- diff --git a/doc/example.conf.in b/doc/example.conf.in
- index 5396029..cbb51ec 100644
- --- a/doc/example.conf.in
- +++ b/doc/example.conf.in
- @@ -1,9 +1,10 @@
- -#
- -# Example configuration file.
- -#
- -# See unbound.conf(5) man page, version 1.7.0.
- -#
- -# this is a comment.
- +##############################################################################
- +# MEMORY CONTROL EXAMPLE
- +# In the example config settings below memory usage is reduced. Some ser-
- +# vice levels are lower, notable very large data and a high TCP load are
- +# no longer supported ... are exceptional for the DNS.
- +# (http://unbound.net/documentation/unbound.conf.html)
- +##############################################################################
-
- #Use this to include other text into the file.
- #include: "otherfile.conf"
- @@ -12,9 +13,71 @@
- server:
- # whitespace is not necessary, but looks cleaner.
-
- - # verbosity number, 0 is least verbose. 1 is default.
- + # verbosity 1 is default
- verbosity: 1
-
- + # Self jail Unbound with user "unbound" to /var/lib/unbound
- + # The script /etc/init.d/unbound will setup the location
- + username: "unbound"
- + directory: "/var/lib/unbound"
- + chroot: "/var/lib/unbound"
- +
- + # The pid file is created before privleges drop so no concern
- + pidfile: "/var/run/unbound.pid"
- +
- + # no threads and no memory slabs for threads
- + num-threads: 1
- + msg-cache-slabs: 1
- + rrset-cache-slabs: 1
- + infra-cache-slabs: 1
- + key-cache-slabs: 1
- +
- + # don't be picky about interfaces but consider your firewall
- + interface: 0.0.0.0
- + interface: ::0
- + access-control: 0.0.0.0/0 allow
- + access-control: ::0/0 allow
- +
- + # this limits TCP service but uses less buffers
- + outgoing-num-tcp: 1
- + incoming-num-tcp: 1
- +
- + # use somewhat higher port numbers versus possible NAT issue
- + outgoing-port-permit: "10240-65335"
- +
- + # uses less memory but less performance
- + outgoing-range: 60
- + num-queries-per-thread: 30
- +
- + # exclude large responses
- + msg-buffer-size: 8192
- +
- + # tiny memory cache
- + infra-cache-numhosts: 200
- + msg-cache-size: 100k
- + rrset-cache-size: 100k
- + key-cache-size: 100k
- + neg-cache-size: 10k
- +
- + # gentle on recursion
- + target-fetch-policy: "2 1 0 0 0 0"
- + harden-large-queries: yes
- + harden-short-bufsize: yes
- +
- + # DNSSEC enable by removing comments on "module-config:" and "auto-trust-
- + # -anchor-file:" The init script will copy root key to /var/lib/unbound.
- + # See package documentation for crontab entry to copy RFC5011 results back.
- + #module-config: "validator iterator"
- + #auto-trust-anchor-file: "/var/lib/unbound/root.key"
- +
- + # DNSSEC needs real time to validate signatures. If your device does not
- + # have power off clock (reboot), then you may need this work around.
- + #domain-insecure: "pool.ntp.org"
- +
- +##############################################################################
- +# Resume Stock example.conf.in
- +##############################################################################
- +
- # print statistics to the log (for every thread) every N seconds.
- # Set to "" or 0 to disable. Default is disabled.
- # statistics-interval: 0
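Review bot: The added `access-control: 0.0.0.0/0 allow` and `access-control: ::0/0 allow`, combined with `interface: 0.0.0.0` and `interface: ::0`, let any source that can reach the host use it as a recursive resolver; the only safeguard is the comment's hint to "consider your firewall". If this file is installed as the default configuration, I would scope the allow rules to loopback and the local network, e.g. `access-control: 127.0.0.0/8 allow`, `access-control: ::1 allow` and `access-control: <LAN_PREFIX> allow` (placeholder), and keep the wide-open form only as a commented alternative. Separately, `outgoing-port-permit: "10240-65335"` looks like a typo for 65535. Since `module-config` and `auto-trust-anchor-file` are left commented out, the comment above them should also say plainly that answers are not DNSSEC-validated until they are enabled.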
|