rh358/cr-network/files/unbound/unbound.conf

server:

	verbosity: 1
	statistics-interval: 0
	statistics-cumulative: no
	extended-statistics: yes

	num-threads: 4

	# Listen only on loopback and pvt.example.com IPv4/IPv6 interfaces.
	# The default is to listen to localhost (127.0.0.1 and ::1).
	# The listen interfaces are not changed on reload, only on restart.

	interface: 127.0.0.1
	interface: ::1
	interface:
	interface:

	interface-automatic: no

	outgoing-port-permit: 32768-60999
	outgoing-port-avoid: 0-32767
	so-reuseport: yes
	ip-transparent: yes

	max-udp-size: 3072

	# Control which clients are allowed to make (recursive) queries
	# to this server. Specify classless netblocks with /size and action.
	# By default everything is refused, except for localhost.

	access-control: 127.0.0.0/8 allow
	access-control: ::1 allow
	access-control:
	access-control:

	chroot: ""
	username: "unbound"
	directory: "/etc/unbound"
	log-time-ascii: yes
	pidfile: "/var/run/unbound/unbound.pid"

	harden-glue: yes
	harden-dnssec-stripped: yes
	harden-below-nxdomain: yes
	harden-referral-path: yes
	qname-minimisation: yes
	aggressive-nsec: yes
	unwanted-reply-threshold: 10000000

	prefetch: yes
	prefetch-key: yes
	rrset-roundrobin: yes
	minimal-responses: yes

	module-config: "ipsecmod validator iterator"

	trust-anchor-signaling: yes
	root-key-sentinel: yes
	trusted-keys-file: /etc/unbound/keys.d/*.key
	auto-trust-anchor-file: "/var/lib/unbound/root.key"

	# Ignore chain of trust. Domain is treated as insecure.

	domain-insecure:
	domain-insecure:
	domain-insecure: "4.7.1.6.8.4.4.6.5.6.2.5.2.6.c.f.ip6.arpa"

	val-clean-additional: yes
	val-permissive-mode: no
	serve-expired: yes
	val-log-level: 1

	# By default, for a number of zones a small default 'nothing here'
	# reply is built-in.  Query traffic is thus blocked.  If you
	# wish to serve such zone you can unblock them by uncommenting one
	# of the nodefault statements below.
	# You may also have to use domain-insecure: zone to make DNSSEC work,
	# unless you have your own trust anchors for this zone.
	# local-zone: "localhost." nodefault
	# local-zone: "127.in-addr.arpa." nodefault
	# local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault

	local-zone:
	local-zone:
	local-zone: "4.7.1.6.8.4.4.6.5.6.2.5.2.6.c.f.ip6.arpa" nodefault

	include: /etc/unbound/local.d/*.conf

	ipsecmod-enabled: no
	ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook

python:

remote-control:
	control-enable: yes
	server-key-file: "/etc/unbound/unbound_server.key"
	server-cert-file: "/etc/unbound/unbound_server.pem"
	control-key-file: "/etc/unbound/unbound_control.key"
	control-cert-file: "/etc/unbound/unbound_control.pem"

# Stub and Forward zones
include: /etc/unbound/conf.d/*.conf

# Stub zones.
# Create entries like below, to make all queries for 'example.com' and
# 'example.org' go to the given list of nameservers. list zero or more
# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
# the list is treated as priming hints (default is no).
# Consider adding domain-insecure: name and local-zone: name nodefault
# to the server: section if the stub is a locally served zone.

stub-zone:
	name: ""
	stub-addr:
	stub-addr:

stub-zone:
	name: ""
	stub-addr:
	stub-addr:

stub-zone:
	name: "4.7.1.6.8.4.4.6.5.6.2.5.2.6.c.f.ip6.arpa"
	stub-addr: 192.168.62.10
	stub-addr: fc62:5265:6448:6174::a

# Forward zones
# Create entries like below, to make all queries for 'example.com' and
# 'example.org' go to the given list of servers. These servers have to handle
# recursion to other nameservers. List zero or more nameservers by hostname
# or by ipaddress. Use an entry with name "." to forward all queries.

forward-zone:
	name: ""
	forward-addr:

auth-zone:
	name: "."
	for-downstream: no
	for-upstream: yes
	fallback-enabled: yes
	master: b.root-servers.net
	master: c.root-servers.net
	master: e.root-servers.net
	master: f.root-servers.net
	master: g.root-servers.net
	master: k.root-servers.net