configure_unbound_resolver

kumo.dns.configure_unbound_resolver { PARAMS }
Since: Version 2023.11.28-b5252a41

The functionality described in this section requires version 2023.11.28-b5252a41 of KumoMTA, or a more recent version.

By default, KumoMTA will parse the system resolver configuration and use that to drive its internal caching Hickory DNS resolver.

This function allows you to configure DNS resolution differently from your system configuration, and to use the embedded Unbound DNS resolver.

If you have enabled DANE for output SMTP then you must enable the unbound resolver in order to be able to process DNSSEC correctly.

Note

This function should be called only from inside your init event handler.

The parameters to this function are the same as those to kumo.dns.configure_resolver.

kumo.on('init', function()
  kumo.dns.configure_unbound_resolver {
    options = {
      -- Enable DNSSEC
      validate = true,
    },
    -- By default, if you omit `name_servers`, unbound will
    -- resolve via the root resolvers.
    -- We strongly recommend deploying local caching nameservers
    -- and referencing them here:
    -- name_servers = { '1.1.1.1:53' },
  }
end)
Since: Dev Builds Only

The functionality described in this section requires a dev build of KumoMTA. You can obtain a dev build by following the instructions in the Installation section.

Configuration is now validated strictly against the KumoMTA resolver options schema. The unbound backend honors only the option fields that have a meaningful mapping to unbound's own configuration:

  • validate — when true, the built-in DNSSEC trust anchors are loaded into the unbound context.
  • trust_anchor_file — passed through to unbound's load_trust_anchor_file.
  • use_hosts_file — Always or Auto loads /etc/hosts; Never skips it.

Any other options field set on a config passed to configure_unbound_resolver is a configuration-time error with a message identifying the offending field. If you need fields that are only meaningful to hickory (such as ndots, timeout, cache_size, etc.) use kumo.dns.configure_resolver instead.

The protocol field on individual name_servers entries is accepted but has no effect on the unbound backend, since unbound chooses UDP/TCP internally per query.
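The following is an added example, not taken from the KumoMTA documentation: it pairs a DNSSEC-validating unbound resolver with DANE on outbound delivery, using only the option fields listed above as honored. It assumes a local caching nameserver at 127.0.0.1:53, that enum-style options are written as Lua strings, that DANE is switched on with enable_dane in kumo.make_egress_path, and that the remaining init setup (spools, listeners) lives in the same init handler; /path/to/root.key is a placeholder.

```lua
kumo.on('init', function()
  kumo.dns.configure_unbound_resolver {
    options = {
      -- Load the built-in DNSSEC trust anchors into the unbound context.
      -- DANE depends on DNSSEC-validated TLSA answers.
      validate = true,

      -- Do not consult /etc/hosts (assumption: value is a Lua string).
      use_hosts_file = 'Never',

      -- Optional trust anchor file; placeholder path, not from the docs.
      -- trust_anchor_file = '/path/to/root.key',

      -- Hickory-only fields such as ndots, timeout or cache_size
      -- are a configuration-time error here. Use
      -- kumo.dns.configure_resolver if you need them.
    },

    -- Assumed local caching nameserver. A `protocol` set on an entry
    -- would be accepted but ignored, because unbound picks UDP/TCP
    -- itself for each query.
    name_servers = { '127.0.0.1:53' },
  }
end)

-- Enable DANE for outbound SMTP. Without the unbound resolver
-- configured above, DNSSEC cannot be processed correctly.
kumo.on('get_egress_path_config', function(domain, egress_source, site_name)
  return kumo.make_egress_path {
    enable_dane = true,
  }
end)
```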

See also kumo.dns.configure_resolver, kumo.dns.define_resolver, and kumo.dns.load_resolv_conf.