On Thu, May 17, 2018 at 07:26:47PM +0100, Stuart Henderson wrote:
> On 2018/05/17 19:06, Florian Obser wrote:
> > 2) turn on minimal-responses and refuse-any per default
> > 
> > I think these are better / sane defaults.
> I agree, OK.
> What do you think about a commented-out entry in src/etc/nsd.conf for
> these settings? Partly to show people how to turn them off in case they
> have issues, partly to draw admin attention to it when they run sysmerge?

Very nice idea. I haven't committed this part yet, I think it's best to
commit it together with nsd.conf.

Here is a start. While there is no precedent in nsd.conf, I believe we
usually put the default commented into the conf file.

There is precedent to the contrary in unbound.conf, i.e.:

        # Uncomment to synthesize NXDOMAINs from DNSSEC NSEC chains
        # https://tools.ietf.org/html/rfc8198
        #aggressive-nsec: yes


diff --git etc/nsd.conf etc/nsd.conf
index c5491605a24..d65f3afba97 100644
--- etc/nsd.conf
+++ etc/nsd.conf
@@ -10,6 +10,13 @@ server:
 #      ip-address:
 #      ip-address: 2001:db8::53
+## make packets as small as possible, on by default
+#      minimal-responses: yes
+## respond with truncation for ANY queries over UDP and allow ANY over TCP,
+## on by default
+#      refuse-any: yes
        control-enable: yes
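Review bot: the two new commented lines show the default value (`yes`), so uncommenting them as written changes nothing, while the stated aim of the entry is to show people how to turn the settings off; consider either showing the opt-out value (`#      refuse-any: no`) or wording the `##` comments as "set to no to disable", the way the unbound.conf aggressive-nsec entry says what uncommenting does. Also, the hunk header (`-10,6 +10,13`) announces seven added lines but only five `+` lines are visible here, so part of the hunk seems to have been lost in the mail.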


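To illustrate the refuse-any behaviour the diff comment describes (truncate ANY over UDP so the client retries over TCP, answer ANY normally over TCP), here is an added Python sketch; it is not part of the diff or of nsd itself, and the query bytes, the function names and the "normal answer path" stub (returning None) are constructed for this example.

```python
import struct

QTYPE_ANY = 255          # "ANY" query type (RFC 1035)
FLAG_QR = 0x8000         # response bit
FLAG_TC = 0x0200         # truncated bit: tells the client to retry over TCP
FLAG_RD = 0x0100         # recursion desired, copied from the query

def build_query(txid: int, name: str, qtype: int) -> bytes:
    """Build a minimal one-question DNS query (constructed input, class IN)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    header = struct.pack("!6H", txid, FLAG_RD, 1, 0, 0, 0)
    return header + qname + b"\0" + struct.pack("!HH", qtype, 1)

def parse_question(query: bytes):
    """Return (txid, flags, qtype, raw question section) of a one-question query."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!6H", query[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos = 12
    while query[pos] != 0:          # walk the labels to the terminating zero
        pos += 1 + query[pos]
    pos += 1                        # skip the zero-length root label
    qtype = struct.unpack("!H", query[pos:pos + 2])[0]
    return txid, flags, qtype, query[12:pos + 4]   # qtype + qclass follow the name

def refuse_any(query: bytes, transport: str):
    """Policy from the nsd.conf comment: an ANY query over UDP gets an
    empty reply with TC=1 (so the client retries over TCP); ANY over TCP
    and every other qtype take the normal answer path (None here)."""
    txid, flags, qtype, question = parse_question(query)
    if qtype != QTYPE_ANY or transport != "udp":
        return None
    flags_out = FLAG_QR | FLAG_TC | (flags & FLAG_RD)
    header = struct.pack("!6H", txid, flags_out, 1, 0, 0, 0)
    return header + question        # question echoed, zero answer records

def is_truncated(reply: bytes) -> bool:
    """True when the reply has QR and TC set and carries no answer records."""
    flags, _, ancount = struct.unpack("!HHH", reply[2:8])
    return bool(flags & FLAG_QR) and bool(flags & FLAG_TC) and ancount == 0

if __name__ == "__main__":
    q = build_query(0x1234, "example.org", QTYPE_ANY)
    print("udp ANY truncated:", is_truncated(refuse_any(q, "udp")))
    print("tcp ANY passed through:", refuse_any(q, "tcp") is None)
```

The truncated reply is far smaller than a full ANY answer, which is why this setting blunts reflection attacks that rely on large ANY responses.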