diff --git a/doc/example.conf.in b/doc/example.conf.in index c520c88..af92a87 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -1,20 +1,81 @@ -# -# Example configuration file. -# -# See unbound.conf(5) man page, version 1.5.10. -# -# this is a comment. +############################################################################## +# MEMORY CONTROL EXAMPLE +# In the example config settings below memory usage is reduced. Some ser- +# vice levels are lower, notable very large data and a high TCP load are +# no longer supported ... are exceptional for the DNS. +# (http://unbound.net/documentation/unbound.conf.html) +############################################################################## #Use this to include other text into the file. #include: "otherfile.conf" # The server clause sets the main parameters. server: - # whitespace is not necessary, but looks cleaner. - # verbosity number, 0 is least verbose. 1 is default. + # verbosity 1 is default verbosity: 1 + # prevent any upstream core surprises (OpenWrt assumptions) + username: "unbound" + pidfile: "/var/run/unbound.pid" + directory: "/etc/unbound" + chroot: "" + + # no threads and no memory slabs for threads + num-threads: 1 + msg-cache-slabs: 1 + rrset-cache-slabs: 1 + infra-cache-slabs: 1 + key-cache-slabs: 1 + + # don't be picky about interfaces but consider your firewall + interface: 0.0.0.0 + interface: ::0 + access-control: 0.0.0.0/0 allow + access-control: ::0/0 allow + + # this limits TCP service but uses less buffers + outgoing-num-tcp: 1 + incoming-num-tcp: 1 + + # use somewhat higher port numbers versus possible NAT issue + outgoing-port-permit: "10240-65335" + + # uses less memory, but less performance + outgoing-range: 60 + num-queries-per-thread: 30 + + # exclude large responses + msg-buffer-size: 8192 + + # tiny memory cache + infra-cache-numhosts: 200 + msg-cache-size: 100k + rrset-cache-size: 100k + key-cache-size: 100k + neg-cache-size: 10k + + # gentle on recursion + target-fetch-policy: "2 1 0 0 0 0" + harden-large-queries: yes + harden-short-bufsize: yes + + # Enable a trust anchor and modules "validator iterator." However, Unbound + # RFC5011 "auto-trust-anchor-" activity can be busy and harmful to flash ROM. + # "/etc/unbound" (directory & files) needs chown for write access. Else, use + # plain "trust-anchor-" to treat the key file as static. + #module-config: "validator iterator" + #auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" + #trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" + + # DNSSEC needs real time to validate signatures. If your device does not + # have power off clock (reboot), then you may need this work around. + #domain-insecure: "pool.ntp.org" + +############################################################################## +# Resume Stock example.conf.in +############################################################################## + # print statistics to the log (for every thread) every N seconds. # Set to "" or 0 to disable. Default is disabled. # statistics-interval: 0