#
# Example configuration file.
#
-# See unbound.conf(5) man page, version 1.6.6.
+# See unbound.conf(5) man page, version 1.7.0.
#
# this is a comment.
# add a netblock specific override to a localzone, with zone type
# local-zone-override: "example.com" 192.0.2.0/24 refuse
- # service clients over TLS (on the TCP sockets), with plain DNS inside
- # the TLS stream. Give the certificate to use and private key.
+ # service clients over SSL (on the TCP sockets), with plain DNS inside
+ # the SSL stream. Give the certificate to use and private key.
# default is "" (disabled). requires restart to take effect.
# tls-service-key: "path/to/privatekeyfile.key"
# tls-service-pem: "path/to/publiccertfile.pem"
# tls-port: 853
- # request upstream over TLS (with plain DNS inside the TLS stream).
+ # request upstream over SSL (with plain DNS inside the SSL stream).
# Default is no. Can be turned on and off with unbound-control.
# tls-upstream: no
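Review bot: The two comment blocks changed here now say "SSL" while the options they document, a few lines below each, are spelled tls-service-key, tls-service-pem, tls-port and tls-upstream. An operator reading the sample file sees two names for one feature. Suggest keeping "TLS" in both comments so the prose matches the option names, for example "# service clients over TLS (on the TCP sockets), with plain DNS inside".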
-.TH "unbound.conf" "5" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
+.TH "unbound.conf" "5" "Mar 15, 2018" "NLnet Labs" "unbound 1.7.0"
.\"
.\" unbound.conf.5 -- unbound.conf manual
.\"
.B ip\-transparent: \fI<yes or no>
If yes, then use IP_TRANSPARENT socket option on sockets where unbound
is listening for incoming traffic. Default no. Allows you to bind to
-non\-local interfaces. For example for non\-existent IP addresses that
+non\-local interfaces. For example for non\-existant IP addresses that
are going to exist later on, with host failover configuration. This is
a lot like interface\-automatic, but that one services all interfaces
and with this option you can select which (future) interfaces unbound
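Review bot: Spelling regression in the ip-transparent paragraph: the added line reads "non\-existant IP addresses", where the removed line had the correct "non\-existent". Suggest keeping the original spelling, since this is the only change in the hunk.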
but use udp to fetch data upstream.
.TP
.B tls\-upstream: \fI<yes or no>
-Enabled or disable whether the upstream queries use TLS only for transport.
-Default is no. Useful in tunneling scenarios. The TLS contains plain DNS in
+Enabled or disable whether the upstream queries use SSL only for transport.
+Default is no. Useful in tunneling scenarios. The SSL contains plain DNS in
TCP wireformat. The other server must support this (see
\fBtls\-service\-key\fR).
.TP
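Review bot: Wording in the tls-upstream entry: "Enabled or disable" is carried over unchanged and should read "Enable or disable". The new sentence "The SSL contains plain DNS in TCP wireformat" also reads worse than the removed one. If the lines are being touched anyway, suggest "Enable or disable whether the upstream queries use TLS only for transport" and "The TLS stream contains plain DNS in TCP wireformat", which also keeps the text aligned with the option name.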
file the last is used.
.TP
.B tls\-service\-key: \fI<file>
-If enabled, the server provider TLS service on its TCP sockets. The clients
+If enabled, the server provider SSL service on its TCP sockets. The clients
have to use tls\-upstream: yes. The file is the private key for the TLS
session. The public certificate is in the tls\-service\-pem file. Default
is "", turned off. Requires a restart (a reload is not enough) if changed,
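Review bot: The tls-service-key paragraph is now internally inconsistent: the added first sentence says "SSL service" while the unchanged next sentence still says "private key for the TLS session". Pick one term for the whole paragraph; TLS matches the option name and the cross-reference to tls-upstream. The same line also has "the server provider", which should be "the server provides".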
Alternate syntax for \fBtls\-service\-pem\fR.
.TP
.B tls\-port: \fI<number>
-The port number on which to provide TCP TLS service, default 853, only
-interfaces configured with that port number as @number get the TLS service.
+The port number on which to provide TCP SSL service, default 853, only
+interfaces configured with that port number as @number get the SSL service.
.TP
.B ssl\-port: \fI<number>
Alternate syntax for \fBtls\-port\fR.
.B aggressive\-nsec: \fI<yes or no>
Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
and other denials, using information from previous NXDOMAINs answers.
-Default is no. It helps to reduce the query rate towards targets that get
-a very high nonexistent name lookup rate.
+Default is off. It helps to reduce the query rate towards targets that get
+a very high nonexistant name lookup rate.
.TP
.B private\-address: \fI<IP address or subnet>
Give IPv4 of IPv6 addresses or classless subnets. These are addresses
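Review bot: In the aggressive-nsec entry the default is now given as "off", but the option is declared as "<yes or no>" and the other entries in this patch state "Default is no". A reader copying the documented default into a config would write a value the syntax line does not list. Suggest restoring "Default is no." The next line also introduces the misspelling "nonexistant", which should stay "nonexistent".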
clause are the declarations for the remote control facility. If this is
enabled, the \fIunbound\-control\fR(8) utility can be used to send
commands to the running unbound server. The server uses these clauses
-to setup TLSv1 security for the connection. The
+to setup SSLv3 / TLSv1 security for the connection. The
\fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR
section for options. To setup the correct self\-signed certificates use the
\fIunbound\-control\-setup\fR(8) utility.
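Review bot: The remote-control description now advertises "SSLv3 / TLSv1 security" for the control channel. SSLv3 is deprecated (RFC 7568), so documenting it as an accepted protocol for a management interface needs to be checked against what the code actually negotiates. If SSLv3 is not offered, drop it from the text; if it is, that is worth a separate fix rather than a documentation line. Either way, suggest the man page state the minimum protocol version the control connection enforces.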
The default is no.
.TP
.B stub\-tls\-upstream: \fI<yes or no>
-Enabled or disable whether the queries to this stub use TLS for transport.
+Enabled or disable whether the queries to this stub use SSL for transport.
Default is no.
.TP
.B stub\-ssl\-upstream: \fI<yes or no>
The default is no.
.TP
.B forward\-tls\-upstream: \fI<yes or no>
-Enabled or disable whether the queries to this forwarder use TLS for transport.
+Enabled or disable whether the queries to this forwarder use SSL for transport.
Default is no.
.TP
.B forward\-ssl\-upstream: \fI<yes or no>