Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
unbound.conf(5)			unbound	1.13.0		       unbound.conf(5)

NAME
       unbound.conf - Unbound configuration file.

SYNOPSIS
       unbound.conf

DESCRIPTION
       unbound.conf  is	used to	configure unbound(8).  The file	format has at-
       tributes	and values. Some attributes have attributes inside them.   The
       notation	is: attribute: value.

       Comments	 start with # and last to the end of line. Empty lines are ig-
       nored as	is whitespace at the beginning of a line.

       The utility unbound-checkconf(8)	can  be	 used  to  check  unbound.conf
       prior to	usage.

EXAMPLE
       An  example  config  file is shown below. Copy this to /etc/unbound/un-
       bound.conf and start the	server with:

	    $ unbound -c /etc/unbound/unbound.conf

       Most settings are the defaults. Stop the	server with:

	    $ kill `cat	/etc/unbound/unbound.pid`

       Below is	a minimal config file. The source distribution contains	an ex-
       tensive example.conf file with all the options.

       # unbound.conf(5) config	file for unbound(8).
       server:
	    directory: "/etc/unbound"
	    username: unbound
	    # make sure	unbound	can access entropy from	inside the chroot.
	    # e.g. on linux the	use these commands (on BSD, devfs(8) is	used):
	    #	   mount --bind	-n /dev/urandom	/etc/unbound/dev/urandom
	    # and  mount --bind	-n /dev/log /etc/unbound/dev/log
	    chroot: "/etc/unbound"
	    # logfile: "/etc/unbound/unbound.log"  #uncomment to use logfile.
	    pidfile: "/etc/unbound/unbound.pid"
	    # verbosity: 1	# uncomment and	increase to get	more logging.
	    # listen on	all interfaces,	answer queries from the	local subnet.
	    interface: 0.0.0.0
	    interface: ::0
	    access-control: 10.0.0.0/8 allow
	    access-control: 2001:DB8::/64 allow

FILE FORMAT
       There must be whitespace	between	keywords.  Attribute keywords end with
       a colon ':'.  An	attribute is followed by a value,  or  its  containing
       attributes in which case	it is referred to as a clause.	Clauses	can be
       repeated	throughout the file (or	included files)	 to  group  attributes
       under the same clause.

       Files  can be included using the	include: directive. It can appear any-
       where, it accepts a single file name as argument.  Processing continues
       as  if  the text	from the included file was copied into the config file
       at that point.  If also using chroot, using full	path names for the in-
       cluded  files  works, relative pathnames	for the	included names work if
       the directory where the daemon is started equals	its chroot/working di-
       rectory	or  is	specified before the include statement with directory:
       dir.  Wildcards can be used to include multiple files, see glob(7).

       For a more structural include option, the  include-toplevel:  directive
       can  be used.  This closes whatever clause is currently active (if any)
       and forces the use of clauses in	the included  files  and  right	 after
       this directive.

   Server Options
       These options are part of the server: clause.

       verbosity: _number_
	      The  verbosity  number, level 0 means no verbosity, only errors.
	      Level 1 gives operational	information. Level  2  gives  detailed
	      operational  information.	Level 3	gives query level information,
	      output per query.	 Level 4 gives	algorithm  level  information.
	      Level 5 logs client identification for cache misses.  Default is
	      level 1.	The verbosity can also be increased from the  command-
	      line, see	unbound(8).

       statistics-interval: _seconds_
	      The number of seconds between printing statistics	to the log for
	      every thread.  Disable with value	0 or "". Default is  disabled.
	      The  histogram  statistics are only printed if replies were sent
	      during  the  statistics  interval,  requestlist  statistics  are
	      printed  for every interval (but can be 0).  This	is because the
	      median calculation requires data to be present.

       statistics-cumulative: _yes or no_
	      If enabled, statistics are cumulative  since  starting  unbound,
	      without  clearing	the statistics counters	after logging the sta-
	      tistics. Default is no.

       extended-statistics: _yes or no_
	      If enabled, extended statistics are  printed  from  unbound-con-
	      trol(8).	 Default is off, because keeping track of more statis-
	      tics takes time.	The counters are listed	in unbound-control(8).

       num-threads: _number_
	      The number of threads to create to serve clients.	Use 1  for  no
	      threading.

       port: _port number_
	      The  port	 number,  default  53, on which	the server responds to
	      queries.

       interface: _ip address[@port]_
	      Interface	to use to connect to the network.  This	 interface  is
	      listened to for queries from clients, and	answers	to clients are
	      given from it.  Can be given multiple times to work  on  several
	      interfaces. If none are given the	default	is to listen to	local-
	      host.  If	an interface name is used instead of  an  ip  address,
	      the list of ip addresses on that interface are used.  The	inter-
	      faces are	not changed on	a  reload  (kill  -HUP)	 but  only  on
	      restart.	 A  port  number  can be specified with	@port (without
	      spaces between interface and port	number), if not	specified  the
	      default port (from port) is used.

       ip-address: _ip address[@port]_
	      Same as interface: (for ease of compatibility with nsd.conf).

       interface-automatic: _yes or no_
	      Listen  on all addresses on all (current and future) interfaces,
	      detect the source	interface on UDP  queries  and	copy  them  to
	      replies.	 This  is  a  lot like ip-transparent, but this	option
	      services all interfaces whilst with ip-transparent you  can  se-
	      lect  which  (future)  interfaces	 unbound  provides service on.
	      This feature is experimental, and	needs support in your  OS  for
	      particular socket	options.  Default value	is no.

       outgoing-interface: _ip address or ip6 netblock_
	      Interface	 to  use  to connect to	the network. This interface is
	      used to send queries to authoritative servers and	receive	 their
	      replies.	Can  be	given multiple times to	work on	several	inter-
	      faces. If	none are given the default  (all)  is  used.  You  can
	      specify  the  same  interfaces in	interface: and outgoing-inter-
	      face: lines, the interfaces are then  used  for  both  purposes.
	      Outgoing	queries	 are  sent  via	a random outgoing interface to
	      counter spoofing.

	      If an IPv6 netblock is specified instead of an  individual  IPv6
	      address,	outgoing  UDP queries will use a randomised source ad-
	      dress taken from the netblock to counter spoofing. Requires  the
	      IPv6  netblock to	be routed to the host running unbound, and re-
	      quires OS	support	for unprivileged  non-local  binds  (currently
	      only  supported  on  Linux).  Several netblocks may be specified
	      with multiple outgoing-interface:	options, but  do  not  specify
	      both  an	individual  IPv6  address and an IPv6 netblock,	or the
	      randomisation will be compromised.  Consider combining with pre-
	      fer-ip6:	yes to increase	the likelihood of IPv6 nameservers be-
	      ing selected for queries.	 On Linux you need these two  commands
	      to  be able to use the freebind socket option to receive traffic
	      for the ip6 netblock: ip -6 addr add mynetblock/64 dev lo	&&  ip
	      -6 route add local mynetblock/64 dev lo

       outgoing-range: _number_
	      Number  of ports to open.	This number of file descriptors	can be
	      opened per thread. Must be at least 1. Default depends  on  com-
	      pile options. Larger numbers need	extra resources	from the oper-
	      ating system.  For performance a very large value	is  best,  use
	      libevent to make this possible.

       outgoing-port-permit: _port number or range_
	      Permit  unbound  to  open	this port or range of ports for	use to
	      send queries.  A larger number of	permitted outgoing  ports  in-
	      creases  resilience  against  spoofing attempts. Make sure these
	      ports are	not needed by other daemons.  By  default  only	 ports
	      above 1024 that have not been assigned by	IANA are used.	Give a
	      port number or a range of	the form "low-high", without spaces.

	      The outgoing-port-permit and outgoing-port-avoid statements  are
	      processed	 in the	line order of the config file, adding the per-
	      mitted ports and subtracting the avoided ports from the  set  of
	      allowed  ports.	The  processing	starts with the	non IANA allo-
	      cated ports above	1024 in	the set	of allowed ports.

       outgoing-port-avoid: _port number or range_
	      Do not permit unbound to open this port or range	of  ports  for
	      use to send queries. Use this to make sure unbound does not grab
	      a	port that another daemon needs.	The port  is  avoided  on  all
	      outgoing	interfaces,  both  IP4 and IP6.	 By default only ports
	      above 1024 that have not been assigned by	IANA are used.	Give a
	      port number or a range of	the form "low-high", without spaces.

       outgoing-num-tcp: _number_
	      Number  of  outgoing TCP buffers to allocate per thread. Default
	      is 10. If	set to 0, or if	do-tcp is "no",	no TCP queries to  au-
	      thoritative servers are done.  For larger	installations increas-
	      ing this value is	a good idea.

       incoming-num-tcp: _number_
	      Number of	incoming TCP buffers to	allocate per  thread.  Default
	      is  10.  If  set to 0, or	if do-tcp is "no", no TCP queries from
	      clients are accepted. For	larger installations  increasing  this
	      value is a good idea.

       edns-buffer-size: _number_
	      Number  of bytes size to advertise as the	EDNS reassembly	buffer
	      size.  This is the value put into	 datagrams  over  UDP  towards
	      peers.   The actual buffer size is determined by msg-buffer-size
	      (both for	TCP and	UDP).  Do not set higher than that value.  De-
	      fault  is	 1232  which  is the DNS Flag Day 2020 recommendation.
	      Setting to 512 bypasses even the most stringent path  MTU	 prob-
	      lems,  but  is seen as extreme, since the	amount of TCP fallback
	      generated	is excessive (probably also for	 this  resolver,  con-
	      sider tuning the outgoing	tcp number).

       max-udp-size: _number_
	      Maximum  UDP response size (not applied to TCP response).	 65536
	      disables the udp response	size maximum, and uses the choice from
	      the  client,  always.  Suggested values are 512 to 4096. Default
	      is 4096.

       stream-wait-size: _number_
	      Number of	bytes size maximum to use for waiting stream  buffers.
	      Default is 4 megabytes.  A plain number is in bytes, append 'k',
	      'm' or 'g' for  kilobytes,  megabytes  or	 gigabytes  (1024*1024
	      bytes  in	a megabyte).  As TCP and TLS streams queue up multiple
	      results, the amount of memory used for these  buffers  does  not
	      exceed  this  number, otherwise the responses are	dropped.  This
	      manages the total	memory usage of	the server (under heavy	 use),
	      the  number  of requests that can	be queued up per connection is
	      also limited, with further requests waiting in TCP buffers.

       msg-buffer-size:	_number_
	      Number of	bytes size of the message buffers.  Default  is	 65552
	      bytes,  enough  for 64 Kb	packets, the maximum DNS message size.
	      No message larger	than this can be sent or received. Can be  re-
	      duced  to	 use less memory, but some requests for	DNS data, such
	      as for huge resource records, will result	in a SERVFAIL reply to
	      the client.

       msg-cache-size: _number_
	      Number  of  bytes	 size  of  the	message	 cache.	 Default  is 4
	      megabytes.  A plain number is in bytes, append 'k', 'm'  or  'g'
	      for  kilobytes,  megabytes  or  gigabytes	 (1024*1024 bytes in a
	      megabyte).

       msg-cache-slabs:	_number_
	      Number of	slabs in the message cache.  Slabs  reduce  lock  con-
	      tention  by  threads.   Must  be	set  to	 a power of 2. Setting
	      (close) to the number of cpus is a reasonable guess.

       num-queries-per-thread: _number_
	      The number of queries that every thread will service  simultane-
	      ously.   If  more	 queries  arrive  that	need servicing,	and no
	      queries can  be  jostled	out  (see  jostle-timeout),  then  the
	      queries  are  dropped.  This forces the client to	resend after a
	      timeout; allowing	the  server  time  to  work  on	 the  existing
	      queries. Default depends on compile options, 512 or 1024.

       jostle-timeout: _msec_
	      Timeout  used when the server is very busy.  Set to a value that
	      usually results in one roundtrip to the authority	 servers.   If
	      too  many	queries	arrive,	then 50% of the	queries	are allowed to
	      run to completion, and the other 50% are replaced	with  the  new
	      incoming	query  if  they	have already spent more	than their al-
	      lowed time.  This	protects against denial	 of  service  by  slow
	      queries or high query rates.  Default 200	milliseconds.  The ef-
	      fect is that the qps for long-lasting  queries  is  about	 (num-
	      queriesperthread	/  2)  /  (average time	for such long queries)
	      qps.  The	qps  for  short	 queries  can  be  about  (numqueries-
	      perthread	 /  2)	/  (jostletimeout  in  whole  seconds) qps per
	      thread, about (1024/2)*5 = 2560 qps by default.

       delay-close: _msec_
	      Extra delay for timeouted	UDP ports before they are  closed,  in
	      msec.   Default  is 0, and that disables it.  This prevents very
	      delayed answer packets from  the	upstream  (recursive)  servers
	      from  bouncing  against closed ports and setting off all sort of
	      close-port counters, with	eg. 1500 msec.	When  timeouts	happen
	      you  need	extra sockets, it checks the ID	and remote IP of pack-
	      ets, and unwanted	packets	 are  added  to	 the  unwanted	packet
	      counter.

       udp-connect: _yes or no_
	      Perform connect for UDP sockets that mitigates ICMP side channel
	      leakage.	Default	is yes.

       unknown-server-time-limit: _msec_
	      The wait time in msec for	waiting	for an unknown server  to  re-
	      ply.   Increase this if you are behind a slow satellite link, to
	      eg. 1128.	 That would then avoid re-querying every initial query
	      because it times out.  Default is	376 msec.

       so-rcvbuf: _number_
	      If  not 0, then set the SO_RCVBUF	socket option to get more buf-
	      fer space	on UDP port 53 incoming	queries.  So that short	spikes
	      on  busy	servers	 do  not  drop packets (see counter in netstat
	      -su).  Default is	0 (use system value).  Otherwise,  the	number
	      of  bytes	to ask for, try	"4m" on	a busy server.	The OS caps it
	      at a maximum, on linux unbound needs root	permission  to	bypass
	      the  limit,  or  the admin can use sysctl	net.core.rmem_max.  On
	      BSD change kern.ipc.maxsockbuf in	/etc/sysctl.conf.  On  OpenBSD
	      change header and	recompile kernel. On Solaris ndd -set /dev/udp
	      udp_max_buf 8388608.

       so-sndbuf: _number_
	      If not 0,	then set the SO_SNDBUF socket option to	get more  buf-
	      fer  space  on UDP port 53 outgoing queries.  This for very busy
	      servers handles spikes in	answer traffic,	otherwise  'send:  re-
	      source temporarily unavailable' can get logged, the buffer over-
	      run is also visible by netstat -su.  Default is  0  (use	system
	      value).	Specify	 the number of bytes to	ask for, try "4m" on a
	      very busy	server.	 The OS	caps it	at a maximum, on linux unbound
	      needs  root permission to	bypass the limit, or the admin can use
	      sysctl net.core.wmem_max.	 On BSD, Solaris changes  are  similar
	      to so-rcvbuf.

       so-reuseport: _yes or no_
	      If  yes,	then  open  dedicated  listening  sockets for incoming
	      queries for each thread and try to set the  SO_REUSEPORT	socket
	      option  on  each	socket.	  May  distribute  incoming queries to
	      threads more evenly.  Default is yes.  On	Linux it is  supported
	      in  kernels  >= 3.9.  On other systems, FreeBSD, OSX it may also
	      work.  You can enable it (on any platform	and kernel),  it  then
	      attempts to open the port	and passes the option if it was	avail-
	      able at compile time, if that works it is	used, if it fails,  it
	      continues	 silently (unless verbosity 3) without the option.  At
	      extreme load it could be better to turn it off to	distribute the
	      queries evenly, reported for Linux systems (4.4.x).

       ip-transparent: _yes or no_
	      If  yes,	then use IP_TRANSPARENT	socket option on sockets where
	      unbound is listening for incoming	traffic.  Default no.	Allows
	      you  to bind to non-local	interfaces.  For example for non-exis-
	      tent IP addresses	that are going to exist	later  on,  with  host
	      failover configuration.  This is a lot like interface-automatic,
	      but that one services all	interfaces and with  this  option  you
	      can  select  which  (future) interfaces unbound provides service
	      on.  This	option needs unbound to	be started with	 root  permis-
	      sions  on	 some  systems.	 The option uses IP_BINDANY on FreeBSD
	      systems and SO_BINDANY on	OpenBSD	systems.

       ip-freebind: _yes or no_
	      If yes, then use IP_FREEBIND socket option on sockets where  un-
	      bound is listening to incoming traffic.  Default no.  Allows you
	      to bind to IP addresses that are nonlocal	or do not exist,  like
	      when  the	 network interface or IP address is down.  Exists only
	      on Linux,	where the similar ip-transparent option	is also	avail-
	      able.

       ip-dscp:	_number_
	      The value	of the Differentiated Services Codepoint (DSCP)	in the
	      differentiated services field (DS) of  the  outgoing  IP	packet
	      headers.	 The  field replaces the outdated IPv4 Type-Of-Service
	      field and	the IPV6 traffic class field.

       rrset-cache-size: _number_
	      Number of	bytes size of the RRset	cache. Default is 4 megabytes.
	      A	 plain	number	is  in bytes, append 'k', 'm' or 'g' for kilo-
	      bytes, megabytes or gigabytes (1024*1024 bytes in	a megabyte).

       rrset-cache-slabs: _number_
	      Number of	slabs in the RRset cache. Slabs	reduce lock contention
	      by threads.  Must	be set to a power of 2.

       cache-max-ttl: _seconds_
	      Time  to	live maximum for RRsets	and messages in	the cache. De-
	      fault is 86400 seconds (1	day).  When the	TTL expires, the cache
	      item  has	 expired.   Can	 be set	lower to force the resolver to
	      query for	data often, and	not trust  (very  large)  TTL  values.
	      Downstream clients also see the lower TTL.

       cache-min-ttl: _seconds_
	      Time  to	live minimum for RRsets	and messages in	the cache. De-
	      fault is 0.  If the minimum kicks	in, the	 data  is  cached  for
	      longer than the domain owner intended, and thus less queries are
	      made to look up the data.	 Zero makes sure the data in the cache
	      is  as the domain	owner intended,	higher values, especially more
	      than an hour or so, can lead to trouble as the data in the cache
	      does not match up	with the actual	data any more.

       cache-max-negative-ttl: _seconds_
	      Time to live maximum for negative	responses, these have a	SOA in
	      the authority section that is limited in time.  Default is 3600.
	      This applies to nxdomain and nodata answers.

       infra-host-ttl: _seconds_
	      Time  to live for	entries	in the host cache. The host cache con-
	      tains roundtrip timing, lameness and EDNS	 support  information.
	      Default is 900.

       infra-cache-slabs: _number_
	      Number  of  slabs	in the infrastructure cache. Slabs reduce lock
	      contention by threads. Must be set to a power of 2.

       infra-cache-numhosts: _number_
	      Number of	hosts for which	 information  is  cached.  Default  is
	      10000.

       infra-cache-min-rtt: _msec_
	      Lower limit for dynamic retransmit timeout calculation in	infra-
	      structure	cache. Default is 50 milliseconds. Increase this value
	      if using forwarders needing more time to do recursive name reso-
	      lution.

       infra-keep-probing: _yes	or no_
	      If enabled the server keeps probing hosts	that are down, in  the
	      one  probe  at  a	 time  regime.	Default	is no.	Hosts that are
	      down, eg.	they did not respond during the	one probe  at  a  time
	      period,  are  marked as down and it may take infra-host-ttl time
	      to get probed again.

       define-tag: _"list of tags"_
	      Define the tags that can be used with local-zone and access-con-
	      trol.   Enclose  the list	between	quotes ("") and	put spaces be-
	      tween tags.

       do-ip4: _yes or no_
	      Enable or	disable	whether	ip4 queries are	 answered  or  issued.
	      Default is yes.

       do-ip6: _yes or no_
	      Enable  or  disable  whether ip6 queries are answered or issued.
	      Default is yes.  If disabled, queries are	not answered on	 IPv6,
	      and  queries  are	 not sent on IPv6 to the internet nameservers.
	      With this	option you can disable the ipv6	transport for  sending
	      DNS traffic, it does not impact the contents of the DNS traffic,
	      which may	have ip4 and ip6 addresses in it.

       prefer-ip4: _yes	or no_
	      If enabled, prefer IPv4 transport	for sending DNS	queries	to in-
	      ternet  nameservers. Default is no.  Useful if the IPv6 netblock
	      the server has, the entire /64 of	that is	not owned by one oper-
	      ator  and	 the reputation	of the netblock	/64 is an issue, using
	      IPv4 then	uses the IPv4 filters that the upstream	servers	have.

       prefer-ip6: _yes	or no_
	      If enabled, prefer IPv6 transport	for sending DNS	queries	to in-
	      ternet nameservers. Default is no.

       do-udp: _yes or no_
	      Enable  or  disable  whether UDP queries are answered or issued.
	      Default is yes.

       do-tcp: _yes or no_
	      Enable or	disable	whether	TCP queries are	 answered  or  issued.
	      Default is yes.

       tcp-mss:	_number_
	      Maximum segment size (MSS) of TCP	socket on which	the server re-
	      sponds to	queries. Value lower than common MSS on	Ethernet (1220
	      for  example)  will address path MTU problem.  Note that not all
	      platform supports	socket option to set  MSS  (TCP_MAXSEG).   De-
	      fault  is	system default MSS determined by interface MTU and ne-
	      gotiation	between	server and client.

       outgoing-tcp-mss: _number_
	      Maximum segment size (MSS) of TCP	socket	for  outgoing  queries
	      (from  Unbound to	other servers).	Value lower than common	MSS on
	      Ethernet (1220 for example) will address path MTU	problem.  Note
	      that  not	 all  platform	supports  socket  option  to  set  MSS
	      (TCP_MAXSEG).  Default is	system default MSS determined  by  in-
	      terface MTU and negotiation between Unbound and other servers.

       tcp-idle-timeout: _msec_
	      The  period  Unbound  will wait for a query on a TCP connection.
	      If this timeout expires Unbound closes the connection.  This op-
	      tion  defaults  to  30000	milliseconds.  When the	number of free
	      incoming TCP buffers falls below 50% of the total	number config-
	      ured,  the  option value used is progressively reduced, first to
	      1% of the	configured value, then to 0.2% of the configured value
	      if  the number of	free buffers falls below 35% of	the total num-
	      ber configured, and finally to 0 if the number of	 free  buffers
	      falls  below 20% of the total number configured. A minimum time-
	      out of 200 milliseconds is observed  regardless  of  the	option
	      value used.

       edns-tcp-keepalive: _yes	or no_
	      Enable or	disable	EDNS TCP Keepalive. Default is no.

       edns-tcp-keepalive-timeout: _msec_
	      The  period  Unbound  will  wait for a query on a	TCP connection
	      when EDNS	TCP Keepalive is active. If this timeout  expires  Un-
	      bound closes the connection. If the client supports the EDNS TCP
	      Keepalive	option,	Unbound	sends the timeout value	to the	client
	      to  encourage it to close	the connection before the server times
	      out.  This option	defaults to  120000  milliseconds.   When  the
	      number of	free incoming TCP buffers falls	below 50% of the total
	      number configured, the advertised	timeout	is  progressively  re-
	      duced to 1% of the configured value, then	to 0.2%	of the config-
	      ured value if the	number of free buffers falls below 35% of  the
	      total  number configured,	and finally to 0 if the	number of free
	      buffers falls below 20% of the total number configured.  A mini-
	      mum actual timeout of 200	milliseconds is	observed regardless of
	      the advertised timeout.

       tcp-upstream: _yes or no_
	      Enable or	disable	whether	the upstream queries use TCP only  for
	      transport.  Default is no.  Useful in tunneling scenarios.

       udp-upstream-without-downstream:	_yes or	no_
	      Enable  udp  upstream  even if do-udp is no.  Default is no, and
	      this  does  not  change  anything.   Useful  for	 TLS   service
	      providers, that want no udp downstream but use udp to fetch data
	      upstream.

       tls-upstream: _yes or no_
	      Enabled or disable whether the upstream queries use TLS only for
	      transport.   Default is no.  Useful in tunneling scenarios.  The
	      TLS contains plain DNS in	TCP wireformat.	 The other server must
	      support  this  (see  tls-service-key).  If you enable this, also
	      configure	a tls-cert-bundle  or  use  tls-win-cert  to  load  CA
	      certs,  otherwise	the connections	cannot be authenticated.  This
	      option enables TLS for all of them, but if you do	not  set  this
	      you  can	configure TLS specifically for some forward zones with
	      forward-tls-upstream.  And also with stub-tls-upstream.

       ssl-upstream: _yes or no_
	      Alternate	syntax for tls-upstream.  If both are present  in  the
	      config file the last is used.

       tls-service-key:	_file_
	      If  enabled,  the	server provides	DNS-over-TLS or	DNS-over-HTTPS
	      service on the TCP ports marked  implicitly  or  explicitly  for
	      these  services  with tls-port or	https-port. The	file must con-
	      tain the private key for the TLS session,	the public certificate
	      is  in the tls-service-pem file and it must also be specified if
	      tls-service-key is specified.  The default is  "",  turned  off.
	      Enabling	or disabling this service requires a restart (a	reload
	      is not enough), because the key is read while  root  permissions
	      are  held	and before chroot (if any).  The ports enabled implic-
	      itly or explicitly via tls-port: and https-port: do not  provide
	      normal  DNS  TCP service.	Unbound	needs to be compiled with lib-
	      nghttp2 in order to provide DNS-over-HTTPS.

       ssl-service-key:	_file_
	      Alternate	syntax for tls-service-key.

       tls-service-pem:	_file_
	      The public key certificate pem file for the  tls	service.   De-
	      fault is "", turned off.

       ssl-service-pem:	_file_
	      Alternate	syntax for tls-service-pem.

       tls-port: _number_
	      The  port	 number	 on  which to provide TCP TLS service, default
	      853, only	interfaces configured with that	port number as @number
	      get the TLS service.

       ssl-port: _number_
	      Alternate	syntax for tls-port.

       tls-cert-bundle:	_file_
	      If  null or "", no file is used.	Set it to the certificate bun-
	      dle file,	for example "/etc/pki/tls/certs/ca-bundle.crt".	 These
	      certificates  are	 used  for  authenticating connections made to
	      outside peers.  For example auth-zone urls, and  also  DNS  over
	      TLS  connections.	 It is read at start up	before permission drop
	      and chroot.

       ssl-cert-bundle:	_file_
	      Alternate	syntax for tls-cert-bundle.

       tls-win-cert: _yes or no_
	      Add the system certificates to the cert bundle certificates  for
	      authentication.	If no cert bundle, it uses only	these certifi-
	      cates.  Default is no.  On windows this option uses the certifi-
	      cates  from  the	cert store.  Use the tls-cert-bundle option on
	      other systems.

       tls-additional-port: _portnr_
	      List portnumbers as tls-additional-port, and when	interfaces are
	      defined,	eg.  with  the @port suffix, as	this port number, they
	      provide dns over TLS service.  Can list multiple,	each on	a  new
	      statement.

       tls-session-ticket-keys:	_file_
	      If not "", lists files with 80 bytes of random contents that are
	      used to perform TLS session resumption for clients using the un-
	      bound  server.   These  files contain the	secret key for the TLS
	      session tickets.	First key use to encrypt and decrypt TLS  ses-
	      sion  tickets.   Other  keys use to decrypt only.	 With this you
	      can roll over to new keys, by generating a new  first  file  and
	      allowing	decrypt	 of the	old file by listing it after the first
	      file for some time, after	the wait clients are not using the old
	      key  any more and	the old	key can	be removed.  One way to	create
	      the file is dd if=/dev/random bs=1  count=80  of=ticket.dat  The
	      first  16	bytes should be	different from the old one if you cre-
	      ate a second key,	that is	the name used  to  identify  the  key.
	      Then  there  is  32 bytes	random data for	an AES key and then 32
	      bytes random data	for the	HMAC key.

       tls-ciphers: _string with cipher	list_
	      Set the list of ciphers to allow when serving TLS.  Use  ""  for
	      defaults,	and that is the	default.

       tls-ciphersuites: _string with ciphersuites list_
	      Set the list of ciphersuites to allow when serving TLS.  This is
	      for newer	TLS 1.3	connections.  Use "" for defaults, and that is
	      the default.

       tls-use-sni: _yes or no_
	      Enable  or disable sending the SNI extension on TLS connections.
	      Default is yes.  Changing	the value requires a reload.

       https-port: _number_
	      The port number on which to provide DNS-over-HTTPS service,  de-
	      fault  443,  only	interfaces configured with that	port number as
	      @number get the HTTPS service.

       http-endpoint: _endpoint	string_
	      The HTTP endpoint	to provide DNS-over-HTTPS service on.  Default
	      "/dns-query".

       http-max-streams: _number of streams_
	      Number  used in the SETTINGS_MAX_CONCURRENT_STREAMS parameter in
	      the HTTP/2 SETTINGS frame	for  DNS-over-HTTPS  connections.  De-
	      fault 100.

       http-query-buffer-size: _size in	bytes_
	      Maximum  number  of bytes	used for all HTTP/2 query buffers com-
	      bined. These buffers contain (partial) DNS queries  waiting  for
	      request  stream completion.  An RST_STREAM frame will be send to
	      streams exceeding	this limit. Default is 4  megabytes.  A	 plain
	      number  is  in  bytes,  append  'k',  'm'	 or 'g'	for kilobytes,
	      megabytes	or gigabytes (1024*1024	bytes in a megabyte).

       http-response-buffer-size: _size	in bytes_
	      Maximum number of	bytes used for	all  HTTP/2  response  buffers
	      combined.	 These	buffers	 contain  DNS  responses waiting to be
	      written back to the clients.  An RST_STREAM frame	will  be  send
	      to streams exceeding this	limit. Default is 4 megabytes. A plain
	      number is	in bytes,  append  'k',	 'm'  or  'g'  for  kilobytes,
	      megabytes	or gigabytes (1024*1024	bytes in a megabyte).

       http-nodelay: _yes or no_
	      Set  TCP_NODELAY	socket	option on sockets used to provide DNS-
	      over-HTTPS service.  Ignored if the option is not	available. De-
	      fault is yes.

       http-notls-downstream: _yes or no_
	      Disable use of TLS for the downstream DNS-over-HTTP connections.
	      Useful for local back end	servers.  Default is no.

       use-systemd: _yes or no_
	      Enable or	disable	systemd	socket activation.  Default is no.

       do-daemonize: _yes or no_
	      Enable or	disable	whether	the  unbound  server  forks  into  the
	      background  as  a	daemon.	 Set the value to no when unbound runs
	      as systemd service.  Default is yes.

       tcp-connection-limit: _IP netblock_ _limit_
	      Allow up to limit	simultaneous TCP connections  from  the	 given
	      netblock.	  When	at the limit, further connections are accepted
	      but closed immediately.  This option  is	experimental  at  this
	      time.

       access-control: _IP netblock_ _action_
	      The  netblock  is	 given as an IP4 or IP6	address	with /size ap-
	      pended for a classless network block. The	action	can  be	 deny,
	      refuse,	allow,	allow_setrd,  allow_snoop,  deny_non_local  or
	      refuse_non_local.	 The most specific netblock match is used,  if
	      none match deny is used.	The order of the access-control	state-
	      ments therefore does not matter.

	      The action deny stops queries from hosts from that netblock.

	      The action refuse	stops queries too, but sends a DNS  rcode  RE-
	      FUSED error message back.

	      The action allow gives access to clients from that netblock.  It
	      gives only access	for recursion clients (which  is  what	almost
	      all clients need).  Nonrecursive queries are refused.

	      The  allow  action does allow nonrecursive queries to access the
	      local-data that is configured.  The reason is that this does not
	      involve  the  unbound  server  recursive	lookup	algorithm, and
	      static data is served in the reply.  This	supports normal	opera-
	      tions  where nonrecursive	queries	are made for the authoritative
	      data.  For nonrecursive queries any  replies  from  the  dynamic
	      cache are	refused.

	      The  allow_setrd	action	ignores	the recursion desired (RD) bit
	      and treats all requests as if the	recursion desired bit is  set.
	      Note  that  this	behavior violates RFC 1034 which states	that a
	      name server should never perform recursive service unless	 asked
	      via  the	RD  bit	since this interferes with trouble shooting of
	      name servers and their databases.	This prohibited	 behavior  may
	      be  useful  if another DNS server	must forward requests for spe-
	      cific zones to a resolver	DNS server, but	only supports stub do-
	      mains  and  sends	queries	to the resolver	DNS server with	the RD
	      bit cleared.

	      The action allow_snoop gives nonrecursive	access too.  This give
	      both  recursive  and non recursive access.  The name allow_snoop
	      refers to	 cache	snooping,  a  technique	 to  use  nonrecursive
	      queries  to  examine  the	 cache	contents (for malicious	acts).
	      However, nonrecursive queries can	also be	a  valuable  debugging
	      tool (when you want to examine the cache contents). In that case
	      use allow_snoop for your administration host.

	      By default only localhost	is allowed, the	rest is	refused.   The
	      default  is  refused, because that is protocol-friendly. The DNS
	      protocol is not designed to handle dropped packets due  to  pol-
	      icy,  and	 dropping  may	result in (possibly excessive) retried
	      queries.

	      The deny_non_local and refuse_non_local settings are  for	 hosts
	      that are only allowed to query for the authoritative local-data,
	      they are not allowed full	recursion but only  the	 static	 data.
	      With  deny_non_local,  messages that are disallowed are dropped,
	      with refuse_non_local they receive error code REFUSED.

       access-control-tag: _IP netblock_ _"list	of tags"_
	      Assign tags to access-control elements. Clients using  this  ac-
	      cess  control element use	localzones that	are tagged with	one of
	      these tags. Tags must be defined in define-tags.	 Enclose  list
	      of  tags	in  quotes  ("")  and  put spaces between tags.	If ac-
	      cess-control-tag is configured for a netblock that does not have
	      an  access-control,  an access-control element with action allow
	      is configured for	this netblock.

       access-control-tag-action: _IP netblock_	_tag_ _action_
	      Set action for particular	tag for	given access control  element.
	      If  you have multiple tag	values,	the tag	used to	lookup the ac-
	      tion is the first	tag match between access-control-tag  and  lo-
	      cal-zone-tag  where  "first" comes from the order	of the define-
	      tag values.

       access-control-tag-data:	_IP netblock_ _tag_ _"resource record string"_
	      Set redirect data	for particular tag for	given  access  control
	      element.

       access-control-view: _IP	netblock_ _view	name_
	      Set view for given access	control	element.

       chroot: _directory_
	      If  chroot  is enabled, you should pass the configfile (from the
	      commandline) as a	full path from the original  root.  After  the
	      chroot  has been performed the now defunct portion of the	config
	      file path	is removed to be able to reread	 the  config  after  a
	      reload.

	      All  other  file paths (working dir, logfile, roothints, and key
	      files) can be specified in several ways:	as  an	absolute  path
	      relative	to the new root, as a relative path to the working di-
	      rectory, or as an	absolute path relative to the  original	 root.
	      In  the last case	the path is adjusted to	remove the unused por-
	      tion.

	      The pidfile can be either	a relative path	to the working	direc-
	      tory,  or	 an absolute path relative to the original root. It is
	      written just prior to chroot and dropping	permissions. This  al-
	      lows the pidfile to be /var/run/unbound.pid and the chroot to be
	      /var/unbound, for	example. Note that Unbound is not able to  re-
	      move the pidfile after termination when it is located outside of
	      the chroot directory.

	      Additionally, unbound may	need to	access /dev/urandom  (for  en-
	      tropy) from inside the chroot.

	      If given a chroot	is done	to the given directory.	By default ch-
	      root is enabled and the default is "/usr/local/etc/unbound".  If
	      you give "" no chroot is performed.

       username: _name_
	      If  given,  after	 binding  the  port  the  user	privileges are
	      dropped. Default is "unbound". If	you give username: "" no  user
	      change is	performed.

	      If  this	user  is  not capable of binding the port, reloads (by
	      signal HUP) will still retain the	opened ports.  If  you	change
	      the port number in the config file, and that new port number re-
	      quires privileges, then a	reload will fail; a restart is needed.

       directory: _directory_
	      Sets the working directory for the program. Default is "/usr/lo-
	      cal/etc/unbound".	 On Windows the	string "%EXECUTABLE%" tries to
	      change to	the directory that unbound.exe	resides	 in.   If  you
	      give  a  server:	directory: dir before include: file statements
	      then those includes can be relative to the working directory.

       logfile:	_filename_
	      If "" is given, logging goes to stderr, or nowhere  once	daemo-
	      nized.  The logfile is appended to, in the following format:
	      [seconds since 1970] unbound[pid:tid]: type: message.
	      If  this	option	is  given,  the	use-syslog is option is	set to
	      "no".  The logfile is reopened (for append) when the config file
	      is reread, on SIGHUP.

       use-syslog: _yes	or no_
	      Sets  unbound  to	 send  log messages to the syslogd, using sys-
	      log(3).  The log facility	LOG_DAEMON is used, with identity "un-
	      bound".	The  logfile  setting is overridden when use-syslog is
	      turned on.  The default is to log	to syslog.

       log-identity: _string_
	      If "" is given (default),	then the name of the executable,  usu-
	      ally  "unbound" is used to report	to the log.  Enter a string to
	      override it with that, which is useful on	systems	that run  more
	      than  one	instance of unbound, with different configurations, so
	      that the logs can	be easily distinguished	against.

       log-time-ascii: _yes or no_
	      Sets logfile lines to use	a timestamp in UTC ascii.  Default  is
	      no,  which  prints the seconds since 1970	in brackets. No	effect
	      if using syslog, in  that	 case  syslog  formats	the  timestamp
	      printed into the log files.

       log-queries: _yes or no_
	      Prints one line per query	to the log, with the log timestamp and
	      IP address, name,	type and class.	 Default is no.	 Note that  it
	      takes time to print these	lines which makes the server (signifi-
	      cantly) slower.  Odd  (nonprintable)  characters	in  names  are
	      printed as '?'.

       log-replies: _yes or no_
	      Prints one line per reply	to the log, with the log timestamp and
	      IP address, name,	type, class, return  code,  time  to  resolve,
	      from  cache  and	response  size.	  Default is no.  Note that it
	      takes time to print these	lines which makes the server (signifi-
	      cantly)  slower.	 Odd  (nonprintable)  characters  in names are
	      printed as '?'.

       log-tag-queryreply: _yes	or no_
	      Prints  the  word	 'query'  and  'reply'	with  log-queries  and
	      log-replies.   This makes	filtering logs easier.	The default is
	      off (for backwards compatibility).

       log-local-actions: _yes or no_
	      Print log	lines to inform	about local zone actions.  These lines
	      are  like	 the  local-zone  type inform prints out, but they are
	      also printed for the other types of local	zones.

       log-servfail: _yes or no_
	      Print log	lines that say why queries return SERVFAIL to clients.
	      This  is	separate  from the verbosity debug logs, much smaller,
	      and printed at the error level, not the info level of debug info
	      from verbosity.

       pidfile:	_filename_
	      The  process  id	is  written  to	the file. Default is "/usr/lo-
	      cal/etc/unbound/unbound.pid".  So,
	      kill -HUP	`cat /usr/local/etc/unbound/unbound.pid`
	      triggers a reload,
	      kill -TERM `cat /usr/local/etc/unbound/unbound.pid`
	      gracefully terminates.

       root-hints: _filename_
	      Read the root hints from this file. Default  is  nothing,	 using
	      builtin  hints for the IN	class. The file	has the	format of zone
	      files, with root nameserver names	and addresses  only.  The  de-
	      fault  may become	outdated, when servers change, therefore it is
	      good practice to use a root-hints	file.

       hide-identity: _yes or no_
	      If enabled id.server and hostname.bind queries are refused.

       identity: _string_
	      Set the identity to report. If set to "",	the default, then  the
	      hostname of the server is	returned.

       hide-version: _yes or no_
	      If enabled version.server	and version.bind queries are refused.

       version:	_string_
	      Set  the	version	to report. If set to "", the default, then the
	      package version is returned.

       hide-trustanchor: _yes or no_
	      If enabled trustanchor.unbound queries are refused.

       target-fetch-policy: _"list of numbers"_
	      Set the target fetch policy used by unbound to determine	if  it
	      should  fetch nameserver target addresses	opportunistically. The
	      policy is	described per dependency depth.

	      The number of values determines  the  maximum  dependency	 depth
	      that  unbound  will  pursue in answering a query.	 A value of -1
	      means to fetch all targets opportunistically for that dependency
	      depth.  A	 value	of 0 means to fetch on demand only. A positive
	      value fetches that many targets opportunistically.

	      Enclose the list between quotes ("") and put spaces between num-
	      bers.   The default is "3	2 1 0 0". Setting all zeroes, "0 0 0 0
	      0" gives behaviour closer	to that	of BIND	9, while  setting  "-1
	      -1  -1  -1  -1" gives behaviour rumoured to be closer to that of
	      BIND 8.

       harden-short-bufsize: _yes or no_
	      Very small EDNS buffer sizes from	queries	are  ignored.  Default
	      is  off,	since it is legal protocol wise	to send	these, and un-
	      bound tries to give very small answers to	these  queries,	 where
	      possible.

       harden-large-queries: _yes or no_
	      Very  large queries are ignored. Default is off, since it	is le-
	      gal protocol wise	to send	these, and could be necessary for  op-
	      eration if TSIG or EDNS payload is very large.

       harden-glue: _yes or no_
	      Will  trust glue only if it is within the	servers	authority. De-
	      fault is yes.

       harden-dnssec-stripped: _yes or no_
	      Require DNSSEC data for trust-anchored zones, if	such  data  is
	      absent,  the  zone  becomes  bogus. If turned off, and no	DNSSEC
	      data is received (or the DNSKEY data fails  to  validate),  then
	      the  zone	 is made insecure, this	behaves	like there is no trust
	      anchor. You could	turn this off if you are sometimes  behind  an
	      intrusive	 firewall (of some sort) that removes DNSSEC data from
	      packets, or a zone changes from  signed  to  unsigned  to	 badly
	      signed  often. If	turned off you run the risk of a downgrade at-
	      tack that	disables security for a	zone. Default is yes.

       harden-below-nxdomain: _yes or no_
	      From RFC 8020 (with title	"NXDOMAIN: There Really	Is Nothing Un-
	      derneath"), returns nxdomain to queries for a name below another
	      name that	is already known to be nxdomain.  DNSSEC mandates  no-
	      error  for empty nonterminals, hence this	is possible.  Very old
	      software might return nxdomain for empty nonterminals (that usu-
	      ally happen for reverse IP address lookups), and thus may	be in-
	      compatible with this.  To	try to avoid this  only	 DNSSEC-secure
	      nxdomains	 are  used,  because  the  old	software does not have
	      DNSSEC.  Default is yes.	The  nxdomain  must  be	 secure,  this
	      means nsec3 with optout is insufficient.

       harden-referral-path: _yes or no_
	      Harden  the  referral  path by performing	additional queries for
	      infrastructure data.  Validates the replies if trust anchors are
	      configured and the zones are signed.  This enforces DNSSEC vali-
	      dation on	nameserver NS sets and the nameserver  addresses  that
	      are encountered on the referral path to the answer.  Default no,
	      because it burdens the authority servers,	 and  it  is  not  RFC
	      standard,	 and could lead	to performance problems	because	of the
	      extra query load that is generated.   Experimental  option.   If
	      you  enable  it  consider	 adding	 more  numbers	after the tar-
	      get-fetch-policy to increase the max depth that is checked to.

       harden-algo-downgrade: _yes or no_
	      Harden against algorithm downgrade when multiple algorithms  are
	      advertised  in  the  DS record.  If no, allows the weakest algo-
	      rithm to validate	the zone.  Default is no.  Zone	 signers  must
	      produce  zones  that  allow  this	feature	to work, but sometimes
	      they do not, and turning this option off avoids that  validation
	      failure.

       use-caps-for-id:	_yes or	no_
	      Use  0x20-encoded	 random	 bits  in  the query to	foil spoof at-
	      tempts.  This perturbs the  lowercase  and  uppercase  of	 query
	      names  sent  to  authority servers and checks if the reply still
	      has the correct casing.  Disabled	by default.  This  feature  is
	      an experimental implementation of	draft dns-0x20.

       caps-exempt: _domain_
	      Exempt  the  domain so that it does not receive caps-for-id per-
	      turbed queries.  For domains that	do not support 0x20  and  also
	      fail  with fallback because they keep sending different answers,
	      like some	load balancers.	 Can be	given multiple times, for dif-
	      ferent domains.

       caps-whitelist: _yes or no_
	      Alternate	syntax for caps-exempt.

       qname-minimisation: _yes	or no_
	      Send  minimum  amount  of	information to upstream	servers	to en-
	      hance privacy.  Only send	minimum	required labels	of  the	 QNAME
	      and  set	QTYPE  to  A when possible. Best effort	approach; full
	      QNAME and	original QTYPE will be sent when upstream replies with
	      a	 RCODE other than NOERROR, except when receiving NXDOMAIN from
	      a	DNSSEC signed zone. Default is yes.

       qname-minimisation-strict: _yes or no_
	      QNAME minimisation in strict mode. Do not	fall-back  to  sending
	      full  QNAME  to potentially broken nameservers. A	lot of domains
	      will not be resolvable when this option in enabled. Only use  if
	      you  know	 what you are doing.  This option only has effect when
	      qname-minimisation is enabled. Default is	no.

       aggressive-nsec:	_yes or	no_
	      Aggressive NSEC uses the DNSSEC NSEC chain to  synthesize	 NXDO-
	      MAIN  and	 other	denials, using information from	previous NXDO-
	      MAINs answers.  Default is no.  It helps	to  reduce  the	 query
	      rate  towards  targets  that  get	 a  very high nonexistent name
	      lookup rate.

       private-address:	_IP address or subnet_
	      Give IPv4	of IPv6	addresses or classless subnets.	These are  ad-
	      dresses  on  your	private	network, and are not allowed to	be re-
	      turned for public	internet names.	 Any occurrence	 of  such  ad-
	      dresses  are  removed from DNS answers. Additionally, the	DNSSEC
	      validator	may mark the  answers  bogus.  This  protects  against
	      so-called	 DNS  Rebinding, where a user browser is turned	into a
	      network proxy, allowing remote access  through  the  browser  to
	      other  parts of your private network.  Some names	can be allowed
	      to contain your private addresses, by default all	the local-data
	      that  you	 configured  is	 allowed to, and you can specify addi-
	      tional names using private-domain.  No private addresses are en-
	      abled  by	 default.   We consider	to enable this for the RFC1918
	      private IP address space by  default  in	later  releases.  That
	      would  enable  private  addresses	 for  10.0.0.0/8 172.16.0.0/12
	      192.168.0.0/16 169.254.0.0/16 fd00::/8 and fe80::/10, since  the
	      RFC  standards  say these	addresses should not be	visible	on the
	      public internet.	Turning	on 127.0.0.0/8 would hinder many spam-
	      blocklists   as  they  use  that.	  Adding  ::ffff:0:0/96	 stops
	      IPv4-mapped IPv6 addresses from bypassing	the filter.

       private-domain: _domain name_
	      Allow this domain, and all its subdomains	to contain private ad-
	      dresses.	 Give multiple times to	allow multiple domain names to
	      contain private addresses. Default is none.

       unwanted-reply-threshold: _number_
	      If set, a	total number of	unwanted replies is kept track	of  in
	      every thread.  When it reaches the threshold, a defensive	action
	      is taken and a warning is	printed	to the log.  The defensive ac-
	      tion  is to clear	the rrset and message caches, hopefully	flush-
	      ing away any poison.  A value of 10 million is  suggested.   De-
	      fault is 0 (turned off).

       do-not-query-address: _IP address_
	      Do  not  query  the  given IP address. Can be IP4	or IP6.	Append
	      /num to indicate a classless delegation  netblock,  for  example
	      like 10.2.3.4/24 or 2001::11/64.

       do-not-query-localhost: _yes or no_
	      If  yes, localhost is added to the do-not-query-address entries,
	      both IP6 ::1 and IP4 127.0.0.1/8.	If no, then localhost  can  be
	      used to send queries to. Default is yes.

       prefetch: _yes or no_
	      If yes, message cache elements are prefetched before they	expire
	      to keep the cache	up to date.  Default is	 no.   Turning	it  on
	      gives about 10 percent more traffic and load on the machine, but
	      popular items do not expire from the cache.

       prefetch-key: _yes or no_
	      If yes, fetch the	DNSKEYs	earlier	 in  the  validation  process,
	      when a DS	record is encountered.	This lowers the	latency	of re-
	      quests.  It does use a little more CPU.  Also if	the  cache  is
	      set to 0,	it is no use. Default is no.

       deny-any: _yes or no_
	      If  yes,	deny  queries of type ANY with an empty	response.  De-
	      fault is no.  If disabled, unbound responds with a short list of
	      resource records if some can be found in the cache and makes the
	      upstream type ANY	query if there are none.

       rrset-roundrobin: _yes or no_
	      If yes, Unbound rotates RRSet order in response (the random num-
	      ber  is  taken  from the query ID, for speed and thread safety).
	      Default is yes.

       minimal-responses: _yes or no_
	      If yes, Unbound  doesn't	insert	authority/additional  sections
	      into  response  messages	when  those sections are not required.
	      This reduces response size  significantly,  and  may  avoid  TCP
	      fallback	for  some responses.  This may cause a slight speedup.
	      The default is yes, even though the DNS  protocol	 RFCs  mandate
	      these  sections,	and the	additional content could be of use and
	      save roundtrips for clients.  Because they are not used, and the
	      saved  roundtrips	are easier saved with prefetch,	whilst this is
	      faster.

       disable-dnssec-lame-check: _yes or no_
	      If true, disables	the DNSSEC lameness  check  in	the  iterator.
	      This check sees if RRSIGs	are present in the answer, when	dnssec
	      is expected, and retries another authority if RRSIGs  are	 unex-
	      pectedly	missing.   The	validator  will	 insist	 in RRSIGs for
	      DNSSEC signed domains regardless of this setting,	if a trust an-
	      chor is loaded.

       module-config: _"module names"_
	      Module  configuration,  a	list of	module names separated by spa-
	      ces, surround the	string with quotes (""). The  modules  can  be
	      validator,  iterator.  Setting this to "iterator"	will result in
	      a	non-validating server.	Setting	this to	 "validator  iterator"
	      will  turn on DNSSEC validation.	The ordering of	the modules is
	      important.  You must also	set trust-anchors for validation to be
	      useful.	The  default is	"validator iterator".  When the	server
	      is built with EDNS client	subnet support the default is "subnet-
	      cache  validator iterator".  Most	modules	that need to be	listed
	      here have	to be listed  at  the  beginning  of  the  line.   The
	      cachedb  module  has to be listed	just before the	iterator.  The
	      python module can	be listed in different places,	it  then  pro-
	      cesses  the  output  of the module it is just before. The	dynlib
	      module can be listed pretty much anywhere, it  is	 only  a  very
	      thin wrapper that	allows dynamic libraries to run	in its place.

       trust-anchor-file: _filename_
	      File  with  trusted  keys	for validation.	Both DS	and DNSKEY en-
	      tries can	appear in the file. The	format	of  the	 file  is  the
	      standard	DNS  Zone file format.	Default	is "", or no trust an-
	      chor file.

       auto-trust-anchor-file: _filename_
	      File with	trust anchor for  one  zone,  which  is	 tracked  with
	      RFC5011  probes.	 The  probes  are run several times per	month,
	      thus the machine must be online frequently.   The	 initial  file
	      can be one with contents as described in trust-anchor-file.  The
	      file is written to when the anchor is updated,  so  the  unbound
	      user  must have write permission.	 Write permission to the file,
	      but also to the directory	it is in (to create a temporary	 file,
	      which is necessary to deal with filesystem full events), it must
	      also be inside the chroot	(if that is used).

       trust-anchor: _"Resource	Record"_
	      A	DS or DNSKEY RR	for a key to use for validation. Multiple  en-
	      tries can	be given to specify multiple trusted keys, in addition
	      to the trust-anchor-files.  The resource record  is  entered  in
	      the same format as 'dig' or 'drill' prints them, the same	format
	      as in the	zone file. Has to be on	a single line, with ""	around
	      it. A TTL	can be specified for ease of cut and paste, but	is ig-
	      nored.  A	class can be specified,	but class IN is	default.

       trusted-keys-file: _filename_
	      File with	trusted	keys for validation.  Specify  more  than  one
	      file  with  several  entries, one	file per entry.	Like trust-an-
	      chor-file	but has	a different  file  format.  Format  is	BIND-9
	      style  format, the trusted-keys {	name flag proto	algo "key"; };
	      clauses are read.	 It is possible	to  use	 wildcards  with  this
	      statement, the wildcard is expanded on start and on reload.

       trust-anchor-signaling: _yes or no_
	      Send  RFC8145  key tag query after trust anchor priming. Default
	      is yes.

       root-key-sentinel: _yes or no_
	      Root key trust anchor sentinel. Default is yes.

       domain-insecure:	_domain	name_
	      Sets domain name to be insecure, DNSSEC chain of	trust  is  ig-
	      nored  towards the domain	name.  So a trust anchor above the do-
	      main name	can not	make the domain	secure with a DS record,  such
	      a	 DS  record  is	 then ignored.	Can be given multiple times to
	      specify multiple domains that are	treated	as  if	unsigned.   If
	      you  set trust anchors for the domain they override this setting
	      (and the domain is secured).

	      This can be useful if you	want to	make sure a trust  anchor  for
	      external	lookups	does not affect	an (unsigned) internal domain.
	      A	DS record externally can create	validation failures  for  that
	      internal domain.

       val-override-date: _rrsig-style date spec_
	      Default  is "" or	"0", which disables this debugging feature. If
	      enabled by giving	a RRSIG	style date, that date is used for ver-
	      ifying RRSIG inception and expiration dates, instead of the cur-
	      rent date. Do not	set this unless	you  are  debugging  signature
	      inception	 and  expiration.  The value -1	ignores	the date alto-
	      gether, useful for some special applications.

       val-sig-skew-min: _seconds_
	      Minimum number of	seconds	of clock skew to  apply	 to  validated
	      signatures.   A  value of	10% of the signature lifetime (expira-
	      tion - inception)	is used, capped	by this	setting.   Default  is
	      3600  (1	hour)  which  allows for daylight savings differences.
	      Lower this value for more	strict checking	of short lived	signa-
	      tures.

       val-sig-skew-max: _seconds_
	      Maximum  number  of  seconds of clock skew to apply to validated
	      signatures.  A value of 10% of the signature  lifetime  (expira-
	      tion  -  inception) is used, capped by this setting.  Default is
	      86400 (24	hours) which allows for	timezone setting  problems  in
	      stable  domains.	Setting	both min and max very low disables the
	      clock skew allowances.  Setting both min and max very high makes
	      the validator check the signature	timestamps less	strictly.

       val-bogus-ttl: _number_
	      The  time	 to  live for bogus data. This is data that has	failed
	      validation; due to invalid signatures or other checks.  The  TTL
	      from  that  data	cannot	be trusted, and	this value is used in-
	      stead. The value is in seconds, default 60.  The	time  interval
	      prevents repeated	revalidation of	bogus data.

       val-clean-additional: _yes or no_
	      Instruct	the  validator to remove data from the additional sec-
	      tion of secure messages that are not signed  properly.  Messages
	      that are insecure, bogus,	indeterminate or unchecked are not af-
	      fected. Default is yes. Use this setting to  protect  the	 users
	      that  rely on this validator for authentication from potentially
	      bad data in the additional section.

       val-log-level: _number_
	      Have the validator print validation failures to  the  log.   Re-
	      gardless	of  the	 verbosity setting.  Default is	0, off.	 At 1,
	      for every	user query that	fails a	line is	printed	to  the	 logs.
	      This  way	 you  can monitor what happens with validation.	 Use a
	      diagnosis	tool, such as dig or drill, to find out	why validation
	      is  failing  for	these  queries.	 At 2, not only	the query that
	      failed is	printed	but also the reason why	unbound	thought	it was
	      wrong and	which server sent the faulty data.

       val-permissive-mode: _yes or no_
	      Instruct	the validator to mark bogus messages as	indeterminate.
	      The security checks are performed, but if	the  result  is	 bogus
	      (failed  security),  the	reply  is not withheld from the	client
	      with SERVFAIL as usual. The client receives the bogus data.  For
	      messages	that  are  found  to  be  secure  the AD bit is	set in
	      replies. Also logging is performed as for	full validation.   The
	      default value is "no".

       ignore-cd-flag: _yes or no_
	      Instruct	unbound	 to ignore the CD flag from clients and	refuse
	      to return	bogus answers to them.	Thus, the  CD  (Checking  Dis-
	      abled)  flag does	not disable checking any more.	This is	useful
	      if legacy	(w2008)	servers	that set the CD	flag but cannot	 vali-
	      date  DNSSEC  themselves	are the	clients, and then unbound pro-
	      vides them with DNSSEC protection.  The default value is "no".

       serve-expired: _yes or no_
	      If enabled, unbound attempts to serve old	responses  from	 cache
	      with  a  TTL  of serve-expired-reply-ttl in the response without
	      waiting for the actual resolution	to finish.  The	actual resolu-
	      tion answer ends up in the cache later on.  Default is "no".

       serve-expired-ttl: _seconds_
	      Limit  serving  of expired responses to configured seconds after
	      expiration. 0 disables the limit.	 This option only applies when
	      serve-expired is enabled.	 A suggested value per RFC 8767	is be-
	      tween 86400 (1 day) and 259200 (3	days).	The default is 0.

       serve-expired-ttl-reset:	_yes or	no_
	      Set the TTL of expired records to	 the  serve-expired-ttl	 value
	      after  a	failed	attempt	 to retrieve the record	from upstream.
	      This makes sure that the expired records will be served as  long
	      as there are queries for it.  Default is "no".

       serve-expired-reply-ttl:	_seconds_
	      TTL  value to use	when replying with expired data.  If serve-ex-
	      pired-client-timeout is also used	then it	is RECOMMENDED to  use
	      30 as the	value (RFC 8767).  The default is 30.

       serve-expired-client-timeout: _msec_
	      Time  in milliseconds before replying to the client with expired
	      data.  This essentially  enables	the  serve-stale  behavior  as
	      specified	in RFC 8767 that first tries to	resolve	before immedi-
	      ately responding with expired data.  A recommended value per RFC
	      8767  is	1800.	Setting	 this to 0 will	disable	this behavior.
	      Default is 0.

       val-nsec3-keysize-iterations: _"list of values"_
	      List of keysize and iteration count values, separated by spaces,
	      surrounded  by quotes. Default is	"1024 150 2048 500 4096	2500".
	      This determines the maximum allowed NSEC3	iteration count	before
	      a	 message  is  simply marked insecure instead of	performing the
	      many hashing iterations. The list	must be	in ascending order and
	      have  at least one entry.	If you set it to "1024 65535" there is
	      no restriction to	NSEC3 iteration	values.	 This  table  must  be
	      kept short; a very long list could cause slower operation.

       add-holddown: _seconds_
	      Instruct	the auto-trust-anchor-file probe mechanism for RFC5011
	      autotrust	updates	to add new trust anchors only after they  have
	      been visible for this time.  Default is 30 days as per the RFC.

       del-holddown: _seconds_
	      Instruct	the auto-trust-anchor-file probe mechanism for RFC5011
	      autotrust	updates	to remove revoked  trust  anchors  after  they
	      have been	kept in	the revoked list for this long.	 Default is 30
	      days as per the RFC.

       keep-missing: _seconds_
	      Instruct the auto-trust-anchor-file probe	mechanism for  RFC5011
	      autotrust	 updates  to  remove  missing trust anchors after they
	      have been	unseen for this	long.  This cleans up the  state  file
	      if  the target zone does not perform trust anchor	revocation, so
	      this makes the auto probe	mechanism work with zones that perform
	      regular  (non-5011)  rollovers.	The  default is	366 days.  The
	      value 0 does not remove missing anchors, as per the RFC.

       permit-small-holddown: _yes or no_
	      Debug option that	allows the autotrust 5011 rollover  timers  to
	      assume very small	values.	 Default is no.

       key-cache-size: _number_
	      Number  of  bytes	size of	the key	cache. Default is 4 megabytes.
	      A	plain number is	in bytes, append 'k', 'm'  or  'g'  for	 kilo-
	      bytes, megabytes or gigabytes (1024*1024 bytes in	a megabyte).

       key-cache-slabs:	_number_
	      Number  of  slabs	in the key cache. Slabs	reduce lock contention
	      by threads.  Must	be set to a power of 2.	Setting	(close)	to the
	      number of	cpus is	a reasonable guess.

       neg-cache-size: _number_
	      Number  of  bytes	size of	the aggressive negative	cache. Default
	      is 1 megabyte.  A	plain number is	in bytes, append 'k',  'm'  or
	      'g'  for kilobytes, megabytes or gigabytes (1024*1024 bytes in a
	      megabyte).

       unblock-lan-zones: _yes or no_
	      Default is disabled.   If	 enabled,  then	 for  private  address
	      space,  the reverse lookups are no longer	filtered.  This	allows
	      unbound when running as dns service on a host where it  provides
	      service  for  that  host,	 to put	out all	of the queries for the
	      'lan' upstream.  When enabled, only localhost, 127.0.0.1 reverse
	      and  ::1	reverse	zones are configured with default local	zones.
	      Disable the option when unbound is running as a (DHCP-) DNS net-
	      work resolver for	a group	of machines, where such	lookups	should
	      be filtered (RFC compliance), this  also	stops  potential  data
	      leakage about the	local network to the upstream DNS servers.

       insecure-lan-zones: _yes	or no_
	      Default  is  disabled.  If enabled, then reverse lookups in pri-
	      vate address space are not validated.  This is usually  required
	      whenever unblock-lan-zones is used.

       local-zone: _zone_ _type_
	      Configure	 a  local zone.	The type determines the	answer to give
	      if there is no  match  from  local-data.	The  types  are	 deny,
	      refuse,  static, transparent, redirect, nodefault, typetranspar-
	      ent, inform, inform_deny,	 inform_redirect,  always_transparent,
	      always_refuse, always_nxdomain, noview, and are explained	below.
	      After that the default settings are listed. Use  local-data:  to
	      enter  data into the local zone. Answers for local zones are au-
	      thoritative DNS answers. By default the zones are	class IN.

	      If you need more complicated authoritative data, with referrals,
	      wildcards, CNAME/DNAME support, or DNSSEC	authoritative service,
	      setup a stub-zone	for it as detailed in the  stub	 zone  section
	      below.

	    deny Do  not  send an answer, drop the query.  If there is a match
		 from local data, the query is answered.

	    refuse
		 Send an error message reply, with rcode REFUSED.  If there is
		 a match from local data, the query is answered.

	    static
		 If  there  is a match from local data,	the query is answered.
		 Otherwise, the	query is answered  with	 nodata	 or  nxdomain.
		 For  a	 negative  answer  a  SOA is included in the answer if
		 present as local-data for the zone apex domain.

	    transparent
		 If there is a match from local	data, the query	 is  answered.
		 Otherwise if the query	has a different	name, the query	is re-
		 solved	normally.  If the query	is for a name given in	local-
		 data  but  no such type of data is given in localdata,	then a
		 noerror nodata	answer is returned.  If	no local-zone is given
		 local-data  causes  a	transparent  zone to be	created	by de-
		 fault.

	    typetransparent
		 If there is a match from local	data, the query	 is  answered.
		 If  the  query	 is for	a different name, or for the same name
		 but for a different type, the	query  is  resolved  normally.
		 So,  similar  to transparent but types	that are not listed in
		 local data are	resolved normally, so if an A record is	in the
		 local	data  that  does  not  cause  a	 nodata	reply for AAAA
		 queries.

	    redirect
		 The query is answered from the	local data for the zone	 name.
		 There	may  be	no local data beneath the zone name.  This an-
		 swers queries for the zone, and all subdomains	 of  the  zone
		 with the local	data for the zone.  It can be used to redirect
		 a domain to return a different	 address  record  to  the  end
		 user,	 with  local-zone:  "example.com."  redirect  and  lo-
		 cal-data: "example.com. A 127.0.0.1"  queries	for  www.exam-
		 ple.com and www.foo.example.com are redirected, so that users
		 with web browsers  cannot  access  sites  with	 suffix	 exam-
		 ple.com.

	    inform
		 The  query  is	 answered  normally, same as transparent.  The
		 client	IP address (@portnumber) is printed  to	 the  logfile.
		 The  log  message  is:	timestamp, unbound-pid,	info: zonename
		 inform	IP@port	queryname type class.  This option can be used
		 for normal resolution,	but machines looking up	infected names
		 are logged, eg. to run	antivirus on them.

	    inform_deny
		 The query is dropped, like 'deny', and	logged,	like 'inform'.
		 Ie. find infected machines without answering the queries.

	    inform_redirect
		 The  query  is	 redirected, like 'redirect', and logged, like
		 'inform'.  Ie.	answer queries with fixed data	and  also  log
		 the machines that ask.

	    always_transparent
		 Like  transparent,  but  ignores local	data and resolves nor-
		 mally.

	    always_refuse
		 Like refuse, but ignores local	data and refuses the query.

	    always_nxdomain
		 Like static, but ignores local	data and returns nxdomain  for
		 the query.

	    noview
		 Breaks	 out  of  that view and	moves towards the global local
		 zones for answer to the query.	 If  the  view	first  is  no,
		 it'll	resolve	 normally.   If	 view  first is	enabled, it'll
		 break perform that step and check the	global	answers.   For
		 when  the  view has view specific overrides but some zone has
		 to be answered	from global local zone contents.

	    nodefault
		 Used to turn off default contents for AS112 zones. The	 other
		 types also turn off default contents for the zone. The	'node-
		 fault'	option has no other effect than	 turning  off  default
		 contents  for	the  given zone.  Use nodefault	if you use ex-
		 actly that zone, if you want to use a subzone,	use  transpar-
		 ent.

       The  default zones are localhost, reverse 127.0.0.1 and ::1, the	onion,
       test, invalid and the AS112 zones. The  AS112  zones  are  reverse  DNS
       zones  for  private use and reserved IP addresses for which the servers
       on the internet cannot provide correct answers. They are	configured  by
       default to give nxdomain	(no reverse information) answers. The defaults
       can be turned off by specifying your own	local-zone of  that  name,  or
       using  the  'nodefault'	type. Below is a list of the default zone con-
       tents.

	    localhost
		 The IP4 and IP6 localhost information is given.  NS  and  SOA
		 records are provided for completeness and to satisfy some DNS
		 update	tools. Default content:
		 local-zone: "localhost." redirect
		 local-data: "localhost. 10800 IN NS localhost."
		 local-data: "localhost. 10800 IN
		     SOA localhost. nobody.invalid. 1 3600 1200	604800 10800"
		 local-data: "localhost. 10800 IN A 127.0.0.1"
		 local-data: "localhost. 10800 IN AAAA ::1"

	    reverse IPv4 loopback
		 Default content:
		 local-zone: "127.in-addr.arpa." static
		 local-data: "127.in-addr.arpa.	10800 IN NS localhost."
		 local-data: "127.in-addr.arpa.	10800 IN
		     SOA localhost. nobody.invalid. 1 3600 1200	604800 10800"
		 local-data: "1.0.0.127.in-addr.arpa. 10800 IN
		     PTR localhost."

	    reverse IPv6 loopback
		 Default content:
		 local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
		     0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." static
		 local-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
		     0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
		     NS	localhost."
		 local-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
		     0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
		     SOA localhost. nobody.invalid. 1 3600 1200	604800 10800"
		 local-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
		     0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
		     PTR localhost."

	    onion (RFC 7686)
		 Default content:
		 local-zone: "onion." static
		 local-data: "onion. 10800 IN NS localhost."
		 local-data: "onion. 10800 IN
		     SOA localhost. nobody.invalid. 1 3600 1200	604800 10800"

	    test (RFC 6761)
		 Default content:
		 local-zone: "test." static
		 local-data: "test. 10800 IN NS	localhost."
		 local-data: "test. 10800 IN
		     SOA localhost. nobody.invalid. 1 3600 1200	604800 10800"

	    invalid (RFC 6761)
		 Default content:
		 local-zone: "invalid."	static
		 local-data: "invalid. 10800 IN	NS localhost."
		 local-data: "invalid. 10800 IN
		     SOA localhost. nobody.invalid. 1 3600 1200	604800 10800"

	    reverse RFC1918 local use zones
		 Reverse data for zones	 10.in-addr.arpa,  16.172.in-addr.arpa
		 to   31.172.in-addr.arpa,   168.192.in-addr.arpa.    The  lo-
		 cal-zone: is set static and as	local-data: SOA	and NS records
		 are provided.

	    reverse RFC3330 IP4	this, link-local, testnet and broadcast
		 Reverse  data for zones 0.in-addr.arpa, 254.169.in-addr.arpa,
		 2.0.192.in-addr.arpa (TEST  NET  1),  100.51.198.in-addr.arpa
		 (TEST	 NET   2),   113.0.203.in-addr.arpa   (TEST   NET  3),
		 255.255.255.255.in-addr.arpa.	And  from  64.100.in-addr.arpa
		 to 127.100.in-addr.arpa (Shared Address Space).

	    reverse RFC4291 IP6	unspecified
		 Reverse data for zone
		 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
		 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.

	    reverse RFC4193 IPv6 Locally Assigned Local	Addresses
		 Reverse data for zone D.F.ip6.arpa.

	    reverse RFC4291 IPv6 Link Local Addresses
		 Reverse data for zones	8.E.F.ip6.arpa to B.E.F.ip6.arpa.

	    reverse IPv6 Example Prefix
		 Reverse  data for zone	8.B.D.0.1.0.0.2.ip6.arpa. This zone is
		 used for tutorials and	examples. You can remove the block  on
		 this zone with:
		   local-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault
		 You can also selectively unblock a part of the	zone by	making
		 that part transparent with a local-zone statement.  This also
		 works with the	other default zones.

       local-data: "_resource record string_"
	    Configure  local data, which is served in reply to queries for it.
	    The	query has to match exactly unless you configure	the local-zone
	    as	redirect.  If  not matched exactly, the	local-zone type	deter-
	    mines further processing. If local-data is configured that is  not
	    a  subdomain  of a local-zone, a transparent local-zone is config-
	    ured.  For record types such as TXT, use single quotes, as in  lo-
	    cal-data: 'example.	TXT "text"'.

	    If	you  need more complicated authoritative data, with referrals,
	    wildcards, CNAME/DNAME support, or DNSSEC  authoritative  service,
	    setup  a stub-zone for it as detailed in the stub zone section be-
	    low.

       local-data-ptr: "IPaddr name"
	    Configure local data shorthand for a PTR record with the  reversed
	    IPv4  or  IPv6  address and	the host name.	For example "192.0.2.4
	    www.example.com".  TTL can be  inserted  like  this:  "2001:DB8::4
	    7200 www.example.com"

       local-zone-tag: _zone_ _"list of	tags"_
	    Assign  tags to localzones.	Tagged localzones will only be applied
	    when the used access-control element has a matching	tag. Tags must
	    be	defined	 in  define-tags.  Enclose list	of tags	in quotes ("")
	    and	put spaces between tags.  When	there  are  multiple  tags  it
	    checks  if	the intersection of the	list of	tags for the query and
	    local-zone-tag is non-empty.

       local-zone-override: _zone_ _IP netblock_ _type_
	    Override the localzone type	for queries  from  addresses  matching
	    netblock.  Use this	localzone type,	regardless the type configured
	    for	the local-zone (both tagged and	untagged) and  regardless  the
	    type configured using access-control-tag-action.

       ratelimit: _number or 0_
	    Enable  ratelimiting  of queries sent to nameserver	for performing
	    recursion.	If 0, the default, it is disabled.  This option	is ex-
	    perimental	at  this time.	The ratelimit is in queries per	second
	    that are allowed.  More queries are	 turned	 away  with  an	 error
	    (servfail).	  This stops recursive floods, eg. random query	names,
	    but	not spoofed reflection floods.	Cached responses are not rate-
	    limited  by	 this setting.	The zone of the	query is determined by
	    examining the nameservers for it, the zone name is	used  to  keep
	    track  of  the rate.  For example, 1000 may	be a suitable value to
	    stop the server from being overloaded with random names, and keeps
	    unbound from sending traffic to the	nameservers for	those zones.

       ratelimit-size: _memory size_
	    Give  the  size of the data	structure in which the current ongoing
	    rates are kept track in.  Default 4m.  In bytes  or	 use  m(mega),
	    k(kilo),  g(giga).	The ratelimit structure	is small, so this data
	    structure likely does not need to be large.

       ratelimit-slabs:	_number_
	    Give power of 2 number of slabs, this is used to reduce lock  con-
	    tention  in	 the  ratelimit	tracking data structure.  Close	to the
	    number of cpus is a	fairly good setting.

       ratelimit-factor: _number_
	    Set	the amount of queries to rate limit  when  the	limit  is  ex-
	    ceeded.   If  set  to 0, all queries are dropped for domains where
	    the	limit is exceeded.  If set to another value, 1 in that	number
	    is	allowed	 through  to  complete.	  Default is 10, allowing 1/10
	    traffic to flow normally.  This can	make ordinary queries complete
	    (if	repeatedly queried for), and enter the cache, whilst also mit-
	    igating the	traffic	flow by	the factor given.

       ratelimit-for-domain: _domain_ _number qps or 0_
	    Override the global	ratelimit for an exact match domain name  with
	    the	 listed	 number.   You	can give this for any number of	names.
	    For	example, for a top-level-domain	you may	want to	have a	higher
	    limit  than	 other	names.	A value	of 0 will disable ratelimiting
	    for	that domain.

       ratelimit-below-domain: _domain_	_number	qps or 0_
	    Override the global	ratelimit for a	domain name that ends in  this
	    name.  You can give	this multiple times, it	then describes differ-
	    ent	settings in different parts of	the  namespace.	  The  closest
	    matching  suffix is	used to	determine the qps limit.  The rate for
	    the	 exact	matching  domain  name	is  not	 changed,  use	 rate-
	    limit-for-domain to	set that, you might want to use	different set-
	    tings for a	top-level-domain and subdomains.  A value  of  0  will
	    disable ratelimiting for domain names that end in this name.

       ip-ratelimit: _number or	0_
	    Enable global ratelimiting of queries accepted per ip address.  If
	    0, the default, it is disabled.  This option  is  experimental  at
	    this  time.	  The  ratelimit is in queries per second that are al-
	    lowed.  More queries are completely	dropped	and will not receive a
	    reply,  SERVFAIL  or  otherwise.   IP  ratelimiting	happens	before
	    looking in the cache. This may be useful for mitigating amplifica-
	    tion attacks.

       ip-ratelimit-size: _memory size_
	    Give  the  size of the data	structure in which the current ongoing
	    rates are kept track in.  Default 4m.  In bytes  or	 use  m(mega),
	    k(kilo),  g(giga).	 The  ip ratelimit structure is	small, so this
	    data structure likely does not need	to be large.

       ip-ratelimit-slabs: _number_
	    Give power of 2 number of slabs, this is used to reduce lock  con-
	    tention in the ip ratelimit	tracking data structure.  Close	to the
	    number of cpus is a	fairly good setting.

       ip-ratelimit-factor: _number_
	    Set	the amount of queries to rate limit  when  the	limit  is  ex-
	    ceeded.   If set to	0, all queries are dropped for addresses where
	    the	limit is exceeded.  If set to another value, 1 in that	number
	    is	allowed	 through  to  complete.	  Default is 10, allowing 1/10
	    traffic to flow normally.  This can	make ordinary queries complete
	    (if	repeatedly queried for), and enter the cache, whilst also mit-
	    igating the	traffic	flow by	the factor given.

       fast-server-permil: _number_
	    Specify how	many times out of 1000 to pick from the	set of fastest
	    servers.  0	turns the feature off.	A value	of 900 would pick from
	    the	fastest	servers	90 percent of the time,	and would perform nor-
	    mal	 exploration  of  random  servers for the remaining time. When
	    prefetch is	enabled	(or serve-expired), such  prefetches  are  not
	    sped up, because there is no one waiting for it, and it presents a
	    good moment	to perform server exploration. The fast-server-num op-
	    tion  can  be used to specify the size of the fastest servers set.
	    The	default	for fast-server-permil is 0.

       fast-server-num:	_number_
	    Set	the number of servers that should be used for fast server  se-
	    lection. Only use the fastest specified number of servers with the
	    fast-server-permil option, that turns this on or off. The  default
	    is to use the fastest 3 servers.

       edns-client-string: _IP netblock_ _string_
	    Include  an	 EDNS0	option	containing  configured ascii string in
	    queries with destination address matching the configured  IP  net-
	    block.   This configuration	option can be used multiple times. The
	    most specific match	will be	used.

       edns-client-string-opcode: _opcode_
	    EDNS0 option code for the edns-client-string  option,  from	 0  to
	    65535.   A	value from the `Reserved for Local/Experimental` range
	    (65001-65534) should be used.  Default is 65001.

   Remote Control Options
       In the remote-control: clause are the declarations for the remote  con-
       trol  facility.	If this	is enabled, the	unbound-control(8) utility can
       be used to send commands	to the running	unbound	 server.   The	server
       uses these clauses to setup TLSv1 security for the connection.  The un-
       bound-control(8)	utility	also reads the remote-control section for  op-
       tions.	To  setup  the	correct	 self-signed  certificates use the un-
       bound-control-setup(8) utility.

       control-enable: _yes or no_
	    The	option is used to enable remote	control, default is "no".   If
	    turned off,	the server does	not listen for control commands.

       control-interface: _ip address or path_
	    Give  IPv4 or IPv6 addresses or local socket path to listen	on for
	    control commands.  By default localhost  (127.0.0.1	 and  ::1)  is
	    listened to.  Use 0.0.0.0 and ::0 to listen	to all interfaces.  If
	    you	change this  and  permissions  have  been  dropped,  you  must
	    restart the	server for the change to take effect.

	    If	you  set  it to	an absolute path, a local socket is used.  The
	    local socket does not use the  certificates	 and  keys,  so	 those
	    files  need	not be present.	 To restrict access, unbound sets per-
	    missions on	the file to the	user and group that is configured, the
	    access  bits are set to allow the group members to access the con-
	    trol socket	file.  Put users that need to access the socket	in the
	    that group.	 To restrict access further, create a directory	to put
	    the	control	socket in and restrict access to that directory.

       control-port: _port number_
	    The	port number to listen on for IPv4 or IPv6 control  interfaces,
	    default  is	 8953.	 If  you change	this and permissions have been
	    dropped, you must restart the server for the change	 to  take  ef-
	    fect.

       control-use-cert: _yes or no_
	    For	 localhost control-interface you can disable the use of	TLS by
	    setting this option	to "no", default is "yes".  For	local sockets,
	    TLS	is disabled and	the value of this option is ignored.

       server-key-file:	_private key file_
	    Path  to  the  server  private key,	by default unbound_server.key.
	    This file is generated by the unbound-control-setup	utility.  This
	    file is used by the	unbound	server,	but not	by unbound-control.

       server-cert-file: _certificate file.pem_
	    Path  to  the  server  self	 signed	 certificate,  by  default un-
	    bound_server.pem.  This file  is  generated	 by  the  unbound-con-
	    trol-setup	utility.  This file is used by the unbound server, and
	    also by unbound-control.

       control-key-file: _private key file_
	    Path to the	control	client private key,  by	 default  unbound_con-
	    trol.key.	This  file  is	generated by the unbound-control-setup
	    utility.  This file	is used	by unbound-control.

       control-cert-file: _certificate file.pem_
	    Path to the	control	client certificate,  by	 default  unbound_con-
	    trol.pem.	This certificate has to	be signed with the server cer-
	    tificate.  This file is  generated	by  the	 unbound-control-setup
	    utility.  This file	is used	by unbound-control.

   Stub	Zone Options
       There may be multiple stub-zone:	clauses. Each with a name: and zero or
       more hostnames or IP addresses.	For the	stub zone this list  of	 name-
       servers	is used. Class IN is assumed.  The servers should be authority
       servers,	not recursors; unbound performs	the recursive  processing  it-
       self for	stub zones.

       The stub	zone can be used to configure authoritative data to be used by
       the resolver that cannot	be accessed using the public internet servers.
       This  is	 useful	 for company-local data	or private zones. Setup	an au-
       thoritative server on a different host (or  different  port).  Enter  a
       config  entry  for unbound with stub-addr: <ip address of host[@port]>.
       The unbound resolver can	then access the	data, without referring	to the
       public internet for it.

       This  setup  allows DNSSEC signed zones to be served by that authorita-
       tive server, in which case a trusted key	entry with the public key  can
       be  put in config, so that unbound can validate the data	and set	the AD
       bit on replies for the private zone (authoritative servers do  not  set
       the AD bit).  This setup	makes unbound capable of answering queries for
       the private zone, and can even set the AD bit ('authentic'), but	the AA
       ('authoritative') bit is	not set	on these replies.

       Consider	 adding	 server:  statements  for domain-insecure: and for lo-
       cal-zone: name nodefault	for the	zone if	it is a	locally	 served	 zone.
       The insecure clause stops DNSSEC	from invalidating the zone.  The local
       zone nodefault (or transparent) clause makes the	(reverse-) zone	bypass
       unbound's filtering of RFC1918 zones.

       name: _domain name_
	      Name of the stub zone.

       stub-host: _domain name_
	      Name  of	stub  zone nameserver. Is itself resolved before it is
	      used.

       stub-addr: _IP address_
	      IP address of stub zone nameserver. Can be IP 4 or IP 6.	To use
	      a	nondefault port	for DNS	communication append '@' with the port
	      number.  If tls is enabled, then you can	append	a  '#'	and  a
	      name,  then it'll	check the tls authentication certificates with
	      that name.  If you combine the '@' and '#', the '@' comes	first.

       stub-prime: _yes	or no_
	      This option is by	default	no.  If	enabled	 it  performs  NS  set
	      priming,	which  is similar to root hints, where it starts using
	      the list of nameservers currently	published by the zone.	 Thus,
	      if  the  hint list is slightly outdated, the resolver picks up a
	      correct list online.

       stub-first: _yes	or no_
	      If enabled, a query is attempted without the stub	clause	if  it
	      fails.   The  data  could	not be retrieved and would have	caused
	      SERVFAIL because the servers  are	 unreachable,  instead	it  is
	      tried without this clause.  The default is no.

       stub-tls-upstream: _yes or no_
	      Enabled  or disable whether the queries to this stub use TLS for
	      transport.  Default is no.

       stub-ssl-upstream: _yes or no_
	      Alternate	syntax for stub-tls-upstream.

       stub-no-cache: _yes or no_
	      Default is no.  If enabled, data inside the stub is not  cached.
	      This is useful when you want immediate changes to	be visible.

   Forward Zone	Options
       There may be multiple forward-zone: clauses. Each with a	name: and zero
       or more hostnames or IP addresses.  For the forward zone	this  list  of
       nameservers  is	used  to forward the queries to. The servers listed as
       forward-host: and forward-addr: have to handle  further	recursion  for
       the  query.   Thus,  those  servers  are	not authority servers, but are
       (just like unbound is) recursive	servers	too; unbound does not  perform
       recursion itself	for the	forward	zone, it lets the remote server	do it.
       Class IN	is assumed.  CNAMEs are	chased by unbound itself,  asking  the
       remote  server  for every name in the indirection chain,	to protect the
       local cache from	illegal	indirect referenced items.  A forward-zone en-
       try with	name "." and a forward-addr target will	forward	all queries to
       that other server (unless it can	answer from the	cache).

       name: _domain name_
	      Name of the forward zone.

       forward-host: _domain name_
	      Name of server to	forward	to. Is itself resolved	before	it  is
	      used.

       forward-addr: _IP address_
	      IP address of server to forward to. Can be IP 4 or IP 6.	To use
	      a	nondefault port	for DNS	communication append '@' with the port
	      number.	If  tls	 is  enabled,  then you	can append a '#' and a
	      name, then it'll check the tls authentication certificates  with
	      that name.  If you combine the '@' and '#', the '@' comes	first.

	      At high verbosity	it logs	the TLS	certificate, with TLS enabled.
	      If you leave out the '#' and auth	name  from  the	 forward-addr,
	      any  name	 is  accepted.	The cert must also match a CA from the
	      tls-cert-bundle.

       forward-first: _yes or no_
	      If a forwarded query is met with a SERVFAIL error, and this  op-
	      tion is enabled, unbound will fall back to normal	recursive res-
	      olution for this query as	if no query forwarding had been	speci-
	      fied.  The default is "no".

       forward-tls-upstream: _yes or no_
	      Enabled or disable whether the queries to	this forwarder use TLS
	      for transport.  Default is no.  If you enable this, also config-
	      ure a tls-cert-bundle or use tls-win-cert	to load	CA certs, oth-
	      erwise the connections cannot be authenticated.

       forward-ssl-upstream: _yes or no_
	      Alternate	syntax for forward-tls-upstream.

       forward-no-cache: _yes or no_
	      Default is no.  If enabled,  data	 inside	 the  forward  is  not
	      cached.	This  is  useful when you want immediate changes to be
	      visible.

   Authority Zone Options
       Authority zones are configured with auth-zone:, and each	one must  have
       a  name:.   There  can  be multiple ones, by listing multiple auth-zone
       clauses,	each with a different name, pertaining to  that	 part  of  the
       namespace.  The authority zone with the name closest to the name	looked
       up is used.  Authority zones are	processed after	local-zones and	before
       cache  (for-downstream: yes), and when used in this manner make unbound
       respond like an authority server.  Authority zones are  also  processed
       after  cache, just before going to the network to fetch information for
       recursion (for-upstream:	yes), and when used in this manner  provide  a
       local copy of an	authority server that speeds up	lookups	of that	data.

       Authority zones can be read from	zonefile.  And can be kept updated via
       AXFR and	IXFR.  After update the	zonefile  is  rewritten.   The	update
       mechanism uses the SOA timer values and performs	SOA UDP	queries	to de-
       tect zone changes.

       If the update fetch fails, the timers in	the SOA	 record	 are  used  to
       time  another  fetch  attempt.	Until the SOA expiry timer is reached.
       Then the	zone is	expired.  When a zone is expired,  queries  are	 SERV-
       FAIL,  and  any new serial number is accepted from the primary (even if
       older), and if fallback is enabled, the	fallback  activates  to	 fetch
       from the	upstream instead of the	SERVFAIL.

       name: _zone name_
	      Name of the authority zone.

       primary:	_IP address or host name_
	      Where  to	 download a copy of the	zone from, with	AXFR and IXFR.
	      Multiple primaries can be	specified.  They are all tried if  one
	      fails.  With the "ip#name" notation a AXFR over TLS can be used.
	      If you point it at another Unbound instance, it would  not  work
	      because that does	not support AXFR/IXFR for the zone, but	if you
	      used url:	to download the	zonefile as a text file	 from  a  web-
	      server that would	work.  If you specify the hostname, you	cannot
	      use the domain from the zonefile,	because	it may not  have  that
	      when  retrieving	that  data,  instead use a plain IP address to
	      avoid a circular dependency on retrieving	that IP	address.

       master: _IP address or host name_
	      Alternate	syntax for primary.

       url: _url to zonefile_
	      Where to download	a zonefile for the zone.  With http or	https.
	      An   example   for   the	url  is	 "http://www.example.com/exam-
	      ple.org.zone".  Multiple url statements can be given,  they  are
	      tried  in	turn.  If only urls are	given the SOA refresh timer is
	      used to wait for making new downloads.  If  also	primaries  are
	      listed,  the  primaries are first	probed with UDP	SOA queries to
	      see if the SOA serial number has changed,	reducing the number of
	      downloads.   If  none  of	the urls work, the primaries are tried
	      with IXFR	and AXFR.  For	https,	the  tls-cert-bundle  and  the
	      hostname	from  the url are used to authenticate the connection.
	      If you specify a hostname	in the URL, you	cannot use the	domain
	      from  the	zonefile, because it may not have that when retrieving
	      that data, instead use a plain IP	address	to  avoid  a  circular
	      dependency on retrieving that IP address.	 Avoid dependencies on
	      name lookups by using a notation like "http://192.0.2.1/unbound-
	      primaries/example.com.zone", with	an explicit IP address.

       allow-notify: _IP address or host name or netblockIP/prefix_
	      With  allow-notify  you  can specify additional sources of noti-
	      fies.  When notified, the	server attempts	 to  first  probe  and
	      then  zone  transfer.  If	the notify is from a primary, it first
	      attempts that primary.  Otherwise	other primaries	are attempted.
	      If there are no primaries, but only urls,	the file is downloaded
	      when notified.  The primaries from primary: statements  are  al-
	      lowed notify by default.

       fallback-enabled: _yes or no_
	      Default  no.  If enabled,	unbound	falls back to querying the in-
	      ternet as	a resolver for this zone when lookups fail.  For exam-
	      ple for DNSSEC validation	failures.

       for-downstream: _yes or no_
	      Default  yes.  If	enabled, unbound serves	authority responses to
	      downstream clients for this zone.	 This option makes unbound be-
	      have,  for  the queries with names in this zone, like one	of the
	      authority	servers	for that zone.	Turn it	off if	you  want  un-
	      bound to provide recursion for the zone but have a local copy of
	      zone data.  If for-downstream is no  and	for-upstream  is  yes,
	      then  unbound  will DNSSEC validate the contents of the zone be-
	      fore serving the zone contents to	clients	and  store  validation
	      results in the cache.

       for-upstream: _yes or no_
	      Default  yes.   If  enabled, unbound fetches data	from this data
	      collection for answering recursion queries.  Instead of  sending
	      queries  over  the  internet  to	the authority servers for this
	      zone, it'll fetch	the data directly from the zone	data.  Turn it
	      on  when	you  want  unbound to provide recursion	for downstream
	      clients, and use the zone	data as	 a  local  copy	 to  speed  up
	      lookups.

       zonefile: _filename_
	      The  filename  where  the	 zone is stored.  If not given then no
	      zonefile is used.	 If the	file does not exist or is  empty,  un-
	      bound  will  attempt  to	fetch  zone data (eg. from the primary
	      servers).

   View	Options
       There may be multiple view: clauses. Each with a	name: and zero or more
       local-zone  and local-data elements. Views can also contain view-first,
       response-ip, response-ip-data and local-data-ptr	elements.  View	can be
       mapped  to  requests  by	 specifying  the  view	name in	an access-con-
       trol-view element. Options from matching	views will override global op-
       tions.  Global  options	will  be used if no matching view is found, or
       when the	matching view does not have the	option specified.

       name: _view name_
	      Name of the view.	Must be	unique.	 This  name  is	 used  in  ac-
	      cess-control-view	elements.

       local-zone: _zone_ _type_
	      View specific local-zone elements. Has the same types and	behav-
	      iour as the global local-zone elements. When there is  at	 least
	      one  local-zone  specified and view-first	is no, the default lo-
	      cal-zones	will be	added to this view.  Defaults can be  disabled
	      using  the nodefault type. When view-first is yes	or when	a view
	      does not have a local-zone, the global local-zone	will  be  used
	      including	it's default zones.

       local-data: "_resource record string_"
	      View specific local-data elements. Has the same behaviour	as the
	      global local-data	elements.

       local-data-ptr: "IPaddr name"
	      View specific local-data-ptr elements. Has the same behaviour as
	      the global local-data-ptr	elements.

       view-first: _yes	or no_
	      If  enabled,  it	attempts  to use the global local-zone and lo-
	      cal-data if there	is no match in the view	specific options.  The
	      default is no.

   Python Module Options
       The  python: clause gives the settings for the python(1)	script module.
       This module acts	like the iterator and validator	modules	do, on queries
       and  answers.   To  enable the script module it has to be compiled into
       the daemon, and the word	"python" has to	be put in  the	module-config:
       option (usually first, or between the validator and iterator). Multiple
       instances of the	 python	 module	 are  supported	 by  adding  the  word
       "python"	more than once.

       If the chroot: option is	enabled, you should make sure Python's library
       directory structure is bind mounted in the new  root  environment,  see
       mount(8).  Also the python-script: path should be specified as an abso-
       lute path relative to the new root, or as a relative path to the	 work-
       ing directory.

       python-script: _python file_
	      The  script  file	 to  load. Repeat this option for every	python
	      module instance added to the module-config: option.

   Dynamic Library Module Options
       The dynlib: clause gives	the settings for the dynlib module.  This mod-
       ule  is	only  a	 very  small wrapper that allows dynamic modules to be
       loaded on runtime instead of being compiled into	 the  application.  To
       enable the dynlib module	it has to be compiled into the daemon, and the
       word "dynlib" has to be put in the module-config: option. Multiple  in-
       stances	of dynamic libraries are supported by adding the word "dynlib"
       more than once.

       The dynlib-file:	path should be specified as an absolute	path  relative
       to  the	new  path  set by chroot: option, or as	a relative path	to the
       working directory.

       dynlib-file: _dynlib file_
	      The dynamic library file to load.	Repeat this option  for	 every
	      dynlib module instance added to the module-config: option.

   DNS64 Module	Options
       The  dns64  module must be configured in	the module-config: "dns64 val-
       idator iterator"	directive and be compiled into the daemon  to  be  en-
       abled.  These settings go in the	server:	section.

       dns64-prefix: _IPv6 prefix_
	      This  sets  the  DNS64  prefix to	use to synthesize AAAA records
	      with.  It	must  be  /96  or  shorter.   The  default  prefix  is
	      64:ff9b::/96.

       dns64-synthall: _yes or no_
	      Debug  option,  default  no.   If	 enabled,  synthesize all AAAA
	      records despite the presence of actual AAAA records.

       dns64-ignore-aaaa: _name_
	      List domain for which the	AAAA records are  ignored  and	the  A
	      record is	used by	dns64 processing instead.  Can be entered mul-
	      tiple times, list	a new domain for which	it  applies,  one  per
	      line.  Applies also to names underneath the name given.

   DNSCrypt Options
       The  dnscrypt: clause gives the settings	of the dnscrypt	channel. While
       those options are available, they are only meaningful  if  unbound  was
       compiled	with --enable-dnscrypt.	 Currently certificate and secret/pub-
       lic keys	cannot be generated by unbound.	 You can use  dnscrypt-wrapper
       to  generate those: https://github.com/cofyc/dnscrypt-wrapper/blob/mas-
       ter/README.md#usage

       dnscrypt-enable:	_yes or	no_
	      Whether or not the dnscrypt config should	be  enabled.  You  may
	      define configuration but not activate it.	 The default is	no.

       dnscrypt-port: _port number_
	      On which port should dnscrypt should be activated. Note that you
	      should have a matching interface option defined  in  the	server
	      section for this port.

       dnscrypt-provider: _provider name_
	      The  provider name to use	to distribute certificates. This is of
	      the form:	2.dnscrypt-cert.example.com.. The name MUST end	with a
	      dot.

       dnscrypt-secret-key: _path to secret key	file_
	      Path  to	the  time  limited secret key file. This option	may be
	      specified	multiple times.

       dnscrypt-provider-cert: _path to	cert file_
	      Path to the certificate  related	to  the	 dnscrypt-secret-keys.
	      This option may be specified multiple times.

       dnscrypt-provider-cert-rotated: _path to	cert file_
	      Path  to	a certificate that we should be	able to	serve existing
	      connection  from	 but   do   not	  want	 to   advertise	  over
	      dnscrypt-provider's  TXT	record	certs distribution.  A typical
	      use case is when rotating	 certificates,	existing  clients  may
	      still  use  the  client magic from the old cert in their queries
	      until they fetch and update the new cert.	Likewise, it would al-
	      low  one	to prime the new cert/key without distributing the new
	      cert yet,	this can be useful when	using a	network	of servers us-
	      ing  anycast  and	on which the configuration may not get updated
	      at the exact same	time. By priming the  cert,  the  servers  can
	      handle  both  old	 and new certs traffic while distributing only
	      one.  This option	may be specified multiple times.

       dnscrypt-shared-secret-cache-size: _memory size_
	      Give the size of the data	structure in which the	shared	secret
	      keys  are	 kept  in.   Default  4m.   In	bytes  or use m(mega),
	      k(kilo), g(giga).	 The shared secret cache is used when  a  same
	      client  is making	multiple queries using the same	public key. It
	      saves a substantial amount of CPU.

       dnscrypt-shared-secret-cache-slabs: _number_
	      Give power of 2 number of	slabs, this is	used  to  reduce  lock
	      contention  in  the dnscrypt shared secrets cache.  Close	to the
	      number of	cpus is	a fairly good setting.

       dnscrypt-nonce-cache-size: _memory size_
	      Give the size of the data	structure in which the	client	nonces
	      are  kept	 in.   Default	4m.  In	bytes or use m(mega), k(kilo),
	      g(giga).	The nonce cache	is used	to  prevent  dnscrypt  message
	      replaying.  Client nonce should be unique	for any	pair of	client
	      pk/server	sk.

       dnscrypt-nonce-cache-slabs: _number_
	      Give power of 2 number of	slabs, this is	used  to  reduce  lock
	      contention  in the dnscrypt nonce	cache.	Close to the number of
	      cpus is a	fairly good setting.

   EDNS	Client Subnet Module Options
       The ECS module must be configured in  the  module-config:  "subnetcache
       validator iterator" directive and be compiled into the daemon to	be en-
       abled.  These settings go in the	server:	section.

       If the destination address is allowed in	the configuration Unbound will
       add  the	 EDNS0 option to the query containing the relevant part	of the
       client's	address.  When an answer contains the ECS option the  response
       and  the	option are placed in a specialized cache. If the authority in-
       dicated no support, the response	is stored in the regular cache.

       Additionally, when a client includes the	option in its queries, Unbound
       will  forward  the  option when sending the query to addresses that are
       explicitly allowed in the configuration using  send-client-subnet.  The
       option  will  always be forwarded, regardless the allowed addresses, if
       client-subnet-always-forward is set to yes. In this case	the lookup  in
       the regular cache is skipped.

       The  maximum size of the	ECS cache is controlled	by 'msg-cache-size' in
       the configuration file. On top of that, for each	query only 100 differ-
       ent subnets are allowed to be stored for	each address family. Exceeding
       that number, older entries will be purged from cache.

       send-client-subnet: _IP address_
	      Send client source address to this authority. Append /num	to in-
	      dicate   a  classless  delegation	 netblock,  for	 example  like
	      10.2.3.4/24 or 2001::11/64. Can be given multiple	times. Author-
	      ities  not  listed will not receive edns-subnet information, un-
	      less domain in query is specified	in client-subnet-zone.

       client-subnet-zone: _domain_
	      Send client source address in queries for	this  domain  and  its
	      subdomains.  Can	be given multiple times. Zones not listed will
	      not receive edns-subnet information, unless hosted by  authority
	      specified	in send-client-subnet.

       client-subnet-always-forward: _yes or no_
	      Specify	whether	  the  ECS  address  check  (configured	 using
	      send-client-subnet) is applied for  all  queries,	 even  if  the
	      triggering query contains	an ECS record, or only for queries for
	      which the	ECS record is generated	using the querier address (and
	      therefore	 did not contain ECS data in the client	query).	If en-
	      abled, the address check is skipped when the client  query  con-
	      tains an ECS record. Default is no.

       max-client-subnet-ipv6: _number_
	      Specifies	the maximum prefix length of the client	source address
	      we are willing to	expose to third	parties	for IPv6.  Defaults to
	      56.

       max-client-subnet-ipv4: _number_
	      Specifies	the maximum prefix length of the client	source address
	      we are willing to	expose to third	parties	for IPv4. Defaults  to
	      24.

       min-client-subnet-ipv6: _number_
	      Specifies	 the  minimum prefix length of the IPv6	source mask we
	      are willing to accept in queries.	Shorter	source masks result in
	      REFUSED answers. Source mask of 0	is always accepted. Default is
	      0.

       min-client-subnet-ipv4: _number_
	      Specifies	the minimum prefix length of the IPv4 source  mask  we
	      are willing to accept in queries.	Shorter	source masks result in
	      REFUSED answers. Source mask of 0	is always accepted. Default is
	      0.

       max-ecs-tree-size-ipv4: _number_
	      Specifies	 the maximum number of subnets ECS answers kept	in the
	      ECS radix	tree.  This number applies for each qname/qclass/qtype
	      tuple. Defaults to 100.

       max-ecs-tree-size-ipv6: _number_
	      Specifies	 the maximum number of subnets ECS answers kept	in the
	      ECS radix	tree.  This number applies for each qname/qclass/qtype
	      tuple. Defaults to 100.

   Opportunistic IPsec Support Module Options
       The  IPsec  module  must	 be configured in the module-config: "ipsecmod
       validator iterator" directive and be compiled into the daemon to	be en-
       abled.  These settings go in the	server:	section.

       When  unbound  receives	an  A/AAAA  query that is not in the cache and
       finds a valid answer, it	will withhold returning	the answer and instead
       will generate an	IPSECKEY subquery for the same domain name.  If	an an-
       swer was	found, unbound will call an external hook passing the  follow-
       ing arguments:

	    QNAME
		 Domain	name of	the A/AAAA and IPSECKEY	query.	In string for-
		 mat.

	    IPSECKEY TTL
		 TTL of	the IPSECKEY RRset.

	    A/AAAA
		 String	of space separated IP addresses	present	in the	A/AAAA
		 RRset.	 The IP	addresses are in string	format.

	    IPSECKEY
		 String	 of  space  separated  IPSECKEY	 RDATA	present	in the
		 IPSECKEY RRset.  The IPSECKEY RDATA are in  DNS  presentation
		 format.

       The  A/AAAA  answer  is then cached and returned	to the client.	If the
       external	hook was called	the TTL	changes	to ensure it  doesn't  surpass
       ipsecmod-max-ttl.

       The  same  procedure  is	 also followed when prefetch: is used, but the
       A/AAAA answer is	given to the client before the hook is called.	ipsec-
       mod-max-ttl  ensures  that  the A/AAAA answer given from	cache is still
       relevant	for opportunistic IPsec.

       ipsecmod-enabled: _yes or no_
	      Specifies	whether	the IPsec module is enabled or not.  The IPsec
	      module  still  needs  to be defined in the module-config:	direc-
	      tive.  This option facilitates turning on/off the	module without
	      restarting/reloading unbound.  Defaults to yes.

       ipsecmod-hook: _filename_
	      Specifies	 the  external	hook  that unbound will	call with sys-
	      tem(3).  The file	can be specified as an absolute/relative path.
	      The  file	needs the proper permissions to	be able	to be executed
	      by the same user that runs unbound.  It must be present when the
	      IPsec module is defined in the module-config: directive.

       ipsecmod-strict:	_yes or	no_
	      If  enabled  unbound requires the	external hook to return	a suc-
	      cess value of 0.	Failing	to do so unbound will reply with SERV-
	      FAIL.   The  A/AAAA answer will also not be cached.  Defaults to
	      no.

       ipsecmod-max-ttl: _seconds_
	      Time to live maximum for A/AAAA cached records after calling the
	      external hook.  Defaults to 3600.

       ipsecmod-ignore-bogus: _yes or no_
	      Specifies	 the  behaviour	of unbound when	the IPSECKEY answer is
	      bogus.  If set to	yes, the hook will be called  and  the	A/AAAA
	      answer  will  be returned	to the client.	If set to no, the hook
	      will not be called and the answer	to the A/AAAA  query  will  be
	      SERVFAIL.	 Mainly	used for testing.  Defaults to no.

       ipsecmod-allow: _domain_
	      Allow the	ipsecmod functionality for the domain so that the mod-
	      ule logic	will be	executed.  Can be given	 multiple  times,  for
	      different	 domains.  If the option is not	specified, all domains
	      are treated as being allowed (default).

       ipsecmod-whitelist: _yes	or no_
	      Alternate	syntax for ipsecmod-allow.

   Cache DB Module Options
       The Cache DB module must	be configured in the module-config: "validator
       cachedb	iterator" directive and	be compiled into the daemon with --en-
       able-cachedb.  If this module is	enabled	and configured,	the  specified
       backend	database  works	 as  a second level cache: When	Unbound	cannot
       find an answer to a query in its	built-in in-memory cache, it  consults
       the  specified backend.	If it finds a valid answer in the backend, Un-
       bound uses it to	respond	to the query without performing	iterative  DNS
       resolution.   If	 Unbound cannot	even find an answer in the backend, it
       resolves	the query as usual, and	stores the answer in the backend.

       This module interacts with the serve-expired-* options and  will	 reply
       with expired data if unbound is configured for that.  Currently the use
       of serve-expired-client-timeout:	and  serve-expired-reply-ttl:  is  not
       consistent  for	data originating from the external cache as these will
       result in a reply with 0	TTL without trying to update the  data	first,
       ignoring	the configured values.

       If  Unbound  was	 built with --with-libhiredis on a system that has in-
       stalled the hiredis C client library of Redis, then the "redis" backend
       can be used.  This backend communicates with the	specified Redis	server
       over a TCP connection to	store and retrieve cache data.	It can be used
       as  a  persistent and/or	shared cache backend.  It should be noted that
       Unbound never removes data stored in the	Redis  server,	even  if  some
       data  have  expired  in terms of	DNS TTL	or the Redis server has	cached
       too much	data; if necessary the Redis  server  must  be	configured  to
       limit  the cache	size, preferably with some kind	of least-recently-used
       eviction	policy.	 Additionally, the redis-expire-records	option can  be
       used  in	order to set the relative DNS TTL of the message as timeout to
       the Redis records; keep in mind that some additional memory is used per
       key  and	 that  the expire information is stored	as absolute Unix time-
       stamps in Redis (computer time must be stable).	This backend uses syn-
       chronous	 communication	with  the Redis	server based on	the assumption
       that the	communication is stable	and  sufficiently  fast.   The	thread
       waiting	for  a	response from the Redis	server cannot handle other DNS
       queries.	 Although the backend has the  ability	to  reconnect  to  the
       server  when  the connection is closed unexpectedly and there is	a con-
       figurable timeout in case the server is overly slow or hangs up,	 these
       cases are assumed to be very rare.  If connection close or timeout hap-
       pens too	often, Unbound will be effectively unusable with this backend.
       It's the	administrator's	responsibility to make the assumption hold.

       The cachedb: clause gives custom	settings of the	cache DB module.

       backend:	_backend name_
	      Specify  the backend database name.  The default database	is the
	      in-memory	backend	named "testframe", which,  as  the  name  sug-
	      gests, is	not of any practical use.  Depending on	the build-time
	      configuration, "redis" backend may also  be  used	 as  described
	      above.

       secret-seed: _"secret string"_
	      Specify a	seed to	calculate a hash value from query information.
	      This value will be used as the key of the	 corresponding	answer
	      for  the	backend	 database  and	can  be	customized if the hash
	      should not be predictable	operationally.	If the	backend	 data-
	      base is shared by	multiple Unbound instances, all	instances must
	      use the same secret seed.	 This option defaults to "default".

       The following cachedb otions are	specific to the	redis backend.

       redis-server-host: _server address or name_
	      The IP (either v6	or v4) address or domain  name	of  the	 Redis
	      server.	In general an IP address should	be specified as	other-
	      wise Unbound will	have to	resolve	the name of the	 server	 every
	      time it establishes a connection to the server.  This option de-
	      faults to	"127.0.0.1".

       redis-server-port: _port	number_
	      The TCP port number of the Redis server.	This  option  defaults
	      to 6379.

       redis-timeout: _msec_
	      The  period until	when Unbound waits for a response from the Re-
	      dis sever.  If this timeout expires Unbound closes  the  connec-
	      tion,  treats  it	 as  if	the Redis server does not have the re-
	      quested data, and	will try  to  re-establish  a  new  connection
	      later.  This option defaults to 100 milliseconds.

       redis-expire-records: _yes or no_
	      If  Redis	 record	 expiration  is	enabled.  If yes, unbound sets
	      timeout for Redis	records	so that	Redis can evict	keys that have
	      expired  automatically.  If unbound is configured	with serve-ex-
	      pired and	serve-expired-ttl is 0,	this option is internally  re-
	      verted to	"no".  Redis SETEX support is required for this	option
	      (Redis >=	2.0.0).	 This option defaults to no.

   DNSTAP Logging Options
       DNSTAP support, when compiled in, is enabled in	the  dnstap:  section.
       This  starts an extra thread (when compiled with	threading) that	writes
       the log information to the destination.	If unbound is compiled without
       threading  it  does not spawn a thread, but connects per-process	to the
       destination.

       dnstap-enable: _yes or no_
	      If dnstap	is enabled.  Default no.  If yes, it connects  to  the
	      dnstap  server  and if any of the	dnstap-log-..-messages options
	      is enabled it sends logs for those messages to the server.

       dnstap-bidirectional: _yes or no_
	      Use frame	streams	in bidirectional mode to transfer DNSTAP  mes-
	      sages. Default is	yes.

       dnstap-socket-path: _file name_
	      Sets the unix socket file	name for connecting to the server that
	      is listening on that socket.  Default is "".

       dnstap-ip: _IPaddress[@port]_
	      If "", the unix socket is	used, if set with an IP	address	 (IPv4
	      or IPv6) that address is used to connect to the server.

       dnstap-tls: _yes	or no_
	      Set  this	 to  use  TLS  to  connect  to the server specified in
	      dnstap-ip.  The default is yes.  If set to no, TCP  is  used  to
	      connect to the server.

       dnstap-tls-server-name: _name of	TLS authentication_
	      The  TLS server name to authenticate the server with.  Used when
	      dnstap-tls is enabled.  If "" it is ignored, default "".

       dnstap-tls-cert-bundle: _file name of cert bundle_
	      The pem file with	certs to verify	the TLS	server certificate. If
	      ""  the  server default cert bundle is used, or the windows cert
	      bundle on	windows.  Default is "".

       dnstap-tls-client-key-file: _file name_
	      The client key file for TLS client authentication. If ""	client
	      authentication is	not used.  Default is "".

       dnstap-tls-client-cert-file: _file name_
	      The  client cert file for	TLS client authentication.  Default is
	      "".

       dnstap-send-identity: _yes or no_
	      If enabled, the server identity is included in the log messages.
	      Default is no.

       dnstap-send-version: _yes or no_
	      If  enabled, the server version if included in the log messages.
	      Default is no.

       dnstap-identity:	_string_
	      The identity to send with	messages, if ""	the hostname is	 used.
	      Default is "".

       dnstap-version: _string_
	      The  version to send with	messages, if ""	the package version is
	      used.  Default is	"".

       dnstap-log-resolver-query-messages: _yes	or no_
	      Enable to	log resolver query messages.  Default  is  no.	 These
	      are messages from	unbound	to upstream servers.

       dnstap-log-resolver-response-messages: _yes or no_
	      Enable to	log resolver response messages.	 Default is no.	 These
	      are replies from upstream	servers	to unbound.

       dnstap-log-client-query-messages: _yes or no_
	      Enable to	log client query messages.  Default is no.  These  are
	      client queries to	unbound.

       dnstap-log-client-response-messages: _yes or no_
	      Enable  to  log client response messages.	 Default is no.	 These
	      are responses from unbound to clients.

       dnstap-log-forwarder-query-messages: _yes or no_
	      Enable to	log forwarder query messages.  Default is no.

       dnstap-log-forwarder-response-messages: _yes or no_
	      Enable to	log forwarder response messages.  Default is no.

   Response Policy Zone	Options
       Response	Policy Zones are configured with rpz:, and each	one must  have
       a  name:.  There	can be multiple	ones, by listing multiple rpz clauses,
       each with a different name. RPZ clauses are applied in order of config-
       uration.	 The  respip  module  needs  to	be added to the	module-config,
       e.g.: module-config: "respip validator iterator".

       Only the	QNAME and Response IP Address triggers are supported. The sup-
       ported  RPZ  actions  are:  NXDOMAIN,  NODATA, PASSTHRU,	DROP and Local
       Data. RPZ QNAME triggers	are applied after local-zones and before auth-
       zones.

       name: _zone name_
	      Name of the authority zone.

       primary:	_IP address or host name_
	      Where  to	 download a copy of the	zone from, with	AXFR and IXFR.
	      Multiple primaries can be	specified.  They are all tried if  one
	      fails.

       master: _IP address or host name_
	      Alternate	syntax for primary.

       url: _url to zonefile_
	      Where  to	download a zonefile for	the zone.  With	http or	https.
	      An  example  for	the   url   is	 "http://www.example.com/exam-
	      ple.org.zone".   Multiple	 url statements	can be given, they are
	      tried in turn.  If only urls are given the SOA refresh timer  is
	      used  to	wait  for making new downloads.	 If also primaries are
	      listed, the primaries are	first probed with UDP SOA  queries  to
	      see if the SOA serial number has changed,	reducing the number of
	      downloads.  If none of the urls work, the	 primaries  are	 tried
	      with  IXFR  and  AXFR.   For  https, the tls-cert-bundle and the
	      hostname from the	url are	used to	authenticate the connection.

       allow-notify: _IP address or host name or netblockIP/prefix_
	      With allow-notify	you can	specify	additional  sources  of	 noti-
	      fies.   When  notified,  the  server attempts to first probe and
	      then zone	transfer.  If the notify is from a primary,  it	 first
	      attempts that primary.  Otherwise	other primaries	are attempted.
	      If there are no primaries, but only urls,	the file is downloaded
	      when  notified.	The primaries from primary: statements are al-
	      lowed notify by default.

       zonefile: _filename_
	      The filename where the zone is stored.  If  not  given  then  no
	      zonefile	is  used.  If the file does not	exist or is empty, un-
	      bound will attempt to fetch zone	data  (eg.  from  the  primary
	      servers).

       rpz-action-override: _action_
	      Always use this RPZ action for matching triggers from this zone.
	      Possible action are: nxdomain, nodata, passthru, drop,  disabled
	      and cname.

       rpz-cname-override: _domain_
	      The CNAME	target domain to use if	the cname action is configured
	      for rpz-action-override.

       rpz-log:	_yes or	no_
	      Log all applied RPZ actions for this RPZ zone. Default is	no.

       rpz-log-name: _name_
	      Specify a	string to be part of the log line, for easy  referenc-
	      ing.

       tags: _list of tags_
	      Limit the	policies from this RPZ clause to clients with a	match-
	      ing tag. Tags need to be defined in define-tag and  can  be  as-
	      signed  to  client  addresses  using access-control-tag. Enclose
	      list of tags in quotes ("") and put spaces between tags.	If  no
	      tags are specified the policies from this	clause will be applied
	      for all clients.

MEMORY CONTROL EXAMPLE
       In the example config settings below memory usage is reduced. Some ser-
       vice  levels are	lower, notable very large data and a high TCP load are
       no longer supported. Very large data and	high TCP loads are exceptional
       for the DNS.  DNSSEC validation is enabled, just	add trust anchors.  If
       you do not have to worry	about programs using more than 3 Mb of memory,
       the below example is not	for you. Use the defaults to receive full ser-
       vice, which on BSD-32bit	tops out at 30-40 Mb after heavy usage.

       # example settings that reduce memory usage
       server:
	    num-threads: 1
	    outgoing-num-tcp: 1	# this limits TCP service, uses	less buffers.
	    incoming-num-tcp: 1
	    outgoing-range: 60	# uses less memory, but	less performance.
	    msg-buffer-size: 8192   # note this	limits service,	'no huge stuff'.
	    msg-cache-size: 100k
	    msg-cache-slabs: 1
	    rrset-cache-size: 100k
	    rrset-cache-slabs: 1
	    infra-cache-numhosts: 200
	    infra-cache-slabs: 1
	    key-cache-size: 100k
	    key-cache-slabs: 1
	    neg-cache-size: 10k
	    num-queries-per-thread: 30
	    target-fetch-policy: "2 1 0	0 0 0"
	    harden-large-queries: "yes"
	    harden-short-bufsize: "yes"

FILES
       /usr/local/etc/unbound
	      default unbound working directory.

       /usr/local/etc/unbound
	      default chroot(2)	location.

       /usr/local/etc/unbound/unbound.conf
	      unbound configuration file.

       /usr/local/etc/unbound/unbound.pid
	      default unbound pidfile with process ID of the running daemon.

       unbound.log
	      unbound log file.	default	is to log to syslog(3).

SEE ALSO
       unbound(8), unbound-checkconf(8).

AUTHORS
       Unbound was written by NLnet Labs. Please see CREDITS file in the  dis-
       tribution for further details.

NLnet Labs			 Dec  3, 2020		       unbound.conf(5)

NAME | SYNOPSIS | DESCRIPTION | EXAMPLE | FILE FORMAT | MEMORY CONTROL EXAMPLE | FILES | SEE ALSO | AUTHORS

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=unbound.conf&sektion=5&manpath=FreeBSD+13.0-RELEASE+and+Ports>

home | help