MoinQ: DNS/実装/unbound/1.6.1

DNS/実装/unbound/1.6.1について、ここに記述してください。

https://www.unbound.net/documentation/unbound.conf.html

   harden-below-nxdomain: <yes or no>
              From RFC 8020 (with title "NXDOMAIN:  There  Really  Is  Nothing
              Underneath"),  returns  nxdomain  to  queries  for  a name below
              another name that is already known to be nxdomain.  DNSSEC  man-
              dates  noerror  for  empty nonterminals, hence this is possible.
              Very old software might return nxdomain for  empty  nonterminals
              (that  usually  happen for reverse IP address lookups), and thus
              may be incompatible with  this.   To  try  to  avoid  this  only
              DNSSEC-secure  nxdomains are used, because the old software does
              not have DNSSEC.  Default is off.  The nxdomain must be  secure,
              this means nsec3 with optout is insufficient.

harden-referral-path: <yes or no>

• Harden the referral path by performing additional queries for infrastructure data. Validates the replies if trust anchors are configured and the zones are signed. This enforces DNSSEC vali- dation on nameserver NS sets and the nameserver addresses that are encountered on the referral path to the answer. Default off, because it burdens the authority servers, and it is not RFC standard, and could lead to performance problems because of the extra query load that is generated. Experimental option. If you enable it consider adding more numbers after the tar- get-fetch-policy to increase the max depth that is checked to.

• qname-minimisation: <yes or no>

  • Send minimum amount of information to upstream servers to enhance privacy. Only sent minimum required labels of the QNAME and set QTYPE to NS when possible. Best effort approach; full QNAME and original QTYPE will be sent when upstream replies with a RCODE other than NOERROR, except when receiving NXDOMAIN from a DNSSEC signed zone. Default is off.

  qname-minimisation-strict: <yes or no>

  • QNAME minimisation in strict mode. Do not fall-back to sending full QNAME to potentially broken nameservers. A lot of domains will not be resolvable when this option in enabled. Only use if you know what you are doing. This option only has effect when qname-minimisation is enabled. Default is off.