[[/1.16.2]]

Unbound 1.9.1 released

Published: Mon 11 March 2019

https://nlnetlabs.nl/news/2019/Mar/11/unbound-1.9.1-released/

There is even a page like this. lol

https://www.punoqun.net/

punoqun : https://www.punoqun.net/news/2018/Jun/21/unbound-1.7.3-released/

[[/1.8.3]]

1.0.0 apparently dates from May 2008.

Unbound [[/1.8.2]] (12/4)

[[/additional毒|additional-section poison]] in delegations

Unbound 1.8.1 https://unbound.nlnetlabs.nl/download.html

27 August 2018: Wouter
 - Set defaults to yes for a number of options to increase speed and resilience of the server. The so-reuseport, harden-below-nxdomain, and minimal-responses options are enabled by default. They used to be disabled by default, waiting to make sure they worked. They are enabled by default now, and can be disabled explicitly by setting them to "no" in the unbound.conf config file.

The Unbound-users Archives https://www.unbound.net/pipermail/unbound-users/

https://calomel.org/unbound_dns.html

[[/cache-max-negative-ttl]] [[/qname minimisation]]

$ unbound-control dump_cache

http://shutingrz.hatenablog.com/entry/2016/04/10/171155

= DNS/unbound =
https://unbound.net/

1.5.8 release -- ToshinoriMaeno

unbound.net/documentation/requirements.html … Requirements for Recursive Caching Resolver October 2006

1.5.7 on ubuntu : [[/install.log]] [[/query.log]]

Release 1.5.5 Tue Oct 6 09:50:14 CET 2015

unbound 1.5.0 https://unbound.net/pipermail/unbound-users/2014-November/003620.html

== About Unbound ==
Unbound is a validating, recursive, and caching DNS resolver.

The C implementation of Unbound is developed and maintained by NLnet Labs. It is based on ideas and algorithms taken from a java prototype developed by Verisign labs, Nominet, Kirei and ep.net.

Unbound is designed as a set of modular components, so that also DNSSEC (secure DNS) validation and stub-resolvers (that do not run as a server, but are linked into an application) are easily possible.

The source code is under a BSD License.
[[/unbound.conf]]

-----
https://unbound.net/documentation/unbound.html

[[/patch-doc]] [[/log]]

== ubuntu ==
I tried installing it on ubuntu 14.04 LTS. [[/ubuntu]]

http://unbound.jp/unbound/unbound-control/

== harden-below-nxdomain ==
harden-below-nxdomain: From RFC 8020 (with title "NXDOMAIN: There Really Is Nothing Underneath"), returns nxdomain to queries for a name below another name that is already known to be nxdomain. DNSSEC mandates noerror for empty nonterminals, hence this is possible. Very old software might return nxdomain for empty nonterminals (that usually happen for reverse IP address lookups), and thus may be incompatible with this. To try to avoid this only DNSSEC-secure nxdomains are used, because the old software does not have DNSSEC. Default is off. The nxdomain must be secure, this means nsec3 with optout is insufficient.

== harden-referral-path option ==
Unbound 1.1.0  Date: 11 November, 2008
 * harden-referral-path option implements draft-wijngaards-dnsext-resolver-side-mitigation-00, protects against many Kaminsky variations. Default is off, because of added load it generates, and experimental status.

If one accepts poisoning because this much load cannot be tolerated, that amounts to saying DNS is unusable.

[[/harden-referral-path]]

Unbound 1.3.1
 * harden-referral-path: handle cases where NS is in answer section.

For the record, NS in the answer section is not a referral. Including the cases related to CNAME queries, it is something that should come back only when the resolver has queried for NS.

Unbound 1.4.5
 * Fix so harden-referral-path does not result in failures due to max-depth. You can increase the max-depth by adding numbers (' 0') after the target-fetch-policy, this increases the depth to which is checked.

== minimal-responses ==
minimal-responses: If yes, Unbound doesn't insert authority/additional sections into response messages when those sections are not required. This reduces response size significantly, and may avoid TCP fallback for some responses. This may cause a slight speedup.
The default is no, because the DNS protocol RFCs mandate these sections, and the additional content could be of use and save roundtrips for clients.

I think the last sentence is a misunderstanding.

== harden-glue: ==
Will trust glue only if it is within the servers authority. Default is on.

This description seems to misunderstand glue. -- ToshinoriMaeno

Setting it to "no" is a very dangerous thing to do.
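
The four options discussed above (harden-glue, harden-below-nxdomain, harden-referral-path, minimal-responses) can be checked in an unbound.conf with the following Python code, which is an added example and not code from this page or from the Unbound project. It reports the effective value of each option using the defaults quoted on this page; the names `audit`, `disabled`, `DEFAULTS` and the sample configuration are assumptions of the example.

```python
import re

# Defaults as quoted on this page: harden-glue is on; harden-referral-path is
# off; the 27 August 2018 changelog entry turns harden-below-nxdomain and
# minimal-responses on. Releases before that entry differ.
DEFAULTS = {
    "harden-glue": "yes",
    "harden-below-nxdomain": "yes",
    "harden-referral-path": "no",
    "minimal-responses": "yes",
}

# "name: value" with optional double quotes and a trailing "#" comment.
# Assumption: one attribute per line; include: files are not followed.
ATTR = re.compile(r'^\s*([A-Za-z0-9-]+)\s*:\s*"?([^"#]*?)"?\s*(?:#.*)?$')

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """\
server:
    interface: 127.0.0.1
    harden-glue: no              # the setting this page calls dangerous
    harden-referral-path: "yes"
    # minimal-responses: no      (commented out, so the default applies)
remote-control:
    control-enable: no
"""

def audit(conf_text):
    """Map each option to (effective value, set explicitly in server:)."""
    explicit, in_server = {}, False
    for line in conf_text.splitlines():
        m = ATTR.match(line)
        if not m:
            continue                      # blank line or comment
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if not value:                     # clause header such as "server:"
            in_server = key == "server"
        elif in_server and key in DEFAULTS:
            explicit[key] = value         # assumption: the last setting wins
    return {o: (explicit.get(o, d), o in explicit) for o, d in DEFAULTS.items()}

def disabled(report):
    """Options whose effective value is "no", sorted by name."""
    return sorted(o for o, (value, _) in report.items() if value == "no")

if __name__ == "__main__":
    for opt, (value, is_explicit) in audit(SAMPLE).items():
        print(f"{opt}: {value} ({'explicit' if is_explicit else 'default'})")
    print("disabled:", disabled(audit(SAMPLE)))
```

With an empty configuration the only option reported as disabled is harden-referral-path, which matches the "Default is off" note in the 1.1.0 changelog entry quoted above.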