# The options configured in this file are supported by dnssec-trigger-script
# which is called due to various events in related services including
# dnssec-trigger and NetworkManager. As a result, dnssec-trigger-script,
# together with the dnssec-trigger daemon, reconfigures a running instance
# of Unbound, your local validating resolver.
#
# Changes in this file are typically applied on the next network change. To
# make them work immediately, restart the dnssec-trigger service. On many
# systems this is achieved by the following command:
#
#   systemctl restart dnssec-triggerd
#
# To achieve a clean state of Unbound, you can just restart the unbound
# service and dnssec-trigger gets restarted automatically. Note that some
# other services like VPN clients may have reconfigured Unbound at runtime
# and thus may need to be restarted as well.
#
#   systemctl restart unbound
#
# In the future some of the options may be interpreted by other services as
# well, so be careful to restart all of them. One such service may be a future
# version of NetworkManager.
#
#   systemctl restart NetworkManager
#

# validate_connection_provided_zones:
# -----------------------------------
# Ensures that forward zones provided by NetworkManager connections will be
# validated by Unbound.
#
# Security notes:
#
#   - If this option is turned off, the network you're connecting to
#     can provide you a list of spoofed domains e.g. via DHCP. Those domains
#     are then configured as insecure forward zones in your local validating
#     resolver, constituting a downgrade attack on DNSSEC validation.
#
#   - See also security notes on the `add_wifi_provided_zones` option.
#
# validate_connection_provided_zones=yes
#
#   - Connection provided zones will be configured in Unbound as secure forward
#     zones, validated using DNSSEC.
#
#     If the DNS servers for such a connection are not capable of forwarding
#     DNSSEC queries and responses or the local zone is required to be signed
#     according to the global DNSSEC database, local resources will not be
#     resolved correctly and will appear inaccessible.
#
#     Many networks use fake top level domains which fail DNSSEC validation
#     as there is no way to validate them at all. Do not use this strict
#     option if you want to access resources on such networks.
#
# validate_connection_provided_zones=no
#
#   - Connection provided zones will be configured in Unbound as insecure
#     forward zones, not validated using DNSSEC. This allows you to access
#     local resources on networks with non-compliant DNS servers as well
#     as networks that hijack domains that are either not in the global DNS
#     tree at all or are required to be signed.
#
#     Turning this option off has security implications. See the security
#     notes above.
#
validate_connection_provided_zones=no

# add_wifi_provided_zones:
# ------------------------
# Ensures that wifi provided zones are accepted by dnssec-trigger-script just
# as any other connection provided zones. Wireless ethernet is special in
# that you often connect to a network with no authentication or authentication
# based on a shared secret.
#
# Security notes:
#
#   - Anyone knowing such a shared secret can set up an access point for the
#     network and provide you a spoofed domain list via DHCP. When this option
#     is turned on, the spoofed domains are configured as forward zones in your
#     local validating resolver.
#
#   - See also security notes on the `validate_connection_provided_zones` option.
#
# add_wifi_provided_zones=yes
#
#   - Domains provided by WiFi connections will be configured as forward zones
#     in your local validating resolver. See the security notice above.
#
# add_wifi_provided_zones=no
#
#   - Domains provided by WiFi connections will be ignored.
#
add_wifi_provided_zones=no

# set_search_domains:
# -------------------
# Enable or disable writing of search domains to `/etc/resolv.conf`.
#
# set_search_domains=yes - Search domains are written to `/etc/resolv.conf`.
#
# set_search_domains=no  - Search domains are not written to `/etc/resolv.conf`.
#
set_search_domains=no

# use_private_address_ranges:
# ---------------------------
# Enable or disable adding reverse name resolution zones derived from
# private IP addresses as defined in RFC 1918 and RFC 4193.
#
# use_private_address_ranges=yes - Use standard private IP address ranges to build
#                                  reverse name resolution zones using the global
#                                  forwarders.
#
# use_private_address_ranges=no  - Ignore standard private IP address ranges.
#
use_private_address_ranges=yes
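The following is an added illustration, not dnssec-trigger-script's own code, of how the options in this file shape what is pushed into Unbound: the WiFi and validation gates on connection-provided forward zones described under `validate_connection_provided_zones` and `add_wifi_provided_zones`, and the reverse zones derived from the RFC 1918 / RFC 4193 ranges described under `use_private_address_ranges`. It assumes Unbound's `unbound-control forward_add [+i] zone addr...` form, where `+i` marks the zone insecure; the key=value parser and the sample configuration are constructed for the demo.

```python
import ipaddress

# Constructed sample in this file's own key=value format (not the live file).
SAMPLE_CONF = """# comments are ignored
validate_connection_provided_zones=no
add_wifi_provided_zones=no
use_private_address_ranges=yes
"""
# RFC 1918 (IPv4) and RFC 4193 (IPv6) private ranges named by the option text.
PRIVATE_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")

def parse_conf(text):
    """Read key=value lines; blank lines and '#' comments are skipped (assumed)."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def reverse_zones(ranges=PRIVATE_RANGES):
    """Reverse zones covering the private ranges (use_private_address_ranges=yes)."""
    zones = []
    for cidr in ranges:
        net = ipaddress.ip_network(cidr)
        # A zone must end on a label boundary: 8 bits per IPv4 octet, 4 per IPv6
        # nibble, so 172.16.0.0/12 yields 16 /16 zones and fc00::/7 two /8 zones.
        bits = 8 if net.version == 4 else 4
        boundary = -(-net.prefixlen // bits) * bits
        for sub in net.subnets(new_prefix=boundary):
            addr = sub.network_address
            if net.version == 4:
                labels = str(addr).split(".")[: boundary // 8]
                zones.append(".".join(reversed(labels)) + ".in-addr.arpa")
            else:
                nibbles = addr.exploded.replace(":", "")[: boundary // 4]
                zones.append(".".join(reversed(nibbles)) + ".ip6.arpa")
    return zones

def forward_zone_commands(zones, servers, wifi, cfg):
    """unbound-control commands for one connection's DHCP-provided zones."""
    # WiFi-provided zones are ignored unless add_wifi_provided_zones=yes.
    if wifi and cfg.get("add_wifi_provided_zones") != "yes":
        return []
    # validate_connection_provided_zones=no adds the zone with '+i': Unbound then
    # treats it as insecure and skips DNSSEC validation (the downgrade in the notes).
    flag = [] if cfg.get("validate_connection_provided_zones") == "yes" else ["+i"]
    return [" ".join(["forward_add", *flag, zone, *servers]) for zone in zones]
```

With the sample configuration, a wired connection offering `corp.example` yields `forward_add +i corp.example 192.0.2.53`, while the same zone offered over WiFi is dropped.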