unbound: update to 1.6.7
[feed/packages.git] / net / unbound / patches / 001-conf.patch
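--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -1,9 +1,10 @@
-#
-# Example configuration file.
-#
-# See unbound.conf(5) man page, version 1.6.7.
-#
-# this is a comment.
+##############################################################################
+# MEMORY CONTROL EXAMPLE
+# In the example config settings below memory usage is reduced. Some ser-
+# vice levels are lower, notable very large data and a high TCP load are
+# no longer supported ... are exceptional for the DNS.
+# (http://unbound.net/documentation/unbound.conf.html)
+##############################################################################
 
 #Use this to include other text into the file.
 #include: "otherfile.conf"
@@ -12,9 +13,71 @@
 server:
 # whitespace is not necessary, but looks cleaner.
 
- # verbosity number, 0 is least verbose. 1 is default.
+ # verbosity 1 is default
 verbosity: 1
 
+ # Self jail Unbound with user "unbound" to /var/lib/unbound
+ # The script /etc/init.d/unbound will setup the location
+ username: "unbound"
+ directory: "/var/lib/unbound"
+ chroot: "/var/lib/unbound"
+
+ # The pid file is created before privleges drop so no concern
+ pidfile: "/var/run/unbound.pid"
+
+ # no threads and no memory slabs for threads
+ num-threads: 1
+ msg-cache-slabs: 1
+ rrset-cache-slabs: 1
+ infra-cache-slabs: 1
+ key-cache-slabs: 1
+
+ # don't be picky about interfaces but consider your firewall
+ interface: 0.0.0.0
+ interface: ::0
+ access-control: 0.0.0.0/0 allow
+ access-control: ::0/0 allow
+
+ # this limits TCP service but uses less buffers
+ outgoing-num-tcp: 1
+ incoming-num-tcp: 1
+
+ # use somewhat higher port numbers versus possible NAT issue
+ outgoing-port-permit: "10240-65335"
+
+ # uses less memory but less performance
+ outgoing-range: 60
+ num-queries-per-thread: 30
+
+ # exclude large responses
+ msg-buffer-size: 8192
+
+ # tiny memory cache
+ infra-cache-numhosts: 200
+ msg-cache-size: 100k
+ rrset-cache-size: 100k
+ key-cache-size: 100k
+ neg-cache-size: 10k
+
+ # gentle on recursion
+ target-fetch-policy: "2 1 0 0 0 0"
+ harden-large-queries: yes
+ harden-short-bufsize: yes
+
+ # DNSSEC enable by removing comments on "module-config:" and "auto-trust-
+ # -anchor-file:" The init script will copy root key to /var/lib/unbound.
+ # See package documentation for crontab entry to copy RFC5011 results back.
+ #module-config: "validator iterator"
+ #auto-trust-anchor-file: "/var/lib/unbound/root.key"
+
+ # DNSSEC needs real time to validate signatures. If your device does not
+ # have power off clock (reboot), then you may need this work around.
+ #domain-insecure: "pool.ntp.org"
+
+##############################################################################
+# Resume Stock example.conf.in
+##############################################################################
+
 # print statistics to the log (for every thread) every N seconds.
 # Set to "" or 0 to disable. Default is disabled.
 # statistics-interval: 0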
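Review bot: The added `access-control: 0.0.0.0/0 allow` and `access-control: ::0/0 allow`, combined with `interface: 0.0.0.0` and `interface: ::0`, make the shipped default an open recursive resolver whenever port 53 is reachable from an untrusted network. The comment defers this to the firewall, so one missing or reordered firewall rule exposes recursion to the internet (amplification reflection, cache snooping). Unbound refuses non-local clients unless told otherwise, so I would allow only loopback and the private, ULA and link-local prefixes, as in the block below, and let installations widen that deliberately. Separately, `outgoing-port-permit: "10240-65335"` looks like a typo for `65535`, and the comment above `pidfile:` misspells "privileges". The `server:` clause continues past the end of this hunk.

```conf
# ... unchanged: verbosity, username/directory/chroot, pidfile, thread and slab settings ...
interface: 0.0.0.0
interface: ::0
# answer recursion only for local and private-range clients; everything
# else falls through to Unbound's default "refuse"
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/8 allow
access-control: 172.16.0.0/12 allow
access-control: 192.168.0.0/16 allow
access-control: ::1 allow
access-control: fc00::/7 allow
access-control: fe80::/10 allow
# ... unchanged: TCP limits, port range, cache sizes, hardening, DNSSEC comments ...
```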