unbound.conf issue

Yorgos Thessalonikefs yorgos at nlnetlabs.nl
Thu Aug 1 12:26:09 UTC 2024


The first file enables remote control while the second configures the 
trust anchor.
You can put your custom configuration file in this directory as well.
Without any include directives though.
So from your first email the contents of that file should only be:
```
server:
     # send minimal amount of information to upstream servers to enhance privacy
     qname-minimisation: yes
     # the interface that is used to connect to the network (this will listen to all interfaces)
     interface: 0.0.0.0
     # interface: ::0
     # addresses from the IP range that are allowed to connect to the resolver
     access-control: 192.168.1.0/26 allow
     # access-control: 2001:DB8/64 allow
```

And the /etc/unbound/unbound.conf file should be left at the default:
```
include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
```

Best regards,
-- Yorgos

On 01/08/2024 14:13, Alexandre Froissard wrote:
> I just checked, and in the /etc/unbound/unbound.conf.d/ directory I found 
> 2 files:
> 
> afroissard@raspberrypi:/etc/unbound/unbound.conf.d$ ls -al
> total 16
> drwxr-xr-x 2 root root 4096 Jul 31 18:30 .
> drwxr-xr-x 3 root root 4096 Aug  1 11:25 ..
> -rw-r--r-- 1 root root  195 Feb 26 13:47 remote-control.conf
> -rw-r--r-- 1 root root  190 Feb 26 13:47 root-auto-trust-anchor-file.conf
> afroissard@raspberrypi:/etc/unbound/unbound.conf.d$
> 
> When I cat them here's what's inside :
> 
> afroissard@raspberrypi:/etc/unbound/unbound.conf.d$ cat root-auto-trust-anchor-file.conf
> server:
>      # The following line will configure unbound to perform cryptographic
>      # DNSSEC validation using the root trust anchor.
>      auto-trust-anchor-file: "/var/lib/unbound/root.key"
> afroissard@raspberrypi:/etc/unbound/unbound.conf.d$ cat remote-control.conf
> remote-control:
>    control-enable: yes
>    # by default the control interface is is 127.0.0.1 and ::1 and port 8953
>    # it is possible to use a unix socket too
>    control-interface: /run/unbound.ctl
> afroissard@raspberrypi:/etc/unbound/unbound.conf.d$
> 
> 
>> On 1 August 2024 at 12:13, Yorgos Thessalonikefs <yorgos at nlnetlabs.nl> 
>> wrote:
>>
>>
>>
>> On 01/08/2024 11:48, Alexandre Froissard wrote:
>>> I commented # the auto-trust-anchor-file from my configuration file and
>>> it works just fine now.
>>> I'm not a Linux specialist.
>>> From what I understand, removing this line will tell Ubuntu to use what
>>> was installed by default, correct ?
>>> I'm trying to make sure removing this line has no consequences on the
>>> security of the system and/or dns service.
>> Removing this line does not explicitly tell anything to Unbound.
>> I believe one of the files under /etc/unbound/unbound.conf.d/ specifies
>> a trust-anchor and that should be the system installed one.
>> You can verify yourself by looking at the files under
>> /etc/unbound/unbound.conf.d/.
>>
>> Best regards,
>> -- Yorgos
> 
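
An added example, not part of the original thread or of Unbound itself: a small Python check that follows `include:` / `include-toplevel:` globs from the main file, reports which included file sets a DNSSEC trust anchor, and flags both a custom file repeating the `auto-trust-anchor-file` already set by a packaged drop-in and the absence of any anchor. The function names are hypothetical, the parser is deliberately simplified, and include paths are assumed to be absolute as they are in this thread.

```python
import glob
from pathlib import Path

# Unbound options that install a DNSSEC trust anchor.
ANCHOR_KEYS = {"auto-trust-anchor-file", "trust-anchor-file",
               "trusted-keys-file", "trust-anchor"}

def directives(path, seen=None):
    """Yield (file, key, value) for path and every file it includes."""
    seen = set() if seen is None else seen
    if path in seen:  # guard against include loops
        return
    seen.add(path)
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()  # simplified comment stripping
            if ":" not in line:
                continue
            key, value = (p.strip() for p in line.split(":", 1))
            value = value.strip('"')
            if key in ("include", "include-toplevel"):
                for inc in sorted(glob.glob(value)):  # wildcards allowed
                    yield from directives(inc, seen)
            elif value:  # skip clause headers such as "server:"
                yield path, key, value

def audit_trust_anchors(main_conf):
    """Return (anchors, findings); anchors maps anchor value -> files."""
    anchors = {}
    for path, key, value in directives(main_conf):
        if key in ANCHOR_KEYS:
            anchors.setdefault(value, []).append(path)
    findings = [f"{v} set in {len(f)} files" for v, f in anchors.items()
                if len(f) > 1]
    if not anchors:
        findings.append("no trust anchor: nothing is DNSSEC-validated")
    return anchors, findings

def build_sample(root, custom_sets_anchor):
    """Constructed sample tree mirroring the thread's layout; returns main conf."""
    d = Path(root, "unbound.conf.d")
    d.mkdir()
    anchor = '    auto-trust-anchor-file: "/var/lib/unbound/root.key"\n'
    (d / "root-auto-trust-anchor-file.conf").write_text("server:\n" + anchor)
    (d / "custom.conf").write_text("server:\n    qname-minimisation: yes\n"
                                   + (anchor if custom_sets_anchor else ""))
    main = Path(root, "unbound.conf")
    main.write_text(f'include-toplevel: "{d}/*.conf"\n')
    return str(main)
```

On a real host, call `audit_trust_anchors("/etc/unbound/unbound.conf")`; `unbound-checkconf` remains the authoritative check of the configuration itself.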

