|
 |
0d3b23 |
# validate_connection_provided_zones:
|
|
|
0d3b23 |
# -----------------------------------
|
|
|
0d3b23 |
# Setts if forward zones added into unbound by dnssec-trigger script
|
|
|
0d3b23 |
# will be DNSSEC validated or NOT. Note that this setting is global
|
|
|
0d3b23 |
# for all added forward zones..
|
|
|
0d3b23 |
# Possible options are:
|
|
|
0d3b23 |
#
|
|
|
0d3b23 |
# validate_connection_provided_zones=yes - All connection provided zones
|
|
|
0d3b23 |
# configured as forward zones into
|
|
|
0d3b23 |
# unbound WILL BE DNSSEC validated
|
|
|
0d3b23 |
# (NOTE: If connection provided DNS
|
|
|
0d3b23 |
# servers are NOT DNSSEC capable, the
|
|
|
0d3b23 |
# resolving of provided zones will
|
|
|
0d3b23 |
# NOT work!)
|
|
|
0d3b23 |
#
|
|
|
0d3b23 |
# validate_connection_provided_zones=no - All connection provided zones
|
|
|
0d3b23 |
# configured as forward zones into
|
|
|
0d3b23 |
# unbound will NOT be DNSSEC validated
|
|
|
0d3b23 |
#
|
|
|
0d3b23 |
#
|
|
|
0d3b23 |
# NOTICE: if you turn the validation OFF then all forward zones added by
|
|
|
0d3b23 |
# dnssec-trigger script will NOT be DNSSEC validated. If you turn the
|
|
|
0d3b23 |
# validation ON, only newly added forward zones will be DNSSEC validated.
|
|
|
0d3b23 |
# Forward zones added before the change will still NOT be DNSSEC validated.
|
|
|
0d3b23 |
# To force validation of previously added forward zone you need to restart
|
|
|
0d3b23 |
# it. For VPNs this can be done by restart NetworkManager.
|
|
|
0d3b23 |
validate_connection_provided_zones=yes
|
|
|
0d3b23 |
|
|
|
0d3b23 |
# add_wifi_provided_zones:
|
|
|
0d3b23 |
# ------------------------
|
|
|
0d3b23 |
# Setts if domains provided by WiFi connection are configured as forward zones
|
|
|
0d3b23 |
# into unbound.
|
|
|
0d3b23 |
# Possible options are:
|
|
|
0d3b23 |
#
|
|
|
0d3b23 |
# add_wifi_provided_zones=yes - Domains provided by ANY WiFi connection will
|
|
|
0d3b23 |
# be configured as forward zones into unbound.
|
|
|
0d3b23 |
# (NOTE: See the possible security implications
|
|
|
0d3b23 |
# stated below!)
|
|
|
0d3b23 |
#
|
|
|
0d3b23 |
# add_wifi_provided_zones=no - Domains provided by ANY WiFi connection will
|
|
|
0d3b23 |
# NOT be configured as forward zones into unbound.
|
|
|
0d3b23 |
# (NOTE: Forward zones will be still configured
|
|
|
0d3b23 |
# for any other type of connection!)
|
|
|
0d3b23 |
#
|
|
|
0d3b23 |
# NOTICE: Turning ON the addition of WiFi provided domains as forward zones
|
|
|
0d3b23 |
# into unbound may have SECURITY implications such as:
|
|
|
0d3b23 |
# - A WiFi access point can intentionally provide you a domain via DHCP for
|
|
|
0d3b23 |
# which it does not have authority and route all your DNS queries to its
|
|
|
0d3b23 |
# DNS servers.
|
|
|
0d3b23 |
# - In addition to the previous point, if you have the DNSSEC validation
|
|
|
0d3b23 |
# of forward zones turned OFF, the WiFi provided DNS servers can spoof
|
|
|
0d3b23 |
# the IP address for domain names from the provided domain WITHOUT YOU
|
|
|
0d3b23 |
# KNOWING IT!
|
|
|
0d3b23 |
add_wifi_provided_zones=no
|