Make it more consistent throughout the man page.
If a config option can either be *yes* or *no* use exact these terms and not something like *on* which could be easily read as *no*.
1. Remove `ProtectKernelTunables=true`: This prevents various with socket options from working as shown below.
`unbound[] warning: so-rcvbuf 1048576 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.rmem_max(linux) or kern.ipc.maxsockbuf(bsd) values.`
2. Add `CAP_NET_ADMIN` to available caps which is needed for `ip-transparent: yes` config option to work as shown below.
`unbound[] warning: setsockopt(.. IP_TRANSPARENT ..) failed: Operation not permitted`
3. Make `ReadWritePaths` less permissive: `UNBOUND_SYSCONF_DIR` equals to `sysconfdir` which usually equals to `/etc` and `UNBOUND_LOCALSTATE_DIR` equals to `localstatedir` which usually equals to `/var`. Allowing write access for those dirs shouldn't be needed. The only dirs unbound should be allow to write to are `/run` ( for pidfile), `@UNBOUND_RUN_DIR@` (for chroot) and `@UNBOUND_CHROOT_DIR@` in case it differs from the previous one.
4. Bind-mount `/run/systemd/notify`, `UNBOUND_PIDFILE`, `/dev/log`, `/dev/urandom` in order to use them inside chroot.
5. Add few extra hardening options: `RestrictNamespaces`, `LockPersonality` and `RestrictSUIDSGID` should be safe to use.
on low verbosity, they show on verbosity 3 (query details), because
there is a high volume and the operator cannot do anything for the
remote failure. Specifically filters the high volume errors.
where if gcc 9.1.1 uses -O2 (but not -O1) then valgrind 3.15.0
issues an uninitialised value for the token buffer at the str2wire.c
rrinternal_get_owner() strcmp with the '@' value. Rewritten to use
straight character comparisons removes the false positive. Also
valgrinds --expensive-definedness-checks=yes can stop this false
positive.
Previously reported build options like linked libs and linked modules
are now moved from `-h` to `-V` as well for consistency.
- PACKAGE_BUGREPORT now also includes link to GitHub issues.
