From 1d7308e74e83386275e86f594fce16ed7234ecb8 Mon Sep 17 00:00:00 2001
From: Aminda Suomalainen <suomalainen+git@mikaela.info>
Date: Fri, 26 Apr 2024 13:53:50 +0300
Subject: [PATCH] unbound: explicitly enable ede and it's log

---
 etc/unbound/unbound.conf.d/cache.conf   | 3 +++
 etc/unbound/unbound.conf.d/logging.conf | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/etc/unbound/unbound.conf.d/cache.conf b/etc/unbound/unbound.conf.d/cache.conf
index c93fa1c7..36b7b98a 100644
--- a/etc/unbound/unbound.conf.d/cache.conf
+++ b/etc/unbound/unbound.conf.d/cache.conf
@@ -23,5 +23,8 @@ server:
 	# Allow expired results to be served if they are in cache. The cache will
 	# get updated the next time.
 	serve-expired: yes
+	# DNSSEC errors for valid and expired records
+	ede: yes
+	ede-serve-expired: yes
 
 # vim: filetype=unbound.conf
diff --git a/etc/unbound/unbound.conf.d/logging.conf b/etc/unbound/unbound.conf.d/logging.conf
index b009ba65..48cbd9f1 100644
--- a/etc/unbound/unbound.conf.d/logging.conf
+++ b/etc/unbound/unbound.conf.d/logging.conf
@@ -6,6 +6,9 @@ server:
 	# gives query level information, output per query.  Level  4  gives
 	# algorithm  level  information.
 	verbosity: 2
+	# Gives validation EDEs more comprehensive human-readable errors
+	# https://blog.nlnetlabs.nl/extended-dns-error-support-for-unbound/
+	val-log-level: 2
 	# Print statistics to the log hourly
 	statistics-interval: 3600