🔨 Use some new 1.18.0 features in default config

MatthewVance · Oct 6, 2023 · 84088be · 84088be
1 parent c9f829b
commit 84088be
Showing 1 changed file with 27 additions and 0 deletions.
diff --git a/1.18.0/data/unbound.sh b/1.18.0/data/unbound.sh
@@ -60,6 +60,19 @@ server:
     # Set the working directory for the program.
     directory: "/opt/unbound/etc/unbound"
 
+    # If enabled, Unbound will respond with Extended DNS Error codes (RFC 8914).
+    # These EDEs attach informative error messages to a response for various
+    # errors.
+    # When the val-log-level: option is also set to 2, responses with Extended
+    # DNS Errors concerning DNSSEC failures that are not served from cache, will
+    # also contain a descriptive text message about the reason for the failure.
+    ede: yes
+
+    # If enabled, Unbound will attach an Extended DNS Error (RFC 8914)
+    # Code 3 - Stale Answer as EDNS0 option to the expired response.
+    # This will not attach the EDE code without setting ede: yes as well.
+    ede-serve-expired: yes
+
     # RFC 6891. Number  of bytes size to advertise as the EDNS reassembly buffer
     # size. This is the value put into  datagrams over UDP towards peers.
     # The actual buffer size is determined by msg-buffer-size (both for TCP and
@@ -172,6 +185,12 @@ server:
     # advertised in the DS record.
     harden-algo-downgrade: yes
 
+    # Harden against unknown records in the authority section and additional
+    # section. If no, such records are copied from the upstream and presented
+    # to the client together with the answer. If yes, it could hamper future
+    # protocol developments that want to add records.
+    harden-unknown-additional: yes
+
     # RFC 8020. returns nxdomain to queries for a name below another name that
     # is already known to be nxdomain.
     harden-below-nxdomain: yes
@@ -339,6 +358,14 @@ server:
     # actual resolution answer ends up in the cache later on.
     serve-expired: yes
 
+    # UDP queries that have waited in the socket buffer for a long time can be
+    # dropped. The time is set in seconds, 3 could be a good value to ignore old
+    # queries that likely the client does not need a reply for any more. This 
+    # could happen if the host has not been able to service the queries for a 
+    # while, i.e. Unbound is not running, and then is enabled again. It uses 
+    # timestamp socket options.
+    sock-queue-timeout: 3
+
     # Open dedicated listening sockets for incoming queries for each thread and
     # try to set the SO_REUSEPORT socket option on each socket. May distribute
     # incoming queries to threads more evenly.