed on a reload (``kill -HUP``) but only on
231 A port number can be specified with @port (without spaces between interface
232 and port number), if not specified the default port (from
233 :ref:`port<unbound.conf.port>`) is used.
236 @@UAHL@unbound.conf@ip-address@@: *<IP address or interface name[@port]>*
241 @@UAHL@unbound.conf@interface-automatic@@: *<yes or no>*
244 This is a lot like :ref:`ip-transparent<unbound.conf.ip-transparent>`, but
246 :ref:`ip-transparent<unbound.conf.ip-transparent>` you can select which
254 @@UAHL@unbound.conf@interface-automatic-ports@@: *"<string>"*
255 List the port numbers that
256 :ref:`interface-automatic<unbound.conf.interface-automatic>` listens on.
257 If empty, the default port is listened on.
258 The port numbers are separated by spaces in the string.
261 and listen on the normal port number, by including it in the list, and
262 also HTTPS or DNS-over-TLS port numbers by putting them in the list as
268 @@UAHL@unbound.conf@outgoing-interface@@: *<IPv4/IPv6 address or IPv6 netblock>*
276 :ref:`outgoing-interface<unbound.conf.outgoing-interface>` lines, the
285 requires OS support for unprivileged non-local binds (currently only
288 :ref:`outgoing-interface<unbound.conf.outgoing-interface>` options, but do
291 Consider combining with :ref:`prefer-ip6: yes<unbound.conf.prefer-ip6>` to
296 .. code-block:: text
298 ip -6 addr add mynetblock/64 dev lo && \
299 ip -6 route add local mynetblock/64 dev lo
302 @@UAHL@unbound.conf@outgoing-range@@: *<number>*
314 @@UAHL@unbound.conf@outgoing-port-permit@@: *<port number or range>*
315 Permit Unbound to open this port or range of ports for use to send queries.
321 Give a port number or a range of the form "low-high", without spaces.
323 The :ref:`outgoing-port-permit<unbound.conf.outgoing-port-permit>` and
324 :ref:`outgoing-port-avoid<unbound.conf.outgoing-port-avoid>` statements
331 @@UAHL@unbound.conf@outgoing-port-avoid@@: *<port number or range>*
332 Do not permit Unbound to open this port or range of ports for use to send
334 Use this to make sure Unbound does not grab a port that another daemon
336 The port is avoided on all outgoing interfaces, both IPv4 and IPv6.
339 Give a port number or a range of the form "low-high", without spaces.
342 @@UAHL@unbound.conf@outgoing-num-tcp@@: *<number>*
344 If set to 0, or if :ref:`do-tcp: no<unbound.conf.do-tcp>` is set, no TCP
351 @@UAHL@unbound.conf@incoming-num-tcp@@: *<number>*
353 If set to 0, or if :ref:`do-tcp: no<unbound.conf.do-tcp>` is set, no TCP
360 @@UAHL@unbound.conf@edns-buffer-size@@: *<number>*
364 :ref:`msg-buffer-size<unbound.conf.msg-buffer-size>` (both for TCP and
370 :ref:`outgoing-num-tcp<unbound.conf.outgoing-num-tcp>`).
376 @@UAHL@unbound.conf@max-udp-size@@: *<number>*
382 Default: 1232 (same as :ref:`edns-buffer-size<unbound.conf.edns-buffer-size>`)
385 @@UAHL@unbound.conf@stream-wait-size@@: *<number>*
399 @@UAHL@unbound.conf@msg-buffer-size@@: *<number>*
410 @@UAHL@unbound.conf@msg-cache-size@@: *<number>*
418 @@UAHL@unbound.conf@msg-cache-slabs@@: *<number>*
421 Must be set to a power of 2.
423 If left unconfigured, it will be configured automatically to be a power of
424 2 close to the number of configured threads in multi-threaded environments.
429 @@UAHL@unbound.conf@num-queries-per-thread@@: *<number>*
432 out (see :ref:`jostle-timeout<unbound.conf.jostle-timeout>`), then the
441 @@UAHL@unbound.conf@jostle-timeout@@: *<msec>*
452 The effect is that the qps for long-lasting queries is about:
454 .. code-block:: text
456 (num-queries-per-thread / 2) / (average time for such long queries) qps
460 .. code-block:: text
462 (num-queries-per-thread / 2) / (jostle-timeout in whole seconds) qps per thread
469 @@UAHL@unbound.conf@delay-close@@: *<msec>*
473 close-port counters, with eg. 1500 msec.
480 @@UAHL@unbound.conf@udp-connect@@: *<yes or no>*
487 @@UAHL@unbound.conf@unknown-server-time-limit@@: *<msec>*
490 That would then avoid re-querying every initial query because it times out.
495 @@UAHL@unbound.conf@discard-timeout@@: *<msec>*
500 :ref:`serve-expired-client-timeout<unbound.conf.serve-expired-client-timeout>`
508 @@UAHL@unbound.conf@wait-limit@@: *<number>*
518 @@UAHL@unbound.conf@wait-limit-cookie@@: *<number>*
526 @@UAHL@unbound.conf@wait-limit-netblock@@: *<netblock>* *<number>*
529 :ref:`wait-limit<unbound.conf.wait-limit>`
534 The value ``-1`` disables wait limits for the netblock.
535 By default the loopback has a wait limit netblock of ``-1``, it is not
538 The loopback addresses ``127.0.0.0/8`` and ``::1/128`` are default at ``-1``.
543 @@UAHL@unbound.conf@wait-limit-cookie-netblock@@: *<netblock>* *<number>*
546 :ref:`wait-limit-cookie<unbound.conf.wait-limit-cookie>`
548 The value ``-1`` disables wait limits for the netblock.
549 The loopback addresses ``127.0.0.0/8`` and ``::1/128`` are default at ``-1``.
554 @@UAHL@unbound.conf@so-rcvbuf@@: *<number>*
556 UDP port 53 incoming queries.
558 ``netstat -su``).
568 On Solaris ``ndd -set /dev/udp udp_max_buf 8388608``.
573 @@UAHL@unbound.conf@so-sndbuf@@: *<number>*
575 UDP port 53 outgoing queries.
578 .. code-block:: text
582 can get logged, the buffer overrun is also visible by ``netstat -su``.
594 :ref:`so-rcvbuf<unbound.conf.so-rcvbuf>`.
599 @@UAHL@unbound.conf@so-reuseport@@: *<yes or no>*
609 the port and passes the option if it was available at compile time, if that
619 @@UAHL@unbound.conf@ip-transparent@@: *<yes or no>*
622 Allows you to bind to non-local interfaces.
623 For example for non-existent IP addresses that are going to exist later on,
627 :ref:`interface-automatic<unbound.conf.interface-automatic>`, but that one
639 @@UAHL@unbound.conf@ip-freebind@@: *<yes or no>*
646 :ref:`ip-transparent<unbound.conf.ip-transparent>` option is also
652 @@UAHL@unbound.conf@ip-dscp@@: *<number>*
655 The field replaces the outdated IPv4 Type-Of-Service field and the IPv6
659 @@UAHL@unbound.conf@rrset-cache-size@@: *<number>*
667 @@UAHL@unbound.conf@rrset-cache-slabs@@: *<number>*
670 Must be set to a power of 2.
672 If left unconfigured, it will be configured automatically to be a power of
673 2 close to the number of configured threads in multi-threaded environments.
678 @@UAHL@unbound.conf@cache-max-ttl@@: *<seconds>*
689 @@UAHL@unbound.conf@cache-min-ttl@@: *<seconds>*
700 @@UAHL@unbound.conf@cache-max-negative-ttl@@: *<seconds>*
708 @@UAHL@unbound.conf@cache-min-negative-ttl@@: *<seconds>*
712 :ref:`cache-min-ttl<unbound.conf.cache-min-ttl>`
720 @@UAHL@unbound.conf@infra-host-ttl@@: *<seconds>*
728 @@UAHL@unbound.conf@infra-cache-slabs@@: *<number>*
731 Must be set to a power of 2.
733 If left unconfigured, it will be configured automatically to be a power of
734 2 close to the number of configured threads in multi-threaded environments.
739 @@UAHL@unbound.conf@infra-cache-numhosts@@: *<number>*
745 @@UAHL@unbound.conf@infra-cache-min-rtt@@: *<msec>*
754 @@UAHL@unbound.conf@infra-cache-max-rtt@@: *<msec>*
761 @@UAHL@unbound.conf@infra-keep-probing@@: *<yes or no>*
766 :ref:`infra-host-ttl<unbound.conf.infra-host-ttl>` time to get probed
772 @@UAHL@unbound.conf@define-tag@@: *"<list of tags>"*
774 :ref:`local-zone<unbound.conf.local-zone>` and
775 :ref:`access-control<unbound.conf.access-control>`.
779 @@UAHL@unbound.conf@do-ip4@@: *<yes or no>*
780 Enable or disable whether IPv4 queries are answered or issued.
785 @@UAHL@unbound.conf@do-ip6@@: *<yes or no>*
786 Enable or disable whether IPv6 queries are answered or issued.
789 With this option you can disable the IPv6 transport for sending DNS
796 @@UAHL@unbound.conf@prefer-ip4@@: *<yes or no>*
806 @@UAHL@unbound.conf@prefer-ip6@@: *<yes or no>*
813 @@UAHL@unbound.conf@do-udp@@: *<yes or no>*
814 Enable or disable whether UDP queries are answered or issued.
819 @@UAHL@unbound.conf@do-tcp@@: *<yes or no>*
820 Enable or disable whether TCP queries are answered or issued.
825 @@UAHL@unbound.conf@tcp-mss@@: *<number>*
835 @@UAHL@unbound.conf@outgoing-tcp-mss@@: *<number>*
845 @@UAHL@unbound.conf@tcp-idle-timeout@@: *<msec>*
857 :ref:`edns-tcp-keepalive-timeout<unbound.conf.edns-tcp-keepalive-timeout>`
859 :ref:`edns-tcp-keepalive<unbound.conf.edns-tcp-keepalive>`
865 @@UAHL@unbound.conf@tcp-reuse-timeout@@: *<msec>*
872 @@UAHL@unbound.conf@max-reuse-tcp-queries@@: *<number>*
879 @@UAHL@unbound.conf@tcp-auth-query-timeout@@: *<number>*
885 @@UAHL@unbound.conf@edns-tcp-keepalive@@: *<yes or no>*
886 Enable or disable EDNS TCP Keepalive.
891 @@UAHL@unbound.conf@edns-tcp-keepalive-timeout@@: *<msec>*
893 :ref:`tcp-idle-timeout<unbound.conf.tcp-idle-timeout>`
895 :ref:`edns-tcp-keepalive<unbound.conf.edns-tcp-keepalive>`
905 @@UAHL@unbound.conf@sock-queue-timeout@@: *<sec>*
918 @@UAHL@unbound.conf@tcp-upstream@@: *<yes or no>*
919 Enable or disable whether the upstream queries use TCP only for transport.
923 :ref:`forward-tcp-upstream<unbound.conf.forward.forward-tcp-upstream>` or
924 :ref:`stub-tcp-upstream<unbound.conf.stub.stub-tcp-upstream>`
930 @@UAHL@unbound.conf@udp-upstream-without-downstream@@: *<yes or no>*
931 Enable UDP upstream even if :ref:`do-udp: no<unbound.conf.do-udp>` is set.
938 @@UAHL@unbound.conf@tls-upstream@@: *<yes or no>*
939 Enable or disable whether the upstream queries use TLS only for transport.
943 :ref:`tls-service-key<unbound.conf.tls-service-key>`).
946 :ref:`tls-cert-bundle<unbound.conf.tls-cert-bundle>` or use
947 :ref:`tls-win-cert<unbound.conf.tls-win-cert>` or
948 :ref:`tls-system-cert<unbound.conf.tls-system-cert>` to load CA certs,
953 :ref:`forward-tls-upstream<unbound.conf.forward.forward-tls-upstream>`.
955 :ref:`stub-tls-upstream<unbound.conf.stub.stub-tls-upstream>`.
957 :ref:`tls-upstream<unbound.conf.tls-upstream>`
959 :ref:`forward-tls-upstream<unbound.conf.forward.forward-tls-upstream>`
961 :ref:`stub-tls-upstream<unbound.conf.stub.stub-tls-upstream>`
967 @@UAHL@unbound.conf@ssl-upstream@@: *<yes or no>*
968 Alternate syntax for :ref:`tls-upstream<unbound.conf.tls-upstream>`.
972 @@UAHL@unbound.conf@tls-service-key@@: *<file>*
973 If enabled, the server provides DNS-over-TLS or DNS-over-HTTPS service on
975 :ref:`tls-port<unbound.conf.tls-port>` or
976 :ref:`https-port<unbound.conf.https-port>`.
978 certificate is in the :ref:`tls-service-pem<unbound.conf.tls-service-pem>`
980 :ref:`tls-service-key<unbound.conf.tls-service-key>` is specified.
985 :ref:`tls-port<unbound.conf.tls-port>` and
986 :ref:`https-port<unbound.conf.https-port>` do not provide normal DNS TCP
991 DNS-over-HTTPS.
996 @@UAHL@unbound.conf@ssl-service-key@@: *<file>*
997 Alternate syntax for :ref:`tls-service-key<unbound.conf.tls-service-key>`.
1000 @@UAHL@unbound.conf@tls-service-pem@@: *<file>*
1006 @@UAHL@unbound.conf@ssl-service-pem@@: *<file>*
1007 Alternate syntax for :ref:`tls-service-pem<unbound.conf.tls-service-pem>`.
1010 @@UAHL@unbound.conf@tls-port@@: *<number>*
1011 The port number on which to provide TCP TLS service.
1012 Only interfaces configured with that port number as @number get the TLS
1018 @@UAHL@unbound.conf@ssl-port@@: *<number>*
1019 Alternate syntax for :ref:`tls-port<unbound.conf.tls-port>`.
1022 @@UAHL@unbound.conf@tls-cert-bundle@@: *<file>*
1025 :file:`/etc/pki/tls/certs/ca-bundle.crt`.
1028 For example :ref:`auth-zone urls<unbound.conf.auth.url>`, and also
1029 DNS-over-TLS connections.
1035 @@UAHL@unbound.conf@ssl-cert-bundle@@: *<file>*
1036 Alternate syntax for :ref:`tls-cert-bundle<unbound.conf.tls-cert-bundle>`.
1039 @@UAHL@unbound.conf@tls-win-cert@@: *<yes or no>*
1044 Use the :ref:`tls-cert-bundle<unbound.conf.tls-cert-bundle>` option on
1051 @@UAHL@unbound.conf@tls-system-cert@@: *<yes or no>*
1053 :ref:`tls-win-cert<unbound.conf.tls-win-cert>` attribute, under a
1058 @@UAHL@unbound.conf@tls-additional-port@@: *<portnr>*
1059 List port numbers as
1060 :ref:`tls-additional-port<unbound.conf.tls-additional-port>`, and when
1061 interfaces are defined, eg. with the @port suffix, as this port number,
1062 they provide DNS-over-TLS service.
1066 @@UAHL@unbound.conf@tls-session-ticket-keys@@: *<file>*
1079 .. code-block:: text
1091 @@UAHL@unbound.conf@tls-ciphers@@: *<string with cipher list>*
1098 @@UAHL@unbound.conf@tls-ciphersuites@@: *<string with ciphersuites list>*
1106 @@UAHL@unbound.conf@pad-responses@@: *<yes or no>*
1109 :ref:`pad-responses-block-size<unbound.conf.pad-responses-block-size>`.
1114 @@UAHL@unbound.conf@pad-responses-block-size@@: *<number>*
1121 @@UAHL@unbound.conf@pad-queries@@: *<yes or no>*
1124 :ref:`pad-queries-block-size<unbound.conf.pad-queries-block-size>`.
1129 @@UAHL@unbound.conf@pad-queries-block-size@@: *<number>*
1135 @@UAHL@unbound.conf@tls-use-sni@@: *<yes or no>*
1136 Enable or disable sending the SNI extension on TLS connections.
1143 @@UAHL@unbound.conf@https-port@@: *<number>*
1144 The port number on which to provide DNS-over-HTTPS service.
1145 Only interfaces configured with that port number as @number get the HTTPS
1151 @@UAHL@unbound.conf@http-endpoint@@: *<endpoint string>*
1152 The HTTP endpoint to provide DNS-over-HTTPS service on.
1154 Default: /dns-query
1157 @@UAHL@unbound.conf@http-max-streams@@: *<number of streams>*
1159 SETTINGS frame for DNS-over-HTTPS connections.
1164 @@UAHL@unbound.conf@http-query-buffer-size@@: *<size in bytes>*
1175 @@UAHL@unbound.conf@http-response-buffer-size@@: *<size in bytes>*
1186 @@UAHL@unbound.conf@http-nodelay@@: *<yes or no>*
1187 Set TCP_NODELAY socket option on sockets used to provide DNS-over-HTTPS
1194 @@UAHL@unbound.conf@http-notls-downstream@@: *<yes or no>*
1195 Disable use of TLS for the downstream DNS-over-HTTP connections.
1201 @@UAHL@unbound.conf@proxy-protocol-port@@: *<portnr>*
1202 List port numbers as
1203 :ref:`proxy-protocol-port<unbound.conf.proxy-protocol-port>`, and when
1204 interfaces are defined, eg. with the @port suffix, as this port number,
1222 @@UAHL@unbound.conf@quic-port@@: *<number>*
1223 The port number on which to provide DNS-over-QUIC service.
1224 Only interfaces configured with that port number as @number get the QUIC
1226 The interface uses QUIC for the UDP traffic on that port number.
1231 @@UAHL@unbound.conf@quic-size@@: *<size in bytes>*
1241 @@UAHL@unbound.conf@use-systemd@@: *<yes or no>*
1242 Enable or disable systemd socket activation.
1247 @@UAHL@unbound.conf@do-daemonize@@: *<yes or no>*
1248 Enable or disable whether the Unbound server forks into the background as a
1255 @@UAHL@unbound.conf@tcp-connection-limit@@: *<IP netblock> <limit>*
1263 @@UAHL@unbound.conf@access-control@@: *<IP netblock> <action>*
1273 :ref:`refuse<unbound.conf.access-control.action.refuse>` is used.
1274 The order of the access-control statements therefore does not matter.
1276 :ref:`deny<unbound.conf.access-control.action.deny>`,
1277 :ref:`refuse<unbound.conf.access-control.action.refuse>`,
1278 :ref:`allow<unbound.conf.access-control.action.allow>`,
1279 :ref:`allow_setrd<unbound.conf.access-control.action.allow_setrd>`,
1280 :ref:`allow_snoop<unbound.conf.access-control.action.allow_snoop>`,
1281 :ref:`allow_cookie<unbound.conf.access-control.action.allow_cookie>`,
1282 :ref:`deny_non_local<unbound.conf.access-control.action.deny_non_local>` or
1283 :ref:`refuse_non_local<unbound.conf.access-control.action.refuse_non_local>`.
1286 @@UAHL@unbound.conf.access-control.action@deny@@
1289 @@UAHL@unbound.conf.access-control.action@refuse@@
1292 @@UAHL@unbound.conf.access-control.action@allow@@
1296 Non-recursive queries are refused.
1298 The :ref:`allow<unbound.conf.access-control.action.allow>` action does
1299 allow non-recursive queries to access the local-data that is
1303 This supports normal operations where non-recursive queries are made
1305 For non-recursive queries any replies from the dynamic cache are
1308 @@UAHL@unbound.conf.access-control.action@allow_setrd@@
1321 @@UAHL@unbound.conf.access-control.action@allow_snoop@@
1322 Gives non-recursive access too.
1325 non-recursive queries to examine the cache contents (for malicious
1327 However, non-recursive queries can also be a valuable debugging tool
1331 :ref:`allow_snoop<unbound.conf.access-control.action.allow_snoop>` for
1334 @@UAHL@unbound.conf.access-control.action@allow_cookie@@
1337 :ref:`answer-cookie<unbound.conf.answer-cookie>` option is enabled.
1344 of the :ref:`answer-cookie<unbound.conf.answer-cookie>` setting.
1348 @@UAHL@unbound.conf.access-control.action@deny_non_local@@
1350 :ref:`deny_non_local<unbound.conf.access-control.action.deny_non_local>`
1352 authoritative :ref:`local-data<unbound.conf.local-data>`, they are not
1356 @@UAHL@unbound.conf.access-control.action@refuse_non_local@@
1358 :ref:`refuse_non_local<unbound.conf.access-control.action.refuse_non_local>`
1360 authoritative :ref:`local-data<unbound.conf.local-data>`, they are not
1367 The default is *refused*, because that is protocol-friendly.
1372 @@UAHL@unbound.conf@access-control-tag@@: *<IP netblock> "<list of tags>"*
1373 Assign tags to :ref:`access-control<unbound.conf.access-control>`
1375 Clients using this access control element use localzones that are tagged
1378 Tags must be defined in :ref:`define-tag<unbound.conf.define-tag>`.
1381 If :ref:`access-control-tag<unbound.conf.access-control-tag>` is
1383 :ref:`access-control<unbound.conf.access-control>`, an access-control
1384 element with action :ref:`allow<unbound.conf.access-control.action.allow>`
1388 @@UAHL@unbound.conf@access-control-tag-action@@: *<IP netblock> <tag> <action>*
1389 Set action for particular tag for given access control element.
1392 :ref:`access-control-tag<unbound.conf.access-control-tag>` and
1393 :ref:`local-zone-tag<unbound.conf.local-zone-tag>` where "first" comes
1394 from the order of the :ref:`define-tag<unbound.conf.define-tag>` values.
1397 @@UAHL@unbound.conf@access-control-tag-data@@: *<IP netblock> <tag> "<resource record string>"*
1398 Set redirect data for particular tag for given access control element.
1401 @@UAHL@unbound.conf@access-control-view@@: *<IP netblock> <view name>*
1402 Set view for given access control element.
1405 @@UAHL@unbound.conf@interface-action@@: *<ip address or interface name [@port]> <action>*
1406 Similar to :ref:`access-control<unbound.conf.access-control>` but for
1410 :ref:`access-control<unbound.conf.access-control>`.
1413 :ref:`refuse<unbound.conf.access-control.action.refuse>`.
1416 :ref:`access-control<unbound.conf.access-control>` behavior.
1417 This also means that any attempt to use the **interface-\*:** options for
1419 implicit default "access-control: 127.0.0.0/8 allow" option.
1424 **access-control\*:** attribute overrides all **interface-\*:**
1428 @@UAHL@unbound.conf@interface-tag@@: *<ip address or interface name [@port]> <"list of tags">*
1429 Similar to :ref:`access-control-tag<unbound.conf.access-control-tag>` but
1435 **access-control\*:** attribute overrides all **interface-\*:**
1439 @@UAHL@unbound.conf@interface-tag-action@@: *<ip address or interface name [@port]> <tag> <action>*
1441 :ref:`access-control-tag-action<unbound.conf.access-control-tag-action>`
1447 **access-control\*:** attribute overrides all **interface-\*:**
1451 @@UAHL@unbound.conf@interface-tag-data@@: *<ip address or interface name [@port]> <tag> <"resource …
1453 :ref:`access-control-tag-data<unbound.conf.access-control-tag-data>` but
1459 **access-control\*:** attribute overrides all **interface-\*:**
1463 @@UAHL@unbound.conf@interface-view@@: *<ip address or interface name [@port]> <view name>*
1464 Similar to :ref:`access-control-view<unbound.conf.access-control-view>`
1470 **access-control\*:** attribute overrides all **interface-\*:**
1504 If given, after binding the port the user privileges are dropped.
1507 If this user is not capable of binding the port, reloads (by signal HUP)
1509 If you change the port number in the config file, and that new port number
1531 .. code-block:: text
1535 If this option is given, the :ref:`use-syslog<unbound.conf.use-syslog>`
1544 @@UAHL@unbound.conf@use-syslog@@: *<yes or no>*
1548 :ref:`use-syslog: yes<unbound.conf.use-syslog>` is set.
1553 @@UAHL@unbound.conf@log-identity@@: *<string>*
1563 @@UAHL@unbound.conf@log-time-ascii@@: *<yes or no>*
1571 @@UAHL@unbound.conf@log-time-iso@@: *<yes or no>*
1573 :ref:`log-time-ascii: yes<unbound.conf.log-time-ascii>`
1579 @@UAHL@unbound.conf@log-queries@@: *<yes or no>*
1589 @@UAHL@unbound.conf@log-replies@@: *<yes or no>*
1600 @@UAHL@unbound.conf@log-tag-queryreply@@: *<yes or no>*
1602 :ref:`log-queries<unbound.conf.log-queries>` and
1603 :ref:`log-replies<unbound.conf.log-replies>`.
1609 @@UAHL@unbound.conf@log-destaddr@@: *<yes or no>*
1610 Prints the destination address, port and type in the
1611 :ref:`log-replies<unbound.conf.log-replies>` output.
1613 port the traffic was sent to.
1618 @@UAHL@unbound.conf@log-local-actions@@: *<yes or no>*
1620 These lines are like the :ref:`local-zone type
1621 inform<unbound.conf.local-zone.type.inform>` print outs, but they are also
1627 @@UAHL@unbound.conf@log-servfail@@: *<yes or no>*
1640 .. code-block:: text
1642 kill -HUP `cat @UNBOUND_PIDFILE@`
1646 .. code-block:: text
1648 kill -TERM `cat @UNBOUND_PIDFILE@`
1655 @@UAHL@unbound.conf@root-hints@@: *<filename>*
1666 @@UAHL@unbound.conf@hide-identity@@: *<yes or no>*
1679 @@UAHL@unbound.conf@hide-version@@: *<yes or no>*
1692 @@UAHL@unbound.conf@hide-http-user-agent@@: *<yes or no>*
1693 If enabled the HTTP header User-Agent is not set.
1697 :ref:`http-user-agent<unbound.conf.http-user-agent>` below.
1702 @@UAHL@unbound.conf@http-user-agent@@: *<string>*
1703 Set the HTTP User-Agent header for outgoing HTTP requests.
1718 @@UAHL@unbound.conf@hide-trustanchor@@: *<yes or no>*
1724 @@UAHL@unbound.conf@target-fetch-policy@@: *<"list of numbers">*
1731 A value of -1 means to fetch all targets opportunistically for that
1738 while setting "-1 -1 -1 -1 -1" gives behaviour rumoured to be closer to
1744 @@UAHL@unbound.conf@harden-short-bufsize@@: *<yes or no>*
1750 @@UAHL@unbound.conf@harden-large-queries@@: *<yes or no>*
1758 @@UAHL@unbound.conf@harden-glue@@: *<yes or no>*
1764 @@UAHL@unbound.conf@harden-unverified-glue@@: *<yes or no>*
1765 Will trust only in-zone glue.
1772 @@UAHL@unbound.conf@harden-dnssec-stripped@@: *<yes or no>*
1773 Require DNSSEC data for trust-anchored zones, if such data is absent, the
1787 @@UAHL@unbound.conf@harden-below-nxdomain@@: *<yes or no>*
1795 To try to avoid this only DNSSEC-secure NXDOMAINs are used, because the old
1805 @@UAHL@unbound.conf@harden-referral-path@@: *<yes or no>*
1817 :ref:`target-fetch-policy<unbound.conf.target-fetch-policy>` to increase
1823 @@UAHL@unbound.conf@harden-algo-downgrade@@: *<yes or no>*
1842 conforming signers and/or in multi-signer configurations that don't
1848 @@UAHL@unbound.conf@harden-unknown-additional@@: *<yes or no>*
1859 @@UAHL@unbound.conf@use-caps-for-id@@: *<yes or no>*
1860 Use 0x20-encoded random bits in the query to foil spoof attempts.
1863 This feature is an experimental implementation of draft dns-0x20.
1868 @@UAHL@unbound.conf@caps-exempt@@: *<domain>*
1869 Exempt the domain so that it does not receive caps-for-id perturbed
1876 @@UAHL@unbound.conf@caps-whitelist@@: *<domain>*
1877 Alternate syntax for :ref:`caps-exempt<unbound.conf.caps-exempt>`.
1880 @@UAHL@unbound.conf@qname-minimisation@@: *<yes or no>*
1891 @@UAHL@unbound.conf@qname-minimisation-strict@@: *<yes or no>*
1893 Do not fall-back to sending full QNAME to potentially broken nameservers.
1897 :ref:`qname-minimisation<unbound.conf.qname-minimisation>` is enabled.
1902 @@UAHL@unbound.conf@aggressive-nsec@@: *<yes or no>*
1911 @@UAHL@unbound.conf@private-address@@: *<IP address or subnet>*
1917 This protects against so-called DNS Rebinding, where a user browser is
1922 the :ref:`local-data<unbound.conf.local-data>` that you configured is
1924 :ref:`private-domain<unbound.conf.private-domain>`.
1936 Adding ``::ffff:0:0/96`` stops IPv4-mapped IPv6 addresses from bypassing
1940 @@UAHL@unbound.conf@private-domain@@: *<domain name>*
1948 @@UAHL@unbound.conf@unwanted-reply-threshold@@: *<number>*
1960 @@UAHL@unbound.conf@do-not-query-address@@: *<IP address>*
1969 @@UAHL@unbound.conf@do-not-query-localhost@@: *<yes or no>*
1971 :ref:`do-not-query-address<unbound.conf.do-not-query-address>` entries,
1987 @@UAHL@unbound.conf@prefetch-key@@: *<yes or no>*
1997 @@UAHL@unbound.conf@deny-any@@: *<yes or no>*
2006 @@UAHL@unbound.conf@rrset-roundrobin@@: *<yes or no>*
2013 @@UAHL@unbound.conf@minimal-responses@@: *<yes or no>*
2028 @@UAHL@unbound.conf@disable-dnssec-lame-check@@: *<yes or no>*
2038 @@UAHL@unbound.conf@module-config@@: *"<module names>"*
2048 Setting this to just "iterator" will result in a non-validating server.
2052 You must also set trust-anchors for validation to be useful.
2071 @@UAHL@unbound.conf@trust-anchor-file@@: *<filename>*
2079 @@UAHL@unbound.conf@auto-trust-anchor-file@@: *<filename>*
2085 :ref:`trust-anchor-file<unbound.conf.trust-anchor-file>`.
2096 @@UAHL@unbound.conf@trust-anchor@@: *"<Resource Record>"*
2099 to the :ref:`trust-anchor-file<unbound.conf.trust-anchor-file>`.
2109 @@UAHL@unbound.conf@trusted-keys-file@@: *<filename>*
2112 Like :ref:`trust-anchor-file<unbound.conf.trust-anchor-file>` but has a
2114 Format is BIND-9 style format, the ``trusted-keys { name flag proto algo
2122 @@UAHL@unbound.conf@trust-anchor-signaling@@: *<yes or no>*
2128 @@UAHL@unbound.conf@root-key-sentinel@@: *<yes or no>*
2134 @@UAHL@unbound.conf@domain-insecure@@: *<domain name>*
2152 @@UAHL@unbound.conf@val-override-date@@: *<rrsig-style date spec>*
2159 The value -1 ignores the date altogether, useful for some special
2165 @@UAHL@unbound.conf@val-sig-skew-min@@: *<seconds>*
2167 A value of 10% of the signature lifetime (expiration - inception) is used,
2175 @@UAHL@unbound.conf@val-sig-skew-max@@: *<seconds>*
2177 A value of 10% of the signature lifetime (expiration - inception) is used,
2188 @@UAHL@unbound.conf@val-max-restart@@: *<number>*
2195 @@UAHL@unbound.conf@val-bogus-ttl@@: *<seconds>*
2205 @@UAHL@unbound.conf@val-clean-additional@@: *<yes or no>*
2216 @@UAHL@unbound.conf@val-log-level@@: *<number>*
2231 @@UAHL@unbound.conf@val-permissive-mode@@: *<yes or no>*
2243 @@UAHL@unbound.conf@ignore-cd-flag@@: *<yes or no>*
2246 Thus, the CD (Checking Disabled) flag does not disable checking any more.
2254 @@UAHL@unbound.conf@disable-edns-do@@: *<yes or no>*
2255 Disable the EDNS DO flag in upstream requests.
2270 @@UAHL@unbound.conf@serve-expired@@: *<yes or no>*
2272 of :ref:`serve-expired-reply-ttl<unbound.conf.serve-expired-reply-ttl>` in
2276 :ref:`serve-expired-client-timeout<unbound.conf.serve-expired-client-timeout>`
2282 @@UAHL@unbound.conf@serve-expired-ttl@@: *<seconds>*
2286 :ref:`serve-expired<unbound.conf.serve-expired>` is enabled.
2293 @@UAHL@unbound.conf@serve-expired-ttl-reset@@: *<yes or no>*
2295 :ref:`serve-expired-ttl<unbound.conf.serve-expired-ttl>` value after a
2303 @@UAHL@unbound.conf@serve-expired-reply-ttl@@: *<seconds>*
2306 :ref:`serve-expired-client-timeout<unbound.conf.serve-expired-client-timeout>`
2312 @@UAHL@unbound.conf@serve-expired-client-timeout@@: *<msec>*
2314 This essentially enables the serve-stale behavior as specified in
2317 Setting this to ``0`` will disable this behavior and instead serve the
2324 @@UAHL@unbound.conf@serve-original-ttl@@: *<yes or no>*
2328 This feature may be useful if Unbound serves as a front-end to a hidden
2340 The values set using :ref:`cache-min-ttl<unbound.conf.cache-min-ttl>`
2341 and :ref:`cache-max-ttl<unbound.conf.cache-max-ttl>` are ignored.
2346 @@UAHL@unbound.conf@val-nsec3-keysize-iterations@@: <"list of values">
2363 @@UAHL@unbound.conf@zonemd-permissive-mode@@: *<yes or no>*
2372 @@UAHL@unbound.conf@add-holddown@@: *<seconds>*
2374 :ref:`auto-trust-anchor-file<unbound.conf.auto-trust-anchor-file>` probe
2381 @@UAHL@unbound.conf@del-holddown@@: *<seconds>*
2383 :ref:`auto-trust-anchor-file<unbound.conf.auto-trust-anchor-file>` probe
2390 @@UAHL@unbound.conf@keep-missing@@: *<seconds>*
2392 :ref:`auto-trust-anchor-file<unbound.conf.auto-trust-anchor-file>` probe
2397 that perform regular (non-5011) rollovers.
2403 @@UAHL@unbound.conf@permit-small-holddown@@: *<yes or no>*
2410 @@UAHL@unbound.conf@key-cache-size@@: *<number>*
2418 @@UAHL@unbound.conf@key-cache-slabs@@: *<number>*
2421 Must be set to a power of 2.
2423 If left unconfigured, it will be configured automatically to be a power of
2424 2 close to the number of configured threads in multi-threaded environments.
2429 @@UAHL@unbound.conf@neg-cache-size@@: *<number>*
2437 @@UAHL@unbound.conf@unblock-lan-zones@@: *<yes or no>*
2445 Disable the option when Unbound is running as a (DHCP-) DNS network
2453 @@UAHL@unbound.conf@insecure-lan-zones@@: *<yes or no>*
2457 :ref:`unblock-lan-zones<unbound.conf.unblock-lan-zones>` is used.
2462 @@UAHL@unbound.conf@local-zone@@: *<zone> <type>*
2465 :ref:`local-data<unbound.conf.local-data>`.
2467 :ref:`deny<unbound.conf.local-zone.type.deny>`,
2468 :ref:`refuse<unbound.conf.local-zone.type.refuse>`,
2469 :ref:`static<unbound.conf.local-zone.type.static>`,
2470 :ref:`transparent<unbound.conf.local-zone.type.transparent>`,
2471 :ref:`redirect<unbound.conf.local-zone.type.redirect>`,
2472 :ref:`nodefault<unbound.conf.local-zone.type.nodefault>`,
2473 :ref:`typetransparent<unbound.conf.local-zone.type.typetransparent>`,
2474 :ref:`inform<unbound.conf.local-zone.type.inform>`,
2475 :ref:`inform_deny<unbound.conf.local-zone.type.inform_deny>`,
2476 :ref:`inform_redirect<unbound.conf.local-zone.type.inform_redirect>`,
2477 :ref:`always_transparent<unbound.conf.local-zone.type.always_transparent>`,
2478 :ref:`block_a<unbound.conf.local-zone.type.block_a>`,
2479 :ref:`always_refuse<unbound.conf.local-zone.type.always_refuse>`,
2480 :ref:`always_nxdomain<unbound.conf.local-zone.type.always_nxdomain>`,
2481 :ref:`always_null<unbound.conf.local-zone.type.always_null>`,
2482 :ref:`noview<unbound.conf.local-zone.type.noview>`,
2485 Use :ref:`local-data<unbound.conf.local-data>` to enter data into the
2492 setup a :ref:`stub-zone<unbound.conf.stub>` for it as detailed in the
2494 A :ref:`stub-zone<unbound.conf.stub>` can be used to have Unbound
2497 With a :ref:`forward-zone<unbound.conf.forward>`, Unbound sends
2499 With an :ref:`auth-zone<unbound.conf.auth>` a zone can be loaded from
2501 the :ref:`auth-zone<unbound.conf.auth>` information can be used to fetch
2503 The :ref:`forward-zone<unbound.conf.forward>` and
2504 :ref:`auth-zone<unbound.conf.auth>` options are described in their
2507 fetch, the :ref:`local-zone<unbound.conf.local-zone>` and
2508 :ref:`local-data<unbound.conf.local-data>` statements allow for this, but
2512 @@UAHL@unbound.conf.local-zone.type@deny@@
2516 @@UAHL@unbound.conf.local-zone.type@refuse@@
2520 @@UAHL@unbound.conf.local-zone.type@static@@
2524 :ref:`local-data<unbound.conf.local-data>` for the zone apex domain.
2526 @@UAHL@unbound.conf.local-zone.type@transparent@@
2527 If there is a match from :ref:`local-data<unbound.conf.local-data>`,
2532 :ref:`local-data<unbound.conf.local-data>` but no such type of data is
2534 If no :ref:`local-zone<unbound.conf.local-zone>` is given
2535 :ref:`local-data<unbound.conf.local-data>` causes a transparent zone
2538 @@UAHL@unbound.conf.local-zone.type@typetransparent@@
2543 :ref:`transparent<unbound.conf.local-zone.type.transparent>` but types
2548 @@UAHL@unbound.conf.local-zone.type@redirect@@
2556 .. code-block:: text
2558 local-zone: "example.com." redirect
2559 local-data: "example.com. A 127.0.0.1"
2565 @@UAHL@unbound.conf.local-zone.type@inform@@
2567 :ref:`transparent<unbound.conf.local-zone.type.transparent>`.
2571 .. code-block:: text
2573 timestamp, unbound-pid, info: zonename inform IP@port queryname type class.
2578 @@UAHL@unbound.conf.local-zone.type@inform_deny@@
2580 :ref:`deny<unbound.conf.local-zone.type.deny>`, and logged, like
2581 :ref:`inform<unbound.conf.local-zone.type.inform>`.
2584 @@UAHL@unbound.conf.local-zone.type@inform_redirect@@
2586 :ref:`redirect<unbound.conf.local-zone.type.redirect>`, and logged,
2587 like :ref:`inform<unbound.conf.local-zone.type.inform>`.
2590 @@UAHL@unbound.conf.local-zone.type@always_transparent@@
2591 Like :ref:`transparent<unbound.conf.local-zone.type.transparent>`, but
2594 @@UAHL@unbound.conf.local-zone.type@block_a@@
2595 Like :ref:`transparent<unbound.conf.local-zone.type.transparent>`, but
2601 @@UAHL@unbound.conf.local-zone.type@always_refuse@@
2602 Like :ref:`refuse<unbound.conf.local-zone.type.refuse>`, but ignores
2605 @@UAHL@unbound.conf.local-zone.type@always_nxdomain@@
2606 Like :ref:`static<unbound.conf.local-zone.type.static>`, but ignores
2609 @@UAHL@unbound.conf.local-zone.type@always_nodata@@
2610 Like :ref:`static<unbound.conf.local-zone.type.static>`, but ignores
2613 @@UAHL@unbound.conf.local-zone.type@always_deny@@
2614 Like :ref:`deny<unbound.conf.local-zone.type.deny>`, but ignores local
2617 @@UAHL@unbound.conf.local-zone.type@always_null@@
2619 Like :ref:`redirect<unbound.conf.local-zone.type.redirect>` with zero
2624 @@UAHL@unbound.conf.local-zone.type@noview@@
2627 If the :ref:`view-first<unbound.conf.view.view-first>` is no, it'll
2629 If :ref:`view-first<unbound.conf.view.view-first>` is enabled, it'll
2634 @@UAHL@unbound.conf.local-zone.type@nodefault@@
2637 The :ref:`nodefault<unbound.conf.local-zone.type.nodefault>` option has
2639 Use :ref:`nodefault<unbound.conf.local-zone.type.nodefault>` if you use
2641 :ref:`transparent<unbound.conf.local-zone.type.transparent>`.
2653 :ref:`local-zone<unbound.conf.local-zone>` of that name, or using the
2654 :ref:`nodefault<unbound.conf.local-zone.type.nodefault>` type.
2657 @@UAHL@unbound.conf.local-zone.defaults@localhost@@
2663 .. code-block:: text
2665 local-zone: "localhost." redirect
2666 local-data: "localhost. 10800 IN NS localhost."
2667 … local-data: "localhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
2668 local-data: "localhost. 10800 IN A 127.0.0.1"
2669 local-data: "localhost. 10800 IN AAAA ::1"
2671 @@UAHL@unbound.conf.local-zone.defaults@reverse IPv4 loopback@@
2674 .. code-block:: text
2676 local-zone: "127.in-addr.arpa." static
2677 local-data: "127.in-addr.arpa. 10800 IN NS localhost."
2678 … local-data: "127.in-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
2679 local-data: "1.0.0.127.in-addr.arpa. 10800 IN PTR localhost."
2681 @@UAHL@unbound.conf.local-zone.defaults@reverse IPv6 loopback@@
2684 .. code-block:: text
2686 … local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." static
2687 …local-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN NS…
2688 …local-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN SO…
2689 …local-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN PT…
2691 @@UAHL@unbound.conf.local-zone.defaults@home.arpa@@ (:rfc:`8375`)
2694 .. code-block:: text
2696 local-zone: "home.arpa." static
2697 local-data: "home.arpa. 10800 IN NS localhost."
2698 … local-data: "home.arpa. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
2700 @@UAHL@unbound.conf.local-zone.defaults@resolver.arpa@@ (:rfc:`9462`)
2703 .. code-block:: text
2705 local-zone: "resolver.arpa." static
2706 local-data: "resolver.arpa. 10800 IN NS localhost."
2707 … local-data: "resolver.arpa. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
2709 @@UAHL@unbound.conf.local-zone.defaults@service.arpa@@ (draft-ietf-dnssd-srp-25)
2712 .. code-block:: text
2714 local-zone: "service.arpa." static
2715 local-data: "service.arpa. 10800 IN NS localhost."
2716 … local-data: "service.arpa. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
2718 @@UAHL@unbound.conf.local-zone.defaults@onion@@ (:rfc:`7686`)
2721 .. code-block:: text
2723 local-zone: "onion." static
2724 local-data: "onion. 10800 IN NS localhost."
2725 local-data: "onion. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
2727 @@UAHL@unbound.conf.local-zone.defaults@test@@ (:rfc:`6761`)
2730 .. code-block:: text
2732 local-zone: "test." static
2733 local-data: "test. 10800 IN NS localhost."
2734 local-data: "test. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
2736 @@UAHL@unbound.conf.local-zone.defaults@invalid@@ (:rfc:`6761`)
2739 .. code-block:: text
2741 local-zone: "invalid." static
2742 local-data: "invalid. 10800 IN NS localhost."
2743 local-data: "invalid. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
2745 @@UAHL@unbound.conf.local-zone.defaults@reverse local use zones@@ (:rfc:`1918`)
2746 Reverse data for zones ``10.in-addr.arpa``, ``16.172.in-addr.arpa`` to
2747 ``31.172.in-addr.arpa``, ``168.192.in-addr.arpa``.
2748 The :ref:`local-zone<unbound.conf.local-zone>` is set static and as
2749 :ref:`local-data<unbound.conf.local-data>` SOA and NS records are
2752 @@UAHL@unbound.conf.local-zone.defaults@special-use IPv4 Addresses@@ (:rfc:`3330`)
2753 Reverse data for zones ``0.in-addr.arpa`` (this), ``254.169.in-addr.arpa`` (link-local),
2754 ``2.0.192.in-addr.arpa`` (TEST NET 1), ``100.51.198.in-addr.arpa``
2755 (TEST NET 2), ``113.0.203.in-addr.arpa`` (TEST NET 3),
2756 ``255.255.255.255.in-addr.arpa`` (broadcast).
2757 And from ``64.100.in-addr.arpa`` to ``127.100.in-addr.arpa`` (Shared
2760 @@UAHL@unbound.conf.local-zone.defaults@reverse IPv6 unspecified@@ (:rfc:`4291`)
2764 …@@UAHL@unbound.conf.local-zone.defaults@reverse IPv6 Locally Assigned Local Addresses@@ (:rfc:`419…
2767 @@UAHL@unbound.conf.local-zone.defaults@reverse IPv6 Link Local Addresses@@ (:rfc:`4291`)
2770 @@UAHL@unbound.conf.local-zone.defaults@reverse IPv6 Example Prefix@@
2775 .. code-block:: text
2777 local-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault
2780 transparent with a :ref:`local-zone<unbound.conf.local-zone>` statement.
2784 @@UAHL@unbound.conf@local-data@@: *"<resource record string>"*
2787 :ref:`local-zone<unbound.conf.local-zone>` as redirect.
2788 If not matched exactly, the :ref:`local-zone<unbound.conf.local-zone>`
2790 If :ref:`local-data<unbound.conf.local-data>` is configured that is not a
2791 subdomain of a :ref:`local-zone<unbound.conf.local-zone>`, a
2792 :ref:`transparent local-zone<unbound.conf.local-zone.type.transparent>` is
2796 .. code-block:: text
2798 local-data: 'example. TXT "text"'
2803 a :ref:`stub-zone<unbound.conf.stub>` for it as detailed in the stub
2807 @@UAHL@unbound.conf@local-data-ptr@@: *"IPaddr name"*
2814 @@UAHL@unbound.conf@local-zone-tag@@: *<zone> <"list of tags">*
2817 :ref:`access-control<unbound.conf.access-control>` element has a matching
2819 Tags must be defined in :ref:`define-tag<unbound.conf.define-tag>`.
2822 tags for the query and :ref:`local-zone-tag<unbound.conf.local-zone-tag>`
2823 is non-empty.
2826 @@UAHL@unbound.conf@local-zone-override@@: *<zone> <IP netblock> <type>*
2830 :ref:`access-control-tag-action<unbound.conf.access-control-tag-action>`.
2833 @@UAHL@unbound.conf@response-ip@@: *<IP-netblock> <action>*
2839 :ref:`access-control-tag-action<unbound.conf.access-control-tag-action>`,
2842 Actions for :ref:`response-ip<unbound.conf.response-ip>` are different
2843 from those for :ref:`local-zone<unbound.conf.local-zone>` in that in case
2847 :ref:`response-ip<unbound.conf.response-ip>` actions are modified or
2849 *typetransparent*, and *nodefault* actions are invalid for *response-ip*.
2851 The *deny* action is non-conditional, i.e. it always results in dropping
2857 @@UAHL@unbound.conf@response-ip-data@@: *<IP-netblock> <"resource record string">*
2861 :ref:`response-ip<unbound.conf.response-ip>` with action being to redirect
2864 :ref:`access-control-tag-action<unbound.conf.access-control-tag-action>`,
2866 If the *<IP-netblock>* is an IPv6/IPv4 prefix, the record must be AAAA/A
2870 :ref:`response-ip-data<unbound.conf.response-ip-data>` for the same
2871 *<IP-netblock>*.
2873 *<IP-netblock>*, following the normal rules for CNAME records.
2879 @@UAHL@unbound.conf@response-ip-tag@@: *<IP-netblock> <"list of tags">*
2882 Assign tags to response *<IP-netblock>*.
2884 matches the specified *<IP-netblock>*, the specified tags are assigned to
2886 Then, if an :ref:`access-control-tag<unbound.conf.access-control-tag>` is
2889 :ref:`access-control-tag-action<unbound.conf.access-control-tag-action>`
2892 :ref:`access-control-tag<unbound.conf.access-control-tag>` and
2893 :ref:`local-zone<unbound.conf.local-zone>`.
2894 Unlike :ref:`local-zone-tag<unbound.conf.local-zone-tag>`,
2895 :ref:`response-ip-tag<unbound.conf.response-ip-tag>` can be defined for an
2896 *<IP-netblock>* even if no :ref:`response-ip<unbound.conf.response-ip>` is
2898 If multiple :ref:`response-ip-tag<unbound.conf.response-ip-tag>` options
2899 are specified for the same *<IP-netblock>* in different statements, all but
2905 :ref:`access-control-tag-action<unbound.conf.access-control-tag-action>`
2907 :ref:`response-ip-tag<unbound.conf.response-ip-tag>` can be those that are
2908 "invalid" for :ref:`response-ip<unbound.conf.response-ip>` listed above,
2910 :ref:`access-control-tag-action<unbound.conf.access-control-tag-action>`
2914 :ref:`response-ip-data<unbound.conf.response-ip-data>` will generally
2916 :ref:`response-ip<unbound.conf.response-ip>` data are inherently type
2917 specific, and non-existence of data does not indicate anything about the
2918 existence or non-existence of the qname itself.
2920 the corresponding :ref:`response-ip<unbound.conf.response-ip>`
2923 :ref:`always_nxdomain<unbound.conf.local-zone.type.always_nxdomain>`
2949 @@UAHL@unbound.conf@ratelimit-size@@: *<memory size>*
2959 @@UAHL@unbound.conf@ratelimit-slabs@@: *<number>*
2962 Must be set to a power of 2.
2964 If left unconfigured, it will be configured automatically to be a power of
2965 2 close to the number of configured threads in multi-threaded environments.
2970 @@UAHL@unbound.conf@ratelimit-factor@@: *<number>*
2983 @@UAHL@unbound.conf@ratelimit-backoff@@: *<yes or no>*
2989 :ref:`ratelimit-factor<unbound.conf.ratelimit-factor>`, until demand
2997 @@UAHL@unbound.conf@ratelimit-for-domain@@: *<domain> <number qps or 0>*
3001 For example, for a top-level-domain you may want to have a higher limit
3003 A value of 0 will disable ratelimiting for that domain.
3006 @@UAHL@unbound.conf@ratelimit-below-domain@@: *<domain> <number qps or 0>*
3013 :ref:`ratelimit-for-domain<unbound.conf.ratelimit-for-domain>` to set
3014 that, you might want to use different settings for a top-level-domain and
3016 A value of 0 will disable ratelimiting for domain names that end in this
3020 @@UAHL@unbound.conf@ip-ratelimit@@: *<number or 0>*
3030 :ref:`ip-ratelimit-cookie<unbound.conf.ip-ratelimit-cookie>`
3036 @@UAHL@unbound.conf@ip-ratelimit-cookie@@: *<number or 0>*
3045 :ref:`allow_cookie<unbound.conf.access-control.action.allow_cookie>`, in an
3050 :ref:`ip-ratelimit<unbound.conf.ip-ratelimit>` e.g., tenfold.
3055 @@UAHL@unbound.conf@ip-ratelimit-size@@: *<memory size>*
3065 @@UAHL@unbound.conf@ip-ratelimit-slabs@@: *<number>*
3068 Must be set to a power of 2.
3070 If left unconfigured, it will be configured automatically to be a power of
3071 2 close to the number of configured threads in multi-threaded environments.
3076 @@UAHL@unbound.conf@ip-ratelimit-factor@@: *<number>*
3089 @@UAHL@unbound.conf@ip-ratelimit-backoff@@: *<yes or no>*
3095 :ref:`ip-ratelimit-factor<unbound.conf.ip-ratelimit-factor>`, until demand
3097 Useful to set :ref:`ip-ratelimit<unbound.conf.ip-ratelimit>` to a
3103 @@UAHL@unbound.conf@outbound-msg-retry@@: *<number>*
3113 @@UAHL@unbound.conf@max-sent-count@@: *<number>*
3122 @@UAHL@unbound.conf@max-query-restarts@@: *<number>*
3132 @@UAHL@unbound.conf@iter-scrub-ns@@: *<number>*
3140 @@UAHL@unbound.conf@iter-scrub-cname@@: *<number>*
3150 @@UAHL@unbound.conf@max-global-quota@@: *<number>*
3159 @@UAHL@unbound.conf@iter-scrub-promiscuous@@: *<yes or no>*
3167 @@UAHL@unbound.conf@fast-server-permil@@: *<number>*
3174 :ref:`serve-expired<unbound.conf.serve-expired>`), such prefetches are not
3177 The :ref:`fast-server-num<unbound.conf.fast-server-num>` option can be
3183 @@UAHL@unbound.conf@fast-server-num@@: *<number>*
3186 :ref:`fast-server-permil<unbound.conf.fast-server-permil>` option, that
3192 @@UAHL@unbound.conf@answer-cookie@@: *<yes or no>*
3199 @@UAHL@unbound.conf@cookie-secret@@: *"<128 bit hex string>"*
3207 :ref:`cookie-secret-file<unbound.conf.cookie-secret-file>` is present.
3214 @@UAHL@unbound.conf@cookie-secret-file@@: *<filename>*
3218 :ref:`cookie-secret<unbound.conf.cookie-secret>` option is ignored.
3222 :ref:`add_cookie_secret<unbound-control.commands.add_cookie_secret>`,
3223 :ref:`drop_cookie_secret<unbound-control.commands.drop_cookie_secret>` and
3224 :ref:`activate_cookie_secret<unbound-control.commands.activate_cookie_secret>`
3225 commands to the :doc:`unbound-control(8)</manpages/unbound-control>` tool.
3231 @@UAHL@unbound.conf@edns-client-string@@: *<IP netblock> <string>*
3238 @@UAHL@unbound.conf@edns-client-string-opcode@@: *<opcode>*
3240 :ref:`edns-client-string<unbound.conf.edns-client-string>` option, from 0
3242 A value from the 'Reserved for Local/Experimental' range (65001-65534)
3254 When the :ref:`val-log-level<unbound.conf.val-log-level>` option is also
3262 @@UAHL@unbound.conf@ede-serve-expired@@: *<yes or no>*
3264 - Stale Answer* as EDNS0 option to the expired response.
3273 @@UAHL@unbound.conf@dns-error-reporting@@: *<yes or no>*
3275 The name servers need to express support by attaching the Report-Channel
3285 :ref:`qname-minimisation<unbound.conf.qname-minimisation>` option is also
3292 Remote Control Options
3295 In the **remote-control:** clause are the declarations for the remote control
3297 If this is enabled, the :doc:`unbound-control(8)</manpages/unbound-control>`
3300 The :doc:`unbound-control(8)</manpages/unbound-control>` utility also reads the
3301 **remote-control:** section for options.
3302 To setup the correct self-signed certificates use the
3303 *unbound-control-setup(8)* utility.
3306 @@UAHL@unbound.conf.remote@control-enable@@: *<yes or no>*
3307 The option is used to enable remote control.
3308 If turned off, the server does not listen for control commands.
3313 @@UAHL@unbound.conf.remote@control-interface@@: *<IP address or interface name or path>*
3314 Give IPv4 or IPv6 addresses or local socket path to listen on for control
3329 members to access the control socket file.
3331 To restrict access further, create a directory to put the control socket in
3335 @@UAHL@unbound.conf.remote@control-port@@: *<port number>*
3336 The port number to listen on for IPv4 or IPv6 control interfaces.
3345 @@UAHL@unbound.conf.remote@control-use-cert@@: *<yes or no>*
3347 :ref:`control-interface<unbound.conf.remote.control-interface>` you can
3348 disable the use of TLS by setting this option to "no".
3354 @@UAHL@unbound.conf.remote@server-key-file@@: *<private key file>*
3357 :doc:`unbound-control-setup(8)</manpages/unbound-control>` utility.
3359 :doc:`unbound-control(8)</manpages/unbound-control>`.
3364 @@UAHL@unbound.conf.remote@server-cert-file@@: *<certificate file.pem>*
3367 :doc:`unbound-control-setup(8)</manpages/unbound-control>` utility.
3369 :doc:`unbound-control(8)</manpages/unbound-control>`.
3374 @@UAHL@unbound.conf.remote@control-key-file@@: *<private key file>*
3375 Path to the control client private key.
3377 :doc:`unbound-control-setup(8)</manpages/unbound-control>` utility.
3378 This file is used by :doc:`unbound-control(8)</manpages/unbound-control>`.
3383 @@UAHL@unbound.conf.remote@control-cert-file@@: *<certificate file.pem>*
3384 Path to the control client certificate.
3387 :doc:`unbound-control-setup(8)</manpages/unbound-control>` utility.
3388 This file is used by :doc:`unbound-control(8)</manpages/unbound-control>`.
3397 There may be multiple **stub-zone:** clauses.
3407 This is useful for company-local data or private zones.
3408 Setup an authoritative server on a different host (or different port).
3411 .. code-block:: text
3413 stub-addr: <ip address of host[@port]>
3427 :ref:`domain-insecure<unbound.conf.domain-insecure>` and for
3428 :ref:`local-zone: \<name\> nodefault<unbound.conf.local-zone.type.nodefault>`
3431 The :ref:`local-zone: nodefault<unbound.conf.local-zone.type.nodefault>` (or
3432 :ref:`transparent<unbound.conf.local-zone.type.transparent>`) clause makes the
3433 (reverse-) zone bypass Unbound's filtering of :rfc:`1918` zones.
3441 @@UAHL@unbound.conf.stub@stub-host@@: *<domain name>*
3445 To use a non-default port for DNS communication append ``'@'`` with the
3446 port number.
3452 If only ``'#'`` is used the default port is the configured
3453 :ref:`tls-port<unbound.conf.tls-port>`.
3456 @@UAHL@unbound.conf.stub@stub-addr@@: *<IP address>*
3460 To use a non-default port for DNS communication append ``'@'`` with the
3461 port number.
3467 If only ``'#'`` is used the default port is the configured
3468 :ref:`tls-port<unbound.conf.tls-port>`.
3471 @@UAHL@unbound.conf.stub@stub-prime@@: *<yes or no>*
3481 @@UAHL@unbound.conf.stub@stub-first@@: *<yes or no>*
3489 @@UAHL@unbound.conf.stub@stub-tls-upstream@@: *<yes or no>*
3490 Enable or disable whether the queries to this stub use TLS for transport.
3495 @@UAHL@unbound.conf.stub@stub-ssl-upstream@@: *<yes or no>*
3497 :ref:`stub-tls-upstream<unbound.conf.stub.stub-tls-upstream>`.
3500 @@UAHL@unbound.conf.stub@stub-tcp-upstream@@: *<yes or no>*
3502 regardless of global flag :ref:`tcp-upstream<unbound.conf.tcp-upstream>`.
3507 @@UAHL@unbound.conf.stub@stub-no-cache@@: *<yes or no>*
3518 There may be multiple **forward-zone:** clauses.
3523 The servers listed as :ref:`forward-host<unbound.conf.forward.forward-host>`
3524 and :ref:`forward-addr<unbound.conf.forward.forward-addr>` have to handle
3533 A :ref:`forward-zone<unbound.conf.forward>` entry with name
3534 ``"."`` and a :ref:`forward-addr<unbound.conf.forward.forward-addr>` target
3544 @@UAHL@unbound.conf.forward@forward-host@@: *<domain name>*
3548 To use a non-default port for DNS communication append ``'@'`` with the
3549 port number.
3555 If only ``'#'`` is used the default port is the configured
3556 :ref:`tls-port<unbound.conf.tls-port>`.
3559 @@UAHL@unbound.conf.forward@forward-addr@@: *<IP address>*
3563 To use a non-default port for DNS communication append ``'@'`` with the
3564 port number.
3570 If only ``'#'`` is used the default port is the configured
3571 :ref:`tls-port<unbound.conf.tls-port>`.
3575 :ref:`forward-addr<unbound.conf.forward.forward-addr>`, any name is
3578 :ref:`tls-cert-bundle<unbound.conf.tls-cert-bundle>`.
3581 @@UAHL@unbound.conf.forward@forward-first@@: *<yes or no>*
3589 @@UAHL@unbound.conf.forward@forward-tls-upstream@@: *<yes or no>*
3590 Enable or disable whether the queries to this forwarder use TLS for
3593 :ref:`tls-cert-bundle<unbound.conf.tls-cert-bundle>` or use
3594 :ref:`tls-win-cert<unbound.conf.tls-win-cert>` to load CA certs, otherwise
3600 @@UAHL@unbound.conf.forward@forward-ssl-upstream@@: *<yes or no>*
3602 :ref:`forward-tls-upstream<unbound.conf.forward.forward-tls-upstream>`.
3605 @@UAHL@unbound.conf.forward@forward-tcp-upstream@@: *<yes or no>*
3607 regardless of global flag :ref:`tcp-upstream<unbound.conf.tcp-upstream>`.
3612 @@UAHL@unbound.conf.forward@forward-no-cache@@: *<yes or no>*
3623 Authority zones are configured with **auth-zone:**, and each one must have a
3625 There can be multiple ones, by listing multiple auth-zone clauses, each with a
3628 Authority zones can be processed on two distinct, non-exclusive, configurable
3631 With :ref:`for-downstream: yes<unbound.conf.auth.for-downstream>` (default),
3632 authority zones are processed after **local-zones** and before cache.
3638 With :ref:`for-upstream: yes<unbound.conf.auth.for-upstream>` (default),
3650 :ref:`for-downstream: no<unbound.conf.auth.for-downstream>`,
3651 :ref:`for-upstream: yes<unbound.conf.auth.for-upstream>`
3681 To use a non-default port for DNS communication append ``'@'`` with the
3682 port number.
3707 .. code-block:: text
3720 For HTTPS, the :ref:`tls-cert-bundle<unbound.conf.tls-cert-bundle>` and
3729 ``"http://192.0.2.1/unbound-primaries/example.com.zone"``, with an explicit
3733 @@UAHL@unbound.conf.auth@allow-notify@@: *<IP address or host name or netblockIP/prefix>*
3734 With :ref:`allow-notify<unbound.conf.auth.allow-notify>` you can specify
3748 @@UAHL@unbound.conf.auth@fallback-enabled@@: *<yes or no>*
3756 @@UAHL@unbound.conf.auth@for-downstream@@: *<yes or no>*
3765 If :ref:`for-downstream: no<unbound.conf.auth.for-downstream>` and
3766 :ref:`for-upstream: yes<unbound.conf.auth.for-upstream>` are set, then
3774 @@UAHL@unbound.conf.auth@for-upstream@@: *<yes or no>*
3786 @@UAHL@unbound.conf.auth@zonemd-check@@: *<yes or no>*
3796 @@UAHL@unbound.conf.auth@zonemd-reject-absence@@: *<yes or no>*
3800 It is useful to enable for a non-DNSSEC signed zone where the operator
3805 :ref:`zonemd-permissive-mode<unbound.conf.zonemd-permissive-mode>` option,
3830 :ref:`local-zone<unbound.conf.view.local-zone>` and
3831 :ref:`local-data<unbound.conf.view.local-data>` attributes.
3832 Views can also contain :ref:`view-first<unbound.conf.view.view-first>`,
3833 :ref:`response-ip<unbound.conf.response-ip>`,
3834 :ref:`response-ip-data<unbound.conf.response-ip-data>` and
3835 :ref:`local-data-ptr<unbound.conf.view.local-data-ptr>` attributes.
3837 :ref:`access-control-view<unbound.conf.access-control-view>` attribute.
3847 :ref:`access-control-view<unbound.conf.access-control-view>` attribute.
3850 @@UAHL@unbound.conf.view@local-zone@@: *<zone> <type>*
3853 :ref:`local-zone<unbound.conf.local-zone>` elements.
3854 When there is at least one *local-zone:* specified and :ref:`view-first:
3855 no<unbound.conf.view.view-first>` is set, the default local-zones will be
3858 When :ref:`view-first: yes<unbound.conf.view.view-first>` is set or when a
3859 view does not have a :ref:`local-zone<unbound.conf.view.local-zone>`, the
3860 global :ref:`local-zone<unbound.conf.local-zone>` will be used including
3864 @@UAHL@unbound.conf.view@local-data@@: *"<resource record string>"*
3867 :ref:`local-data<unbound.conf.local-data>` elements.
3870 @@UAHL@unbound.conf.view@local-data-ptr@@: *"IPaddr name"*
3871 View specific local-data-ptr elements.
3873 :ref:`local-data-ptr<unbound.conf.local-data-ptr>` elements.
3876 @@UAHL@unbound.conf.view@view-first@@: *<yes or no>*
3878 :ref:`local-zone<unbound.conf.local-zone>` and
3879 :ref:`local-data<unbound.conf.local-data>` if there is no match in the
3892 :ref:`module-config<unbound.conf.module-config>` option (usually first, or
3900 Also the :ref:`python-script<unbound.conf.python.python-script>` path should
3905 @@UAHL@unbound.conf.python@python-script@@: *<python file>*
3908 :ref:`module-config<unbound.conf.module-config>` option.
3918 :ref:`module-config<unbound.conf.module-config>` attribute.
3922 The :ref:`dynlib-file<unbound.conf.dynlib.dynlib-file>` path should be
3928 @@UAHL@unbound.conf.dynlib@dynlib-file@@: *<dynlib file>*
3931 :ref:`module-config<unbound.conf.module-config>` option.
3937 :ref:`module-config<unbound.conf.module-config>` directive, e.g.:
3939 .. code-block:: text
3941 module-config: "dns64 validator iterator"
3949 @@UAHL@unbound.conf.dns64@dns64-prefix@@: *<IPv6 prefix>*
3956 @@UAHL@unbound.conf.dns64@dns64-synthall@@: *<yes or no>*
3965 @@UAHL@unbound.conf.dns64@dns64-ignore-aaaa@@: *<domain name>*
3975 NAT64 operation allows using a NAT64 prefix for outbound requests to IPv4-only
3981 @@UAHL@unbound.conf.nat64@do-nat64@@: *<yes or no>*
3982 Use NAT64 to reach IPv4-only servers.
3983 Consider also enabling :ref:`prefer-ip6<unbound.conf.prefer-ip6>`
3989 @@UAHL@unbound.conf.nat64@nat64-prefix@@: *<IPv6 prefix>*
3990 Use a specific NAT64 prefix to reach IPv4-only servers.
3993 Default: 64:ff9b::/96 (same as :ref:`dns64-prefix<unbound.conf.dns64.dns64-prefix>`)
4000 compiled with ``--enable-dnscrypt``.
4002 You can use dnscrypt-wrapper to generate those:
4003 https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
4006 @@UAHL@unbound.conf.dnscrypt@dnscrypt-enable@@: *<yes or no>*
4013 @@UAHL@unbound.conf.dnscrypt@dnscrypt-port@@: *<port number>*
4014 On which port dnscrypt should be activated.
4018 :ref:`server:<unbound.conf.server>` section for this port.
4021 @@UAHL@unbound.conf.dnscrypt@dnscrypt-provider@@: *<provider name>*
4025 .. code-block:: text
4027 2.dnscrypt-cert.example.com.
4032 @@UAHL@unbound.conf.dnscrypt@dnscrypt-secret-key@@: *<path to secret key file>*
4037 @@UAHL@unbound.conf.dnscrypt@dnscrypt-provider-cert@@: *<path to cert file>*
4039 :ref:`dnscrypt-secret-key<unbound.conf.dnscrypt.dnscrypt-secret-key>`.
4043 @@UAHL@unbound.conf.dnscrypt@dnscrypt-provider-cert-rotated@@: *<path to cert file>*
4046 :ref:`dnscrypt-provider<unbound.conf.dnscrypt.dnscrypt-provider>` 's TXT
4063 @@UAHL@unbound.conf.dnscrypt@dnscrypt-shared-secret-cache-size@@: *<memory size>*
4074 @@UAHL@unbound.conf.dnscrypt@dnscrypt-shared-secret-cache-slabs@@: *<number>*
4077 Must be set to a power of 2.
4079 If left unconfigured, it will be configured automatically to be a power of
4080 2 close to the number of configured threads in multi-threaded environments.
4085 @@UAHL@unbound.conf.dnscrypt@dnscrypt-nonce-cache-size@@: *<memory size>*
4094 @@UAHL@unbound.conf.dnscrypt@dnscrypt-nonce-cache-slabs@@: *<number>*
4097 Must be set to a power of 2.
4099 If left unconfigured, it will be configured automatically to be a power of
4100 2 close to the number of configured threads in multi-threaded environments.
4108 :ref:`module-config<unbound.conf.module-config>` directive, e.g.:
4110 .. code-block:: text
4112 module-config: "subnetcache validator iterator"
4129 :ref:`send-client-subnet<unbound.conf.ecs.send-client-subnet>`.
4131 :ref:`client-subnet-always-forward: yes<unbound.conf.ecs.client-subnet-always-forward>`
4136 :ref:`msg-cache-size<unbound.conf.msg-cache-size>` in the configuration file.
4151 :ref:`serve-expired\*<unbound.conf.serve-expired>` and
4155 @@UAHL@unbound.conf.ecs@send-client-subnet@@: *<IP address>*
4160 Authorities not listed will not receive edns-subnet information, unless
4162 :ref:`client-subnet-zone<unbound.conf.ecs.client-subnet-zone>`.
4165 @@UAHL@unbound.conf.ecs@client-subnet-zone@@: *<domain>*
4168 Zones not listed will not receive edns-subnet information, unless hosted by
4170 :ref:`send-client-subnet<unbound.conf.ecs.send-client-subnet>`.
4173 @@UAHL@unbound.conf.ecs@client-subnet-always-forward@@: *<yes or no>*
4175 :ref:`send-client-subnet<unbound.conf.ecs.send-client-subnet>`) is applied
4186 @@UAHL@unbound.conf.ecs@max-client-subnet-ipv6@@: *<number>*
4193 @@UAHL@unbound.conf.ecs@max-client-subnet-ipv4@@: *<number>*
4200 @@UAHL@unbound.conf.ecs@min-client-subnet-ipv6@@: *<number>*
4209 @@UAHL@unbound.conf.ecs@min-client-subnet-ipv4@@: *<number>*
4217 @@UAHL@unbound.conf.ecs@max-ecs-tree-size-ipv4@@: *<number>*
4225 @@UAHL@unbound.conf.ecs@max-ecs-tree-size-ipv6@@: *<number>*
4236 :ref:`module-config<unbound.conf.module-config>` directive, e.g.:
4238 .. code-block:: text
4240 module-config: "ipsecmod validator iterator"
4242 and be compiled into Unbound by using ``--enable-ipsecmod`` to be enabled.
4270 :ref:`ipsecmod-max-ttl<unbound.conf.ipsecmod-max-ttl>`.
4275 :ref:`ipsecmod-max-ttl<unbound.conf.ipsecmod-max-ttl>` ensures that the A/AAAA
4279 @@UAHL@unbound.conf@ipsecmod-enabled@@: *<yes or no>*
4282 :ref:`module-config<unbound.conf.module-config>` directive.
4289 @@UAHL@unbound.conf@ipsecmod-hook@@: *<filename>*
4295 :ref:`module-config<unbound.conf.module-config>` directive.
4298 @@UAHL@unbound.conf@ipsecmod-strict@@: *<yes or no>*
4307 @@UAHL@unbound.conf@ipsecmod-max-ttl@@: *<seconds>*
4314 @@UAHL@unbound.conf@ipsecmod-ignore-bogus@@: *<yes or no>*
4325 @@UAHL@unbound.conf@ipsecmod-allow@@: *<domain>*
4333 @@UAHL@unbound.conf@ipsecmod-whitelist@@: *<domain>*
4334 Alternate syntax for :ref:`ipsecmod-allow<unbound.conf.ipsecmod-allow>`.
4340 :ref:`module-config<unbound.conf.module-config>` directive, e.g.:
4342 .. code-block:: text
4344 module-config: "validator cachedb iterator"
4346 and be compiled into the daemon with ``--enable-cachedb``.
4350 built-in in-memory cache, it consults the specified backend.
4356 This module interacts with the *serve-expired-\** options and will reply with
4359 If Unbound was built with ``--with-libhiredis`` on a system that has installed
4369 size, preferably with some kind of least-recently-used eviction policy.
4372 :ref:`redis-expire-records<unbound.conf.cachedb.redis-expire-records>` option
4394 The default database is the in-memory backend named ``testframe``, which,
4396 Depending on the build-time configuration, ``redis`` backend may also be
4402 @@UAHL@unbound.conf.cachedb@secret-seed@@: *"<secret string>"*
4413 @@UAHL@unbound.conf.cachedb@cachedb-no-store@@: *<yes or no>*
4421 @@UAHL@unbound.conf.cachedb@cachedb-check-when-serve-expired@@: *<yes or no>*
4424 :ref:`serve-expired<unbound.conf.serve-expired>`
4426 :ref:`serve-expired-client-timeout<unbound.conf.serve-expired-client-timeout>`
4431 :ref:`serve-expired-client-timeout<unbound.conf.serve-expired-client-timeout>`
4440 @@UAHL@unbound.conf.cachedb@redis-server-host@@: *<server address or name>*
4449 @@UAHL@unbound.conf.cachedb@redis-server-port@@: *<port number>*
4450 The TCP port number of the Redis server.
4455 @@UAHL@unbound.conf.cachedb@redis-server-path@@: *<unix socket path>*
4462 @@UAHL@unbound.conf.cachedb@redis-server-password@@: *"<password>"*
4469 @@UAHL@unbound.conf.cachedb@redis-timeout@@: *<msec>*
4472 Redis server does not have the requested data, and will try to re-establish
4478 @@UAHL@unbound.conf.cachedb@redis-command-timeout@@: *<msec>*
4481 :ref:`redis-timeout<unbound.conf.cachedb.redis-timeout>`
4487 @@UAHL@unbound.conf.cachedb@redis-connect-timeout@@: *<msec>*
4490 :ref:`redis-timeout<unbound.conf.cachedb.redis-timeout>`
4496 @@UAHL@unbound.conf.cachedb@redis-expire-records@@: *<yes or no>*
4501 :ref:`serve-expired<unbound.conf.serve-expired>` and
4502 :ref:`serve-expired-ttl: 0<unbound.conf.serve-expired-ttl>`, this option is
4511 @@UAHL@unbound.conf.cachedb@redis-logical-db@@: *<logical database index>*
4524 @@UAHL@unbound.conf.cachedb@redis-replica-server-host@@: *<server address or name>*
4530 This server is treated as a read-only replica server
4531 (https://redis.io/docs/management/replication/#read-only-replica).
4534 :ref:`redis-server-host<unbound.conf.cachedb.redis-server-host>`.
4539 @@UAHL@unbound.conf.cachedb@redis-replica-server-port@@: *<port number>*
4540 The TCP port number of the Redis replica server.
4545 @@UAHL@unbound.conf.cachedb@redis-replica-server-path@@: *<unix socket path>*
4552 @@UAHL@unbound.conf.cachedb@redis-replica-server-password@@: *"<password>"*
4559 @@UAHL@unbound.conf.cachedb@redis-replica-timeout@@: *<msec>*
4563 Redis server does not have the requested data, and will try to re-establish
4569 @@UAHL@unbound.conf.cachedb@redis-replica-command-timeout@@: *<msec>*
4572 :ref:`redis-replica-timeout<unbound.conf.cachedb.redis-replica-timeout>`
4578 @@UAHL@unbound.conf.cachedb@redis-replica-connect-timeout@@: *<msec>*
4581 :ref:`redis-replica-timeout<unbound.conf.cachedb.redis-replica-timeout>`
4587 @@UAHL@unbound.conf.cachedb@redis-replica-logical-db@@: *<logical database index>*
4588 Same as :ref:`redis-logical-db<unbound.conf.cachedb.redis-logical-db>` but
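The cachedb options above, combined into one working configuration, as an added example that is not taken from the Unbound documentation or source. The module order, the Redis backend and the option names are the ones this section lists; the addresses, the seed string and the password are placeholders.

```text
server:
    # cachedb sits between the validator and the iterator: validated answers
    # are stored, and a cache hit never reaches the iterator.
    module-config: "validator cachedb iterator"

cachedb:
    backend: "redis"
    # Every instance sharing this Redis store must use the same seed; it is
    # folded into the lookup key, so a mismatch shows up as cache misses, not
    # errors. Treat it, and the password below, as secrets: the file holds
    # them in cleartext, so keep it readable only by the unbound user.
    secret-seed: "replace-with-a-long-random-string"
    cachedb-no-store: no
    cachedb-check-when-serve-expired: yes

    # Primary (read/write) server. A unix socket path, when set, replaces
    # host/port and keeps the cache traffic off the network.
    redis-server-host: 127.0.0.1
    redis-server-port: 6379
    # redis-server-path: "/run/redis/redis.sock"
    redis-server-password: "redis-auth-password"
    redis-logical-db: 0
    redis-connect-timeout: 200
    redis-command-timeout: 100
    # no (the default) leaves expiry to Unbound, so expired records stay
    # available to serve-expired
    redis-expire-records: no

    # Optional read-only replica used for lookups; writes go to the primary.
    redis-replica-server-host: 127.0.0.2
    redis-replica-server-port: 6379
    redis-replica-server-password: "redis-auth-password"
    redis-replica-logical-db: 0
    redis-replica-connect-timeout: 200
    redis-replica-command-timeout: 100
```

Run `unbound-checkconf` after editing; it catches an option placed in the wrong clause (a `redis-*` key under `server:` for instance) before a reload does.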
4599 DNSTAP support, when compiled in by using ``--enable-dnstap``, is enabled in
4604 connects per-process to the destination.
4607 @@UAHL@unbound.conf.dnstap@dnstap-enable@@: *<yes or no>*
4610 *dnstap-log-..-messages:* options is enabled it sends logs for those
4616 @@UAHL@unbound.conf.dnstap@dnstap-bidirectional@@: *<yes or no>*
4622 @@UAHL@unbound.conf.dnstap@dnstap-socket-path@@: *<file name>*
4629 @@UAHL@unbound.conf.dnstap@dnstap-ip@@: *<IPaddress[@port]>*
4636 @@UAHL@unbound.conf.dnstap@dnstap-tls@@: *<yes or no>*
4638 :ref:`dnstap-ip<unbound.conf.dnstap.dnstap-ip>`.
4644 @@UAHL@unbound.conf.dnstap@dnstap-tls-server-name@@: *<name of TLS authentication>*
4646 Used when :ref:`dnstap-tls: yes<unbound.conf.dnstap.dnstap-tls>` is set.
4652 @@UAHL@unbound.conf.dnstap@dnstap-tls-cert-bundle@@: *<file name of cert bundle>*
4660 @@UAHL@unbound.conf.dnstap@dnstap-tls-client-key-file@@: *<file name>*
4667 @@UAHL@unbound.conf.dnstap@dnstap-tls-client-cert-file@@: *<file name>*
4673 @@UAHL@unbound.conf.dnstap@dnstap-send-identity@@: *<yes or no>*
4679 @@UAHL@unbound.conf.dnstap@dnstap-send-version@@: *<yes or no>*
4685 @@UAHL@unbound.conf.dnstap@dnstap-identity@@: *<string>*
4691 @@UAHL@unbound.conf.dnstap@dnstap-version@@: *<string>*
4697 @@UAHL@unbound.conf.dnstap@dnstap-sample-rate@@: *<number>*
4708 @@UAHL@unbound.conf.dnstap@dnstap-log-resolver-query-messages@@: *<yes or no>*
4715 @@UAHL@unbound.conf.dnstap@dnstap-log-resolver-response-messages@@: *<yes or no>*
4722 @@UAHL@unbound.conf.dnstap@dnstap-log-client-query-messages@@: *<yes or no>*
4729 @@UAHL@unbound.conf.dnstap@dnstap-log-client-response-messages@@: *<yes or no>*
4736 @@UAHL@unbound.conf.dnstap@dnstap-log-forwarder-query-messages@@: *<yes or no>*
4742 @@UAHL@unbound.conf.dnstap@dnstap-log-forwarder-response-messages@@: *<yes or no>*
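The dnstap options above assembled into a collector configuration that authenticates both ends, as an added example that is not from the Unbound documentation or source. Option names are those listed in this section; the collector address, server name, file paths and identity string are placeholders.

```text
dnstap:
    dnstap-enable: yes
    # Bidirectional Frame Streams: the collector acknowledges the stream
    # start, so a dead or mismatched collector is noticed instead of logs
    # being silently dropped.
    dnstap-bidirectional: yes

    # Local unix socket or TCP collector; when dnstap-ip is set the socket
    # path is not used. Query logs leave the host here, so wrap them in TLS.
    # dnstap-socket-path: "/run/unbound/dnstap.sock"
    dnstap-ip: "192.0.2.53@6000"
    dnstap-tls: yes
    # name the collector certificate is checked for, against this CA bundle
    dnstap-tls-server-name: "dnstap-collector.example.net"
    dnstap-tls-cert-bundle: "/etc/unbound/dnstap-ca.pem"
    # client certificate so the collector can refuse unknown senders
    dnstap-tls-client-key-file: "/etc/unbound/dnstap-client.key"
    dnstap-tls-client-cert-file: "/etc/unbound/dnstap-client.pem"

    dnstap-send-identity: yes
    dnstap-send-version: yes
    dnstap-identity: "resolver1.example.net"

    # Client-facing messages only. Upstream (resolver/forwarder) traffic is
    # the chattiest and is rarely the first thing an investigation needs.
    dnstap-log-client-query-messages: yes
    dnstap-log-client-response-messages: yes
    dnstap-log-resolver-query-messages: no
    dnstap-log-resolver-response-messages: no
    dnstap-log-forwarder-query-messages: no
    dnstap-log-forwarder-response-messages: no
```

Start with client messages and add the resolver/forwarder pairs only when the collector has the capacity: every upstream exchange is logged separately, so enabling all six on a busy resolver multiplies the volume.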
4760 :ref:`module-config<unbound.conf.module-config>`, e.g.:
4762 .. code-block:: text
4764 module-config: "respip validator iterator"
4767 Supported actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp-only
4770 :ref:`local-zone<unbound.conf.local-zone>` and before any
4771 :ref:`auth-zone<unbound.conf.auth>`.
4783 .. code-block:: text
4789 .. code-block:: text
4792 netblock.rpz-client-ip client IP address
4793 netblock.rpz-ip response IP address in the answer
4794 name.rpz-nsdname nameserver name
4795 netblock.rpz-nsip nameserver IP address
4800 For example, ``24.10.100.51.198.rpz-ip`` is ``198.51.100.10/24`` and
4801 ``32.10.zz.db8.2001.rpz-ip`` is ``2001:db8:0:0:0:0:0:10/32``.
4805 .. code-block:: text
4809 CNAME rpz-passthru. do nothing, allow to continue
4810 CNAME rpz-drop. the query is dropped
4811 CNAME rpz-tcp-only. answer over TCP
4814 Other records like AAAA, TXT and other CNAMEs (not rpz-..) can also be used to
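The trigger encoding and the CNAME-encoded actions above, as an added example that is not part of Unbound or its documentation: a Python encoder/decoder for the reversed-netblock owner names and a builder for RPZ policy records. The zone name `rpz.example.`, the `qname` label used for plain-name triggers, and the `CNAME .` / `CNAME *.` encodings for NXDOMAIN and NODATA (standard RPZ, but not shown in this excerpt) are assumptions.

```python
"""RPZ trigger encoding and policy-record construction.

Added example, not code from Unbound: it implements the owner-name layout and
the CNAME action targets described in this section. The zone name
'rpz.example.' and the 'qname' trigger label for plain-name triggers are
placeholders chosen here.
"""
import ipaddress

IP_TRIGGERS = ("rpz-client-ip", "rpz-ip", "rpz-nsip")   # netblock-keyed triggers
NAME_TRIGGERS = ("rpz-nsdname",)                        # nameserver-name trigger

# Action name -> record data. The three rpz-* targets are the ones listed on
# this page; "CNAME ." (NXDOMAIN) and "CNAME *." (NODATA) are the standard RPZ
# encodings and are assumed here.
ACTIONS = {
    "NXDOMAIN": "CNAME .",
    "NODATA": "CNAME *.",
    "PASSTHRU": "CNAME rpz-passthru.",
    "DROP": "CNAME rpz-drop.",
    "TCP-ONLY": "CNAME rpz-tcp-only.",
}


def encode_ip_trigger(netblock: str, trigger: str = "rpz-ip") -> str:
    """'198.51.100.10/24' -> '24.10.100.51.198.rpz-ip'.

    Owner labels are the prefix length followed by the address components in
    reverse order. For IPv6 the '::' of the text form becomes the label 'zz'.
    Host bits are kept as written (the 2001:db8::10/32 example keeps its 10).
    """
    if trigger not in IP_TRIGGERS:
        raise ValueError(f"{trigger!r} is not an IP trigger")
    iface = ipaddress.ip_interface(netblock)        # keeps host bits, unlike ip_network
    if iface.version == 4:
        labels = str(iface.ip).split(".")
    else:
        text = iface.ip.compressed                  # shortest form, at most one '::'
        labels = text.replace("::", ":zz:").strip(":").split(":")
    return f"{iface.network.prefixlen}." + ".".join(reversed(labels)) + f".{trigger}"


def decode_ip_trigger(owner: str) -> tuple:
    """Inverse of encode_ip_trigger: returns (netblock, trigger).

    Labels after the trigger (the RPZ zone name) are ignored. Rejects owner
    names whose prefix length does not fit the address family.
    """
    labels = owner.rstrip(".").split(".")
    pos = next((i for i, lab in enumerate(labels) if lab in IP_TRIGGERS), None)
    if pos is None or pos < 2:
        raise ValueError(f"not an RPZ IP trigger owner name: {owner!r}")
    prefixlen = int(labels[0])
    addr = list(reversed(labels[1:pos]))
    if len(addr) == 4 and "zz" not in addr and all(lab.isdigit() for lab in addr):
        text = ".".join(addr)                       # IPv4: four decimal labels
    else:
        head, sep, tail = ":".join(addr).partition("zz")
        text = head.rstrip(":") + "::" + tail.lstrip(":") if sep else head
    ip = ipaddress.ip_address(text)                 # raises ValueError on garbage
    if prefixlen > ip.max_prefixlen:
        raise ValueError(f"/{prefixlen} does not fit {ip}")
    return f"{ip}/{prefixlen}", labels[pos]


def rpz_record(trigger: str, value: str, action: str,
               zone: str = "rpz.example.") -> str:
    """One zone-file line: <owner>.<zone> <action RDATA>."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}; known: {sorted(ACTIONS)}")
    if trigger == "qname":                          # the queried name itself
        owner = value.rstrip(".")
    elif trigger in NAME_TRIGGERS:
        owner = f"{value.rstrip('.')}.{trigger}"
    elif trigger in IP_TRIGGERS:
        owner = encode_ip_trigger(value, trigger)
    else:
        raise ValueError(f"unknown trigger {trigger!r}")
    return f"{owner}.{zone} {ACTIONS[action]}"


if __name__ == "__main__":
    # Constructed policy: drop anything served by one netblock's name servers,
    # answer NXDOMAIN for a name, exempt an internal client range, and force
    # TCP for answers in a v6 block. Then round-trip the page's two owner names.
    lines = [
        rpz_record("rpz-nsip", "192.0.2.0/24", "DROP"),
        rpz_record("qname", "bad.example.", "NXDOMAIN"),
        rpz_record("rpz-client-ip", "10.0.0.0/8", "PASSTHRU"),
        rpz_record("rpz-ip", "2001:db8::10/32", "TCP-ONLY"),
    ]
    print("\n".join(lines))
    for owner in ("24.10.100.51.198.rpz-ip", "32.10.zz.db8.2001.rpz-ip"):
        print(owner, "->", decode_ip_trigger(owner))
```

The encoder deliberately keeps host bits rather than masking them, which is what the `2001:db8:0:0:0:0:0:10/32` example on this page does; the decoder's prefix-length check is the one worth keeping when ingesting third-party RPZ feeds, since a malformed owner name silently matches nothing.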
4830 To use a non-default port for DNS communication append ``'@'`` with the
4831 port number.
4856 .. code-block:: text
4869 For HTTPS, the :ref:`tls-cert-bundle<unbound.conf.tls-cert-bundle>` and
4873 @@UAHL@unbound.conf.rpz@allow-notify@@: *<IP address or host name or netblockIP/prefix>*
4874 With :ref:`allow-notify<unbound.conf.rpz.allow-notify>` you can specify
4895 @@UAHL@unbound.conf.rpz@rpz-action-override@@: *<action>*
4901 @@UAHL@unbound.conf.rpz@rpz-cname-override@@: *<domain>*
4903 :ref:`rpz-action-override<unbound.conf.rpz.rpz-action-override>`.
4906 @@UAHL@unbound.conf.rpz@rpz-log@@: *<yes or no>*
4912 @@UAHL@unbound.conf.rpz@rpz-log-name@@: *<name>*
4916 @@UAHL@unbound.conf.rpz@rpz-signal-nxdomain-ra@@: *<yes or no>*
4925 @@UAHL@unbound.conf.rpz@for-downstream@@: *<yes or no>*
4937 Tags need to be defined in :ref:`define-tag<unbound.conf.define-tag>` and
4939 :ref:`access-control-tag<unbound.conf.access-control-tag>` or
4940 :ref:`interface-tag<unbound.conf.interface-tag>`.
4946 Memory Control Example
4947 ----------------------
4956 Use the defaults to receive full service, which on BSD-32bit tops out at 30-40
4959 .. code-block:: text
4963 num-threads: 1
4964 outgoing-num-tcp: 1 # this limits TCP service, uses less buffers.
4965 incoming-num-tcp: 1
4966 outgoing-range: 60 # uses less memory, but less performance.
4967 msg-buffer-size: 8192 # note this limits service, 'no huge stuff'.
4968 msg-cache-size: 100k
4969 msg-cache-slabs: 1
4970 rrset-cache-size: 100k
4971 rrset-cache-slabs: 1
4972 infra-cache-numhosts: 200
4973 infra-cache-slabs: 1
4974 key-cache-size: 100k
4975 key-cache-slabs: 1
4976 neg-cache-size: 10k
4977 num-queries-per-thread: 30
4978 target-fetch-policy: "2 1 0 0 0 0"
4979 harden-large-queries: "yes"
4980 harden-short-bufsize: "yes"
4983 -----
5002 --------
5005 :doc:`unbound-checkconf(8)</manpages/unbound-checkconf>`.