From: Frank Brehm Date: Sat, 17 Dec 2016 17:45:40 +0000 (+0100) Subject: saving uncommitted changes in /etc prior to emerge run X-Git-Url: https://git.uhu-banane.org/?a=commitdiff_plain;h=0e76f3f1d0c4950e85dc3e8deb9d6515391fe715;p=config%2Fbruni%2Fetc.git saving uncommitted changes in /etc prior to emerge run --- diff --git a/init.d/unbound b/init.d/unbound index f17d0720..a1682800 100755 --- a/init.d/unbound +++ b/init.d/unbound @@ -1,4 +1,4 @@ -#!/sbin/runscript +#!/sbin/openrc-run # Copyright 1999-2011 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 # $Id$ diff --git a/unbound/unbound.conf b/unbound/unbound.conf index 1d78e03d..632bc592 100644 --- a/unbound/unbound.conf +++ b/unbound/unbound.conf @@ -1,14 +1,14 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.5.1. +# See unbound.conf(5) man page, version 1.5.10. # # this is a comment. #Use this to include other text into the file. #include: "otherfile.conf" -# The server clause sets the main parameters. +# The server clause sets the main parameters. server: # whitespace is not necessary, but looks cleaner. @@ -40,7 +40,7 @@ server: # interface: 2001:DB8::5 # enable this feature to copy the source address of queries to reply. - # Socket options are not supported on all platforms. experimental. + # Socket options are not supported on all platforms. experimental. # interface-automatic: no # port to answer queries from @@ -52,6 +52,15 @@ server: # outgoing-interface: 192.0.2.153 # outgoing-interface: 2001:DB8::5 # outgoing-interface: 2001:DB8::6 + + # Specify a netblock to use remainder 64 bits as random bits for + # upstream queries. Uses freebind option (Linux). + # outgoing-interface: 2001:DB8::/64 + # Also (Linux:) ip -6 addr add 2001:db8::/64 dev lo + # And: ip -6 route add local 2001:db8::/64 dev lo + # And set prefer-ip6: yes to use the ip6 randomness from a netblock. + # Set this to yes to prefer ipv6 upstream servers over ipv4. + # prefer-ip6: no # number of ports to allocate per thread, determines the size of the # port range that can be open simultaneously. About double the @@ -84,10 +93,20 @@ server: # buffer size for UDP port 53 outgoing (SO_SNDBUF socket option). # 0 is system default. Use 4m to handle spikes on very busy servers. # so-sndbuf: 0 - + # use SO_REUSEPORT to distribute queries over threads. # so-reuseport: no + # use IP_TRANSPARENT so the interface: addresses can be non-local + # and you can config non-existing IPs that are going to work later on + # (uses IP_BINDANY on FreeBSD). + # ip-transparent: no + + # use IP_FREEBIND so the interface: addresses can be non-local + # and you can bind to nonexisting IPs and interfaces that are down. + # Linux only. On Linux you also have ip-transparent that is similar. + # ip-freebind: no + # EDNS reassembly buffer to advertise to UDP peers (the actual buffer # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts). # edns-buffer-size: 4096 @@ -101,7 +120,7 @@ server: # msg-buffer-size: 65552 # the amount of memory to use for the message cache. - # plain value in bytes or you can append k, m or G. default is "4Mb". + # plain value in bytes or you can append k, m or G. default is "4Mb". # msg-cache-size: 4m # the number of slabs to use for the message cache. @@ -114,12 +133,12 @@ server: # if very busy, 50% queries run to completion, 50% get timeout in msec # jostle-timeout: 200 - + # msec to wait before close of port on timeout UDP. 0 disables. # delay-close: 0 # the amount of memory to use for the RRset cache. - # plain value in bytes or you can append k, m or G. default is "4Mb". + # plain value in bytes or you can append k, m or G. default is "4Mb". # rrset-cache-size: 4m # the number of slabs to use for the RRset cache. @@ -135,10 +154,16 @@ server: # cache. Items are not cached for longer. In seconds. # cache-max-ttl: 86400 + # the time to live (TTL) value cap for negative responses in the cache + # cache-max-negative-ttl: 3600 + # the time to live (TTL) value for cached roundtrip times, lameness and # EDNS version information for hosts. In seconds. # infra-host-ttl: 900 + # minimum wait time for responses, increase if uplink is long. In msec. + # infra-cache-min-rtt: 50 + # the number of slabs to use for the Infrastructure cache. # the number of slabs must be a power of 2. # more slabs reduce lock contention, but fragment memory usage. @@ -146,6 +171,10 @@ server: # the maximum number of hosts that are cached (roundtrip, EDNS, lame). # infra-cache-numhosts: 10000 + + # define a number of tags here, use with local-zone, access-control. + # repeat the define-tag statement to add additional tags. + # define-tag: "tag1 tag2 tag3" # Enable IPv4, "yes" or "no". # do-ip4: yes @@ -163,6 +192,14 @@ server: # useful for tunneling scenarios, default no. # tcp-upstream: no + # Maximum segment size (MSS) of TCP socket on which the server + # responds to queries. Default is 0, system default MSS. + # tcp-mss: 0 + + # Maximum segment size (MSS) of TCP socket for outgoing queries. + # Default is 0, system default MSS. + # outgoing-tcp-mss: 0 + # Detach from the terminal, run in background, "yes" or "no". # do-daemonize: yes @@ -179,14 +216,28 @@ server: # access-control: ::1 allow # access-control: ::ffff:127.0.0.1 allow + # tag access-control with list of tags (in "" with spaces between) + # Clients using this access control element use localzones that + # are tagged with one of these tags. + # access-control-tag: 192.0.2.0/24 "tag2 tag3" + + # set action for particular tag for given access control element + # if you have multiple tag values, the tag used to lookup the action + # is the first tag match between access-control-tag and local-zone-tag + # where "first" comes from the order of the define-tag values. + # access-control-tag-action: 192.0.2.0/24 tag3 refuse + + # set redirect data for particular tag for access control element + # access-control-tag-data: 192.0.2.0/24 tag2 "A 127.0.0.1" + # if given, a chroot(2) is done to the given directory. # i.e. you can chroot to the working directory, for example, # for extra security, but make sure all files are in that directory. # # If chroot is enabled, you should pass the configfile (from the # commandline) as a full path from the original root. After the - # chroot has been performed the now defunct portion of the config - # file path is removed to be able to reread the config after a reload. + # chroot has been performed the now defunct portion of the config + # file path is removed to be able to reread the config after a reload. # # All other file paths (working dir, logfile, roothints, and # key files) can be specified in several ways: @@ -195,7 +246,7 @@ server: # o as an absolute path relative to the original root. # In the last case the path is adjusted to remove the unused portion. # - # The pid file can be absolute and outside of the chroot, it is + # The pid file can be absolute and outside of the chroot, it is # written just prior to performing the chroot and dropping permissions. # # Additionally, unbound may need to access /dev/random (for entropy). @@ -209,22 +260,24 @@ server: # If you give "" no privileges are dropped. # username: "unbound" - # the working directory. The relative files in this config are + # the working directory. The relative files in this config are # relative to this directory. If you give "" the working directory # is not changed. + # If you give a server: directory: dir before include: file statements + # then those includes can be relative to the working directory. # directory: "/etc/unbound" - # the log file, "" means log to stderr. + # the log file, "" means log to stderr. # Use of this option sets use-syslog to "no". # logfile: "" - # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to + # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to # log to, with identity "unbound". If yes, it overrides the logfile. - # use-syslog: yes + # use-syslog: yes # print UTC timestamp in ascii to logfile, default is epoch in seconds. # log-time-ascii: no - + # print one line with time, IP, name, type, class for every query. # log-queries: no @@ -232,7 +285,7 @@ server: # pidfile: "/var/run/unbound.pid" # file to read root hints from. - # get one from ftp://FTP.INTERNIC.NET/domain/named.cache + # get one from https://www.internic.net/domain/named.cache # root-hints: "" # enable to not answer id.server and hostname.bind queries. @@ -248,8 +301,8 @@ server: # version: "" # the target fetch policy. - # series of integers describing the policy per dependency depth. - # The number of values in the list determines the maximum dependency + # series of integers describing the policy per dependency depth. + # The number of values in the list determines the maximum dependency # depth the recursor will pursue before giving up. Each integer means: # -1 : fetch all targets opportunistically, # 0: fetch on demand, @@ -257,17 +310,17 @@ server: # Enclose the list of numbers between quotes (""). # target-fetch-policy: "3 2 1 0 0" - # Harden against very small EDNS buffer sizes. + # Harden against very small EDNS buffer sizes. # harden-short-bufsize: no # Harden against unseemly large queries. # harden-large-queries: no - # Harden against out of zone rrsets, to avoid spoofing attempts. + # Harden against out of zone rrsets, to avoid spoofing attempts. # harden-glue: yes # Harden against receiving dnssec-stripped data. If you turn it - # off, failing to validate dnskey data for a trustanchor will + # off, failing to validate dnskey data for a trustanchor will # trigger insecure mode for that zone (like without a trustanchor). # Default on, which insists on dnssec data for trust-anchored zones. # harden-dnssec-stripped: yes @@ -277,18 +330,33 @@ server: # Harden the referral path by performing additional queries for # infrastructure data. Validates the replies (if possible). - # Default off, because the lookups burden the server. Experimental + # Default off, because the lookups burden the server. Experimental # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. # harden-referral-path: no + # Harden against algorithm downgrade when multiple algorithms are + # advertised in the DS record. If no, allows the weakest algorithm + # to validate the zone. + # harden-algo-downgrade: no + + # Sent minimum amount of information to upstream servers to enhance + # privacy. Only sent minimum required labels of the QNAME and set QTYPE + # to NS when possible. + # qname-minimisation: no + # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. # use-caps-for-id: no - # Enforce privacy of these addresses. Strips them away from answers. - # It may cause DNSSEC validation to additionally mark it as bogus. - # Protects against 'DNS Rebinding' (uses browser as network proxy). - # Only 'private-domain' and 'local-data' names are allowed to have + # Domains (and domains in them) without support for dns-0x20 and + # the fallback fails because they keep sending different answers. + # caps-whitelist: "licdn.com" + # caps-whitelist: "senderbase.org" + + # Enforce privacy of these addresses. Strips them away from answers. + # It may cause DNSSEC validation to additionally mark it as bogus. + # Protects against 'DNS Rebinding' (uses browser as network proxy). + # Only 'private-domain' and 'local-data' names are allowed to have # these private addresses. No default. # private-address: 10.0.0.0/8 # private-address: 172.16.0.0/12 @@ -296,6 +364,7 @@ server: # private-address: 169.254.0.0/16 # private-address: fd00::/8 # private-address: fe80::/10 + # private-address: ::ffff:0:0/96 # Allow the domain (and its subdomains) to contain private addresses. # local-data statements are allowed to contain private addresses too. @@ -330,6 +399,9 @@ server: # into response messages when those sections are not required. # minimal-responses: no + # true to disable DNSSEC lameness check in iterator. + # disable-dnssec-lame-check: no + # module configuration of the server. A string with identifiers # separated by spaces. Syntax: "[dns64] [validator] iterator" # module-config: "validator iterator" @@ -346,7 +418,7 @@ server: # File with DLV trusted keys. Same format as trust-anchor-file. # There can be only one DLV configured, it is trusted from root down. - # Download http://ftp.isc.org/www/dlv/dlv.isc.org.key + # DLV is going to be decommissioned. Please do not use it any more. # dlv-anchor-file: "dlv.isc.org.key" # File with trusted keys for validation. Specify more than one file @@ -354,7 +426,7 @@ server: # Zone file format, with DS and DNSKEY entries. # Note this gets out of date, use auto-trust-anchor-file please. # trust-anchor-file: "/etc/dnssec/root-anchors.txt" - + # Trusted key for validation. DS or DNSKEY. specify the RR on a # single line, surrounded by "". TTL is ignored. class is IN default. # Note this gets out of date, use auto-trust-anchor-file please. @@ -364,7 +436,7 @@ server: # File with trusted keys for validation. Specify more than one file # with several entries, one file per entry. Like trust-anchor-file - # but has a different file format. Format is BIND-9 style format, + # but has a different file format. Format is BIND-9 style format, # the trusted-keys { name flag proto algo "key"; }; clauses are read. # you need external update procedures to track changes in keys. # trusted-keys-file: "" @@ -389,7 +461,7 @@ server: # Should additional section of secure message also be kept clean of # unsecure data. Useful to shield the users of this validator from - # potential bogus data in the additional section. All unsigned data + # potential bogus data in the additional section. All unsigned data # in the additional section is removed from secure messages. # val-clean-additional: yes @@ -414,7 +486,7 @@ server: # A message with an NSEC3 with larger count is marked insecure. # List in ascending order the keysize and count values. # val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500" - + # instruct the auto-trust-anchor-file probing to add anchors after ttl. # add-holddown: 2592000 # 30 days @@ -425,8 +497,12 @@ server: # If the value 0 is given, missing anchors are not removed. # keep-missing: 31622400 # 366 days + # debug option that allows very small holddown times for key rollover, + # otherwise the RFC mandates probe intervals must be at least 1 hour. + # permit-small-holddown: no + # the amount of memory to use for the key cache. - # plain value in bytes or you can append k, m or G. default is "4Mb". + # plain value in bytes or you can append k, m or G. default is "4Mb". # key-cache-size: 4m # the number of slabs to use for the key cache. @@ -435,9 +511,9 @@ server: # key-cache-slabs: 4 # the amount of memory to use for the negative cache (used for DLV). - # plain value in bytes or you can append k, m or G. default is "1Mb". + # plain value in bytes or you can append k, m or G. default is "1Mb". # neg-cache-size: 1m - + # By default, for a number of zones a small default 'nothing here' # reply is built-in. Query traffic is thus blocked. If you # wish to serve such zone you can unblock them by uncommenting one @@ -447,6 +523,7 @@ server: # local-zone: "localhost." nodefault # local-zone: "127.in-addr.arpa." nodefault # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault + # local-zone: "onion." nodefault # local-zone: "10.in-addr.arpa." nodefault # local-zone: "16.172.in-addr.arpa." nodefault # local-zone: "17.172.in-addr.arpa." nodefault @@ -479,29 +556,37 @@ server: # local-zone: "b.e.f.ip6.arpa." nodefault # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa. - - # if unbound is running service for the local host then it is useful + + # If unbound is running service for the local host then it is useful # to perform lan-wide lookups to the upstream, and unblock the # long list of local-zones above. If this unbound is a dns server # for a network of computers, disabled is better and stops information # leakage of local lan information. # unblock-lan-zones: no + # The insecure-lan-zones option disables validation for + # these zones, as if they were all listed as domain-insecure. + # insecure-lan-zones: no + # a number of locally served zones can be configured. # local-zone: # local-data: "" - # o deny serves local data (if any), else, drops queries. + # o deny serves local data (if any), else, drops queries. # o refuse serves local data (if any), else, replies with error. # o static serves local data, else, nxdomain or nodata answer. # o transparent gives local data, but resolves normally for other names # o redirect serves the zone data for any subdomain in the zone. # o nodefault can be used to normally resolve AS112 zones. # o typetransparent resolves normally for other types and other names + # o inform resolves normally, but logs client IP address + # o inform_deny drops queries and logs client IP address + # o always_transparent, always_refuse, always_nxdomain, resolve in + # that way but ignore local data for that name. # # defaults are localhost address, reverse for 127.0.0.1 and ::1 # and nxdomain for AS112 zones. If you configure one of these zones # the default content is omitted, or you can omit it with 'nodefault'. - # + # # If you configure local-data without specifying local-zone, by # default a transparent local-zone is created for the data. # @@ -523,12 +608,18 @@ server: # you need to do the reverse notation yourself. # local-data-ptr: "192.0.2.3 www.example.com" + # tag a localzone with a list of tag names (in "" with spaces between) + # local-zone-tag: "example.com" "tag2 tag3" + + # add a netblock specific override to a localzone, with zone type + # local-zone-override: "example.com" 192.0.2.0/24 refuse + # service clients over SSL (on the TCP sockets), with plain DNS inside # the SSL stream. Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. # ssl-service-key: "path/to/privatekeyfile.key" # ssl-service-pem: "path/to/publiccertfile.pem" - # ssl-port: 443 + # ssl-port: 853 # request upstream over SSL (with plain DNS inside the SSL stream). # Default is no. Can be turned on and off with unbound-control. @@ -538,6 +629,26 @@ server: # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4. # dns64-prefix: 64:ff9b::0/96 + # ratelimit for uncached, new queries, this limits recursion effort. + # ratelimiting is experimental, and may help against randomqueryflood. + # if 0(default) it is disabled, otherwise state qps allowed per zone. + # ratelimit: 0 + + # ratelimits are tracked in a cache, size in bytes of cache (or k,m). + # ratelimit-size: 4m + # ratelimit cache slabs, reduces lock contention if equal to cpucount. + # ratelimit-slabs: 4 + + # 0 blocks when ratelimited, otherwise let 1/xth traffic through + # ratelimit-factor: 10 + + # override the ratelimit for a specific domain name. + # give this setting multiple times to have multiple overrides. + # ratelimit-for-domain: example.com 1000 + # override the ratelimits for all domains below a domain name + # can give this multiple times, the name closest to the zone is used. + # ratelimit-below-domain: com 1000 + # Python config section. To enable: # o use --with-pythonmodule to configure before compiling. # o list python in the module-config string (above) to enable. @@ -546,12 +657,16 @@ python: # Script file to load # python-script: "/etc/unbound/ubmodule-tst.py" -# Remote control config section. +# Remote control config section. remote-control: # Enable remote control with unbound-control(8) here. # set up the keys and certificates with unbound-control-setup. # control-enable: no + # Set to no and use an absolute path as control-interface to use + # a unix local named pipe for unbound-control. + # control-use-cert: yes + # what interfaces are listened to for remote control. # give 0.0.0.0 and ::0 to listen to all interfaces. # control-interface: 127.0.0.1 @@ -573,11 +688,13 @@ remote-control: # control-cert-file: "/etc/unbound/unbound_control.pem" # Stub zones. -# Create entries like below, to make all queries for 'example.com' and -# 'example.org' go to the given list of nameservers. list zero or more -# nameservers by hostname or by ipaddress. If you set stub-prime to yes, +# Create entries like below, to make all queries for 'example.com' and +# 'example.org' go to the given list of nameservers. list zero or more +# nameservers by hostname or by ipaddress. If you set stub-prime to yes, # the list is treated as priming hints (default is no). # With stub-first yes, it attempts without the stub if it fails. +# Consider adding domain-insecure: name and local-zone: name nodefault +# to the server: section if the stub is a locally served zone. # stub-zone: # name: "example.com" # stub-addr: 192.0.2.68