From 363be56010885298e340cea9d11aaa60b0ee0307 Mon Sep 17 00:00:00 2001
From: Aminda Suomalainen
Date: Wed, 17 Apr 2024 16:01:38 +0300
Subject: [PATCH] unbound: move to tls-ystem-cert from tls-cert-bundle & disable qname minimization for DoT forward-zones
---
 etc/unbound/unbound.conf.d/dns-over-tls.conf | 7 ++++++-
 etc/unbound/unbound.conf.d/dns64-over-tls.conf | 7 ++++++-
 etc/unbound/unbound.conf.d/dot-adguard.conf | 7 ++++++-
 etc/unbound/unbound.conf.d/dot-dns0-quad9.conf | 7 ++++++-
 etc/unbound/unbound.conf.d/dot-dns0.conf | 7 ++++++-
 etc/unbound/unbound.conf.d/dot-fluhable-cache.conf | 7 ++++++-
 etc/unbound/unbound.conf.d/dot-quad9.conf | 7 ++++++-
 7 files changed, 42 insertions(+), 7 deletions(-)
diff --git a/etc/unbound/unbound.conf.d/dns-over-tls.conf b/etc/unbound/unbound.conf.d/dns-over-tls.conf
index 14b2a0c5..453a4b15 100644
--- a/etc/unbound/unbound.conf.d/dns-over-tls.conf
+++ b/etc/unbound/unbound.conf.d/dns-over-tls.conf
@@ -1,8 +1,13 @@
 server:
  # Debian ca-certificates location
- tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+ #tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
  # Fedora location
  #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+ # Use system certificates no matter where they are
+ tls-system-cert: yes
+ # Quad9 says pointless performance impact on forwarders.
+ # https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+ qname-minimisation: no
 
 # This list is for my travel laptop to have at least one DoT443 server
 # which seems to be applied-privacy.net. They advice having multiple DoT servers
diff --git a/etc/unbound/unbound.conf.d/dns64-over-tls.conf b/etc/unbound/unbound.conf.d/dns64-over-tls.conf
index e59496ce..9d5537bb 100644
--- a/etc/unbound/unbound.conf.d/dns64-over-tls.conf
+++ b/etc/unbound/unbound.conf.d/dns64-over-tls.conf
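Review bot: `qname-minimisation: no` at the end of the added block is a `server:`-scope option, so it switches QNAME minimisation off for the whole resolver rather than only for the DoT forward-zone the subject line describes; with `forward-zone: name: "."` every query already reaches the forwarder with its full name, so nothing is lost there, but any zone unbound still resolves iteratively (a stub zone, a `forward-first` fallback) would lose the privacy benefit. Quad9's advice reads as a performance note, so the comment should state the scope, e.g. `# Global: disables QNAME minimisation for all resolution, not just this forward-zone; harmless while everything is forwarded to '.'.` Commenting out `tls-cert-bundle` means upstream certificate verification now rests entirely on `tls-system-cert: yes` (unbound's manual says forward connections cannot be authenticated without one of the two), which deserves a line such as `# Required for TLS verification of the forwarders; without this or tls-cert-bundle the upstream certificate is not checked.` The same five-line stanza is repeated verbatim in the hunks for dns64-over-tls.conf, dot-adguard.conf, dot-dns0-quad9.conf, dot-dns0.conf, dot-fluhable-cache.conf and dot-quad9.conf; if these drop-ins are alternatives that is fine, but if more than one is ever included together, a single shared fragment under the same conf.d would keep the trust settings in one place. Each hunk shows only a fragment of the `server:` clause; the `forward-zone:` blocks it feeds continue outside the hunk.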
@@ -3,9 +3,14 @@
 
 server:
  # Debian ca-certificates location
- tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+ #tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
  # ctrl.blog says this is the Fedora location
  #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+ # Use system certificates no matter where they are
+ tls-system-cert: yes
+ # Quad9 says pointless performance impact on forwarders.
+ # https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+ qname-minimisation: no
 
 # Forward queries to
 forward-zone:
diff --git a/etc/unbound/unbound.conf.d/dot-adguard.conf b/etc/unbound/unbound.conf.d/dot-adguard.conf
index 224d1704..8599e849 100644
--- a/etc/unbound/unbound.conf.d/dot-adguard.conf
+++ b/etc/unbound/unbound.conf.d/dot-adguard.conf
@@ -1,8 +1,13 @@
 server:
  # Debian ca-certificates location
- tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+ #tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
  # ctrl.blog says this is the Fedora location
  #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+ # Use system certificates no matter where they are
+ tls-system-cert: yes
+ # Quad9 says pointless performance impact on forwarders.
+ # https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+ qname-minimisation: no
 
 forward-zone:
  name: "."
diff --git a/etc/unbound/unbound.conf.d/dot-dns0-quad9.conf b/etc/unbound/unbound.conf.d/dot-dns0-quad9.conf
index f9d581a9..4da55ade 100644
--- a/etc/unbound/unbound.conf.d/dot-dns0-quad9.conf
+++ b/etc/unbound/unbound.conf.d/dot-dns0-quad9.conf
@@ -7,9 +7,14 @@
 
 server:
  # Debian ca-certificates location
- tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+ #tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
  # Fedora
  #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+ # Use system certificates no matter where they are
+ tls-system-cert: yes
+ # Quad9 says pointless performance impact on forwarders.
+ # https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+ qname-minimisation: no
 
 forward-zone:
  name: "."
diff --git a/etc/unbound/unbound.conf.d/dot-dns0.conf b/etc/unbound/unbound.conf.d/dot-dns0.conf
index a96a9fc4..95d17ae8 100644
--- a/etc/unbound/unbound.conf.d/dot-dns0.conf
+++ b/etc/unbound/unbound.conf.d/dot-dns0.conf
@@ -1,8 +1,13 @@
 server:
  # Debian ca-certificates location
- tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+ #tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
  # ctrl.blog says this is the Fedora location
  #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+ # Use system certificates no matter where they are
+ tls-system-cert: yes
+ # Quad9 says pointless performance impact on forwarders.
+ # https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+ qname-minimisation: no
 
 forward-zone:
  name: "."
diff --git a/etc/unbound/unbound.conf.d/dot-fluhable-cache.conf b/etc/unbound/unbound.conf.d/dot-fluhable-cache.conf
index 01ea3e57..e557721f 100644
--- a/etc/unbound/unbound.conf.d/dot-fluhable-cache.conf
+++ b/etc/unbound/unbound.conf.d/dot-fluhable-cache.conf
@@ -3,9 +3,14 @@
 
 server:
  # Debian ca-certificates location
- tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+ #tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
  # Fedora location
  #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+ # Use system certificates no matter where they are
+ tls-system-cert: yes
+ # Quad9 says pointless performance impact on forwarders.
+ # https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+ qname-minimisation: no
 
 
 # DNS servers that have public button for flushing cache. Privacy not considered.
diff --git a/etc/unbound/unbound.conf.d/dot-quad9.conf b/etc/unbound/unbound.conf.d/dot-quad9.conf
index 5a7a88b7..f7a08f63 100644
--- a/etc/unbound/unbound.conf.d/dot-quad9.conf
+++ b/etc/unbound/unbound.conf.d/dot-quad9.conf
@@ -1,8 +1,13 @@
 server:
  # Debian ca-certificates location
- tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+ #tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
  # ctrl.blog says this is the Fedora location
  #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+ # Use system certificates no matter where they are
+ tls-system-cert: yes
+ # Quad9 says pointless performance impact on forwarders.
+ # https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+ qname-minimisation: no
 
 forward-zone:
  name: "."