# The options configured in this file are supported by dnssec-trigger-script
# which is called due to various events in related services including
# dnssec-trigger and NetworkManager. As a result, dnssec-trigger-script,
# together with the dnssec-trigger daemon, reconfigures a running instance
# of Unbound, your local validating resolver.
#
# Changes in this file are typically applied on the next network change. To
# make them work immediately, restart the dnssec-trigger service. On many
# systems this is achieved by the following command:
#
# systemctl restart dnssec-triggerd
#
# To achieve a clean state of Unbound, you can just restart the unbound
# service and dnssec-trigger gets restarted automatically. Note that some
# other services like VPN clients may have reconfigured unbound at runtime
# and thus may need to be restarted as well.
#
# systemctl restart unbound
#
# In future some of the options may be interpretted by other services as well,
# so be careful to restart all of them. One such service may be a future
# version of NetworkManager.
#
# systemctl restart NetworkManager
#
# validate_connection_provided_zones:
# -----------------------------------
# Ensures that foward zones provided by NetworkManager connections will be
# validated by Unbound.
#
# Security notes:
#
# - If this option is turned off, the network you're connecting to
# can provide you a list of spoofed domains e.g. via DHCP. Those domains
# are then configured as insecure forward zones in your local validating
# resolver, constituting a downgrade attack on DNSSEC validation.
#
# - See also security notes on the `add_wifi_provided_zones` option.
#
# validate_connection_provided_zones=no
#
# - Connection provided zones will be configured in Unbound as secure forward
# zones, validated using DNSSEC.
#
# If the DNS servers for such a connection are not capable of forwarding
# DNSSEC queries and responses or the local zone is required to be signed
# according to the global DNSSEC database, local resources will not be
# resolved correctly and will appear inaccessible.
#
# Many networks use fake top level domains which fail DNSSEC validation
# as there is no way to validate them at all. Do not use this strict
# option if you want to access resources on such networks.
#
# validate_connection_provided_zones=no
#
# - Connection provided zones will be configured in Unbound as insecure
# forward zones, not validated using DNSSEC. This allows you to access
# local resources on networks with non-compliant DNS servers as well
# as networks that hijack domains that are either not in the global DNS
# tree at all or are required to be signed.
#
# Turning this option off has security implications, See the security
# notice above.
#
validate_connection_provided_zones=no
# add_wifi_provided_zones:
# ------------------------
# Ensures that wifi provided zones are accepted by dnssec-trigger-script just
# as any other connection provided zones. Wireless ethernet is special in
# that you often connect to network with no authentication or authentication
# based on a shared secret.
#
# Security notes:
#
# - Anyone knowing such a shared secret can set up an access point for the
# network and provide you a spoofed domain list via DHCP. When this option
# is turned on, the spoofed domains are configured as forward zones in your
# local validating resolver.
#
# - See also security notes on the `validate_connection_provided_zones` option.
#
# add_wifi_provided_zones=yes
#
# - Domains provided by WiFi connections will be configured as forward zones
# in your local validating resolver. See the security notice above.
#
# add_wifi_provided_zones=no
#
# - Domains provided by WiFi connection will be ignored.
#
add_wifi_provided_zones=no
# set_search_domains:
# -------------------
# Enable or disable writing of search domains to `/etc/resolv.conf`.
#
# set_search_domains=yes - Search domains are written to `/etc/resolv.conf`.
#
# set_search_domains=no - Search domains are not written to `/etc/resolv.conf`.
#
set_search_domains=no
# use_private_address_ranges:
# ---------------------------
# Enable or disable adding reverse name resolution zones derived from
# private IP addresses as defined in RFC 1918 and RFC 4193.
#
# use_private_address_ranges=yes - Use standard private IP address ranges to build
# reverse name resolution zones using the global
# forwarders.
#
# use_private_address_ranges=no - Ignore standard IP address ranges.
use_private_address_ranges=yes