From patchwork Mon Jan 20 19:36:00 2020
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 2710
To: "IPFire: Development-List"
From: Peter Müller
Subject: unbound.conf: Do not set defaults explicitly
Date: Mon, 20 Jan 2020 19:36:00 +0000

In order to keep configuration files small and easy to review/audit, omitting defaults makes more sense than configuring them explicitly (have changed my mind here). Unbound comes with a good default configuration, and we should only make changes when they are necessary.

In addition, this patch updates the documentation's URL to the current one.

Signed-off-by: Peter Müller
Cc: Michael Tremer
Reviewed-by: Michael Tremer
--- config/unbound/unbound.conf | 22 ++-------------------- 1 file changed, 2 insertions(+), 20 deletions(-) diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 24822ee67..c78ca1db7 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -2,7 +2,7 @@ # Unbound configuration file for IPFire # # The full documentation is available at: -# https://www.unbound.net/documentation/unbound.conf.html +# https://nlnetlabs.nl/documentation/unbound/unbound.conf/ # server: @@ -10,26 +10,17 @@ server: chroot: "" directory: "/etc/unbound" username: "nobody" - port: 53 - do-ip4: yes do-ip6: no - do-udp: yes - do-tcp: yes - so-reuseport: yes - do-not-query-localhost: yes # System Tuning include: "/etc/unbound/tuning.conf" # Logging Options - verbosity: 1 use-syslog: yes log-time-ascii: yes - log-queries: no # Unbound Statistics statistics-interval: 86400 - statistics-cumulative: yes extended-statistics: yes # Prefetching 
@@ -42,26 +33,17 @@ server: # Privacy Options hide-identity: yes hide-version: yes - qname-minimisation: yes - minimal-responses: yes # DNSSEC auto-trust-anchor-file: "/var/lib/unbound/root.key" - val-permissive-mode: no - val-clean-additional: yes val-log-level: 1 + log-servfail: yes # Hardening Options - harden-glue: yes - harden-short-bufsize: no harden-large-queries: yes - harden-dnssec-stripped: yes - harden-below-nxdomain: yes harden-referral-path: yes - harden-algo-downgrade: no use-caps-for-id: yes aggressive-nsec: yes - qname-minimisation: yes # TLS tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt
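Review bot: in the `@@ -10,26 +10,17 @@` hunk, `- statistics-cumulative: yes` is not a default being dropped; Unbound's documented default for statistics-cumulative is no, so removing the line changes behaviour: the counters are now cleared every time statistics are logged (every 86400 seconds with the statistics-interval kept here) instead of accumulating since startup, which will change what anyone graphing or alerting on these numbers sees. If that is intended, say so in the commit message; otherwise keep the line. The other removals in that hunk (port 53, do-ip4/do-udp/do-tcp yes, so-reuseport yes, do-not-query-localhost yes, verbosity 1, log-queries no) match the documented defaults, with the caveat that defaults are per Unbound version, so the file now silently tracks whatever the packaged version ships.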
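Review bot: in the `@@ -42,26 +33,17 @@` hunk, `+ log-servfail: yes` is a new non-default setting (Unbound defaults it to no) that neither the subject nor the commit message mentions; they only announce dropping defaults and a URL update, so please document it, since it changes what lands in syslog on resolution failures (one line per SERVFAIL explaining the cause, which is useful for diagnosing DNSSEC validation problems but adds log volume). Two further points on this hunk: removing the second `qname-minimisation: yes` at the end of the hardening block is correct, as the same option was already set under Privacy Options; and the removed explicit `no` values (`harden-short-bufsize`, `harden-algo-downgrade`) only stay equivalent for as long as the packaged Unbound's defaults for them remain no, which is worth re-checking whenever the package is bumped.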