unbound: move to tls-ystem-cert from tls-cert-bundle & disable qname minimization for DoT forward-zones

etc/unbound/unbound.conf.d/dns-over-tls.conf

@@ -1,8 +1,13 @@
 server:
 	# Debian ca-certificates location
-	tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
 	# Fedora location
 	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+	# Use system certificates no matter where they are
+	tls-system-cert: yes
+	# Quad9 says pointless performance impact on forwarders.
+	# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+	qname-minimisation: no
 
 # This list is for my travel laptop to have at least one DoT443 server
 # which seems to be applied-privacy.net. They advice having multiple DoT servers

etc/unbound/unbound.conf.d/dns64-over-tls.conf

@@ -3,9 +3,14 @@
 
 server:
 	# Debian ca-certificates location
-	tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
 	# ctrl.blog says this is the Fedora location
 	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+	# Use system certificates no matter where they are
+	tls-system-cert: yes
+	# Quad9 says pointless performance impact on forwarders.
+	# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+	qname-minimisation: no
 
 # Forward queries to
 forward-zone:

etc/unbound/unbound.conf.d/dot-adguard.conf

@@ -1,8 +1,13 @@
 server:
 	# Debian ca-certificates location
-	tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
 	# ctrl.blog says this is the Fedora location
 	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+	# Use system certificates no matter where they are
+	tls-system-cert: yes
+	# Quad9 says pointless performance impact on forwarders.
+	# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+	qname-minimisation: no
 
 forward-zone:
 	name: "."

etc/unbound/unbound.conf.d/dot-dns0-quad9.conf

@@ -7,9 +7,14 @@
 
 server:
 	# Debian ca-certificates location
-	tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
 	# Fedora
 	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+	# Use system certificates no matter where they are
+	tls-system-cert: yes
+	# Quad9 says pointless performance impact on forwarders.
+	# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+	qname-minimisation: no
 
 forward-zone:
 	name: "."

etc/unbound/unbound.conf.d/dot-dns0.conf

@@ -1,8 +1,13 @@
 server:
 	# Debian ca-certificates location
-	tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
 	# ctrl.blog says this is the Fedora location
 	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+	# Use system certificates no matter where they are
+	tls-system-cert: yes
+	# Quad9 says pointless performance impact on forwarders.
+	# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+	qname-minimisation: no
 
 forward-zone:
 	name: "."

etc/unbound/unbound.conf.d/dot-fluhable-cache.conf

@@ -3,9 +3,14 @@
 
 server:
 	# Debian ca-certificates location
-	tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
 	# Fedora location
 	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+	# Use system certificates no matter where they are
+	tls-system-cert: yes
+	# Quad9 says pointless performance impact on forwarders.
+	# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+	qname-minimisation: no
 
 # DNS servers that have public button for flushing cache. Privacy not considered.
 

etc/unbound/unbound.conf.d/dot-quad9.conf

@@ -1,8 +1,13 @@
 server:
 	# Debian ca-certificates location
-	tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
 	# ctrl.blog says this is the Fedora location
 	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+	# Use system certificates no matter where they are
+	tls-system-cert: yes
+	# Quad9 says pointless performance impact on forwarders.
+	# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+	qname-minimisation: no
 
 forward-zone:
 	name: "."