unbound: Implement setting qname minimisation into strict mode

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2026-04-09 18:45:54 +02:00 · 2020-01-07 16:32:35 +00:00
parent a33489a7aa
commit beebf925c3
2 changed files with 8 additions and 0 deletions
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -61,6 +61,7 @@ server:
 	harden-algo-downgrade: no
 	use-caps-for-id: yes
 	aggressive-nsec: yes
+	qname-minimisation: yes

 	# TLS
 	tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt
--- a/src/initscripts/system/unbound
+++ b/src/initscripts/system/unbound
@@ -102,6 +102,13 @@ write_forward_conf() {
 	(
 		config_header

+		# Enable strict QNAME minimisation
+		if [ "${QNAME_MIN}" = "strict" ]; then
+			echo "server:"
+			echo "	qname-minimisation-strict: yes"
+			echo
+		fi
+
 		# Force using TCP for upstream servers only
 		if [ "${PROTO}" = "TCP" ]; then
 			echo "# Force using TCP for upstream servers only"