
Add performance settings to unbound.conf #87

Merged
merged 1 commit into from
Aug 9, 2022

Conversation

Contributor

@hagezi hagezi commented Aug 9, 2022

The added settings increase the performance. I have tried a lot and these settings offer a significant improvement.

Another optimization would be:

auth-zone:
    # Get data for all TLDs by IXFR (or AXFR) from root servers
    # these are the only servers that answer an IXFR query
    name: "."
    primary: 199.9.14.201         # b.root-servers.net
    primary: 192.33.4.12          # c.root-servers.net
    primary: 199.7.91.13          # d.root-servers.net
    primary: 192.5.5.241          # f.root-servers.net
    primary: 192.112.36.4         # g.root-servers.net
    primary: 193.0.14.129         # k.root-servers.net
    primary: 192.0.47.132         # xfr.cjr.dns.icann.org
    primary: 192.0.32.132         # xfr.lax.dns.icann.org
    
    fallback-enabled: yes
    for-downstream: no
    for-upstream: yes
    
    zonefile: /var/lib/unbound/root.zone

#52

My Unbound conf: https://github.com/hagezi/files/blob/main/unbound/server.conf

@churchofnoise
Contributor

churchofnoise commented Aug 9, 2022

This makes sense, I also run this.
Some points I am thinking about:

for the performance optimizations:

  • I'd suggest not including the min ttl at 0 line, as that is already the default value (and in defining this, we might miss it if the default ever changes)

for the auth zone:

  • Would it make sense to keep the hyperlocal root zone in a separate file so people can actively 'opt in', or would this be a standard addition?
    (don't get me wrong, I see the benefit of hyperlocal root and run it myself, but I also notice that both in NLNetlabs' example config, and in the example config over at Pi-Hole's website, this is left out. So I was wondering whether there's a reason for that)
  • Would it make sense to add url: "https://www.internic.net/domain/root.zone" for the root zone? This allows it to be downloaded
  • Given that do-ip6: no is now removed from the standard config, it's probably advisable to add the ipv6 addresses as well?

For reference, below you'll find the auth-zone part of my conf file:

auth-zone:
  # local copy of the DNS root zone (hyperlocal)

  name: "."
  master: 192.0.32.132         # lax.xfr.dns.icann.org
  master: 192.0.47.132         # iad.xfr.dns.icann.org
  master: 2620:0:2d0:202::132  # lax.xfr.dns.icann.org
  master: 2620:0:2830:202::132 # iad.xfr.dns.icann.org

  #b.root-servers.net.
  master: 199.9.14.201
  master: 2001:500:200::b
  #c.root-servers.net.
  master: 192.33.4.12
  master: 2001:500:2::c
  #d.root-servers.net.
  master: 199.7.91.13
  master: 2001:500:2d::d
  #f.root-servers.net.
  master: 192.5.5.241
  master: 2001:500:2f::f
  #g.root-servers.net.
  master: 192.112.36.4
  master: 2001:500:12::d0d
  #k.root-servers.net.
  master: 193.0.14.129
  master: 2001:7fd::1
  # Additional download via URL:
  url: "https://www.internic.net/domain/root.zone"
  fallback-enabled: yes
  for-downstream: no
  for-upstream: yes
  zonefile: /var/lib/unbound/root.zone
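
An added example, not part of this PR or the project: a small Python checker that parses an auth-zone clause like the one above and flags the points raised in this thread (IPv4 and IPv6 masters, an https url fallback, for-downstream/for-upstream and fallback-enabled). The sample clause is constructed from the values in this thread; the function names are mine.

```python
import ipaddress
import re
# Constructed sample of the auth-zone clause discussed in this PR, embedded so the check runs offline.
SAMPLE_CONF = """\
auth-zone:
  name: "."
  master: 192.0.32.132         # lax.xfr.dns.icann.org
  master: 2620:0:2d0:202::132  # lax.xfr.dns.icann.org
  master: 199.9.14.201         # b.root-servers.net
  url: "https://www.internic.net/domain/root.zone"
  fallback-enabled: yes
  for-downstream: no
  for-upstream: yes
  zonefile: /var/lib/unbound/root.zone
"""

def parse_auth_zone(text):
    """Map option -> list of values for the first auth-zone: clause; '#' comments are dropped."""
    opts, in_clause = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if re.fullmatch(r"[\w-]+:", line):   # clause header such as server: or auth-zone:
            if in_clause:
                break                         # first auth-zone clause is complete
            in_clause = line == "auth-zone:"
            continue
        if in_clause:
            key, _, val = line.partition(":")  # split on the first ':' only, so IPv6 values survive
            opts.setdefault(key.strip(), []).append(val.strip().strip('"'))
    return opts

def audit_root_zone(opts):
    """Return findings against the points raised in the PR; an empty list means all checks pass."""
    findings = []
    if opts.get("for-downstream") != ["no"]:   # never serve the copy to clients as authoritative
        findings.append("for-downstream should be no")
    if opts.get("for-upstream") != ["yes"]:
        findings.append("for-upstream should be yes")
    if opts.get("fallback-enabled") != ["yes"]:  # keep resolving normally if the transfer fails
        findings.append("fallback-enabled should be yes")
    versions = {ipaddress.ip_address(m).version for m in opts.get("master", []) + opts.get("primary", [])}
    for v in (4, 6):
        if v not in versions:
            findings.append(f"no IPv{v} masters configured")
    for u in opts.get("url", []):
        if not u.startswith("https://"):
            findings.append(f"zone url is not https: {u}")
    return findings
```

Both the `master:` and the newer `primary:` spelling are accepted, so it works on either variant posted in this thread.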

@hagezi
Contributor Author

hagezi commented Aug 9, 2022

Thank you, good hint.

@klutchell
Owner

The tests are passing (ignore the login failure). Can you please squash these 3 commits into one @hagezi ?

Anything else you think we are missing here @churchofnoise ?

Commits in this pull request:

  • The added settings increase the performance. I have tried a lot and these settings offer a significant improvement.
  • Update unbound.conf
  • Reduce cache size

@hagezi
Contributor Author

hagezi commented Aug 9, 2022

@klutchell squashed ...

@churchofnoise
Contributor

Looks good!

The only thing to consider is the hyperlocal zone (the part that @hagezi added in text, currently not in code yet), but that can be handled separately if you want. Your call to make. My point of view: with the additional configuration provided in this PR (especially the config of serve-expired), a big improvement will already be provided, so that's definitely worthwhile having in the default config. The auth-zone will in comparison have a minor impact, especially as (this is a quote of DL6ER, one of the Pi-Hole developers: https://discourse.pi-hole.net/t/hyperlocal-is-it-meaningful-to-hold-a-local-copy-of-the-root-zone/14462/12 ):

One of the points / or maybe their major point is that a local copy would eliminate the first query to the root servers. This argument is nullified by unbound's cache as it would never query the root zone again for a TLD as it already stores a local copy once the first query was made.

Don't misunderstand me - I'm mainly arguing that unbound is already so efficient and well implemented that most of the problems they address and that could be solved by a local copy don't even exist in the first place - there is no room for improvement if your existing server already does most of it.

So, my advice (but once again, not my call to make) would be to add this to a custom conf file (specifically for this for instance), so that more advanced users can add it if they want. The 'less interested' ones won't care about the minimal benefit anyway, the more 'geeky' ones (I say this with the utmost respect, and count myself among them :) ) can do some more custom configuration if they want to add it, because of the further improvements or out of principle or ...

@klutchell
Owner

Your feedback is invaluable @churchofnoise , I agree that we can put the hyperlocal auth zones in another PR as an optional default configuration override.

@klutchell klutchell merged commit c840753 into klutchell:main Aug 9, 2022