d12d2e31d3
A vulnerability was discovered in the processing of wildcard synthesized NSEC records. While synthesis of NSEC records is allowed by RFC4592, these synthesized owner names should not be used in the NSEC processing. This does, however, happen in Unbound 1.6.7 and earlier versions. (see https://unbound.net/downloads/CVE-2017-15105.txt) Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
94 lines
3 KiB
Diff
94 lines
3 KiB
Diff
diff --git a/doc/example.conf.in b/doc/example.conf.in
|
|
index 5396029..cbb51ec 100644
|
|
--- a/doc/example.conf.in
|
|
+++ b/doc/example.conf.in
|
|
@@ -1,9 +1,10 @@
|
|
-#
|
|
-# Example configuration file.
|
|
-#
|
|
-# See unbound.conf(5) man page, version 1.6.8.
|
|
-#
|
|
-# this is a comment.
|
|
+##############################################################################
|
|
+# MEMORY CONTROL EXAMPLE
|
|
+# In the example config settings below memory usage is reduced. Some ser-
|
|
+# vice levels are lower, notable very large data and a high TCP load are
|
|
+# no longer supported ... are exceptional for the DNS.
|
|
+# (http://unbound.net/documentation/unbound.conf.html)
|
|
+##############################################################################
|
|
|
|
#Use this to include other text into the file.
|
|
#include: "otherfile.conf"
|
|
@@ -12,9 +13,71 @@
|
|
server:
|
|
# whitespace is not necessary, but looks cleaner.
|
|
|
|
- # verbosity number, 0 is least verbose. 1 is default.
|
|
+ # verbosity 1 is default
|
|
verbosity: 1
|
|
|
|
+ # Self jail Unbound with user "unbound" to /var/lib/unbound
|
|
+ # The script /etc/init.d/unbound will setup the location
|
|
+ username: "unbound"
|
|
+ directory: "/var/lib/unbound"
|
|
+ chroot: "/var/lib/unbound"
|
|
+
|
|
+ # The pid file is created before privleges drop so no concern
|
|
+ pidfile: "/var/run/unbound.pid"
|
|
+
|
|
+ # no threads and no memory slabs for threads
|
|
+ num-threads: 1
|
|
+ msg-cache-slabs: 1
|
|
+ rrset-cache-slabs: 1
|
|
+ infra-cache-slabs: 1
|
|
+ key-cache-slabs: 1
|
|
+
|
|
+ # don't be picky about interfaces but consider your firewall
|
|
+ interface: 0.0.0.0
|
|
+ interface: ::0
|
|
+ access-control: 0.0.0.0/0 allow
|
|
+ access-control: ::0/0 allow
|
|
+
|
|
+ # this limits TCP service but uses less buffers
|
|
+ outgoing-num-tcp: 1
|
|
+ incoming-num-tcp: 1
|
|
+
|
|
+ # use somewhat higher port numbers versus possible NAT issue
|
|
+ outgoing-port-permit: "10240-65335"
|
|
+
|
|
+ # uses less memory but less performance
|
|
+ outgoing-range: 60
|
|
+ num-queries-per-thread: 30
|
|
+
|
|
+ # exclude large responses
|
|
+ msg-buffer-size: 8192
|
|
+
|
|
+ # tiny memory cache
|
|
+ infra-cache-numhosts: 200
|
|
+ msg-cache-size: 100k
|
|
+ rrset-cache-size: 100k
|
|
+ key-cache-size: 100k
|
|
+ neg-cache-size: 10k
|
|
+
|
|
+ # gentle on recursion
|
|
+ target-fetch-policy: "2 1 0 0 0 0"
|
|
+ harden-large-queries: yes
|
|
+ harden-short-bufsize: yes
|
|
+
|
|
+ # DNSSEC enable by removing comments on "module-config:" and "auto-trust-
|
|
+ # -anchor-file:" The init script will copy root key to /var/lib/unbound.
|
|
+ # See package documentation for crontab entry to copy RFC5011 results back.
|
|
+ #module-config: "validator iterator"
|
|
+ #auto-trust-anchor-file: "/var/lib/unbound/root.key"
|
|
+
|
|
+ # DNSSEC needs real time to validate signatures. If your device does not
|
|
+ # have power off clock (reboot), then you may need this work around.
|
|
+ #domain-insecure: "pool.ntp.org"
|
|
+
|
|
+##############################################################################
|
|
+# Resume Stock example.conf.in
|
|
+##############################################################################
|
|
+
|
|
# print statistics to the log (for every thread) every N seconds.
|
|
# Set to "" or 0 to disable. Default is disabled.
|
|
# statistics-interval: 0
|