|/1.16.2 /1.5.9 /1.6.1 /1.8.2 /1.8.3 /ChangeLog /DNSSEC /NXDOMAIN /additional毒 /cache-max-negative-ttl /harden-referral-path /install.log /log /qname minimisation /query.log /ubuntu /unbound.conf /キャッシュ|
Unbound 1.9.1 released Published: Mon 11 March 2019
Unbound /1.8.2 (12/4)
Unbound 1.8.1 https://unbound.nlnetlabs.nl/download.html
27 August 2018: Wouter
- - Set defaults to yes for a number of options to increase speed and
- resilience of the server. The so-reuseport, harden-below-nxdomain, and minimal-responses options are enabled by default. They used to be disabled by default, waiting to make sure they worked. They are enabled by default now, and can be disabled explicitly by setting them to "no" in the unbound.conf config file.
The Unbound-users Archives https://www.unbound.net/pipermail/unbound-users/
- $ unbound-control dump_cache
unbound.net/documentation/requirements.html … Requirements for Recursive Caching Resolver October 2006
Release 1.5.5 Tue Oct 6 09:50:14 CET 2015
1.1. About Unbound
Unbound is a validating, recursive, and caching DNS resolver.
The C implementation of Unbound is developed and maintained by NLnet Labs. It is based on ideas and algorithms taken from a java prototype developed by Verisign labs, Nominet, Kirei and ep.net.
Unbound is designed as a set of modular components, so that also DNSSEC (secure DNS) validation and stub-resolvers (that do not run as a server, but are linked into an application) are easily possible.
The source code is under a BSD License.
ubuntu 14.04 LTS に入れてみました。 /ubuntu
harden-below-nxdomain: <yes or no>
- From RFC 8020 (with title "NXDOMAIN: There Really Is Nothing Underneath"), returns nxdomain to queries for a name below another name that is already known to be nxdomain. DNSSEC man- dates noerror for empty nonterminals, hence this is possible. Very old software might return nxdomain for empty nonterminals (that usually happen for reverse IP address lookups), and thus may be incompatible with this. To try to avoid this only DNSSEC-secure nxdomains are used, because the old software does not have DNSSEC. Default is off. The nxdomain must be secure, this means nsec3 with optout is insufficient.
1.4. harden-referral-path option
Unbound 1.1.0 Date: 11 November, 2008
- harden-referral-path option implements
- draft-wijngaards-dnsext-resolver-side-mitigation-00, protects against many Kaminsky variations.
Default is off, because of added load it generates, and experimental status.
- harden-referral-path: handle cases where NS is in answer section.
念のために書いておくと、NS in answer section は referral ではない。
- CNAME query に関係するものを含め、リゾルバーがNSを問い合わせた場合にだけ返ってくるはずのもの。
- Fix so harden-referral-path does not result in failures due to max-depth.
You can increase the max-depth by adding numbers (' 0') after the target-fetch-policy, this increases the depth to which is checked.
minimal-responses: <yes or no>
- If yes, Unbound doesn't insert authority/additional sections into response messages when those sections are not required. This reduces response size significantly, and may avoid TCP fallback for some responses. This may cause a slight speedup. The default is no, because the DNS protocol RFCs mandate these sections, and the additional content could be of use and save roundtrips for clients.
<yes or no>
- Will trust glue only if it is within the servers authority. Default is on.
glueを誤解しているような記述です。-- ToshinoriMaeno 2018-03-18 01:22:15