On 2018/05/17 21:13, Florian Obser wrote:
> On Thu, May 17, 2018 at 07:26:47PM +0100, Stuart Henderson wrote:
> > On 2018/05/17 19:06, Florian Obser wrote:
> > > 2) turn on minimal-responses and refuse-any per default
> > > 
> > > I think these are better / sane defaults.
> > 
> > I agree, OK.
> > 
> > What do you think about a commented-out entry in src/etc/nsd.conf for
> > these settings? Partly to show people how to turn them off in case they
> > have issues, partly to draw admin attention to it when they run sysmerge?
> > 
> 
> Very nice idea. I haven't committed this part yet, I think it's best to
> commit it together with nsd.conf.
> 
> Here is a start, while there is no precedent in nsd.conf, I believe we
> usually put the default commented into the conf file.

SSH does it that way round for everything, but that feels like an
outlier to me; my usual experience with ports (and old DOS software
going back to the 80s) is that config samples usually have bits which
you uncomment to enable.

But then the descriptions make more sense the way you've got them,
I've tried wording for the other way round and I'm not happy with
that :-)  So OK with me.

> There is precedent to the contrary in unbound.conf, i.e.:
> 
>       # Uncomment to synthesize NXDOMAINs from DNSSEC NSEC chains
>       # https://tools.ietf.org/html/rfc8198
>       #
>       #aggressive-nsec: yes
> 
> hmm...
> 
> 
> diff --git etc/nsd.conf etc/nsd.conf
> index c5491605a24..d65f3afba97 100644
> --- etc/nsd.conf
> +++ etc/nsd.conf
> @@ -10,6 +10,13 @@ server:
>  #    ip-address: 192.0.2.53@5678
>  #    ip-address: 2001:db8::53
>  
> +## make packets as small as possible, on by default
> +#    minimal-responses: yes
> +
> +## respond with truncation for ANY queries over UDP and allow ANY over TCP,
> +## on by default
> +#    refuse-any: yes
> +
>  remote-control:
>       control-enable: yes
>  
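Review bot: both new entries show the default value, so an admin who uncomments `#    minimal-responses: yes` or `#    refuse-any: yes` as written changes nothing; since the thread says these lines exist to show people how to turn the features off, the description lines should say so, e.g. `## make packets as small as possible, on by default (set to no to disable)` and likewise for refuse-any. The refuse-any comment could also spell out the consequence of "respond with truncation for ANY queries over UDP and allow ANY over TCP": a client that gets the truncated reply retries over TCP, so a host that filters 53/tcp will never answer ANY at all rather than merely discourage it.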
> 
> 
> -- 
> I'm not entirely sure you are real.
> 
