diff --git a/doc/example.conf.in b/doc/example.conf.in index 5396029..cbb51ec 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -1,9 +1,10 @@ -# -# Example configuration file. -# -# See unbound.conf(5) man page, version 1.7.1. -# -# this is a comment. +############################################################################## +# MEMORY CONTROL EXAMPLE +# In the example config settings below memory usage is reduced. Some ser- +# vice levels are lower, notable very large data and a high TCP load are +# no longer supported ... are exceptional for the DNS. +# (http://unbound.net/documentation/unbound.conf.html) +############################################################################## #Use this to include other text into the file. #include: "otherfile.conf" @@ -12,9 +13,71 @@ server: # whitespace is not necessary, but looks cleaner. - # verbosity number, 0 is least verbose. 1 is default. + # verbosity 1 is default verbosity: 1 + # Self jail Unbound with user "unbound" to /var/lib/unbound + # The script /etc/init.d/unbound will setup the location + username: "unbound" + directory: "/var/lib/unbound" + chroot: "/var/lib/unbound" + + # The pid file is created before privleges drop so no concern + pidfile: "/var/run/unbound.pid" + + # no threads and no memory slabs for threads + num-threads: 1 + msg-cache-slabs: 1 + rrset-cache-slabs: 1 + infra-cache-slabs: 1 + key-cache-slabs: 1 + + # don't be picky about interfaces but consider your firewall + interface: 0.0.0.0 + interface: ::0 + access-control: 0.0.0.0/0 allow + access-control: ::0/0 allow + + # this limits TCP service but uses less buffers + outgoing-num-tcp: 1 + incoming-num-tcp: 1 + + # use somewhat higher port numbers versus possible NAT issue + outgoing-port-permit: "10240-65335" + + # uses less memory but less performance + outgoing-range: 60 + num-queries-per-thread: 30 + + # exclude large responses + msg-buffer-size: 8192 + + # tiny memory cache + infra-cache-numhosts: 200 + msg-cache-size: 100k + rrset-cache-size: 100k + key-cache-size: 100k + neg-cache-size: 10k + + # gentle on recursion + target-fetch-policy: "2 1 0 0 0 0" + harden-large-queries: yes + harden-short-bufsize: yes + + # DNSSEC enable by removing comments on "module-config:" and "auto-trust- + # -anchor-file:" The init script will copy root key to /var/lib/unbound. + # See package documentation for crontab entry to copy RFC5011 results back. + #module-config: "validator iterator" + #auto-trust-anchor-file: "/var/lib/unbound/root.key" + + # DNSSEC needs real time to validate signatures. If your device does not + # have power off clock (reboot), then you may need this work around. + #domain-insecure: "pool.ntp.org" + +############################################################################## +# Resume Stock example.conf.in +############################################################################## + # print statistics to the log (for every thread) every N seconds. # Set to "" or 0 to disable. Default is disabled. # statistics-interval: 0