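# Unbound recursive resolver: local, loopback-only instance with DNSSEC
# validation, DNS-over-TLS on ::1, and RFC 8767 serve-stale.
# Layout normalised to one directive per line; comments in English.
server:
    # Module chain. Unbound's default chain also enables subnetcache
    # (EDNS client subnet); this instance loads only validator + iterator.
    module-config: "validator iterator"

    # NOTE(review): the validator module is loaded, but no trust anchor
    # (auto-trust-anchor-file / trust-anchor-file) appears in this file.
    # Without one the validator has nothing to validate against and every
    # answer is treated as insecure. Confirm an included file (e.g. a
    # distribution conf.d snippet) provides it; otherwise set it here:
    # auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Logging
    verbosity: 1
    use-syslog: no
    # Must be writable by the unbound user (and reachable inside the chroot,
    # if one is configured).
    logfile: "/var/log/unbound.log"
    log-time-ascii: yes
    # Deliberately exposed via EDNS NSID; hide-identity/hide-version below
    # still apply to id.server/version.server CH TXT queries.
    nsid: "ascii_Unbound-Local"

    num-threads: 2

    # Listeners: loopback only. ::1@853 is the DNS-over-TLS listener
    # (853 is the default tls-port); plain DNS is served on port 53 on
    # 127.0.0.1 and ::1. There is no IPv4 DoT listener: add
    # "interface: 127.0.0.1@853" if IPv4-only clients need TLS as well.
    interface: 127.0.0.1
    interface: ::1@853
    interface: ::1
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    edns-tcp-keepalive: yes

    # Client ACL. These are Unbound's built-in defaults (only localhost is
    # allowed), written out so the intent survives a later change of
    # interfaces to non-loopback addresses.
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Prefer IPv6 when talking to authoritative servers
    # prefer-ip6: yes

    # TLS material for the DoT listener
    tls-service-pem: /etc/unbound/unbound_server.pem
    tls-service-key: /etc/unbound/unbound_server.key
    # TLS 1.2 ciphers. The trailing "!SHA" removes every SHA-1-MAC (CBC)
    # suite that EECDH+AES would otherwise pull in. Only the RSA ChaCha20
    # suite is listed; if unbound_server.pem is an ECDSA certificate,
    # ChaCha20 clients fall back to the EECDH+AES-GCM suites (confirm the
    # key type).
    tls-ciphers: ECDHE-RSA-CHACHA20-POLY1305:EECDH+AES:+AES128:+AES256:+SHA256:+SHA384:!SHA
    # TLS 1.3 ciphers
    tls-ciphersuites: TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384

    # Built-in root hints are used; uncomment to use a locally maintained copy.
    # root-hints: "/var/lib/unbound/root.hints"

    # Cache and memory
    # Slabs reduce lock contention between threads. Must be a power of 2;
    # a value close to the number of CPUs/threads is a reasonable guess.
    msg-cache-slabs: 2
    rrset-cache-slabs: 2
    infra-cache-slabs: 2
    key-cache-slabs: 2

    # Cache sizes. Use roughly twice as much rrset cache as msg cache.
    # Due to malloc overhead the process RSS is likely to reach 2-2.5x the
    # sum of the cache sizes. Default is 4m (!) for both.
    rrset-cache-size: 256m
    msg-cache-size: 128m
    # Key cache (DNSKEY/DS) size in bytes. Default 4 MB.
    key-cache-size: 16m
    # Aggressive negative cache size in bytes. Default 1 MB.
    neg-cache-size: 4m
    # Number of hosts kept in the infrastructure cache. Default 10000.
    infra-cache-numhosts: 100000

    # Hardening
    harden-referral-path: yes
    use-caps-for-id: yes
    hide-identity: yes
    hide-version: yes
    # Added: also refuse trustanchor.unbound CH TXT, which otherwise reveals
    # the configured trust anchors.
    hide-trustanchor: yes
    harden-glue: yes
    harden-dnssec-stripped: yes

    # Extended DNS Errors (RFC 8914)
    ede: yes
    ede-serve-expired: yes

    # Lower bound on TTL, in seconds. Default 0. Values above an hour can
    # easily cause trouble with stale data.
    # cache-min-ttl: 3600
    # Upper bound on TTL for RRsets and messages in the cache, in seconds.
    cache-max-ttl: 86400

    # RFC 8767 serve-stale
    serve-expired: yes
    # How long expired records are kept. The RFC suggests 86400-259200s.
    serve-expired-ttl: 86400
    # Reset an expired record's lifetime to serve-expired-ttl after a failed
    # upstream refresh attempt? No.
    serve-expired-ttl-reset: no
    # TTL of answers built from expired data (RFC RECOMMENDS 30s when
    # serve-expired-client-timeout is used).
    serve-expired-reply-ttl: 30
    # Time to wait for upstream before answering with expired data, in ms
    # (RFC recommends 1800ms).
    serve-expired-client-timeout: 1800

    prefetch: yes
    prefetch-key: yes

    # If nonzero, unwanted replies are not only counted in statistics: a
    # running total is kept per thread and, when it reaches this threshold,
    # a warning is logged and the cache is cleared to flush potential
    # poison. Manpage suggests 10000000; default is 0 (off). 10K is used
    # here as a deliberately more sensitive setting.
    unwanted-reply-threshold: 10000

    # Strip unsigned data from the additional section of secure messages,
    # so clients of this validator never see bogus additional data.
    val-clean-additional: yes
    # Log validation failures
    # val-log-level: 2

    # QNAME minimisation. harden-below-nxdomain is recommended alongside it;
    # see the manpage and
    # https://lists.nlnetlabs.nl/pipermail/unbound-users/2015-December/004130.html
    harden-below-nxdomain: yes
    qname-minimisation: yes
    # qname-minimisation-strict: yes

    # Aggressive use of NSEC/NSEC3 (RFC 8198).
    # See http://www.bortzmeyer.org/8198.html
    aggressive-nsec: yes

    # private-address is deliberately disabled because some broken SMTP
    # servers advertise EHLO names resolving to RFC 1918 addresses
    # (e.g. relay.navaho.fr). Consequence: this resolver provides no
    # DNS-rebinding protection (answers pointing at private space are
    # passed through). If only a known set of names is affected, consider
    # re-enabling these and exempting those names with private-domain.
    # private-address: 10.0.0.0/8
    # private-address: 172.16.0.0/12
    # private-address: 192.168.0.0/16
    # private-address: 169.254.0.0/16
    # private-address: fd00::/8
    # private-address: fe80::/10

    # Statistics for Munin
    extended-statistics: yes
    statistics-cumulative: no
    statistics-interval: 0

# Remote control (unbound-control). Bound to localhost:8953 by default.
# control-use-cert: no is only acceptable while the control socket stays on
# localhost; re-enable certificates before exposing it on any other address.
#remote-control:
#    control-enable: yes
#    control-use-cert: no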