On Thu, May 17, 2018 at 07:26:47PM +0100, Stuart Henderson wrote:
> On 2018/05/17 19:06, Florian Obser wrote:
> > 2) turn on minimal-responses and refuse-any per default
> >
> > I think these are better / sane defaults.
>
> I agree, OK.
>
> What do you think about a commented-out entry in src/etc/nsd.conf for
> these settings? Partly to show people how to turn them off in case they
> have issues, partly to draw admin attention to it when they run sysmerge?
>
Very nice idea. I haven't committed this part yet, I think it's best to
commit it together with nsd.conf.
Here is a start. While there is no precedent in nsd.conf, I believe we
usually put the default, commented out, into the conf file.
There is precedent to the contrary in unbound.conf, i.e.:
# Uncomment to synthesize NXDOMAINs from DNSSEC NSEC chains
# https://tools.ietf.org/html/rfc8198
#
#aggressive-nsec: yes
hmm...
diff --git etc/nsd.conf etc/nsd.conf
index c5491605a24..d65f3afba97 100644
--- etc/nsd.conf
+++ etc/nsd.conf
@@ -10,6 +10,13 @@ server:
# ip-address: 192.0.2.53@5678
# ip-address: 2001:db8::53
+## make packets as small as possible, on by default
+# minimal-responses: yes
+
+## respond with truncation for ANY queries over UDP and allow ANY over TCP,
+## on by default
+# refuse-any: yes
+
remote-control:
control-enable: yes
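Review bot: the two commented entries show the default value, so uncommenting `# minimal-responses: yes` or `# refuse-any: yes` changes nothing, while the stated purpose of the entry was to show admins how to turn the options off when they hit problems. Either say so in the comment (e.g. `## on by default, set to no to disable`) or follow the unbound.conf precedent quoted above and show the non-default value (`# minimal-responses: no`, `# refuse-any: no`) so that uncommenting the line has the intended effect. Whichever form is chosen, the two entries should use the same one so the file is consistent.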
--
I'm not entirely sure you are real.