You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

81 lines
2.7 KiB

diff --git a/doc/example.conf.in b/doc/example.conf.in
index be83bda..7317b23 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -15,6 +15,76 @@ server:
# verbosity number, 0 is least verbose. 1 is default.
verbosity: 1
+ ############################################################################
+ # MEMORY CONTROL EXAMPLE
+ # In the example config settings below memory usage is reduced. Some ser-
+ # vice levels are lower, notable very large data and a high TCP load are
+ # no longer supported ... are exceptional for the DNS.
+ # (http://unbound.net/documentation/unbound.conf.html)
+ ############################################################################
+
+ # Self jail Unbound with user "unbound" to /var/lib/unbound
+ # The script /etc/init.d/unbound will setup the location
+ username: "unbound"
+ directory: "/var/lib/unbound"
+ chroot: "/var/lib/unbound"
+
+ # The pid file is created before privleges drop so no concern
+ pidfile: "/var/run/unbound.pid"
+
+ # no threads and no memory slabs for threads
+ num-threads: 1
+ msg-cache-slabs: 1
+ rrset-cache-slabs: 1
+ infra-cache-slabs: 1
+ key-cache-slabs: 1
+
+ # don't be picky about interfaces but consider your firewall
+ interface: 0.0.0.0
+ interface: ::0
+ access-control: 0.0.0.0/0 allow
+ access-control: ::0/0 allow
+
+ # this limits TCP service but uses less buffers
+ outgoing-num-tcp: 1
+ incoming-num-tcp: 1
+
+ # use somewhat higher port numbers versus possible NAT issue
+ outgoing-port-permit: "10240-65335"
+
+ # uses less memory but less performance
+ outgoing-range: 60
+ num-queries-per-thread: 30
+
+ # exclude large responses
+ msg-buffer-size: 8192
+
+ # tiny memory cache
+ infra-cache-numhosts: 200
+ msg-cache-size: 100k
+ rrset-cache-size: 100k
+ key-cache-size: 100k
+ neg-cache-size: 10k
+
+ # gentle on recursion
+ target-fetch-policy: "2 1 0 0 0 0"
+ harden-large-queries: yes
+ harden-short-bufsize: yes
+
+ # DNSSEC enable by removing comments on "module-config:" and "auto-trust-
+ # -anchor-file:" The init script will copy root key to /var/lib/unbound.
+ # See package documentation for crontab entry to copy RFC5011 results back.
+ #module-config: "validator iterator"
+ #auto-trust-anchor-file: "/var/lib/unbound/root.key"
+
+ # DNSSEC needs real time to validate signatures. If your device does not
+ # have power off clock (reboot), then you may need this work around.
+ #domain-insecure: "pool.ntp.org"
+
+ ############################################################################
+ # Resume Stock example.conf.in
+ ############################################################################
+
# print statistics to the log (for every thread) every N seconds.
# Set to "" or 0 to disable. Default is disabled.
# statistics-interval: 0