harden & prefetch unbound #4
4-FLOSS-Free-Libre-Open-Source-Software wants to merge 1 commit into DigitaleGesellschaft:master from
prefetch-key for dnssec
ryru left a comment
Thank you for your suggestions!
Can you please elaborate on what the benefits of the latter two settings are?
| prefetch: yes | ||
| prefetch-key: yes | ||
| target-fetch-policy: "-1 -1 -1 -1 -1" |
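Review bot: the `target-fetch-policy: "-1 -1 -1 -1 -1"` line at the end of this hunk carries no comment explaining the value, and it departs from unbound's documented default of "3 2 1 0 0". In unbound.conf a value of -1 means all nameserver target addresses are fetched opportunistically at that dependency depth, so all five depths become unbounded and upstream query volume rises. Suggest adding a comment in the config that states this trade-off, or keeping the default unless harden-referral-path stays in the change.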
I don't quite understand the meaning of this setting. What is the benefit of setting it to "-1 -1 -1 -1 -1"?
This seems to remove the limit on the rule of how deep to go down with queries while prefetching.
Recommended for enabling the latter:
If you enable it consider adding more numbers after the target-fetch-policy to increase the max depth that is checked to.
| prefetch-key: yes | ||
| target-fetch-policy: "-1 -1 -1 -1 -1" | ||
| qname-minimisation: yes | ||
| harden-referral-path: yes |
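Review bot: `harden-referral-path: yes` on the last line, like `qname-minimisation: yes` above it, is outside what the commit message "prefetch-key for dnssec" describes. The unbound.conf documentation marks harden-referral-path as experimental and off by default because of the extra query load it places on authority servers, so it should go in its own commit with a config comment naming that cost. That also lets it be reverted independently of the prefetch settings.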
This is experimental. I have no experience with this setting and feel a bit uncomfortable setting it.
Nice-to-have benefits:
enforces DNSSEC validation on nameserver NS sets and the nameserver addresses
According to the documentation and as far as I understand this, it must be safe. Because just generating some more queries and additional validation for and is only disabled because more queries can produce a bit more load