Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

harden & prefetch unbound #4

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

harden & prefetch unbound #4

wants to merge 1 commit into from

Conversation

4-FLOSS-Free-Libre-Open-Source-Software
Copy link
Contributor

prefetch-key for dnssec

@4-FLOSS-Free-Libre-Open-Source-Software
harden & prefetch unbound
b3fbb78 
prefetch-key for dnssec
ryru
ryru reviewed Aug 8, 2019
View reviewed changes
Copy link
Collaborator

@ryru ryru left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for your suggestions!
Can you please elaborate what the benefits of the later two settings are?

unbound.conf Show resolved Hide resolved
unbound.conf
@@ -24,7 +24,10 @@ server:
do-daemonize: no

prefetch: yes
prefetch-key: yes
target-fetch-policy: "-1 -1 -1 -1 -1"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't quite understand the meaning of this setting. What is the benefit of setting it to "-1 -1 -1 -1 -1"?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this seems to remove limit on rule of how deep to go down with queries while prefetching

-1 == prefetch all

Recommended for enabling the latter:

If you enable it consider adding more numbers after the tar-get-fetch-policy to increase the max depth that is checked to.

unbound.conf
qname-minimisation: yes
harden-referral-path: yes
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is experimental. I have no experience with this setting and feel a bit uncomfortable setting it.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice to have benefits:

enforces DNSSEC validation on nameserver NS sets and the nameserver addresses

according to documentation and as far i understand this, it must be safe. Because just generating some more queries and additional validation for and is only disabled because more queries can produce a bit more load

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ryru ryru ryru left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@4-FLOSS-Free-Libre-Open-Source-Software @ryru