# /etc/unbound/unbound.conf : unbound conf. file for cantal
#
# Last edition : 2025-07-17
# Last editor  : @Campanu
#
# As configured here: a DNSSEC-validating recursive resolver that starts
# from the root hints and answers loopback clients only.

server:
    # ---- Modules --------------------------------------------------------
    # Validator in front of the iterator: answers are DNSSEC-validated.
    module-config: "validator iterator"

    # ---- General --------------------------------------------------------
    # Fork into the background.
    do-daemonize: yes

    # Bind to loopback only (IPv4 and IPv6), standard DNS port.
    interface: 127.0.0.1
    interface: ::1
    port: 53

    # Only loopback clients may query; this matches the listening sockets
    # above, so the resolver is not reachable from the network.
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow

    # Transports: IPv4 and IPv6, UDP and TCP; IPv6 preferred for upstream
    # queries. EDNS TCP keepalive is offered to clients.
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    prefer-ip6: yes
    edns-tcp-keepalive: yes

    # Root server hints used to prime recursion.
    root-hints: "/etc/unbound/root.hints"

    # ---- Security & privacy ---------------------------------------------
    # Refuse to validate with a weaker algorithm when the DS set
    # advertises several.
    harden-algo-downgrade: yes
    # Trust glue only when it lies within the server's authority.
    harden-glue: yes
    # Do not answer id.server / version.bind style queries.
    hide-identity: yes
    hide-version: yes
    # Send upstream servers only the labels they need (query name
    # minimisation).
    qname-minimisation: yes
    # Strip unsigned data from the additional section of secure messages.
    val-clean-additional: yes

    # ---- DNSSEC ---------------------------------------------------------
    # NXDOMAIN for a name also covers the names below it.
    harden-below-nxdomain: yes
    # A trust-anchored zone that comes back without DNSSEC data is treated
    # as bogus, not as insecure.
    harden-dnssec-stripped: yes
    # Root trust anchor, maintained automatically; the file (and its
    # directory) must be writable by the user Unbound runs as.
    auto-trust-anchor-file: "/etc/unbound/dnssec/root.key"
    # 0x20 case randomisation of query names is kept off; the stated reason
    # is avoiding DNSSEC issues. With it off, resistance to off-path
    # spoofing rests on port/ID randomisation and on validation.
    use-caps-for-id: no
    # RFC 8198: synthesise negative answers from validated NSEC records.
    aggressive-nsec: yes

    # ---- Tweaks ---------------------------------------------------------
    num-threads: 2
    so-reuseport: yes
    # Larger socket buffers.
    # NOTE(review): on Linux these may be capped by net.core.rmem_max /
    # net.core.wmem_max -- confirm the sysctls allow 4m.
    so-rcvbuf: 4m
    so-sndbuf: 4m
    # Refresh popular entries, and fetch DNSKEYs early, before expiry.
    prefetch: yes
    prefetch-key: yes
    # Once this many unwanted replies are counted in a thread, Unbound logs
    # a warning and clears its caches as a defence against poisoning.
    unwanted-reply-threshold: 10000

    # ---- Cache & memory -------------------------------------------------
    # Slab counts are powers of two, here equal to num-threads.
    msg-cache-slabs: 2
    rrset-cache-slabs: 2
    infra-cache-slabs: 2
    key-cache-slabs: 2
    neg-cache-size: 4m
    key-cache-size: 16m
    msg-cache-size: 64m
    rrset-cache-size: 128m
    infra-cache-numhosts: 100000

    # TTL clamp, in seconds: nothing is cached for less than one minute or
    # for more than one day.
    cache-min-ttl: 60
    cache-max-ttl: 86400

    # ---- RFC 8914: Extended DNS Errors ----------------------------------
    # Attach extended error codes to responses, including on stale answers.
    ede: yes
    ede-serve-expired: yes

    # ---- RFC 8767: Serving Stale Data -----------------------------------
    # Expired records may be served for up to one day past expiry, with a
    # 30 s TTL on the reply, and only after a fresh lookup has not
    # completed within 1800 ms.
    serve-expired: yes
    serve-expired-ttl: 86400
    serve-expired-ttl-reset: no
    serve-expired-reply-ttl: 30
    serve-expired-client-timeout: 1800

    # ---- Logging --------------------------------------------------------
    # NOTE(review): if this build runs chrooted, confirm the log path
    # resolves inside the chroot and is writable by the Unbound user.
    logfile: "/var/log/unbound.log"
    verbosity: 1
    log-time-ascii: yes
    # No per-query or per-reply logging: client lookups are not recorded.
    log-queries: no
    log-replies: no
    # SERVFAIL reasons and local-zone actions are not logged either; when
    # investigating validation failures, log-servfail or val-log-level can
    # be turned on temporarily.
    log-servfail: no
    log-local-actions: no

# unbound-control interface is disabled.
remote-control:
    control-enable: no