path: root/external/unbound/doc
Diffstat (limited to '')
mode        file                                          lines deleted
-rw-r--r--  external/unbound/doc/CREDITS                     23
-rw-r--r--  external/unbound/doc/Changelog                 7114
-rw-r--r--  external/unbound/doc/FEATURES                   103
-rw-r--r--  external/unbound/doc/LICENSE                     30
-rw-r--r--  external/unbound/doc/README                     149
-rw-r--r--  external/unbound/doc/README.DNS64                30
-rw-r--r--  external/unbound/doc/README.svn                  17
-rw-r--r--  external/unbound/doc/README.tests                24
-rw-r--r--  external/unbound/doc/TODO                        76
-rw-r--r--  external/unbound/doc/control_proto_spec.txt      70
-rw-r--r--  external/unbound/doc/example.conf.in            809
-rw-r--r--  external/unbound/doc/ietf67-design-02.odp       bin 331531 -> 0 bytes
-rw-r--r--  external/unbound/doc/ietf67-design-02.pdf       bin 630129 -> 0 bytes
-rw-r--r--  external/unbound/doc/libunbound.3.in            415
-rw-r--r--  external/unbound/doc/requirements.txt           294
-rw-r--r--  external/unbound/doc/unbound-anchor.8.in        177
-rw-r--r--  external/unbound/doc/unbound-checkconf.8.in      52
-rw-r--r--  external/unbound/doc/unbound-control.8.in       555
-rw-r--r--  external/unbound/doc/unbound-host.1.in          116
-rw-r--r--  external/unbound/doc/unbound.8.in                79
-rw-r--r--  external/unbound/doc/unbound.conf.5.in         1578
-rw-r--r--  external/unbound/doc/unbound.doxygen           1650
22 files changed, 0 insertions, 13361 deletions
diff --git a/external/unbound/doc/CREDITS b/external/unbound/doc/CREDITS
deleted file mode 100644
index 805327ad6..000000000
--- a/external/unbound/doc/CREDITS
+++ /dev/null
@@ -1,23 +0,0 @@
-Unbound was developed at NLnet Labs by Wouter Wijngaards.
-
-Unbound was architected in January of 2004 by Jakob Schlyter of Kirei
-and Roy Arends of Nominet. VeriSign and EP.Net funded development of
-the prototype, which was built by David Blacka and Matt Larson of VeriSign.
-Late in 2006, NLnet Labs joined the effort, writing an implementation in C
-based on the existing prototype and using experience NLnet Labs gained
-during the development of NSD, an authoritative DNS server.
-
-At NLnet Labs, Jelte Jansen, Mark Santcroos and Matthijs Mekking
-reviewed the unbound C sources.
-
-Jakob Schlyter - for advice on secure settings, random numbers and blacklists.
-Ondřej Surý - running coverity analysis tool on 0.9 dev version.
-Alexander Gall - multihomed, anycast testing of unbound resolver server.
-Zdenek Vasicek and Marek Vavrusa - python module.
-cz.nic - sponsoring 'summer of code' development by Zdenek and Marek.
-Brett Carr - windows beta testing.
-Luca Bruno - patch for windows support in libunbound hosts and resolvconf().
-Tom Hendrikx - contributed split-itar.sh a useful script to 5011-track ITAR.
-Daisuke HIGASHI - patch for rrset-roundrobin and minimal-responses.
-Simon Perrault - DNS64 module.
-Robert Edmonds - dnstap code.
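Review bot: Deleting CREDITS outright, together with the LICENSE file that the diffstat shows going away in the same commit, strips the attribution and license text from the vendored external/unbound tree; before landing, confirm the upstream copyright notice and license are retained somewhere else in the repository (a top-level third-party notices file, or keep doc/LICENSE even if the rest of doc/ is pruned), since a vendored copy still has to carry the upstream notice.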
diff --git a/external/unbound/doc/Changelog b/external/unbound/doc/Changelog
deleted file mode 100644
index 8f8d6daea..000000000
--- a/external/unbound/doc/Changelog
+++ /dev/null
@@ -1,7114 +0,0 @@
-13 June 2017: Wouter
- - Fix #1280: Unbound fails assert when response from authoritative
- contains malformed qname. When 0x20 caps-for-id is enabled, when
- assertions are not enabled the malformed qname is handled correctly.
- - tag for 1.6.3
-
-13 April 2017: Wouter
- - Fix #1250: inconsistent indentation in services/listen_dnsport.c.
- - tag for 1.6.2rc1
-
-12 April 2017: Wouter
- - subnet mem value is available in shm, also when not enabled,
- to make the struct easier to memmap by other applications,
- independent of the configuration of unbound.
-
-12 April 2017: Ralph
- - Fix #1247: unbound does not shorten source prefix length when
- forwarding ECS.
- - Properly check for allocation failure in local_data_find_tag_datas.
- - Fix #1249: unbound doesn't return FORMERR to bogus ECS.
- - Set SHM ECS memory usage to 0 when module not loaded.
-
-11 April 2017: Ralph
- - Display ECS module memory usage.
-
-10 April 2017: Wouter
- - harden-algo-downgrade: no also makes unbound more lenient about
- digest algorithms in DS records.
-
-10 April 2017: Ralph
- - Remove ECS option after REFUSED answer.
- - Fix small memory leak in edns_opt_copy_alloc.
- - Respip dereference after NULL check.
- - Zero initialize addrtree allocation.
- - Use correct identifier for SHM destroy.
-
-7 April 2017: George
- - Fix pythonmod for cb changes.
- - Some whitespace fixup.
-
-7 April 2017: Ralph
- - Unlock view in respip unit test
-
-6 April 2017: Ralph
- - Generalise inplace callback (de)registration
- - (de)register inplace callbacks for module id
- - No unbound-control set_option for ECS options
- - Deprecated client-subnet-opcode config option
- - Introduced client-subnet-always-forward config option
- - Changed max-client-subnet-ipv6 default to 56 (as in RFC)
- - Removed extern ECS config options
- - module_restart_next now calls clear on all following modules
- - Also create ECS module qstate on module_event_pass event
- - remove malloc from inplace_cb_register
-
-6 April 2017: Wouter
- - Small fixup for documentation.
- - iana portlist update
- - Fix respip for braces when locks arent used.
- - Fix pythonmod for cb changes.
-
-4 April 2017: Wouter
- - Fix #1244: document that use of chroot requires trust anchor file to
- be under chroot.
- - iana portlist update
-
-3 April 2017: Ralph
- - Do not add current time twice to TTL before ECS cache store.
- - Do not touch rrset cache after ECS cache message generation.
- - Use LDNS_EDNS_CLIENT_SUBNET as default ECS opcode.
-
-3 April 2017: Wouter
- - Fix #1217: Add metrics to unbound-control interface showing
- crypted, cert request, plaintext and malformed queries (from
- Manu Bretelle).
- - iana portlist update
-
-27 March 2017: Wouter
- - Remove (now unused) event2 include from dnscrypt code.
-
-24 March 2017: George
- - Fix to prevent non-referal query from being cached as referal when the
- no_cache_store flag was set.
-
-23 March 2017: Wouter
- - Fix #1239: configure fails to find python distutils if python
- prints warning.
-
-22 March 2017: Wouter
- - Fix #1238: segmentation fault when adding through the remote
- interface a per-view local zone to a view with no previous
- (configured) local zones.
- - Fix #1229: Systemd service sandboxing, options in wrong sections.
-
-21 March 2017: Ralph
- - Merge EDNS Client subnet implementation from feature branch into main
- branch, using new EDNS processing framework.
-
-21 March 2017: Wouter
- - Fix doxygen for dnscrypt files.
-
-20 March 2017: Wouter
- - #1217. DNSCrypt support, with --enable-dnscrypt, libsodium and then
- enabled in the config file from Manu Bretelle.
- - make depend, autoconf, remove warnings about statement before var.
- - lru_demote and lruhash_insert_or_retrieve functions for getdns.
- - fixup for lruhash (whitespace and header file comment).
- - dnscrypt tests.
-
-17 March 2017: Wouter
- - Patch for view functionality for local-data-ptr from Björn Ketelaars.
- - Fix #1237 - Wrong resolving in chain, for norec queries that get
- SERVFAIL returned.
-
-16 March 2017: Wouter
- - Fix that SHM is not inited if not enabled.
- - Add trustanchor.unbound CH TXT that gets a response with a number
- of TXT RRs with a string like "example.com. 2345 1234" with
- the trust anchors and their keytags.
- - Fix that looped DNAMEs do not cause unbound to spend effort.
- - trustanchor tags are sorted. reusable routine to fetch taglist.
-
-13 March 2017: Wouter
- - testbound understands Deckard MATCH rcode question answer commands.
- - Fix #1235: Fix too long DNAME expansion produces SERVFAIL instead
- of YXDOMAIN + query loop, reported by Petr Spacek.
-
-10 March 2017: Wouter
- - Fix #1234: shortening DNAME loop produces duplicate DNAME records
- in ANSWER section.
-
-9 March 2017: Wouter
- - --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and
- DS records. NSEC3 is not disabled.
- - fake-sha1 test option; print warning if used. To make unit tests.
- - unbound-control list local zone and data commands listed in the
- help output.
-
-8 March 2017: Wouter
- - make depend for build dependencies.
- - swig version 2.0.1 required.
- - fix enum conversion warnings
-
-7 March 2017: Wouter
- - Fix #1230: swig version 2.0.0 is required for pythonmod, with
- 1.3.40 it crashes when running repeatly unbound-control reload.
- - Response actions based on IP address from Jinmei Tatuya (Infoblox).
-
-6 March 2017: Wouter
- - Fix #1229: Systemd service sandboxing in contrib/unbound.service.
- - iana portlist update
-
-28 February 2017: Ralph
- - Fix testpkts.c, check if DO bit is set, not only if there is an OPT
- record.
-
-28 February 2017: Wouter
- - For #1227: if we have sha256, set the cipher list to have no
- known vulns.
-
-27 February 2017: Wouter
- - Fix #1227: Fix that Unbound control allows weak ciphersuits.
- - Fix #1226: provide official 32bit binary for windows.
-
-24 February 2017: Wouter
- - include sys/time.h for new shm code on NetBSD.
-
-23 February 2017: Wouter
- - Fix doc/CNAME-basedRedirectionDesignNotes.pdf zone static to
- redirect.
- - Patch from Luiz Fernando Softov for Stats Shared Memory.
- - unbound-control stats_shm command prints stats using shared memory,
- which uses less cpu.
- - make depend, autoconf, doxygen and lint fixed up.
-
-22 February 2017: Wouter
- - Fix #1224: Fix that defaults should not fall back to "Program Files
- (x86) if Unbound is 64bit by default on windows.
-
-21 February 2017: Wouter
- - iana portlist update
-
-16 February 2017: Wouter
- - sldns updated for vfixed and buffer resize indication from getdns.
-
-15 February 2017: Wouter
- - sldns has ED25519 and ED448 algorithm number and name for display.
-
-14 February 2017: Wouter
- - tag 1.6.1rc3. -- which became 1.6.1 on 21feb, trunk has 1.6.2
-
-13 February 2017: Wouter
- - Fix autoconf of systemd check for lack of pkg-config.
-
-10 February 2017: Wouter
- - Fix pythonmod for typedef changes.
- - Fix dnstap for warning of set but not used.
- - tag 1.6.1rc2.
-
-9 February 2017: Wouter
- - tag 1.6.1rc1.
-
-8 February 2017: Wouter
- - Fix for type name change and fix warning on windows compile.
-
-7 February 2017: Wouter
- - Include root trust anchor id 20326 in unbound-anchor.
-
-6 February 2017: Wouter
- - Fix compile on solaris of the fix to use $host detect.
-
-4 February 2017: Wouter
- - fix root_anchor test for updated icannbundle.pem lower certificates.
-
-26 January 2017: Wouter
- - Fix 1211: Fix can't enable interface-automatic if no IPv6 with
- more helpful error message.
-
-20 January 2017: Wouter
- - Increase MAX_MODULE to 16.
-
-19 January 2017: Wouter
- - Fix to Rename ub_callback_t to ub_callback_type, because POSIX
- reserves _t typedefs.
- - Fix to rename internally used types from _t to _type, because _t
- type names are reserved by POSIX.
- - iana portlist update
-
-12 January 2017: Wouter
- - Fix to also block meta types 128 through to 248 with formerr.
- - Fix #1206: Some view-related commands are missing from 'unbound-control -h'
-
-9 January 2017: Wouter
- - Fix #1202: Fix code comment that packed_rrset_data is not always
- 'packed'.
-
-6 January 2017: Wouter
- - Fix #1201: Fix missing unlock in answer_from_cache error condition.
-
-5 January 2017: Wouter
- - Fix to return formerr for queries for meta-types, to avoid
- packet amplification if this meta-type is sent on to upstream.
- - Fix #1184: Log DNS replies. This includes the same logging
- information that DNS queries and response code and response size,
- patch from Larissa Feng.
- - Fix #1185: Source IP rate limiting, patch from Larissa Feng.
-
-3 January 2017: Wouter
- - configure --enable-systemd and lets unbound use systemd sockets if
- you enable use-systemd: yes in unbound.conf.
- Also there are contrib/unbound.socket and contrib/unbound.service:
- systemd files for unbound, install them in /usr/lib/systemd/system.
- Contributed by Sami Kerola and Pavel Odintsov.
- - Fix reload chdir failure when also chrooted to that directory.
-
-2 January 2017: Wouter
- - Fix #1194: Cross build fails when $host isn't `uname` for getentropy.
-
-23 December 2016: Ralph
- - Fix #1190: Do not echo back EDNS options in local-zone error response.
- - iana portlist update
-
-21 December 2016: Ralph
- - Fix #1188: Unresolved symbol 'fake_dsa' in libunbound.so when built
- with Nettle
-
-19 December 2016: Ralph
- - Fix #1191: remove comment about view deletion.
-
-15 December 2016: Wouter
- - iana portlist update
- - 64bit is default for windows builds.
- - Fix inet_ntop and inet_pton warnings in windows compile.
-
-14 December 2016: Wouter
- - Fix #1178: attempt to fix setup error at end, pop result values
- at end of install.
-
-13 December 2016: Wouter
- - Fix #1182: Fix Resource leak (socket), at startup.
- - Fix unbound-control and ipv6 only.
-
-9 December 2016: Wouter
- - Fix #1176: stack size too small for Alpine Linux.
-
-8 December 2016: Wouter
- - Fix downcast warnings from visual studio in sldns code.
- - tag 1.6.0rc1 which became 1.6.0 on 15 dec, and trunk is 1.6.1.
-
-7 December 2016: Ralph
- - Add DSA support for OpenSSL 1.1.0
- - Fix remote control without cert for LibreSSL
-
-6 December 2016: George
- - Added generic EDNS code for registering known EDNS option codes,
- bypassing the cache response stage and uniquifying mesh states. Four EDNS
- option lists were added to module_qstate (module_qstate.edns_opts_*) to
- store EDNS options from/to front/back side.
- - Added two flags to module_qstate (no_cache_lookup, no_cache_store) that
- control the modules' cache interactions.
- - Added code for registering inplace callback functions. The registered
- functions can be called just before replying with local data or Chaos,
- replying from cache, replying with SERVFAIL, replying with a resolved
- query, sending a query to a nameserver. The functions can inspect the
- available data and maybe change response/query related data (i.e. append
- EDNS options).
- - Updated Python module for the above.
- - Updated Python documentation.
-
-5 December 2016: Ralph
- - Fix #1173: differ local-zone type deny from unset
- tag_actions element.
-
-5 December 2016: Wouter
- - Fix #1170: document that 'inform' local-zone uses local-data.
-
-1 December 2016: Ralph
- - hyphen as minus fix, by Andreas Schulze
-
-30 November 2016: Ralph
- - Added local-zones and local-data bulk addition and removal
- functionality in unbound-control (local_zones, local_zones_remove,
- local_datas and local_datas_remove).
- - iana portlist update
-
-29 November 2016: Wouter
- - version 1.6.0 is in the development branch.
- - braces in view.c around lock statements.
-
-28 November 2016: Wouter
- - new install-sh.
-
-25 November 2016: Wouter
- - Fix that with openssl 1.1 control-use-cert: no uses less cpu, by
- using no encryption over the unix socket.
-
-22 Novenber 2016: Ralph
- - Make access-control-tag-data RDATA absolute. This makes the RDATA
- origin consistent between local-data and access-control-tag-data.
- - Fix NSEC ENT wildcard check. Matching wildcard does not have to be a
- subdomain of the NSEC owner.
- - QNAME minimisation uses QTYPE=A, therefore always check cache for
- this type in harden-below-nxdomain functionality.
- - Added unit test for QNAME minimisation + harden below nxdomain
- synergy.
-
-22 November 2016: Wouter
- - iana portlist update.
- - Fix unit tests for DS hash processing for fake-dsa test option.
- - patch from Dag-Erling Smorgrav that removes code that relies
- on sbrk().
-
-21 November 2016: Wouter
- - Fix #1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing
- Underneath" for the harden-below-nxdomain option.
-
-10 November 2016: Ralph
- - Fix #1155: test status code of unbound-control in 04-checkconf,
- not the status code from the tee command.
-
-4 November 2016: Ralph
- - Added stub-ssl-upstream and forward-ssl-upstream options.
-
-4 November 2016: Wouter
- - configure detects ssl security level API function in the autoconf
- manner. Every function on its own, so that other libraries (eg.
- LibreSSL) can develop their API without hindrance.
- - Fix #1154: segfault when reading config with duplicate zones.
- - Note that for harden-below-nxdomain the nxdomain must be secure,
- this means nsec3 with optout is insufficient.
-
-3 November 2016: Ralph
- - Set OpenSSL security level to 0 when using aNULL ciphers.
-
-3 November 2016: Wouter
- - .gitattributes line for githubs code language display.
- - log-identity: config option to set sys log identity, patch from
- "Robin H. Johnson" <robbat2@gentoo.org>
-
-2 November 2016: Wouter
- - iana portlist update.
-
-31 October 2016: Wouter
- - Fix failure to build on arm64 with no sbrk.
- - iana portlist update.
-
-28 October 2016: Wouter
- - Patch for server.num.zero_ttl stats for count of expired replies,
- from Pavel Odintsov.
-
-26 October 2016: Wouter
- - Fix unit tests for openssl 1.1, with no DSA, by faking DSA, enabled
- with the undocumented switch 'fake-dsa'. It logs a warning.
-
-25 October 2016: Wouter
- - Fix #1134: unbound-control set_option -- val-override-date: -1 works
- immediately to ignore datetime, or back to 0 to enable it again.
- The -- is to ignore the '-1' as an option flag.
-
-24 October 2016: Wouter
- - serve-expired config option: serve expired responses with TTL 0.
- - g.root-servers.net has AAAA address.
-
-21 October 2016: Wouter
- - Ported tests for local_cname unit test to testbound framework.
-
-20 October 2016: Wouter
- - suppress compile warning in lex files.
- - init lzt variable, for older gcc compiler warnings.
- - fix --enable-dsa to work, instead of copying ecdsa enable.
- - Fix DNSSEC validation of query type ANY with DNAME answers.
- - Fixup query_info local_alias init.
-
-19 October 2016: Wouter
- - Fix #1130: whitespace in example.conf.in more consistent.
-
-18 October 2016: Wouter
- - Patch that resolves CNAMEs entered in local-data conf statements that
- point to data on the internet, from Jinmei Tatuya (Infoblox).
- - Removed patch comments from acllist.c and msgencode.c
- - Added documentation doc/CNAME-basedRedirectionDesignNotes.pdf,
- from Jinmei Tatuya (Infoblox).
- - Fix #1125: unbound could reuse an answer packet incorrectly for
- clients with different EDNS parameters, from Jinmei Tatuya.
- - Fix #1118: libunbound.pc sets strange Libs, Libs.private values.
- - Added Requires line to libunbound.pc
- - Please doxygen by modifying mesh.h
-
-17 October 2016: Wouter
- - Re-fix #839 from view commit overwrite.
- - Fixup const void cast warning.
-
-12 October 2016: Ralph
- - Free view config elements.
-
-11 October 2016: Ralph
- - Added qname-minimisation-strict config option.
- - iana portlist update.
- - fix memoryleak logfile when in debug mode.
-
-5 October 2016: Ralph
- - Added views functionality.
- - Fix #1117: spelling errors, from Robert Edmonds.
-
-30 September 2016: Wouter
- - Fix Nits for 1.5.10 reported by Dag-Erling Smorgrav.
-
-29 September 2016: Wouter
- - Fix #838: 1.5.10 cannot be built on Solaris, undefined PATH_MAX.
- - Fix #839: Memory grows unexpectedly with large RPZ files.
- - Fix #840: infinite loop in unbound_munin_ plugin on unowned lockfile.
- - Fix #841: big local-zone's make it consume large amounts of memory.
-
-27 September 2016: Wouter
- - tag for 1.5.10 release
- - trunk contains 1.5.11 in development.
- - Fix dnstap relaying "random" messages instead of resolver/forwarder
- responses, from Nikolay Edigaryev.
- - Fix #836: unbound could echo back EDNS options in an error response.
-
-20 September 2016: Wouter
- - iana portlist update.
- - Fix #835: fix --disable-dsa with nettle verify.
- - tag for 1.5.10rc1 release.
-
-15 September 2016: Wouter
- - Fix 883: error for duplicate local zone entry.
- - Test for openssl init_crypto and init_ssl functions.
-
-15 September 2016: Ralph
- - fix potential memory leak in daemon/remote.c and nullpointer
- dereference in validator/autotrust.
- - iana portlist update.
-
-13 September 2016: Wouter
- - Silenced flex-generated sign-unsigned warning print with gcc
- diagnostic pragma.
- - Fix for new splint on FreeBSD. Fix cast for sockaddr_un.sun_len.
-
-9 September 2016: Wouter
- - Fix #831: workaround for spurious fread_chk warning against petal.c
-
-5 September 2016: Ralph
- - Take configured minimum TTL into consideration when reducing TTL
- to original TTL from RRSIG.
-
-5 September 2016: Wouter
- - Fix #829: doc of sldns_wire2str_rdata_buf() return value has an
- off-by-one typo, from Jinmei Tatuya (Infoblox).
- - Fix incomplete prototypes reported by Dag-Erling Smørgrav.
- - Fix #828: missing type in access-control-tag-action redirect results
- in NXDOMAIN.
-
-2 September 2016: Wouter
- - Fix compile with openssl 1.1.0 with api=1.1.0.
-
-1 September 2016: Wouter
- - RFC 7958 is now out, updated docs for unbound-anchor.
- - Fix for compile without warnings with openssl 1.1.0.
- - Fix #826: Fix refuse_non_local could result in a broken response.
- - iana portlist update.
-
-29 August 2016: Wouter
- - Fix #777: OpenSSL 1.1.0 compatibility, patch from Sebastian A.
- Siewior.
- - Add default root hints for IPv6 E.ROOT-SERVERS.NET, 2001:500:a8::e.
-
-25 August 2016: Ralph
- - Clarify local-zone-override entry in unbound.conf.5
-
-25 August 2016: Wouter
- - 64bit build option for makedist windows compile, -w64.
-
-24 August 2016: Ralph
- - Fix #820: set sldns_str2wire_rr_buf() dual meaning len parameter
- in each iteration in find_tag_datas().
- - unbound.conf.5 entries for define-tag, access-control-tag,
- access-control-tag-action, access-control-tag-data, local-zone-tag,
- and local-zone-override.
-
-23 August 2016: Wouter
- - Fix #804: unbound stops responding after outage. Fixes queries
- that attempt to wait for an empty list of subqueries.
- - Fix #804: lower num_target_queries for iterator also for failed
- lookups.
-
-8 August 2016: Wouter
- - Note that OPENPGPKEY type is RFC 7929.
-
-4 August 2016: Wouter
- - Fix #807: workaround for possible some "unused" function parameters
- in test code, from Jinmei Tatuya.
-
-3 August 2016: Wouter
- - use sendmsg instead of sendto for TFO.
-
-28 July 2016: Wouter
- - Fix #806: wrong comment removed.
-
-26 July 2016: Wouter
- - nicer ratelimit-below-domain explanation.
-
-22 July 2016: Wouter
- - Fix #801: missing error condition handling in
- daemon_create_workers().
- - Fix #802: workaround for function parameters that are "unused"
- without log_assert.
- - Fix #803: confusing (and incorrect) code comment in daemon_cleanup().
-
-20 July 2016: Wouter
- - Fix typo in unbound.conf.
-
-18 July 2016: Wouter
- - Fix #798: Client-side TCP fast open fails (Linux).
-
-14 July 2016: Wouter
- - TCP Fast open patch from Sara Dickinson.
- - Fixed unbound.doxygen for 1.8.11.
-
-7 July 2016: Wouter
- - access-control-tag-data implemented. verbose(4) prints tag debug.
-
-5 July 2016: Wouter
- - Fix dynamic link of anchor-update.exe on windows.
- - Fix detect of mingw for MXE package build.
- - Fixes for 64bit windows compile.
- - Fix #788 for nettle 3.0: Failed to build with Nettle >= 3.0 and
- --with-libunbound-only --with-nettle.
-
-4 July 2016: Wouter
- - For #787: prefer-ip6 option for unbound.conf prefers to send
- upstream queries to ipv6 servers.
- - Fix #787: outgoing-interface netblock/64 ipv6 option to use linux
- freebind to use 64bits of entropy for every query with random local
- part.
-
-30 June 2016: Wouter
- - Document always_transparent, always_refuse, always_nxdomain types.
-
-29 June 2016: Wouter
- - Fix static compile on windows missing gdi32.
-
-28 June 2016: Wouter
- - Create a pkg-config file for libunbound in contrib.
-
-27 June 2016: Wouter
- - Fix #784: Build configure assumess that having getpwnam means there
- is endpwent function available.
- - Updated repository with newer flex and bison output.
-
-24 June 2016: Ralph
- - Possibility to specify local-zone type for an acl/tag pair
- - Possibility to specify (override) local-zone type for a source address
- block
-16 June 2016: Ralph
- - Decrease dp attempts at each QNAME minimisation iteration
-
-16 June 2016: Wouter
- - Fix tcp timeouts in tv.usec.
-
-15 June 2016: Wouter
- - TCP_TIMEOUT is specified in milliseconds.
- - If more than half of tcp connections are in use, a shorter timeout
- is used (200 msec, vs 2 minutes) to pressure tcp for new connects.
-
-14 June 2016: Ralph
- - QNAME minimisation unit test for dropped QTYPE=A queries.
-
-14 June 2016: Wouter
- - Fix 775: unbound-host and unbound-anchor crash on windows, ignore
- null delete for wsaevent.
- - Fix spelling in freebind option man page text.
- - Fix windows link of ssl with crypt32.
- - Fix 779: Union casting is non-portable.
- - Fix 780: MAP_ANON not defined in HP-UX 11.31.
- - Fix 781: prealloc() is an HP-UX system library call.
-
-13 June 2016: Ralph
- - Use QTYPE=A for QNAME minimisation.
- - Keep track of number of time-outs when performing QNAME minimisation.
- Stop minimising when number of time-outs for a QNAME/QTYPE pair is
- more than three.
-
-13 June 2016: Wouter
- - Fix #778: unbound 1.5.9: -h segfault (null deref).
- - Fix directory: fix for unbound-checkconf, it restores cwd.
-
-10 June 2016: Wouter
- - And delete service.conf.shipped on uninstall.
- - In unbound.conf directory: dir immediately changes to that directory,
- so that include: file below that is relative to that directory.
- With chroot, make the directory an absolute path inside chroot.
- - keep debug symbols in windows build.
- - do not delete service.conf on windows uninstall.
- - document directory immediate fix and allow EXECUTABLE syntax in it
- on windows.
-
-9 June 2016: Wouter
- - Trunk is called 1.5.10 (with previous fixes already in there to 2
- june).
- - Revert fix for NetworkService account on windows due to breakage
- it causes.
- - Fix that windows install will not overwrite existing service.conf
- file (and ignore gui config choices if it exists).
-
-7 June 2016: Ralph
- - Lookup localzones by taglist from acl.
- - Possibility to lookup local_zone, regardless the taglist.
- - Added local_zone/taglist/acl unit test.
-
-7 June 2016: Wouter
- - Fix #773: Non-standard Python location build failure with pyunbound.
- - Improve threadsafety for openssl 0.9.8 ecdsa dnssec signatures.
-
-6 June 2016: Wouter
- - Better help text from -h (from Ray Griffith).
- - access-control-tag config directive.
- - local-zone-override config directive.
- - access-control-tag-action and access-control-tag-data config
- directives.
- - free acl-tags, acltag-action and acltag-data config lists during
- initialisation to free up memory for more entries.
-
-3 June 2016: Wouter
- - Fix to not ignore return value of chown() in daemon startup.
-
-2 June 2016: Wouter
- - Fix libubound for edns optlist feature.
- - Fix distinction between free and CRYPTO_free in dsa and ecdsa alloc.
- - Fix #752: retry resource temporarily unavailable on control pipe.
- - un-document localzone tags.
- - tag for release 1.5.9rc1.
- And this also became release 1.5.9.
- - Fix (for 1.5.10): Fix unbound-anchor.exe file location defaults to
- Program Files with (x86) appended.
- - re-documented localzone tags in example.conf.
-
-31 May 2016: Wouter
- - Fix windows service to be created run with limited rights, as a
- network service account, from Mario Turschmann.
- - compat strsep implementation.
- - generic edns option parse and store code.
- - and also generic edns options for upstream messages (and replies).
- after parse use edns_opt_find(edns.opt_list, LDNS_EDNS_NSID),
- to insert use edns_opt_append(edns, region, code, len, bindata) on
- the opt_list passed to send_query, or in edns_opt_inplace_reply.
-
-30 May 2016: Wouter
- - Fix time in case answer comes from cache in ub_resolve_event().
- - Attempted fix for #765: _unboundmodule missing for python3.
-
-27 May 2016: Wouter
- - Fix #770: Small subgroup attack on DH used in unix pipe on localhost
- if unbound control uses a unix local named pipe.
- - Document write permission to directory of trust anchor needed.
- - Fix #768: Unbound Service Sometimes Can Not Shutdown
- Completely, WER Report Shown Up. Close handle before closing WSA.
-
-26 May 2016: Wouter
- - Updated patch from Charles Walker.
-
-24 May 2016: Wouter
- - disable-dnssec-lame-check config option from Charles Walker.
- - remove memory leak from lame-check patch.
- - iana portlist update.
-
-23 May 2016: Wouter
- - Fix #767: Reference to an expired Internet-Draft in
- harden-below-nxdomain documentation.
-
-20 May 2016: Ralph
- - No QNAME minimisation fall-back for NXDOMAIN answers from DNSSEC
- signed zones.
- - iana portlist update.
-
-19 May 2016: Wouter
- - Fix #766: dns64 should synthesize results on timeout/errors.
-
-18 May 2016: Wouter
- - Fix #761: DNSSEC LAME false positive resolving nic.club.
-
-17 May 2016: Wouter
- - trunk updated with output of flex 2.6.0.
-
-6 May 2016: Wouter
- - Fix memory leak in out-of-memory conditions of local zone add.
-
-29 April 2016: Wouter
- - Fix sldns with static checking fixes copied from getdns.
-
-28 April 2016: Wouter
- - Fix #759: 0x20 capsforid no longer checks type PTR, for
- compatibility with cisco dns guard. This lowers false positives.
-
-18 April 2016: Wouter
- - Fix some malformed reponses to edns queries get fallback to nonedns.
-
-15 April 2016: Wouter
- - cachedb module event handling design.
-
-14 April 2016: Wouter
- - cachedb module framework (empty).
- - iana portlist update.
-
-12 April 2016: Wouter
- - Fix #753: document dump_requestlist is for first thread.
-
-24 March 2016: Wouter
- - Document permit-small-holddown for 5011 debug.
- - Fix #749: unbound-checkconf gets SIGSEGV when use against a
- malformatted conf file.
-
-23 March 2016: Wouter
- - OpenSSL 1.1.0 portability, --disable-dsa configure option.
-
-21 March 2016: Wouter
- - Fix compile of getentropy_linux for SLES11 servicepack 4.
- - Fix dnstap-log-resolver-response-messages, from Nikolay Edigaryev.
- - Fix test for openssl to use HMAC_Update for 1.1.0.
- - acx_nlnetlabs.m4 to v33, with HMAC_Update.
- - acx_nlnetlabs.m4 to v34, with -ldl -pthread test for libcrypto.
- - ERR_remove_state deprecated since openssl 1.0.0.
- - OPENSSL_config is deprecated, removing.
-
-18 March 2016: Ralph
- - Validate QNAME minimised NXDOMAIN responses.
- - If QNAME minimisation is enabled, do cache lookup for QTYPE NS in
- harden-below-nxdomain.
-
-17 March 2016: Ralph
- - Limit number of QNAME minimisation iterations.
-
-17 March 2016: Wouter
- - Fix #746: Fix unbound sets CD bit on all forwards.
- If no trust anchors, it'll not set CD bit when forwarding to another
- server. If a trust anchor, no CD bit on the first attempt to a
- forwarder, but CD bit thereafter on repeated attempts to get DNSSEC.
- - iana portlist update.
-
-16 March 2016: Wouter
- - Fix ip-transparent for ipv6 on FreeBSD, thanks to Nick Hibma.
- - Fix ip-transparent for tcp on freebsd.
-
-15 March 2016: Wouter
- - ip_freebind: yesno option in unbound.conf sets IP_FREEBIND for
- binding to an IP address while the interface or address is down.
-
-14 March 2016: Wouter
- - Fix warnings in ifdef corner case, older or unknown libevent.
- - Fix compile for ub_event code with older libev.
-
-11 March 2016: Wouter
- - Remove warning about unused parameter in event_pluggable.c.
- - Fix libev usage of dispatch return value.
- - No side effects in tolower() call, in case it is a macro.
- - For test put free in pluggable api in parenthesis.
-
-10 March 2016: Wouter
- - Fixup backend2str for libev.
-
-09 March 2016: Willem
- - User defined pluggable event API for libunbound
- - Fixup of compile fix for pluggable event API from P.Y. Adi
- Prasaja.
-
-09 March 2016: Wouter
- - Updated configure and ltmain.sh.
- - Updated L root IPv6 address.
-
-07 March 2016: Wouter
- - Fix #747: assert in outnet_serviced_query_stop.
- - iana ports fetched via https.
- - iana portlist update.
-
-03 March 2016: Wouter
- - configure tests for the weak attribute support by the compiler.
-
-02 March 2016: Wouter
- - 1.5.8 release tag
- - trunk contains 1.5.9 in development.
- - iana portlist update.
- - Fix #745: unbound.py - idn2dname throws UnicodeError when idnname
- contains trailing dot.
-
-24 February 2016: Wouter
- - Fix OpenBSD asynclook lock free that gets used later (fix test code).
- - Fix that NSEC3 negative cache is used when there is no salt.
-
-23 February 2016: Wouter
- - ub_ctx_set_stub() function for libunbound to config stub zones.
- - sorted ubsyms.def file with exported libunbound functions.
-
-19 February 2016: Wouter
- - Print understandable debug log when unusable DS record is seen.
- - load gost algorithm if digest is seen before key algorithm.
- - iana portlist update.
-
-17 February 2016: Wouter
- - Fix that "make install" fails due to "text file busy" error.
-
-16 February 2016: Wouter
- - Set IPPROTO_IP6 for ipv6 sockets otherwise invalid argument error.
-
-15 February 2016: Wouter
- - ip-transparent option for FreeBSD with IP_BINDANY socket option.
- - wait for sendto to drain socket buffers when they are full.
-
-9 February 2016: Wouter
- - Test for type OPENPGPKEY.
- - insecure-lan-zones: yesno config option, patch from Dag-Erling
- Smørgrav.
-
-8 February 2016: Wouter
- - Fix patch typo in prevuous commit for 734 from Adi Prasaja.
- - RR Type CSYNC support RFC 7477, in debug printout and config input.
- - RR Type OPENPGPKEY support (draft-ietf-dane-openpgpkey-07).
-
-29 January 2016: Wouter
- - Neater cmdline_verbose increment patch from Edgar Pettijohn.
-
-27 January 2016: Wouter
- - Made netbsd sendmsg test nonfatal, in case of false positives.
- - Fix #741: log message for dnstap socket connection is more clear.
-
-26 January 2016: Wouter
- - Fix #734: chown the pidfile if it resides inside the chroot.
- - Use arc4random instead of random in tests (because it is
- available, possibly as compat, anyway).
- - Fix cmsg alignment for argument to sendmsg on NetBSD.
- - Fix that unbound complains about unimplemented IP_PKTINFO for
- sendmsg on NetBSD (for interface-automatic).
-
-25 January 2016: Wouter
- - Fix #738: Swig should not be invoked with CPPFLAGS.
-
-19 January 2016: Wouter
- - Squelch 'cannot assign requested address' log messages unless
- verbosity is high, it was spammed after network down.
-
-14 January 2016: Wouter
- - Fix to simplify empty string checking from Michael McConville.
- - iana portlist update.
-
-12 January 2016: Wouter
- - Fix #734: Do not log an error when the PID file cannot be chown'ed.
- Patch from Simon Deziel.
-
-11 January 2016: Wouter
- - Fix test if -pthreads unused to use better grep for portability.
-
-06 January 2016: Wouter
- - Fix mingw crosscompile for recent mingw.
- - Update aclocal, autoconf output with new versions (1.15, 2.4.6).
-
-05 January 2016: Wouter
- - #731: tcp-mss, outgoing-tcp-mss options for unbound.conf, patch
- from Daisuke Higashi.
- - Support RFC7686: handle ".onion" Special-Use Domain. It is blocked
- by default, and can be unblocked with "nodefault" localzone config.
-
-04 January 2016: Wouter
- - Define DEFAULT_SOURCE together with BSD_SOURCE when that is defined,
- for Linux glibc 2.20.
- - Fixup contrib/aaaa-filter-iterator.patch for moved contents in the
- source code, so it applies cleanly again. Removed unused variable
- warnings.
-
-15 December 2015: Ralph
- - Fix #729: omit use of escape sequences in echo since they are not
- portable (unbound-control-setup).
-
-11 December 2015: Wouter
- - remove NULL-checks before free, patch from Michael McConville.
- - updated ax_pthread.m4 to version 21 with clang support, this
- removes a warning from compilation.
- - OSX portability, detect if sbrk is deprecated.
- - OSX clang, stop -pthread unused during link stage warnings.
- - OSX clang new flto check.
-
-10 December 2015: Wouter
- - 1.5.7 release
- - trunk has 1.5.8 in development.
-
-8 December 2015: Wouter
- - Fixup 724 for unbound-control.
-
-7 December 2015: Ralph
- - Do not minimise forwarded requests.
-
-4 December 2015: Wouter
- - Removed unneeded whitespace from example.conf.
-
-3 December 2015: Ralph
- - (after rc1 tag)
- - Committed fix to qname minimisation and unit test case for it.
-
-3 December 2015: Wouter
- - iana portlist update.
- - 1.5.7rc1 prerelease tag.
-
-2 December 2015: Wouter
- - Fixup 724: Fix PCA prompt for unbound-service-install.exe.
- re-enable stdout printout.
- - For 724: Add Changelog to windows binary dist.
-
-1 December 2015: Ralph
- - Qname minimisation review fixes
-
-1 December 2015: Wouter
- - Fixup 724 fix for fname_after_chroot() calls.
- - Remove stdout printout for unbound-service-install.exe
- - .gitignore for git users.
-
-30 November 2015: Ralph
- - Implemented qname minimisation
-
-30 November 2015: Wouter
- - Fix for #724: conf syntax to read files from run dir (on Windows).
-
-25 November 2015: Wouter
- - Fix for #720, fix unbound-control-setup windows batch file.
-
-24 November 2015: Wouter
- - Fix #720: add windows scripts to zip bundle.
- - iana portlist update.
-
-20 November 2015: Wouter
- - Added assert on rrset cache correctness.
- - Fix that malformed EDNS query gets a response without malformed EDNS.
-
-18 November 2015: Wouter
- - newer acx_nlnetlabs.m4.
- - spelling fixes from Igor Sobrado Delgado.
-
-17 November 2015: Wouter
- - Fix #594. libunbound: optionally use libnettle for crypto.
- Contributed by Luca Bruno. Added --with-nettle for use with
- --with-libunbound-only.
- - refactor nsec3 hash implementation to be more library-portable.
- - iana portlist update.
- - Fixup DER encoded DSA signatures for libnettle.
-
-16 November 2015: Wouter
- - Fix for lenient accept of reverse order DNAME and CNAME.
-
-6 November 2015: Wouter
- - Change example.conf: ftp.internic.net to https://www.internic.net
-
-5 November 2015: Wouter
- - ACX_SSL_CHECKS no longer adds -ldl needlessly.
-
-3 November 2015: Wouter
- - Fix #718: Fix unbound-control-setup with support for env
- without HEREDOC bash support.
-
-29 October 2015: Wouter
- - patch from Doug Hogan for SSL_OP_NO_SSLvx options.
- - Fix #716: nodata proof with empty non-terminals and wildcards.
-
-28 October 2015: Wouter
- - Fix checklock testcode for linux threads on exit.
-
-27 October 2015: Wouter
- - isblank() compat implementation.
- - detect libexpat without xml_StopParser function.
- - portability fixes.
- - portability, replace snprintf if return value broken.
-
-23 October 2015: Wouter
- - Fix #714: Document config to block private-address for IPv4
- mapped IPv6 addresses.
-
-22 October 2015: Wouter
- - Fix #712: unbound-anchor appears to not fsync root.key.
-
-20 October 2015: Wouter
- - 1.5.6 release.
- - trunk tracks development of 1.5.7.
-
-15 October 2015: Wouter
- - Fix segfault in the dns64 module in the formaterror error path.
- - Fix sldns_wire2str_rdata_scan for malformed RRs.
- - tag for 1.5.6rc1 release.
-
-14 October 2015: Wouter
- - ANY responses include DNAME records if present, as per Evan Hunt's
- remark in dnsop.
- - Fix manpage to suggest using SIGTERM to terminate the server.
-
-9 October 2015: Wouter
- - Default for ssl-port is port 853, the temporary port assignment
- for secure domain name system traffic.
- If you used to rely on the older default of port 443, you have
- to put a clause in unbound.conf for that. The new value is likely
- going to be the standardised port number for this traffic.
- - iana portlist update.
-
-6 October 2015: Wouter
- - 1.5.5 release.
- - trunk tracks the development of 1.5.6.
-
-28 September 2015: Wouter
- - MAX_TARGET_COUNT increased to 64, to fix up sporadic resolution
- failures.
- - tag for 1.5.5rc1 release.
- - makedist.sh: pgp sig echo commands.
-
-25 September 2015: Wouter
- - Fix unbound-control flush that does not succeed in removing data.
-
-22 September 2015: Wouter
- - Fix config globbed include chroot treatment, this fixes reload of
- globs (patch from Dag-Erling Smørgrav).
- - iana portlist update.
- - Fix #702: New IPs for for h.root-servers.net.
- - Remove confusion comment from canonical_compare() function.
- - Fix #705: ub_ctx_set_fwd() return value mishandled on windows.
- - testbound selftest also works in non-debug mode.
- - Fix minor error in unbound.conf.5.in
- - Fix unbound.conf(5) access-control description for precedence
- and default.
-
-31 August 2015: Wouter
- - changed windows setup compression to be more transparent.
-
-28 August 2015: Wouter
- - Fix #697: Get PY_MAJOR_VERSION failure at configure for python
- 2.4 to 2.6.
- - Feature #699: --enable-pie option to that builds PIE binary.
- - Feature #700: --enable-relro-now option that enables full read-only
- relocation.
-
-24 August 2015: Wouter
- - Fix deadlock for local data add and zone add when unbound-control
- list_local_data printout is interrupted.
- - iana portlist update.
- - Change default of harden-algo-downgrade to off. This is lenient
- for algorithm rollover.
-
-13 August 2015: Wouter
- - 5011 implementation does not insist on all algorithms, when
- harden-algo-downgrade is turned off.
- - Reap the child process that libunbound spawns.
-
-11 August 2015: Wouter
- - Fix #694: configure script does not detect LibreSSL 2.2.2
-
-4 August 2015: Wouter
- - Document that local-zone nodefault matches exactly and transparent
- can be used to release a subzone.
-
-3 August 2015: Wouter
- - Document in the manual more text about configuring locally served
- zones.
- - Fix 5011 anchor update timer after reload.
- - Fix mktime in unbound-anchor not using UTC.
-
-30 July 2015: Wouter
- - please afl-gcc (llvm) for uninitialised variable warning.
- - Added permit-small-holddown config to debug fast 5011 rollover.
-
-24 July 2015: Wouter
- - Fix #690: Reload fails when so-reuseport is yes after changing
- num-threads.
- - iana portlist update.
-
-21 July 2015: Wouter
- - Fix configure to detect SSL_CTX_set_ecdh_auto.
- - iana portlist update.
-
-20 July 2015: Wouter
- - Enable ECDHE for servers. Where available, use
- SSL_CTX_set_ecdh_auto() for TLS-wrapped server configurations to
- enable ECDHE. Otherwise, manually offer curve p256.
- Client connections should automatically use ECDHE when available.
- (thanks Daniel Kahn Gillmor)
-
-18 July 2015: Willem
- - Allow certificate chain files to allow for intermediate certificates.
- (thanks Daniel Kahn Gillmor)
-
-13 July 2015: Wouter
- - makedist produces sha1 and sha256 files for created binaries too.
-
-9 July 2015: Wouter
- - 1.5.4 release tag
- - trunk has 1.5.5 in development.
- - Fix #681: Setting forwarders with unbound-control forward
- implicitly turns on forward-first.
-
-29 June 2015: Wouter
- - iana portlist update.
- - Fix alloc with log for allocation size checks.
-
-26 June 2015: Wouter
- - Fix #677 Fix DNAME responses from cache that failed internal chain
- test.
- - iana portlist update.
-
-22 June 2015: Wouter
- - Fix #677 Fix CNAME corresponding to a DNAME was checked incorrectly
- and was therefore always synthesized (thanks to Valentin Dietrich).
-
-4 June 2015: Wouter
- - RFC 7553 RR type URI support, is now enabled by default.
-
-2 June 2015: Wouter
- - Fix #674: Do not free pointers given by getenv.
-
-29 May 2015: Wouter
- - Fix that unparseable error responses are ratelimited.
- - SOA negative TTL is capped at minimumttl in its rdata section.
- - cache-max-negative-ttl config option, default 3600.
-
-26 May 2015: Wouter
- - Document that ratelimit works with unbound-control set_option.
-
-21 May 2015: Wouter
- - iana portlist update.
- - documentation proposes ratelimit of 1000 (closer to what upstream
- servers expect from us).
-
-20 May 2015: Wouter
- - DLV is going to be decommissioned. Advice to stop using it, and
- put text in the example configuration and man page to that effect.
-
-10 May 2015: Wouter
- - Change syntax of particular validator error to be easier for
- machine parse, swap rrset and ip adres info so it looks like:
- validation failure <www.example.nl. TXT IN>: signature crypto
- failed from 2001:DB8:7:bba4::53 for <*.example.nl. NSEC IN>
-
-1 May 2015: Wouter
- - caps-whitelist in unbound.conf allows whitelist of loadbalancers
- that cannot work with caps-for-id or its fallback.
-
-30 April 2015: Wouter
- - Unit test for type ANY synthesis.
-
-22 April 2015: Wouter
- - Removed contrib/unbound_unixsock.diff, because it has been
- integrated, use control-interface: /path in unbound.conf.
- - iana portlist update.
-
-17 April 2015: Wouter
- - Synthesize ANY responses from cache. Does not search exhaustively,
- but MX,A,AAAA,SOA,NS also CNAME.
- - Fix leaked dns64prefix configuration string.
-
-16 April 2015: Wouter
- - Add local-zone type inform_deny, that logs query and drops answer.
- - Ratelimit does not apply to prefetched queries, and ratelimit-factor
- is default 10. Repeated normal queries get resolved and with
- prefetch stay in the cache.
- - Fix bug#664: libunbound python3 related fixes (from Tomas Hozza)
- Use print_function also for Python2.
- libunbound examples: produce sorted output.
- libunbound-Python: libldns is not used anymore.
- Fix issue with Python 3 mapping of FILE* using file_py3.i from ldns.
-
-10 April 2015: Wouter
- - unbound-control ratelimit_list lists high rate domains.
- - ratelimit feature, ratelimit: 100, or some sensible qps, can be
- used to turn it on. It ratelimits recursion effort per zone.
- For particular names you can configure exceptions in unbound.conf.
- - Fix that get_option for cache-sizes does not print double newline.
- - Fix#663: ssl handshake fails when using unix socket because dh size
- is too small.
-
-8 April 2015: Wouter
- - Fix crash in dnstap: Do not try to log TCP responses after timeout.
-
-7 April 2015: Wouter
- - Libunbound skips dos-line-endings from etc/hosts.
- - Unbound exits with a fatal error when the auto-trust-anchor-file
- fails to be writable. This is seconds after startup. You can
- load a readonly auto-trust-anchor-file with trust-anchor-file.
- The file has to be writable to notice the trust anchor change,
- without it, a trust anchor change will be unnoticed and the system
- will then become inoperable.
- - unbound-control list_insecure command shows the negative trust
- anchors currently configured, patch from Jelte Jansen.
-
-2 April 2015: Wouter
- - Fix #660: Fix interface-automatic broken in the presence of
- asymmetric routing.
-
-26 March 2015: Wouter
- - remote.c probedelay line is easier to read.
- - rename ldns subdirectory to sldns to avoid name collision.
-
-25 March 2015: Wouter
- - Fix #657: libunbound(3) recommends deprecated
- CRYPTO_set_id_callback.
- - If unknown trust anchor algorithm, and libressl is used, error
- message encourages upgrade of the libressl package.
-
-23 March 2015: Wouter
- - Fix segfault on user not found at startup (from Maciej Soltysiak).
-
-20 March 2015: Wouter
- - Fixed to add integer overflow checks on allocation (defense in depth).
-
-19 March 2015: Wouter
- - Add ip-transparent config option for bind to non-local addresses.
-
-17 March 2015: Wouter
- - Use reallocarray for integer overflow protection, patch submitted
- by Loganaden Velvindron.
-
-16 March 2015: Wouter
- - Fixup compile on cygwin, more portable openssl thread id.
-
-12 March 2015: Wouter
- - Updated default keylength in unbound-control-setup to 3k.
-
-10 March 2015: Wouter
- - Fix lintian warning in unbound-checkconf man page (from Andreas
- Schulze).
- - print svnroot when building windows dist.
- - iana portlist update.
- - Fix warning on sign compare in getentropy_linux.
-
-9 March 2015: Wouter
- - Fix #644: harden-algo-downgrade option, if turned off, fixes the
- reported excessive validation failure when multiple algorithms
- are present. It allows the weakest algorithm to validate the zone.
- - iana portlist update.
-
-5 March 2015: Wouter
- - contrib/unbound_smf22.tar.gz: Solaris SMF installation/removal
- scripts. Contributed by Yuri Voinov.
- - Document that incoming-num-tcp increase is good for large servers.
- - stats reports tcp usage, of incoming-num-tcp buffers.
-
-4 March 2015: Wouter
- - Patch from Brad Smith that syncs compat/getentropy_linux with
- OpenBSD's version (2015-03-04).
- - 0x20 fallback improved: servfail responses do not count as missing
- comparisons (except if all responses are errors),
- inability to find nameservers does not fail equality comparisons,
- many nameservers does not try to compare more than max-sent-count,
- parse failures start 0x20 fallback procedure.
- - store caps_response with best response in case downgrade response
- happens to be the last one.
- - Document windows 8 tests.
-
-3 March 2015: Wouter
- - tag 1.5.3rc1
- [ This became 1.5.3 on 10 March, trunk is 1.5.4 in development ]
-
-2 March 2015: Wouter
- - iana portlist update.
-
-20 February 2015: Wouter
- - Use the getrandom syscall introduced in Linux 3.17 (from Heiner
- Kallweit).
- - Fix #645 Portability to Solaris 10, use AF_LOCAL.
- - Fix #646 Portability to Solaris, -lrt for getentropy_solaris.
- - Fix #647 crash in 1.5.2 because pwd.db no longer accessible after
- reload.
-
-19 February 2015: Wouter
- - 1.5.2 release tag.
- - svn trunk contains 1.5.3 under development.
-
-13 February 2015: Wouter
- - Fix #643: doc/example.conf.in: unnecessary whitespace.
-
-12 February 2015: Wouter
- - tag 1.5.2rc1
-
-11 February 2015: Wouter
- - iana portlist update.
-
-10 February 2015: Wouter
- - Fix scrubber with harden-glue turned off to reject NS (and other
- not-address) records.
-
-9 February 2015: Wouter
- - Fix validation failure in case upstream forwarder (ISC BIND) does
- not have the same trust anchors and decides to insert unsigned NS
- record in authority section.
-
-2 February 2015: Wouter
- - infra-cache-min-rtt patch from Florian Riehm, for expected long
- uplink roundtrip times.
-
-30 January 2015: Wouter
- - Fix 0x20 capsforid fallback to omit gratuitous NS and additional
- section changes.
- - Portability fix for Solaris ('sun' is not usable for a variable).
-
-29 January 2015: Wouter
- - Fix pyunbound byte string representation for python3.
-
-26 January 2015: Wouter
- - Fix unintended use of gcc extension for incomplete enum types,
- compile with pedantic c99 compliance (from Daniel Dickman).
-
-23 January 2015: Wouter
- - windows port fixes, no AF_LOCAL, no chown, no chmod(grp).
-
-16 January 2015: Wouter
- - unit test for local unix connection. Documentation and log_addr
- does not inspect port for AF_LOCAL.
- - unbound-checkconf -f prints chroot with pidfile path.
-
-13 January 2015: Wouter
- - iana portlist update.
-
-12 January 2015: Wouter
- - Cast sun_len sizeof to socklen_t.
- - Fix pyunbound ord call, portable for python 2 and 3.
-
-7 January 2015: Wouter
- - Fix warnings in pythonmod changes.
-
-6 January 2015: Wouter
- - iana portlist update.
- - patch for remote control over local sockets, from Dag-Erling
- Smorgrav, Ilya Bakulin. Use control-interface: /path/sock and
- control-use-cert: no.
- - Fixup that patch and uid lookup (only for daemon).
- - coded the default of control-use-cert, to yes.
-
-5 January 2015: Wouter
- - getauxval test for ppc64 linux compatibility.
- - make strip works for unbound-host and unbound-anchor.
- - patch from Stephane Lapie that adds to the python API, that
- exposes struct delegpt, and adds the find_delegation function.
- - print query name when max target count is exceeded.
- - patch from Stuart Henderson that fixes DESTDIR in
- unbound-control-setup for installs where config is not in
- the prefix location.
- - Fix #634: fix fail to start on Linux LTS 3.14.X, ignores missing
- IP_MTU_DISCOVER OMIT option (fix from Remi Gacogne).
- - Updated contrib warmup.cmd/sh to support two modes - load
- from pre-defined list of domains or (with filename as argument)
- load from user-specified list of domains, and updated contrib
- unbound_cache.sh/cmd to support loading/save/reload cache to/from
- default path or (with secondary argument) arbitrary path/filename,
- from Yuri Voinov.
- - Patch from Philip Paeps to contrib/unbound_munin_ that uses
- type ABSOLUTE. Allows munin.conf: [idleserver.example.net]
- unbound_munin_hits.graph_period minute
-
-9 December 2014: Wouter
- - svn trunk has 1.5.2 in development.
- - config.guess and config.sub update from libtoolize.
- - local-zone: example.com inform makes unbound log a message with
- client IP for queries in that zone. Eg. for finding infected hosts.
-
-8 December 2014: Wouter
- - Fix CVE-2014-8602: denial of service by making resolver chase
- endless series of delegations.
-
-1 December 2014: Wouter
- - Fix bug#632: unbound fails to build on AArch64, protects
- getentropy compat code from calling sysctl if it is has been removed.
-
-29 November 2014: Wouter
- - Add include to getentropy_linux.c, hopefully fixing debian build.
-
-28 November 2014: Wouter
- - Fix makefile for build from noexec source tree.
-
-26 November 2014: Wouter
- - Fix libunbound undefined symbol errors for main.
- Referencing main does not seem to be possible for libunbound.
-
-24 November 2014: Wouter
- - Fix log at high verbosity and memory allocation failure.
- - iana portlist update.
-
-21 November 2014: Wouter
- - Fix crash on multiple thread random usage on systems without
- arc4random.
-
-20 November 2014: Wouter
- - fix compat/getentropy_win.c check if CryptGenRandom works and no
- immediate exit on windows.
-
-19 November 2014: Wouter
- - Fix cdflag dns64 processing.
-
-18 November 2014: Wouter
- - Fix that CD flag disables DNS64 processing, returning the DNSSEC
- signed AAAA denial.
- - iana portlist update.
-
-17 November 2014: Wouter
- - Fix #627: SSL_CTX_load_verify_locations return code not properly
- checked.
-
-14 November 2014: Wouter
- - parser with bison 2.7
-
-13 November 2014: Wouter
- - Patch from Stephane Lapie for ASAHI Net that implements aaaa-filter,
- added to contrib/aaaa-filter-iterator.patch.
-
-12 November 2014: Wouter
- - trunk has 1.5.1 in development.
- - Patch from Robert Edmonds to build pyunbound python module
- differently. No versioninfo, with -shared and without $(LIBS).
- - Patch from Robert Edmonds fixes hyphens in unbound-anchor man page.
- - Removed 'increased limit open files' log message that is written
- to console. It is only written on verbosity 4 and higher.
- This keeps system bootup console cleaner.
- - Patch from James Raftery, always print stats for rcodes 0..5.
-
-11 November 2014: Wouter
- - iana portlist update.
- - Fix bug where forward or stub addresses with same address but
- different port number were not tried.
- - version number in svn trunk is 1.5.0
- - tag 1.5.0rc1
- - review fix from Ralph.
-
-7 November 2014: Wouter
- - dnstap fixes by Robert Edmonds:
- dnstap/dnstap.m4: cosmetic fixes
- dnstap/: Remove compiled protoc-c output files
- dnstap/dnstap.m4: Error out if required libraries are not found
- dnstap: Fix ProtobufCBufferSimple usage that is incorrect as of
- protobuf-c 1.0.0
- dnstap/: Adapt to API changes in latest libfstrm (>= 0.2.0)
-
-4 November 2014: Wouter
- - Add ub_ctx_add_ta_autr function to add a RFC5011 automatically
- tracked trust anchor to libunbound.
- - Redefine internal minievent symbols to unique symbols that helps
- linking on platforms where the linker leaks names across modules.
-
-27 October 2014: Wouter
- - Disabled use of SSLv3 in remote-control and ssl-upstream.
- - iana portlist update.
-
-16 October 2014: Wouter
- - Documented dns64 configuration in unbound.conf man page.
-
-13 October 2014: Wouter
- - Fix #617: in ldns in unbound, lowercase WKS services.
- - Fix ctype invocation casts.
-
-10 October 2014: Wouter
- - Fix unbound-checkconf check for module config with dns64 module.
- - Fix unbound capsforid fallback, it ignores TTLs in comparison.
-
-6 October 2014: Wouter
- - Fix #614: man page variable substitution bug.
-6 October 2014: Willem
- - Whitespaces after $ORIGIN are not part of the origin dname (ldns).
- - $TTL's value starts at position 5 (ldns).
-
-1 October 2014: Wouter
- - fix #613: Allow tab ws in var length last rdfs (in ldns str2wire).
-
-29 September 2014: Wouter
- - Fix #612: create service with service.conf in present directory and
- auto load it.
- - Fix for mingw compile openssl ranlib.
-
-25 September 2014: Wouter
- - updated configure and aclocal with newer autoconf 1.13.
-
-22 September 2014: Wouter
- - Fix swig and python examples for Python 3.x.
- - Fix for mingw compile with openssl-1.0.1i.
-
-19 September 2014: Wouter
- - improve python configuration detection to build on Fedora 22.
-
-18 September 2014: Wouter
- - patches to also build with Python 3.x (from Pavel Simerda).
-
-16 September 2014: Wouter
- - Fix tcp timer waiting list removal code.
- - iana portlist update.
- - Updated the TCP_BACLOG from 5 to 256, so that the tcp accept queue
- is longer and more tcp connections can be handled.
-
-15 September 2014: Wouter
- - Fix unit test for CDS typecode.
-
-5 September 2014: Wouter
- - type CDS and CDNSKEY types in sldns.
-
-25 August 2014: Wouter
- - Fixup checklock code for log lock and its mutual initialization
- dependency.
- - iana portlist update.
- - Removed necessity for pkg-config from the dnstap.m4, new are
- the --with-libfstrm and --with-protobuf-c configure options.
-
-19 August 2014: Wouter
- - Update unbound manpage with more explanation (from Florian Obser).
-
-18 August 2014: Wouter
- - Fix #603: unbound-checkconf -o <option> should skip verification
- checks.
- - iana portlist update.
- - Fixup doc/unbound.doxygen to remove obsolete 1.8.7 settings.
-
-5 August 2014: Wouter
- - dnstap support, with a patch from Farsight Security, written by
- Robert Edmonds. The --enable-dnstap needs libfstrm and protobuf-c.
- It is BSD licensed (see dnstap/dnstap.c).
- Building with --enable-dnstap needs pkg-config with this patch.
- - Noted dnstap in doc/README and doc/CREDITS.
- - Changes to the dnstap patch.
- - lint fixes.
- - dnstap/dnstap_config.h should not have been added to the repo,
- because is it generated.
-
-1 August 2014: Wouter
- - Patch add msg, rrset, infra and key cache sizes to stats command
- from Maciej Soltysiak.
- - iana portlist update.
-
-31 July 2014: Wouter
- - DNS64 from Viagenie (BSD Licensed), written by Simon Perrault.
- Initial commit of the patch from the FreeBSD base (with its fixes).
- This adds a module (for module-config in unbound.conf) dns64 that
- performs DNS64 processing, see README.DNS64.
- - Changes from DNS64:
- strcpy changed to memmove.
- arraybound check fixed from prefix_net/8/4 to prefix_net/8+4.
- allocation of result consistently in the correct region.
- time_t is now used for ttl in unbound (since the patch's version).
- - testdata/dns64_lookup.rpl for unit test for dns64 functionality.
-
-29 July 2014: Wouter
- - Patch from Dag-Erling Smorgrav that implements feature, unbound -dd
- does not fork in the background and also logs to stderr.
-
-21 July 2014: Wouter
- - Fix endian.h include for OpenBSD.
-
-16 July 2014: Wouter
- - And Fix#596: Bail out of unbound-control dump_infra when ssl
- write fails.
-
-15 July 2014: Wouter
- - Fix #596: Bail out of unbound-control list_local_zones when ssl
- write fails.
- - iana portlist update.
-
-13 July 2014: Wouter
- - Configure tests if main can be linked to from getentropy compat.
-
-12 July 2014: Wouter
- - Fix getentropy compat code, function refs were not portable.
- - Fix to check openssl version number only for OpenSSL.
- - LibreSSL provides compat items, check for that in configure.
- - Fix bug in fix for log locks that caused deadlock in signal handler.
- - update compat/getentropy and arc4random to the most recent ones from OpenBSD.
-
-11 July 2014: Matthijs
- - fake-rfc2553 patch (thanks Benjamin Baier).
-
-11 July 2014: Wouter
- - arc4random in compat/ and getentropy, explicit_bzero, chacha for
- dependencies, from OpenBSD. arc4_lock and sha512 in compat.
- This makes arc4random available on all platforms, except when
- compiled with LIBNSS (it uses libNSS crypto random).
- - fix strptime implicit declaration error on OpenBSD.
- - arc4random, getentropy and explicit_bzero compat for Windows.
-
-4 July 2014: Wouter
- - Fix #593: segfault or crash upon rotating logfile.
-
-3 July 2014: Wouter
- - DLV tests added.
- - signit tool fixup for compile with libldns library.
- - iana portlist updated.
-
-27 June 2014: Wouter
- - so-reuseport is available on BSDs(such as FreeBSD 10) and OS/X.
-
-26 June 2014: Wouter
- - unbound-control status reports if so-reuseport was successful.
- - iana portlist updated.
-
-24 June 2014: Wouter
- - Fix caps-for-id fallback, and added fallback attempt when servers
- drop 0x20 perturbed queries.
- - Fixup testsetup for VM tests (run testcode/run_vm.sh).
-
-17 June 2014: Wouter
- - iana portlist updated.
-
-3 June 2014: Wouter
- - Add AAAA for B root server to default root hints.
-
-2 June 2014: Wouter
- - Remove unused define from iterator.h
-
-30 May 2014: Wouter
- - Fixup sldns_enum_edns_option typedef definition.
-
-28 May 2014: Wouter
- - Code cleanup patch from Dag-Erling Smorgrav, with compiler issue
- fixes from FreeBSD's copy of Unbound, he notes:
- Generate unbound-control-setup.sh at build time so it respects
- prefix and sysconfdir from the configure script. Also fix the
- umask to match the comment, and the comment to match the umask.
- Add const and static where needed. Use unions instead of
- playing pointer poker. Move declarations that are needed in
- multiple source files into a shared header. Move sldns_bgetc()
- from parse.c to buffer.c where it belongs. Introduce a new
- header file, worker.h, which declares the callbacks that
- all workers must define. Remove those declarations from
- libworker.h. Include the correct headers in the correct places.
- Fix a few dummy callbacks that don't match their prototype.
- Fix some casts. Hide the sbrk madness behind #ifdef HAVE_SBRK.
- Remove a useless printf which breaks reproducible builds.
- Get rid of CONFIGURE_{TARGET,DATE,BUILD_WITH} now that they're
- no longer used. Add unbound-control-setup.sh to the list of
- generated files. The prototype for libworker_event_done_cb()
- needs to be moved from libunbound/libworker.h to
- libunbound/worker.h.
- - Fixup out-of-directory compile with unbound-control-setup.sh.in.
- - make depend.
-
-23 May 2014: Wouter
- - unbound-host -D enabled dnssec and reads root trust anchor from
- the default root key file that was compiled in.
-
-20 May 2014: Wouter
- - Feature, unblock-lan-zones: yesno that you can use to make unbound
- perform 10.0.0.0/8 and other reverse lookups normally, for use if
- unbound is running service for localhost on localhost.
-
-16 May 2014: Wouter
- - Updated create_unbound_ad_servers and unbound_cache scripts from
- Yuri Voinov in the source/contrib directory. Added
- warmup.cmd (and .sh): warm up the DNS cache with your MRU domains.
-
-9 May 2014: Wouter
- - Implement draft-ietf-dnsop-rfc6598-rfc6303-01.
- - iana portlist updated.
-
-8 May 2014: Wouter
- - Contrib windows scripts from Yuri Voinov added to src/contrib:
- create_unbound_ad_servers.cmd: enters anti-ad server lists.
- unbound_cache.cmd: saves and loads the cache.
- - Added unbound-control-setup.cmd from Yuri Voinov to the windows
- unbound distribution set. It requires openssl installed in %PATH%.
-
-6 May 2014: Wouter
- - Change MAX_SENT_COUNT from 16 to 32 to resolve some cases easier.
-
-5 May 2014: Wouter
- - More #567: remove : from output of stub and forward lists, this is
- easier to parse.
-
-29 April 2014: Wouter
- - iana portlist updated.
- - Add unbound-control flush_negative that flushed nxdomains, nodata,
- and errors from the cache. For dnssec-trigger and NetworkManager,
- fixes cases where network changes have localdata that was already
- negatively cached from the previous network.
-
-23 April 2014: Wouter
- - Patch from Jeremie Courreges-Anglas to use arc4random_uniform
- if available on the OS, it gets entropy from the OS.
-
-15 April 2014: Wouter
- - Fix compile with libevent2 on FreeBSD.
-
-11 April 2014: Wouter
- - Fix #502: explain that do-ip6 disable does not stop AAAA lookups,
- but it stops the use of the ipv6 transport layer for DNS traffic.
- - iana portlist updated.
-
-10 April 2014: Wouter
- - iana portlist updated.
- - Patch from Hannes Frederic Sowa for Linux 3.15 fragmentation
- option for DNS fragmentation defense.
- - Document that dump_requestlist only prints queries from thread 0.
- - unbound-control stats prints num.query.tcpout with number of TCP
- outgoing queries made in the previous statistics interval.
- - Fix #567: unbound lists if forward zone is secure or insecure with
- +i annotation in output of list_forwards, also for list_stubs
- (for NetworkManager integration.)
- - Fix #554: use unsigned long to print 64bit statistics counters on
- 64bit systems.
- - Fix #558: failed prefetch lookup does not remove cached response
- but delays next prefetch (in lieu of caching a SERVFAIL).
- - Fix #545: improved logging, the ip address of the error is printed
- on the same log-line as the error.
-
-8 April 2014: Wouter
- - Fix #574: make test fails on Ubuntu 14.04. Disabled remote-control
- in testbound scripts.
- - iana portlist updated.
-
-7 April 2014: Wouter
- - C.ROOT-SERVERS.NET has an IPv6 address, and we updated the root
- hints (patch from Anand Buddhdev).
- - Fix #572: Fix unit test failure for systems with different
- /etc/services.
-
-28 March 2014: Wouter
- - Fix #569: do_tcp is do-tcp in unbound.conf man page.
-
-25 March 2014: Wouter
- - Patch from Stuart Henderson to build unbound-host man from .1.in.
-
-24 March 2014: Wouter
- - Fix print filename of encompassing config file on read failure.
-
-12 March 2014: Wouter
- - tag 1.4.22
- - trunk has 1.4.23 in development.
-
-10 March 2014: Wouter
- - Fix bug#561: contrib/cacti plugin did not report SERVFAIL rcodes
- because of spelling. Patch from Chris Coates.
-
-27 February 2014: Wouter
- - tag 1.4.22rc1
-
-21 February 2014: Wouter
- - iana portlist updated.
-
-20 February 2014: Matthijs
- - Be lenient when a NSEC NameError response with RCODE=NXDOMAIN is
- received. This is okay according 4035, but not after revising
- existence in 4592. NSEC empty non-terminals exist and thus the
- RCODE should have been NOERROR. If this occurs, and the RRsets
- are secure, we set the RCODE to NOERROR and the security status
- of the response is also considered secure.
-
-14 February 2014: Wouter
- - Works on Minix (3.2.1).
-
-11 February 2014: Wouter
- - Fix parse of #553(NSD) string in sldns, quotes without spaces.
-
-7 February 2014: Wouter
- - iana portlist updated.
- - add body to ifstatement if locks disabled.
- - add TXT string"string" test case to unit test.
- - Fix #551: License change "Regents" to "Copyright holder", matching
- the BSD license on opensource.org.
-
-6 February 2014: Wouter
- - sldns has type HIP.
- - code documentation on the module interface.
-
-5 February 2014: Wouter
- - Fix sldns parse tests on osx.
-
-3 February 2014: Wouter
- - Detect libevent2 install automatically by configure.
- - Fixup link with lib/event2 subdir.
- - Fix parse in sldns of quoted parenthesized text strings.
-
-31 January 2014: Wouter
- - unit test for ldns wire to str and back with zones, root, nlnetlabs
- and types.sidnlabs.
- - Fix for hex to string in unknown, atma and nsap.
- - fixup nss compile (no ldns in it).
- - fixup warning in unitldns
- - fixup WKS and rdata type service to print unsigned because strings
- are not portable; they cannot be read (for sure) on other computers.
- - fixup type EUI48 and EUI64, type APL and type IPSECKEY in string
- parse sldns.
-
-30 January 2014: Wouter
- - delay-close does not act if there are udp-wait queries, so that
- it does not make a socketdrain DoS easier.
-
-28 January 2014: Wouter
- - iana portlist updated.
- - iana portlist test updated so it does not touch the source
- if there are no changes.
- - delay-close: msec option that delays closing ports for which
- the UDP reply has timed out. Keeps the port open, only accepts
- the correct reply. This correct reply is not used, but the port
- is open so that no port-denied ICMPs are generated.
-
-27 January 2014: Wouter
- - reuseport is attempted, then fallback to without on failure.
-
-24 January 2014: Wouter
- - Change unbound-event.h to use void* buffer, length idiom.
- - iana portlist updated.
- - unbound-event.h is installed if you configure --enable-event-api.
- - speed up unbound (reports say it could be up to 10%), by reducing
- lock contention on localzones.lock. It is changed to an rwlock.
- - so-reuseport: yesno option to distribute queries evenly over
- threads on Linux (Thanks Robert Edmonds).
- - made lint clean.
-
-21 January 2014: Wouter
- - Fix #547: no trustanchor written if filesystem full, fclose checked.
-
-17 January 2014: Wouter
- - Fix isprint() portability in sldns, uses unsigned int.
- - iana portlist updated.
-
-16 January 2014: Wouter
- - fix #544: Fixed +i causes segfault when running with module conf
- "iterator".
- - Windows port, adjust %lld to %I64d, and warning in win_event.c.
-
-14 January 2014: Wouter
- - iana portlist updated.
-
-5 Dec 2013: Wouter
- - Fix bug in cachedump that uses sldns.
- - update pythonmod for ldns_ to sldns_ name change.
-
-3 Dec 2013: Wouter
- - Fix sldns to use sldns_ prefix for all ldns_ variables.
- - Fix windows compile to compile with sldns.
-
-30 Nov 2013: Wouter
- - Fix sldns to make globals use sldns_ prefix. This fixes
- linking with libldns that uses global variables ldns_ .
-
-13 Nov 2013: Wouter
- - Fix bug#537: compile python plugin without ldns library.
-
-12 Nov 2013: Wouter
- - Fix bug#536: acl_deny_non_local and refuse_non_local added.
-
-5 Nov 2013: Wouter
- - Patch from Neel Goyal to fix async id assignment if callback
- is called by libunbound in the mesh attach.
- - Accept ip-address: as an alternative for interface: for
- consistency with nsd.conf syntax.
-
-4 Nov 2013: Wouter
- - Patch from Neel Goyal to fix callback in libunbound.
-
-3 Nov 2013: Wouter
- - if configured --with-libunbound-only fix make install.
-
-31 Oct 2013: Wouter
- - Fix #531: Set SO_REUSEADDR so that the wildcard interface and a
- more specific interface port 53 can be used at the same time, and
- one of the daemons is unbound.
- - iana portlist update.
- - separate ldns into core ldns inside ldns/ subdirectory. No more
- --with-ldns is needed and unbound does not rely on libldns.
- - portability fixes for new USE_SLDNS ldns subdir codebase.
-
-22 Oct 2013: Wouter
- - Patch from Neel Goyal: Add an API call to set an event base on an
- existing ub_ctx. This basically just destroys the current worker and
- sets the event base to the current. And fix a deadlock in
- ub_resolve_event – the cfglock is held when libworker_create is
- called. This ends up trying to acquire the lock again in
- context_obtain_alloc in the call chain.
- - Fix #528: if very high logging (4 or more) segfault on allow_snoop.
-
-26 Sep 2013: Wouter
- - unbound-event.h is installed if configured --with-libevent. It
- contains low-level library calls, that use libevent's event_base
- and an ldns_buffer for the wire return packet to perform async
- resolution in the client's eventloop.
-
-19 Sep 2013: Wouter
- - 1.4.21 tag created.
- - trunk has 1.4.22 number inside it.
- - iana portlist updated.
- - acx_nlnetlabs.m4 to 26; improve FLTO help text.
-
-16 Sep 2013: Wouter
- - Fix#524: max-udp-size not effective to non-EDNS0 queries, from
- Daisuke HIGASHI.
-
-10 Sep 2013: Wouter
- - MIN_TTL and MAX_TTL also in time_t.
- - tag 1.4.21rc1 made again.
-
-26 Aug 2013: Wouter
- - More fixes for bug#519: for the threaded case test if the bg
- thread has been killed, on ub_ctx_delete, to avoid hangs.
-
-22 Aug 2013: Wouter
- - more fixes that I overlooked.
- - review fixes from Willem.
-
-21 Aug 2013: Wouter
- - Fix#520: Errors found by static analysis from Tomas Hozza(redhat).
-
-20 Aug 2013: Wouter
- - Fix for 2038, with time_t instead of uint32_t.
-
-19 Aug 2013: Wouter
- - Fix#519 ub_ctx_delete may hang in some scenarios (libunbound).
-
-14 Aug 2013: Wouter
- - Fix uninit variable in fix#516.
-
-8 Aug 2013: Wouter
- - Fix#516 dnssec lameness detection for answers that are improper.
-
-30 Jun 2013: Wouter
- - tag 1.4.21rc1
-
-29 Jun 2013: Wouter
- - Fix#512 memleak in testcode for testbound (if it fails).
- - Fix#512 NSS returned arrays out of setup function to be statics.
-
-26 Jun 2013: Wouter
- - max include of 100.000 files (depth and globbed at one time).
- This is to preserve system memory in bug cases, or endless cases.
- - iana portlist updated.
-
-19 Jun 2013: Wouter
- - streamtcp man page, contributed by Tomas Hozza.
- - iana portlist updated.
- - libunbound documentation on how to avoid openssl race conditions.
-
-25 Jun 2013: Wouter
- - Squelch sendto-permission denied errors when the network is
- not connected, to avoid spamming syslog.
- - configure --disable-flto option (from Robert Edmonds).
-
-18 Jun 2013: Wouter
- - Fix for const string literals in C++ for libunbound, from Karel
- Slany.
- - iana portlist updated.
-
-17 Jun 2013: Wouter
- - Fixup manpage syntax.
-
-14 Jun 2013: Wouter
- - get_option and set_option support for log-time-ascii, python-script
- val-sig-skew-min and val-sig-skew-max. log-time-ascii takes effect
- immediately. The others are mostly useful for libunbound users.
-
-13 Jun 2013: Wouter
- - get_option, set_option, unbound-checkconf -o and libunbound
- getoption and setoption support cache-min-ttl and cache-max-ttl.
-
-10 Jun 2013: Wouter
- - Fix#501: forward-first does not recurse, when forward name is ".".
- - iana portlist update.
- - Max include depth is unlimited.
-
-27 May 2013: Wouter
- - Update acx_pthreads.m4 to ax_pthreads.4 (2013-03-29), and apply
- patch to it to not fail when -Werror is also specified, from the
- autoconf-archives.
- - iana portlist update.
-
-21 May 2013: Wouter
- - Explain bogus and secure flags in libunbound more.
-
-16 May 2013: Wouter
- - Fix#499 use-after-free in out-of-memory handling code (thanks Jake
- Montgomery).
- - Fix#500 use on non-initialised values on socket bind failures.
-
-15 May 2013: Wouter
- - Fix round-robin doesn't work with some Windows clients (from Ilya
- Bakulin).
-
-3 May 2013: Wouter
- - update acx_nlnetlabs.m4 to v23, sleep w32 fix.
-
-26 April 2013: Wouter
- - add unbound-control insecure_add and insecure_remove for the
- administration of negative trust anchors.
-
-25 April 2013: Wouter
- - Implement max-udp-size config option, default 4096 (thanks
- Daisuke Higashi).
- - Robust checks on dname validity from rdata for dname compare.
- - updated iana portlist.
-
-19 April 2013: Wouter
- - Fixup snprintf return value usage, fixed libunbound_get_option.
-
-18 April 2013: Wouter
- - fix bug #491: pick program name (0th argument) as syslog identity.
- - own implementation of compat/snprintf.c.
-
-15 April 2013: Wouter
- - Fix so that for a configuration line of include: "*.conf" it is not
- an error if there are no files matching the glob pattern.
- - unbound-anchor review: BIO_write can return 0 successfully if it
- has successfully appended a zero length string.
-
-11 April 2013: Wouter
- - Fix queries leaking up for stubs and forwards, if the configured
- nameservers all fail to answer.
-
-10 April 2013: Wouter
- - code improve for minimal responses, small speed increase.
-
-9 April 2013: Wouter
- - updated iana portlist.
- - Fix crash in previous private address fixup of 22 March.
-
-28 March 2013: Wouter
- - Make reverse zones easier by documenting the nodefault statements
- commented-out in the example config file.
-
-26 March 2013: Wouter
- - more fixes to lookup3.c endianness detection.
-
-25 March 2013: Wouter
- - #492: Fix endianness detection, revert to older lookup3.c detection
- and put new detect lines after previous tests, to avoid regressions
- but allow new detections to succeed.
- And add detection for machine/endian.h to it.
-
-22 March 2013: Wouter
- - Fix resolve of names that use a mix of public and private addresses.
- - iana portlist update.
- - Fix makedist for new svn for -d option.
- - unbound.h header file has UNBOUND_VERSION_MAJOR define.
- - Fix windows RSRC version for long version numbers.
-
-21 March 2013: Wouter
- - release 1.4.20
- - trunk has 1.4.21
- - committed libunbound version 4:1:2 for binary API updated in 1.4.20
- - install copy of unbound-control.8 man page for unbound-control-setup
-
-14 March 2013: Wouter
- - iana portlist update.
- - tag 1.4.20rc1
-
-12 March 2013: Wouter
- - Fixup makedist.sh for windows compile.
-
-11 March 2013: Wouter
- - iana portlist update.
- - testcode/ldns-testpkts.c check for makedist is informational.
-
-15 February 2013: Wouter
- - fix defines in lookup3 for bigendian bsd alpha
-
-11 February 2013: Wouter
- - Fixup openssl_thread init code to only run if compiled with SSL.
-
-7 February 2013: Wouter
- - detect endianness in lookup3 on BSD.
- - add libunbound.ttl at end of result structure, version bump for
- libunbound and binary backwards compatible, but 1.4.19 is not
- forward compatible with 1.4.20.
- - update iana port list.
-
-30 January 2013: Wouter
- - includes and have_ssl fixes for nss.
-
-29 January 2013: Wouter
- - printout name of zone with duplicate fwd and hint errors.
-
-28 January 2013: Wouter
- - updated fwd_zero for newer nc. Updated common.sh for newer netstat.
-
-17 January 2013: Wouter
- - unbound-anchors checks the emailAddress of the signer of the
- root.xml file, default is dnssec@iana.org. It also checks that
- the signer has the correct key usage for a digital signature.
- - update iana port list.
-
-3 January 2013: Wouter
- - Test that unbound-control checks client credentials.
- - Test that unbound can handle a CNAME at an intermediate node in
- the chain of trust (where it seeks a DS record).
- - Check the commonName of the signer of the root.xml file in
- unbound-anchor, default is dnssec@iana.org.
-
-2 January 2013: Wouter
- - Fix openssl lock free on exit (reported by Robert Fleischman).
- - iana portlist updated.
- - Tested that unbound implements the RFC5155 Technical Errata id 3441.
- Unbound already implements insecure classification of an empty
- nonterminal in NSEC3 optout zone.
-
-20 December 2012: Wouter
- - Fix unbound-anchor xml parse of entity declarations for safety.
-
-19 December 2012: Wouter
- - iana portlist updated.
-
-18 December 2012: Wouter
- - iana portlist updated.
-
-14 December 2012: Wouter
- - Change of D.ROOT-SERVERS.NET A address in default root hints.
-
-12 December 2012: Wouter
- - 1.4.19 release.
- - trunk has 1.4.20 under development.
-
-5 December 2012: Wouter
- - note support for AAAA RR type RFC.
-
-4 December 2012: Wouter
- - 1.4.19rc1 tag.
-
-30 November 2012: Wouter
- - bug 481: fix python example0.
- - iana portlist updated.
-
-27 November 2012: Wouter
- - iana portlist updated.
-
-9 November 2012: Wouter
- - Fix unbound-control forward disables configured stubs below it.
-
-7 November 2012: Wouter
- - Fixup ldns-testpkts, identical to ldns/examples.
- - iana portlist updated.
-
-30 October 2012: Wouter
- - Fix bug #477: unbound-anchor segfaults if EDNS is blocked.
-
-29 October 2012: Matthijs
- - Fix validation for responses with both CNAME and wildcard
- expanded CNAME records in answer section.
-
-8 October 2012: Wouter
- - update ldns-testpkts.c to ldns 1.6.14 version.
- - fix build of pythonmod in objdir, for unbound.py.
- - make clean and makerealclean remove generated python and docs.
-
-5 October 2012: Wouter
- - fix build of pythonmod in objdir (thanks Jakob Schlyter).
-
-3 October 2012: Wouter
- - fix text in unbound-anchor man page.
-
-1 October 2012: Wouter
- - ignore trusted-keys globs that have no files (from Paul Wouters).
-
-27 September 2012: Wouter
- - include: directive in config file accepts wildcards. Patch from
- Paul Wouters. Suggested use: include: "/etc/unbound.d/conf.d/*"
- - unbound-control -q option is quiet, patch from Mariano Absatz.
- - iana portlist updated.
- - updated contrib/unbound.spec, patch from Valentin Bud.
-
-21 September 2012: Wouter
- - chdir to / after chroot call (suggested by Camiel Dobbelaar).
-
-17 September 2012: Wouter
- - patch_rsamd5_enable.diff: this patch enables RSAMD5 validation
- otherwise it is treated as insecure. The RSAMD5 algorithm is
- deprecated (RFC6725). The MD5 hash is considered weak for some
- purposes, if you want to sign your zone, then RSASHA256 is an
- uncontested hash.
-
-30 August 2012: Wouter
- - RFC6725 deprecates RSAMD5: this DNSKEY algorithm is disabled.
- - iana portlist updated.
-
-29 August 2012: Wouter
- - Nicer comments outgoing-port-avoid, thanks Stu (bug #465).
-
-22 August 2012: Wouter
- - Fallback to 1472 and 1232, one fragment size without headers.
-
-21 August 2012: Wouter
- - Fix timeouts so that when a server has been offline for a while
- and is probed to see it works, it becomes fully available for
- server selection again.
-
-17 August 2012: Wouter
- - Add documentation to libunbound for default nonuse of resolv.conf.
-
-2 August 2012: Wouter
- - trunk has 1.4.19 under development (fixes from 1 aug and 31 july
- are for 1.4.19).
- - iana portlist updated.
-
-1 August 2012: Wouter
- - Fix openssl race condition, initializes openssl locks, reported
- by Einar Lonn and Patrik Wallstrom.
-
-31 July 2012: Wouter
- - Improved forward-first and stub-first documentation.
- - Fix that enables modules to register twice for the same
- serviced_query, without race conditions or administration issues.
- This should not happen with the current codebase, but it is robust.
- - Fix forward-first option where it sets the RD flag wrongly.
- - added manpage links for libunbound calls (Thanks Paul Wouters).
-
-30 July 2012: Wouter
- - tag 1.4.18rc2 (became 1.4.18 release at 2 august 2012).
-
-27 July 2012: Wouter
- - unbound-host works with libNSS
- - fix bogus nodata cname chain not reported as bogus by validator,
- (Thanks Peter van Dijk).
-
-26 July 2012: Wouter
- - iana portlist updated.
- - tag 1.4.18rc1.
-
-25 July 2012: Wouter
- - review fix for libnss, check hash prefix allocation size.
-
-23 July 2012: Wouter
- - fix missing break for GOST DS hash function.
- - implemented forward_first for the root.
-
-20 July 2012: Wouter
- - Fix bug#452 and another assertion failure in mesh.c, makes
- assertions in mesh.c resist duplicates. Fixes DS NS search to
- not generate duplicate sub queries.
-
-19 July 2012: Willem
- - Fix bug#454: Remove ACX_CHECK_COMPILER_FLAG from configure.ac,
- if CFLAGS is specified at configure time then '-g -O2' is not
- appended to CFLAGS, so that the user can override them.
-
-18 July 2012: Willem
- - Fix libunbound report of errors when in background mode.
-
-11 July 2012: Willem
- - updated iana ports list.
-
-9 July 2012: Willem
- - Add flush_bogus option for unbound-control
-
-6 July 2012: Wouter
- - Fix validation of qtype DS queries that result in no data for
- non-optout NSEC3 zones.
-
-4 July 2012: Wouter
- - compile libunbound with libnss on Suse, passes regression tests.
-
-3 July 2012: Wouter
- - FIPS_mode openssl does not use arc4random but RAND_pseudo_bytes.
-
-2 July 2012: Wouter
- - updated iana ports list.
-
-29 June 2012: Wouter
- - patch for unbound_munin_ script to handle arbitrary thread count by
- Sven Ulland.
-
-28 June 2012: Wouter
- - detect if openssl has FIPS_mode.
- - code review: return value of cache_store can be ignored for better
- performance in out of memory conditions.
- - fix edns-buffer-size and msg-buffer-size manpage documentation.
- - updated iana ports list.
-
-25 June 2012: Wouter
- - disable RSAMD5 if in FIPS mode (for openssl and for libnss).
-
-22 June 2012: Wouter
- - implement DS records, NSEC3 and ECDSA for compile with libnss.
-
-21 June 2012: Wouter
- - fix error handling of alloc failure during rrsig verification.
- - nss check for verification failure.
- - nss crypto works for RSA and DSA.
-
-20 June 2012: Wouter
- - work on --with-nss build option (for now, --with-libunbound-only).
-
-19 June 2012: Wouter
- - --with-libunbound-only build option, only builds the library and
- not the daemon and other tools.
-
-18 June 2012: Wouter
- - code review.
-
-15 June 2012: Wouter
- - implement log-time-ascii on windows.
- - The key-cache bad key ttl is now 60 seconds.
- - updated iana ports list.
- - code review.
-
-11 June 2012: Wouter
- - bug #452: fix crash on assert in mesh_state_attachment.
-
-30 May 2012: Wouter
- - silence warning from swig-generated code (md set but not used in
- swig initmodule, due to ifdefs in swig-generated code).
-
-27 May 2012: Wouter
- - Fix debian-bugs-658021: Please enable hardened build flags.
-
-25 May 2012: Wouter
- - updated iana ports list.
-
-24 May 2012: Wouter
- - tag for 1.4.17 release.
- - trunk is 1.4.18 in development.
-
-18 May 2012: Wouter
- - Review comments, removed duplicate memset to zero in delegpt.
-
-16 May 2012: Wouter
- - Updated doc/FEATURES with RFCs that are implemented but not listed.
- - Protect if statements in val_anchor for compile without locks.
- - tag for 1.4.17rc1.
-
-15 May 2012: Wouter
- - fix configure ECDSA support in ldns detection for windows compile.
- - fix possible uninitialised variable in windows pipe implementation.
-
-9 May 2012: Wouter
- - Fix alignment problem in util/random on sparc64/freebsd.
-
-8 May 2012: Wouter
- - Fix for accept spinning reported by OpenBSD.
- - iana portlist updated.
-
-2 May 2012: Wouter
- - Fix validation of nodata for DS query in NSEC zones, reported by
- Ondrej Mikle.
-
-13 April 2012: Wouter
- - ECDSA support (RFC 6605) by default. Use --disable-ecdsa for older
- openssl.
-
-10 April 2012: Wouter
- - Applied patch from Daisuke HIGASHI for rrset-roundrobin and
- minimal-responses features.
- - iana portlist updated.
-
-5 April 2012: Wouter
- - fix bug #443: --with-chroot-dir not honoured by configure.
- - fix bug #444: setusercontext was called too late (thanks Bjorn
- Ketelaars).
-
-27 March 2012: Wouter
- - fix bug #442: Fix that Makefile depends on pythonmod headers
- even using --without-pythonmodule.
-
-22 March 2012: Wouter
- - contrib/validation-reporter follows rotated log file (patch from
- Augie Schwer).
-
-21 March 2012: Wouter
- - new approach to NS fetches for DS lookup that works with
- cornercases, and is more robust and considers forwarders.
-
-19 March 2012: Wouter
- - iana portlist updated.
- - fix to locate nameservers for DS lookup with NS fetches.
-
-16 March 2012: Wouter
- - Patch for access to full DNS packet data in unbound python module
- from Ondrej Mikle.
-
-9 March 2012: Wouter
- - Applied line-buffer patch from Augie Schwer to validation.reporter.sh.
-
-2 March 2012: Wouter
- - flush_infra cleans timeouted servers from the cache too.
- - removed warning from --enable-ecdsa.
-
-1 March 2012: Wouter
- - forward-first option. Tries without forward if a query fails.
- Also stub-first option that is similar.
-
-28 February 2012: Wouter
- - Fix from code review, if EINPROGRESS not defined chain if statement
- differently.
-
-27 February 2012: Wouter
- - Fix bug#434: on windows check registry for config file location
- for unbound-control.exe, and unbound-checkconf.exe.
-
-23 February 2012: Wouter
- - Fix to squelch 'network unreachable' errors from tcp connect in
- logs, high verbosity will show them.
-
-16 February 2012: Wouter
- - iter_hints is now thread-owned in module env, and thus threadsafe.
- - Fix prefetch and sticky NS, now the prefetch works. It picks
- nameservers that 'would be valid in the future', and if this makes
- the NS timeout, it updates that NS by asking delegation from the
- parent again. If child NS has longer TTL, that TTL does not get
- refreshed from the lookup to the child nameserver.
-
-15 February 2012: Wouter
- - Fix forward-zone memory, uses malloc and frees original root dp.
- - iter hints (stubs) uses malloc inside for more dynamicity.
- - unbound-control forward_add, forward_remove, stub_add, stub_remove
- can modify stubs and forwards for running unbound (on mobile computer)
- they can also add and remove domain-insecure for the zone.
-
-14 February 2012: Wouter
- - Fix sticky NS (ghost domain problem) if prefetch is yes.
- - iter forwards uses malloc inside for more dynamicity.
-
-13 February 2012: Wouter
- - RT#2955. Fix for cygwin compilation.
- - iana portlist updated.
-
-10 February 2012: Wouter
- - Slightly smaller critical region in one case in infra cache.
- - Fix timeouts to keep track of query type, A, AAAA and other, if
- another has caused timeout blacklist, different type can still probe.
- - unit test fix for nomem_cnametopos.rpl race condition.
-
-9 February 2012: Wouter
- - Fix AHX_BROKEN_MEMCMP for autoheader mess up of #undef in config.h.
-
-8 February 2012: Wouter
- - implement draft-ietf-dnsext-ecdsa-04; which is in IETF LC; This
- implementation is experimental at this time and not recommended
- for use on the public internet (the protocol numbers have not
- been assigned). Needs recent ldns with --enable-ecdsa.
- - fix memory leak in errorcase for DSA signatures.
- - iana portlist updated.
- - workaround for openssl 0.9.8 ecdsa sha2 and evp problem.
-
-3 February 2012: Wouter
- - fix for windows, rename() is not posix compliant on windows.
-
-2 February 2012: Wouter
- - 1.4.16 release tag.
- - svn trunk is 1.4.17 in development.
- - iana portlist updated.
-
-1 February 2012: Wouter
- - Fix validation failures (like: validation failure xx: no NSEC3
- closest encloser from yy for DS zz. while building chain of trust,
- because of a bug in the TTL-fix in 1.4.15, it picked the wrong rdata
- for an NSEC3. Now it does not change rdata, and fixes TTL.
-
-30 January 2012: Wouter
- - Fix version-number in libtool to be version-info so it produces
- libunbound.so.2 like it should.
-
-26 January 2012: Wouter
- - Tag 1.4.15 (same as 1.4.15rc1), for 1.4.15 release.
- - trunk 1.4.16; includes changes memset testcode, #424 openindiana,
- and keyfile write fixup.
- - applied patch to support outgoing-interface with ub_ctx_set_option.
-
-23 January 2012: Wouter
- - Fix memset in test code.
-
-20 January 2012: Wouter
- - Fix bug #424: compile on OpenIndiana OS with gcc 4.6.2.
-
-19 January 2012: Wouter
- - Fix to write key files completely to a temporary file, and if that
- succeeds, replace the real key file. So failures leave a useful file.
-
-18 January 2012: Wouter
- - tag 1.4.15rc1 created
- - updated libunbound/ubsyms.def and remade tag 1.4.15rc1.
-
-17 January 2012: Wouter
- - Fix bug where canonical_compare of RRSIG did not downcase the
- signer-name. This is mostly harmless because RRSIGs do not have
- to be sorted in canonical order, usually.
-
-12 January 2012: Wouter
- - bug#428: add ub_version() call to libunbound. API version increase,
- with (binary) backwards compatibility for the previous version.
-
-10 January 2012: Wouter
- - Fix bug #425: unbound reports wrong TTL in reply, it reports a TTL
- that would be permissible by the RFCs but it is not the TTL in the
- cache.
- - iana portlist updated.
- - uninitialised variable in reprobe for rtt blocked domains fixed.
- - lintfix and new flex output.
-
-2 January 2012: Wouter
- - Fix to randomize hash function, based on 28c3 congress, reported
- by Peter van Dijk.
-
-24 December 2011: Wouter
- - Fix for memory leak (about 20 bytes when a tcp or udp send operation
- towards authority servers failed, takes about 50.000 such failures to
- leak one Mb, such failures are also usually logged), reported by
- Robert Fleischmann.
- - iana portlist updated.
-
-19 December 2011: Wouter
- - Fix for VU#209659 CVE-2011-4528: Unbound denial of service
- vulnerabilities from nonstandard redirection and denial of existence
- http://www.unbound.net/downloads/CVE-2011-4528.txt
- - robust checks for next-closer NSEC3s.
- - tag 1.4.14 created.
- - trunk has 1.4.15 in development.
-
-15 December 2011: Wouter
- - remove uninit warning from cachedump code.
- - Fix parse error on negative SOA RRSIGs if badly ordered in the packet.
-
-13 December 2011: Wouter
- - iana portlist updated.
- - svn tag 1.4.14rc1
- - fix infra cache comparison.
- - Fix to constrain signer_name to be a parent of the lookupname.
-
-5 December 2011: Wouter
- - Fix getaddrinfowithincludes on windows with fedora16 mingw32-gcc.
- - Fix warnings with gcc 4.6 in compat/inet_ntop.c.
- - Fix warning unused in compat/strptime.c.
- - Fix malloc detection and double definition.
-
-2 December 2011: Wouter
- - configure generated with autoconf 2.68.
-
-30 November 2011: Wouter
- - Fix for tcp-upstream and ssl-upstream for if a laptop sleeps, causes
- SERVFAILs. Also fixed for UDP (but less likely).
-
-28 November 2011: Wouter
- - Fix quartile time estimate, it was too low, (thanks Jan Komissar).
- - iana ports updated.
-
-11 November 2011: Wouter
- - Makefile compat with SunOS make, BSD make and GNU make.
- - iana ports updated.
-
-10 November 2011: Wouter
- - Makefile changed for BSD make compatibility.
-
-9 November 2011: Wouter
- - added unit test for SSL service and SSL-upstream.
-
-8 November 2011: Wouter
- - can configure ssl service to one port number, and not on others.
- - fixup windows compile with ssl support.
- - Fix double free in unbound-host, reported by Steve Grubb.
- - iana portlist updated.
-
-1 November 2011: Wouter
- - dns over ssl support as a client, ssl-upstream yes turns it on.
- It performs an SSL transaction for every DNS query (250 msec).
- - documentation for new options: ssl-upstream, ssl-service-key and
- ssl-service.pem.
- - iana portlist updated.
- - fix -flto detection on Lion for llvm-gcc.
-
-31 October 2011: Wouter
- - dns over ssl support, ssl-service-pem and ssl-service-key files
- can be given and then TCP queries are serviced wrapped in SSL.
-
-27 October 2011: Wouter
- - lame-ttl and lame-size options no longer exist, it is integrated
- with the host info. They are ignored (with verbose warning) if
- encountered to keep the config file backwards compatible.
- - fix iana-update for changing gzip compression of results.
- - fix export-all-symbols on OSX.
-
-26 October 2011: Wouter
- - iana portlist updated.
- - Infra cache stores information about ping and lameness per IP, zone.
- This fixes bug #416.
- - fix iana_update target for gzipped file on iana site.
-
-24 October 2011: Wouter
- - Fix resolve of partners.extranet.microsoft.com with a fix for the
- server selection for choosing out of a (particular) list of bad
- choices. (bug#415)
- - Fix make_new_space function so that the incoming query is not
- overwritten if a jostled out query causes a waiting query to be
- resumed that then fails and sends an error message. (Thanks to
- Matthew Lee).
-
-21 October 2011: Wouter
- - fix --enable-allsymbols, fptr wlist is disabled on windows with this
- option enabled because of memory layout exe vs dll.
-
-19 October 2011: Wouter
- - fix unbound-anchor for broken strptime on OSX lion, detected
- in configure.
- - Detect if GOST really works, openssl1.0 on OSX fails.
- - Implement ipv6%interface notation for scope_id usage.
-
-17 October 2011: Wouter
- - better documentation for inform_super (Thanks Yang Zhe).
-
-14 October 2011: Wouter
- - Fix for out-of-memory condition in libunbound (thanks
- Robert Fleischman).
-
-13 October 2011: Wouter
- - Fix --enable-allsymbols, it depended on link specifics of the
- target platform, or fptr_wlist assertion failures could occur.
-
-12 October 2011: Wouter
- - updated contrib/unbound_munin_ to family=auto so that it works with
- munin-node-configure automatically (if installed as
- /usr/local/share/munin/plugins/unbound_munin_ ).
-
-27 September 2011: Wouter
- - unbound.exe -w windows option for start and stop service.
-
-23 September 2011: Wouter
- - TCP-upstream calculates tcp-ping so server selection works if there
- are alternatives.
-
-20 September 2011: Wouter
- - Fix classification of NS set in answer section, where there is a
- parent-child server, and the answer has the AA flag for dir.slb.com.
- Thanks to Amanda Constant from Secure64.
-
-16 September 2011: Wouter
- - fix bug #408: accept patch from Steve Snyder that comments out
- unused functions in lookup3.c.
- - iana portlist updated.
- - fix EDNS1480 change memleak and TCP fallback.
- - fix various compiler warnings (reported by Paul Wouters).
- - max sent count. EDNS1480 only for rtt < 5000. No promiscuous
- fetch if sentcount > 3, stop query if sentcount > 16. Count is
- reset when referral or CNAME happens. This makes unbound better
- at managing large NS sets, they are explored when there is continued
- interest (in the form of queries).
-
-15 September 2011: Wouter
- - release 1.4.13.
- - trunk contains 1.4.14 in development.
- - Unbound probes at EDNS1480 if there an EDNS0 timeout.
-
-12 September 2011: Wouter
- - Reverted dns EDNS backoff fix, it did not help and needs
- fragmentation fixes instead.
- - tag 1.4.13rc2
-
-7 September 2011: Wouter
- - Fix operation in ipv6 only (do-ip4: no) mode.
-
-6 September 2011: Wouter
- - fedora specfile updated.
-
-5 September 2011: Wouter
- - tag 1.4.13rc1
-
-2 September 2011: Wouter
- - iana portlist updated.
-
-26 August 2011: Wouter
- - Fix num-threads 0 does not segfault, reported by Simon Deziel.
- - Fix validation failures due to EDNS backoff retries, the retry
- for fetch of data has want_dnssec because the iter_indicate_dnssec
- function returns true when validation failure retry happens, and
- then the serviced query code does not fallback to noEDNS, even if
- the cache says it has this. This helps for DLV deployment when
- the DNSSEC status is not known for sure before the lookup concludes.
-
-24 August 2011: Wouter
- - Applied patch from Karel Slany that fixes a memory leak in the
- unbound python module, in string conversions.
-
-22 August 2011: Wouter
- - Fix validation of qtype ANY responses with CNAMEs (thanks Cathy
- Zhang and Luo Ce). Unbound responds with the RR types that are
- available at the name for qtype ANY and validates those RR types.
- It does not test for completeness (i.e. with NSEC or NSEC3 query),
- and it does not follow the CNAME or DNAME to another name (with
- even more data for the already large response).
- - Fix that internally, CNAMEs with NXDOMAIN have that as rcode.
- - Documented the options that work with control set_option command.
- - tcp-upstream yes/no option (works with set_option) for tunnels.
-
-18 August 2011: Wouter
- - fix autoconf call in makedist crosscompile to RC or snapshot.
-
-17 August 2011: Wouter
- - Fix validation of . DS query.
- - new xml format at IANA, new awk for iana_update.
- - iana portlist updated.
-
-10 August 2011: Wouter
- - Fix python site-packages path to /usr/lib64.
- - updated patch from Tom.
- - fix memory and fd leak after out-of-memory condition.
-
-9 August 2011: Wouter
- - patch from Tom Hendrikx fixes load of python modules.
-
-8 August 2011: Wouter
- - make clean had ldns-src reference, removed.
-
-1 August 2011: Wouter
- - Fix autoconf 2.68 warnings
-
-14 July 2011: Wouter
- - Unbound implements RFC6303 (since version 1.4.7).
- - tag 1.4.12rc1 is released as 1.4.12 (without the other fixes in the
- meantime, those are for 1.4.13).
- - iana portlist updated.
-
-13 July 2011: Wouter
- - Quick fix for contrib/unbound.spec example, no ldns-builtin any more.
-
-11 July 2011: Wouter
- - Fix wildcard expansion no-data reply under an optout NSEC3 zone is
- validated as insecure, reported by Jia Li (lijia@cnnic.cn).
-
-4 July 2011: Wouter
- - 1.4.12rc1 tag created.
-
-1 July 2011: Wouter
- - version number in example config file.
- - fix that --enable-static-exe does not complain about it unknown.
-
-30 June 2011: Wouter
- - tag relase 1.4.11, trunk is 1.4.12 development.
- - iana portlist updated.
- - fix bug#395: id bits of other query may leak out under conditions
- - fix replyaddr count wrong after jostled queries, which leads to
- eventual starvation where the daemon has no replyaddrs left to use.
- - fix comment about rndc port, that referred to the old port number.
- - fix that the listening socket is not closed when too many remote
- control connections are made at the same time.
- - removed ldns-src tarball inside the unbound tarball.
-
-23 June 2011: Wouter
- - Changed -flto check to support clang compiler.
- - tag 1.4.11rc3 created.
-
-17 June 2011: Wouter
- - tag 1.4.11rc1 created.
- - remove warning about signed/unsigned from flex (other flex version).
- - updated aclocal.m4 and libtool to match.
- - tag 1.4.11rc2 created.
-
-16 June 2011: Wouter
- - log-queries: yesno option, default is no, prints querylog.
- - version is 1.4.11.
-
-14 June 2011: Wouter
- - Use -flto compiler flag for link time optimization, if supported.
- - iana portlist updated.
-
-12 June 2011: Wouter
- - IPv6 service address for d.root-servers.net (2001:500:2D::D).
-
-10 June 2011: Wouter
- - unbound-control has version number in the header,
- UBCT[version]_space_ is the header sent by the client now.
- - Unbound control port number is registered with IANA:
- ub-dns-control 8953/tcp unbound dns nameserver control
- This is the new default for the control-port config setting.
- - statistics-interval prints the number of jostled queries to log.
-
-30 May 2011: Wouter
- - Fix Makefile for U in environment, since wrong U is more common than
- deansification necessity.
- - iana portlist updated.
- - updated ldns tarball to 1.6.10rc2 snapshot of today.
-
-25 May 2011: Wouter
- - Fix assertion failure when unbound generates an empty error reply
- in response to a query, CVE-2011-1922 VU#531342.
- - This fix is in tag 1.4.10.
- - defense in depth against the above bug, an error is printed to log
- instead of an assertion failure.
-
-10 May 2011: Wouter
- - bug#386: --enable-allsymbols option links all binaries to libunbound
- and reduces install size significantly.
- - feature, ignore-cd-flag: yesno to provide dnssec to legacy servers.
- - iana portlist updated.
- - Fix TTL of SOA so negative TTL is separately cached from normal TTL.
-
-14 April 2011: Wouter
- - configure created with newer autoconf 2.66.
-
-12 April 2011: Wouter
- - bug#378: Fix that configure checks for ldns_get_random presence.
-
-8 April 2011: Wouter
- - iana portlist updated.
- - queries with CD flag set cause DNSSEC validation, but the answer is
- not withheld if it is bogus. Thus, unbound will retry if it is bad
- and curb the TTL if it is bad, thus protecting the cache for use by
- downstream validators.
- - val-override-date: -1 ignores dates entirely, for NTP usage.
-
-29 March 2011: Wouter
- - harden-below-nxdomain: changed so that it activates when the
- cached nxdomain is dnssec secure. This avoids backwards
- incompatibility because those old servers do not have dnssec.
-
-24 March 2011: Wouter
- - iana portlist updated.
- - release 1.4.9.
- - trunk is 1.5.0
-
-17 March 2011: Wouter
- - bug#370: new unbound.spec for CentOS 5.x from Harold Jones.
- Applied but did not do the --disable-gost.
-
-10 March 2011: Wouter
- - tag 1.4.9 release candidate 1 created.
-
-3 March 2011: Wouter
- - updated ldns to today.
-
-1 March 2011: Wouter
- - Fix no ADflag for NXDOMAIN in NSEC3 optout. And wildcard in optout.
- - give config parse error for multiple names on a stub or forward zone.
- - updated ldns tarball to 1.6.9(todays snapshot).
-
-24 February 2011: Wouter
- - bug #361: Fix, time.elapsed variable not reset with stats_noreset.
-
-23 February 2011: Wouter
- - iana portlist updated.
- - common.sh to version 3.
-
-18 February 2011: Wouter
- - common.sh in testdata updated to version 2.
-
-15 February 2011: Wouter
- - Added explicit note on unbound-anchor usage:
- Please note usage of unbound-anchor root anchor is at your own risk
- and under the terms of our LICENSE (see that file in the source).
-
-11 February 2011: Wouter
- - iana portlist updated.
- - tpkg updated with common.sh for common functionality.
-
-7 February 2011: Wouter
- - Added regression test for addition of a .net DS to the root, and
- cache effects with different TTL for glue and DNSKEY.
- - iana portlist updated.
-
-28 January 2011: Wouter
- - Fix remove private address does not throw away entire response.
-
-24 January 2011: Wouter
- - release 1.4.8
-
-19 January 2011: Wouter
- - fix bug#349: no -L/usr for ldns.
-
-18 January 2011: Wouter
- - ldns 1.6.8 tarball included.
- - release 1.4.8rc1.
-
-17 January 2011: Wouter
- - add get and set option for harden-below-nxdomain feature.
- - iana portlist updated.
-
-14 January 2011: Wouter
- - Fix so a changed NS RRset does not get moved name stuck on old
- server, for type NS the TTL is not increased.
-
-13 January 2011: Wouter
- - Fix prefetch so it does not get stuck on old server for moved names.
-
-12 January 2011: Wouter
- - iana portlist updated.
-
-11 January 2011: Wouter
- - Fix insecure CNAME sequence marked as secure, reported by Bert
- Hubert.
-
-10 January 2011: Wouter
- - faster lruhash get_mem routine.
-
-4 January 2011: Wouter
- - bug#346: remove ITAR scripts from contrib, the service is discontinued, use the root.
- - iana portlist updated.
-
-23 December 2010: Wouter
- - Fix in infra cache that could cause rto larger than TOP_TIMEOUT kept.
-
-21 December 2010: Wouter
- - algorithm compromise protection using the algorithms signalled in
- the DS record. Also, trust anchors, DLV, and RFC5011 receive this,
- and thus, if you have multiple algorithms in your trust-anchor-file
- then it will now behave different than before. Also, 5011 rollover
- for algorithms needs to be double-signature until the old algorithm
- is revoked.
- It is not an option, because I see no use to turn the security off.
- - iana portlist updated.
-
-17 December 2010: Wouter
- - squelch 'tcp connect: bla' in logfile, (set verbosity 2 to see them).
- - fix validation in this case: CNAME to nodata for co-hosted opt-in
- NSEC3 insecure delegation, was bogus, fixed to be insecure.
-
-16 December 2010: Wouter
- - Fix our 'BDS' license (typo reported by Xavier Belanger).
-
-10 December 2010: Wouter
- - iana portlist updated.
- - review changes for unbound-anchor.
-
-2 December 2010: Wouter
- - feature typetransparent localzone, does not block other RR types.
-
-1 December 2010: Wouter
- - Fix bug#338: print address when socket creation fails.
-
-30 November 2010: Wouter
- - Fix storage of EDNS failures in the infra cache.
- - iana portlist updated.
-
-18 November 2010: Wouter
- - harden-below-nxdomain option, default off (because very old
- software may be incompatible). We could enable it by default in
- the future.
-
-17 November 2010: Wouter
- - implement draft-vixie-dnsext-resimprove-00, we stop on NXDOMAIN.
- - make test output nicer.
-
-15 November 2010: Wouter
- - silence 'tcp connect: broken pipe' and 'net down' at low verbosity.
- - iana portlist updated.
- - so-sndbuf option for very busy servers, a bit like so-rcvbuf.
-
-9 November 2010: Wouter
- - unbound-anchor compiles with openssl 0.9.7.
-
-8 November 2010: Wouter
- - release tag 1.4.7.
- - trunk is version 1.4.8.
- - Be lenient and accept imgw.pl malformed packet (like BIND).
-
-5 November 2010: Wouter
- - do not synthesize a CNAME message from cache for qtype DS.
-
-4 November 2010: Wouter
- - Use central entropy to seed threads.
-
-3 November 2010: Wouter
- - Change the rtt used to probe EDNS-timeout hosts to 1000 msec.
-
-2 November 2010: Wouter
- - tag 1.4.7rc1.
- - code review.
-
-1 November 2010: Wouter
- - GOST code enabled by default (RFC 5933).
-
-27 October 2010: Wouter
- - Fix uninit value in dump_infra print.
- - Fix validation failure for parent and child on same server with an
- insecure childzone and a CNAME from parent to child.
- - Configure detects libev-4.00.
-
-26 October 2010: Wouter
- - dump_infra and flush_infra commands for unbound-control.
- - no timeout backoff if meanwhile a query succeeded.
- - Change of timeout code. No more lost and backoff in blockage.
- At 12sec timeout (and at least 2x lost before) one probe per IP
- is allowed only. At 120sec, the IP is blocked. After 15min, a
- 120sec entry has a single retry packet.
-
-25 October 2010: Wouter
- - Configure errors if ldns is not found.
-
-22 October 2010: Wouter
- - Windows 7 fix for the installer.
-
-21 October 2010: Wouter
- - Fix bug where fallback_tcp causes wrong roundtrip and edns
- observation to be noted in cache. Fix bug where EDNSprobe halted
- exponential backoff if EDNS status unknown.
- - new unresponsive host method, exponentially increasing block backoff.
- - iana portlist updated.
-
-20 October 2010: Wouter
- - interface automatic works for some people with ip6 disabled.
- Therefore the error check is removed, so they can use the option.
-
-19 October 2010: Wouter
- - Fix for request list growth, if a server has long timeout but the
- lost counter is low, then its effective rtt is the one without
- exponential backoff applied. Because the backoff is not working.
- The lost counter can then increase and the server is blacklisted,
- or the lost counter does not increase and the server is working
- for some queries.
-
-18 October 2010: Wouter
- - iana portlist updated.
-
-13 October 2010: Wouter
- - Fix TCP so it uses a random outgoing-interface.
- - unbound-anchor handles ADDPEND keystate.
-
-11 October 2010: Wouter
- - Fix bug when DLV below a trust-anchor that uses NSEC3 optout where
- the zone has a secure delegation hosted on the same server did not
- verify as secure (it was insecure by mistake).
- - iana portlist updated.
- - ldns tarball updated (for reading cachedumps with bad RR data).
-
-1 October 2010: Wouter
- - test for unbound-anchor. fix for reading certs.
- - Fix alloc_reg_release for longer uptime in out of memory conditions.
-
-28 September 2010: Wouter
- - unbound-anchor working, it creates or updates a root.key file.
- Use it before you start the validator (e.g. at system boot time).
-
-27 September 2010: Wouter
- - iana portlist updated.
-
-24 September 2010: Wouter
- - bug#329: in example.conf show correct ipv4 link-local 169.254/16.
-
-23 September 2010: Wouter
- - unbound-anchor app, unbound requires libexpat (xml parser library).
-
-22 September 2010: Wouter
- - compliance with draft-ietf-dnsop-default-local-zones-14, removed
- reverse ipv6 orchid prefix from builtin list.
- - iana portlist updated.
-
-17 September 2010: Wouter
- - DLV has downgrade protection again, because the RFC says so.
- - iana portlist updated.
-
-16 September 2010: Wouter
- - Algorithm rollover operational reality intrudes, for trust-anchor,
- 5011-store, and DLV-anchor if one key matches it's good enough.
- - iana portlist updated.
- - Fix reported validation error in out of memory condition.
-
-15 September 2010: Wouter
- - Abide RFC5155 section 9.2: no AD flag for replies with NSEC3 optout.
-
-14 September 2010: Wouter
- - increased mesh-max-activation from 1000 to 3000 for crazy domains
- like _tcp.slb.com with 262 servers.
- - iana portlist updated.
-
-13 September 2010: Wouter
- - bug#327: Fix for cannot access stub zones until the root is primed.
-
-9 September 2010: Wouter
- - unresponsive servers are not completely blacklisted (because of
- firewalls), but also not probed all the time (because of the request
- list size it generates). The probe rate is 1%.
- - iana portlist updated.
-
-20 August 2010: Wouter
- - openbsd-lint fixes: acl_list_get_mem used if debug-alloc enabled.
- iterator get_mem includes priv_get_mem. delegpt nodup removed.
- listen_pushback, query_info_allocqname, write_socket, send_packet,
- comm_point_set_cb_arg and listen_resume removed.
-
-19 August 2010: Wouter
- - Fix bug#321: resolution of rs.ripe.net artifacts with 0x20.
- Delegpt structures checked for duplicates always.
- No more nameserver lookups generated when depth is full anyway.
- - example.conf notes how to do DNSSEC validation and track the root.
- - iana portlist updated.
-
-18 August 2010: Wouter
- - Fix bug#322: configure does not respect CFLAGS on Solaris.
- Pass CFLAGS="-xO4 -xtarget=generic" on the configure command line
- if use sun-cc, but some systems need different flags.
-
-16 August 2010: Wouter
- - Fix acx_nlnetlabs.m4 configure output for autoconf-2.66 AS_TR_CPP
- changes, uses m4_bpatsubst now.
- - make test (or make check) should be more portable and run the unit
- test and testbound scripts. (make longtest has special requirements).
-
-13 August 2010: Wouter
- - More pleasant remote control command parsing.
- - documentation added for return values reported by doxygen 1.7.1.
- - iana portlist updated.
-
-9 August 2010: Wouter
- - Fix name of rrset printed that failed validation.
-
-5 August 2010: Wouter
- - Return NXDOMAIN after chain of CNAMEs ends at name-not-found.
-
-4 August 2010: Wouter
- - Fix validation in case a trust anchor enters into a zone with
- unsupported algorithms.
-
-3 August 2010: Wouter
- - updated ldns tarball with bugfixes.
- - release tag 1.4.6.
- - trunk becomes 1.4.7 develop.
- - iana portlist updated.
-
-22 July 2010: Wouter
- - more error details on failed remote control connection.
-
-15 July 2010: Wouter
- - rlimit adjustments for select and ulimit can happen at the same time.
-
-14 July 2010: Wouter
- - Donation text added to README.
- - Fix integer underflow in prefetch ttl creation from cache. This
- fixes a potential negative prefetch ttl.
-
-12 July 2010: Wouter
- - Changed the defaults for num-queries-per-thread/outgoing-range.
- For builtin-select: 512/960, for libevent 1024/4096 and for
- windows 24/48 (because of win api). This makes the ratio this way
- to improve resilience under heavy load. For high performance, use
- libevent and possibly higher numbers.
-
-10 July 2010: Wouter
- - GOST enabled if SSL is recent and ldns has GOST enabled too.
- - ldns tarball updated.
-
-9 July 2010: Wouter
- - iana portlist updated.
- - Fix validation of qtype DNSKEY when a key-cache entry exists but
- no rr-cache entry is used (it expired or prefetch), it then goes
- back up to the DS or trust-anchor to validate the DNSKEY.
-
-7 July 2010: Wouter
- - Neat function prototypes, unshadowed local declarations.
-
-6 July 2010: Wouter
- - failure to chown the pidfile is not fatal any more.
- - testbound uses UTC timezone.
- - ldns tarball updated (ports and works on Minix 3.1.7). On Minix, add
- /usr/gnu/bin to PATH, use ./configure AR=/usr/gnu/bin/gar and gmake.
-
-5 July 2010: Wouter
- - log if a server is skipped because it is on the donotquery list,
- at verbosity 4, to enable diagnosis why no queries to 127.0.0.1.
- - added feature to print configure date, target and options with -h.
- - added feature to print event backend system details with -h.
- - wdiff is not actually required by make test, updated requirements.
-
-1 July 2010: Wouter
- - Fix RFC4035 compliance with 2.2 statement that the DNSKEY at apex
- must be signed with all algorithms from the DS rrset at the parent.
- This is now checked and becomes bogus if not.
-
-28 June 2010: Wouter
- - Fix jostle list bug found by Vince (luoce@cnnic), it caused the qps
- in overload situations to be about 5 qps for the class of shortly
- serviced queries.
- The capacity of the resolver is then about (numqueriesperthread / 2)
- / (average time for such long queries) qps for long queries.
- And about (numqueriesperthread / 2)/(jostletimeout in whole seconds)
- qps for short queries, per thread.
- - Fix the max number of reply-address count to be applied for duplicate
- queries, and not for new query list entries. This raises the memory
- usage to a max of (16+1)*numqueriesperthread reply addresses.
-
-25 June 2010: Wouter
- - Fix handling of corner case reply from lame server, follows rfc2308.
- It could lead to a nodata reply getting into the cache if the search
- for a non-lame server turned up other misconfigured servers.
- - unbound.h has extern "C" statement for easier include in c++.
-
-23 June 2010: Wouter
- - iana portlist updated.
- - makedist upgraded cross compile openssl option, like this:
- ./makedist.sh -s -wssl openssl-1.0.0a.tar.gz -w --enable-gost
-
-22 June 2010: Wouter
- - Unbound reports libev or libevent correctly in logs in verbose mode.
- - Fix to unload gost dynamic library module for leak testing.
-
-18 June 2010: Wouter
- - iana portlist updated.
-
-17 June 2010: Wouter
- - Add AAAA to root hints for I.ROOT-SERVERS.NET.
-
-16 June 2010: Wouter
- - Fix assertion failure reported by Kai Storbeck from XS4ALL, the
- assertion was wrong.
- - updated ldns tarball.
-
-15 June 2010: Wouter
- - tag 1.4.5 created.
- - trunk contains 1.4.6 in development.
- - Fix TCPreply on systems with no writev, if just 1 byte could be sent.
- - Fix to use one pointer less for iterator query state store_parent_NS.
- - makedist crosscompile to windows uses builtin ldns not host ldns.
- - Max referral count from 30 to 130, because 128 one character domains
- is valid DNS.
- - added documentation for the histogram printout to syslog.
-
-11 June 2010: Wouter
- - When retry to parent the retrycount is not wiped, so failed
- nameservers are not tried again.
- - iana portlist updated.
-
-10 June 2010: Wouter
- - Fix bug where a long loop could be entered, now cycle detection
- has a loop-counter and maximum search amount.
-
-4 June 2010: Wouter
- - iana portlist updated.
- - 1.4.5rc1 tag created.
-
-3 June 2010: Wouter
- - ldns tarball updated, 1.6.5.
- - review comments, split dependency cycle tracking for parentside
- last resort lookups for A and AAAA so there are more lookup options.
-
-2 June 2010: Wouter
- - Fix compile warning if compiled without threads.
- - updated ldns-tarball with current ldns svn (pre 1.6.5).
- - GOST disabled-by-default, the algorithm number is allocated but the
- RFC is still has to pass AUTH48 at the IETF.
-
-1 June 2010: Wouter
- - Ignore Z flag in incoming messages too.
- - Fix storage of negative parent glue if that last resort fails.
- - libtoolize 2.2.6b, autoconf 2.65 applied to configure.
- - new splint flags for newer splint install.
-
-31 May 2010: Wouter
- - Fix AD flag handling, it could in some cases mistakenly copy the AD
- flag from upstream servers.
- - alloc_special_obtain out of memory is not a fatal error any more,
- enabling unbound to continue longer in out of memory conditions.
- - parentside names are dispreferred but not said to be dnssec-lame.
- - parentside check for cached newname glue.
- - fix parentside and querytargets modulestate, for dump_requestlist.
- - unbound-control-setup makes keys -rw-r--- so not all users permitted.
- - fix parentside from cache to be marked dispreferred for bad names.
-
-28 May 2010: Wouter
- - iana portlist updated.
- - parent-child disagreement approach altered. Older fixes are
- removed in place of a more exhaustive search for misconfigured data
- available via the parent of a delegation.
- This is designed to be throttled by cache entries, with TTL from the
- parent if possible. Additionally the loop-counter is used.
- It also tests for NS RRset differences between parent and child.
- The fetch of misconfigured data should be more reliable and thorough.
- It should work reliably even with no or only partial data in cache.
- Data received from the child (as always) is deemed more
- authoritative than information received from the delegation parent.
- The search for misconfigured data is not performed normally.
-
-26 May 2010: Wouter
- - Contribution from Migiel de Vos (Surfnet): nagios patch for
- unbound-host, in contrib/ (in the source tarball). Makes
- unbound-host suitable for monitoring dnssec(-chain) status.
-
-21 May 2010: Wouter
- - EDNS timeout code will not fire if EDNS status already known.
- - EDNS failure not stored if EDNS status known to work.
-
-19 May 2010: Wouter
- - Fix resolution for domains like safesvc.com.cn. If the iterator
- can not recurse further and it finds the delegation in a state
- where it would otherwise have rejected it outhand if so received
- from a cache lookup, then it can try to ask higherup (with loop
- protection).
- - Fix comments in iter_utils:dp_is_useless.
-
-18 May 2010: Wouter
- - Fix various compiler warnings from the clang llvm compiler.
- - iana portlist updated.
-
-6 May 2010: Wouter
- - Fix bug#308: spelling error in variable name in parser and lexer.
-
-4 May 2010: Wouter
- - Fix dnssec-missing detection that was turned off by server selection.
- - Conforms to draft-ietf-dnsop-default-local-zones-13. Added default
- reverse lookup blocks for IPv4 test nets 100.51.198.in-addr.arpa,
- 113.0.203.in-addr.arpa and Orchid prefix 0.1.1.0.0.2.ip6.arpa.
-
-29 April 2010: Wouter
- - Fix for dnssec lameness detection to use the key cache.
- - infra cache entries that are expired are wiped clean. Previously
- it was possible to not expire host data (if accessed often).
-
-28 April 2010: Wouter
- - ldns tarball updated and GOST support is detected and then enabled.
- - iana portlist updated.
- - Fix detection of gost support in ldns (reported by Chris Smith).
-
-27 April 2010: Wouter
- - unbound-control get_option domain-insecure shows config file items.
- - fix retry sequence if prime hints are recursion-lame.
- - autotrust anchor file can be initialized with a ZSK key as well.
- - harden-referral-path does not result in failures due to max-depth.
- You can increase the max-depth by adding numbers (' 0') after the
- target-fetch-policy, this increases the depth to which is checked.
-
-26 April 2010: Wouter
- - Compile fix using Sun Studio 12 compiler on Solaris 5.9, use
- CPPFLAGS during configure process.
- - if libev is installed on the base system (not libevent), detect
- it from the event.h header file and link with -lev.
- - configlexer.lex gets config.h, and configyyrename.h added by make,
- no more double include.
- - More strict scrubber (Thanks to George Barwood for the idea):
- NS set must be pertinent to the query (qname subdomain nsname).
- - Fix bug#307: In 0x20 backoff fix fallback so the number of
- outstanding queries does not become -1 and block the request.
- Fixed handling of recursion-lame in combination with 0x20 fallback.
- Fix so RRsets are compared canonicalized and sorted if the immediate
- comparison fails, this makes it work around round-robin sites.
-
-23 April 2010: Wouter
- - Squelch log message: sendto failed permission denied for
- 255.255.255.255, it is visible in VERB_DETAIL (verbosity 2).
- - Fix to fetch data as last resort more tenaciously. When cycle
- targets cause the server selection to believe there are more options
- when they really are not there, the server selection is reinitiated.
- - Fix fetch from blacklisted dnssec lame servers as last resort. The
- server's IP address is then given in validator errors as well.
- - Fix local-zone type redirect that did not use the query name for
- the answer rrset.
-
-22 April 2010: Wouter
- - tag 1.4.4.
- - trunk contains 1.4.5 in development.
- - Fix validation failure for qtype ANY caused by a RRSIG parse failure.
- The validator error message was 'no signatures from ...'.
-
-16 April 2010: Wouter
- - more portability defines for CMSG_SPACE, CMSG_ALIGN, CMSG_LEN.
- - tag 1.4.4rc1.
-
-15 April 2010: Wouter
- - ECC-GOST algorithm number 12 that is assigned by IANA. New test
- example key and signatures for GOST. GOST requires openssl-1.0.0.
- GOST is still disabled by default.
-
-9 April 2010: Wouter
- - Fix bug#305: pkt_dname_tolower could read beyond end of buffer or
- get into an endless loop, if 0x20 was enabled, and buffers are small
- or particular broken packets are received.
- - Fix chain of trust with CNAME at an intermediate step, for the DS
- processing proof.
-
-8 April 2010: Wouter
- - Fix validation of queries with wildcard names (*.example).
-
-6 April 2010: Wouter
- - Fix EDNS probe for .de DNSSEC testbed failure, where the infra
- cache timeout coincided with a server update, the current EDNS
- backoff is less sensitive, and does not cache the backoff unless
- the backoff actually works and the domain is not expecting DNSSEC.
- - GOST support with correct algorithm numbers.
-
-1 April 2010: Wouter
- - iana portlist updated.
-
-24 March 2010: Wouter
- - unbound control flushed items are not counted when flushed again.
-
-23 March 2010: Wouter
- - iana portlist updated.
-
-22 March 2010: Wouter
- - unbound-host disables use-syslog from config file so that the
- config file for the main server can be used more easily.
- - fix bug#301: unbound-checkconf could not parse interface
- '0.0.0.0@5353', even though unbound itself worked fine.
-
-19 March 2010: Wouter
- - fix fwd_ancil test to pass if the socket options are not supported.
-
-18 March 2010: Wouter
- - Fixed random numbers for port, interface and server selection.
- Removed very small bias.
- - Refer to the listing in unbound-control man page in the extended
- statistics entry in the unbound.conf man page.
-
-16 March 2010: Wouter
- - Fix interface-automatic for OpenBSD: msg.controllen was too small,
- also assertions on ancillary data buffer.
- - check for IP_SENDSRCADDR for interface-automatic or IP_PKTINFO.
- - for NSEC3 check if signatures are cached.
-
-15 March 2010: Wouter
- - unit test for util/regional.c.
-
-12 March 2010: Wouter
- - Reordered configure checks so fork and -lnsl -lsocket checks are
- earlier, and thus later checks benefit from and do not hinder them.
- - iana portlist updated.
- - ldns tarball updated.
- - Fix python use when multithreaded.
- - Fix solaris python compile.
- - Include less in config.h and include per code file for ldns, ssl.
-
-11 March 2010: Wouter
- - another memory allocation option: --enable-alloc-nonregional.
- exposes the regional allocations to other memory purifiers.
- - fix for memory alignment in struct sock_list allocation.
- - Fix for MacPorts ldns without ssl default, unbound checks if ldns
- has dnssec functionality and uses the builtin if not.
- - Fix daemonize on Solaris 10, it did not detach from terminal.
- - tag 1.4.3 created.
- - trunk is 1.4.4 in development.
- - spelling fix in validation error involving cnames.
-
-10 March 2010: Wouter
- - --enable-alloc-lite works with test set.
- - portability in the testset: printf format conversions, prototypes.
-
-9 March 2010: Wouter
- - tag 1.4.2 created.
- - trunk is 1.4.3 in development.
- - --enable-alloc-lite debug option.
-
-8 March 2010: Wouter
- - iana portlist updated.
-
-4 March 2010: Wouter
- - Fix crash in control channel code.
-
-3 March 2010: Wouter
- - better casts in pipe code, brackets placed wrongly.
- - iana portlist updated.
-
-1 March 2010: Wouter
- - make install depends on make all.
- - Fix 5011 auto-trust-anchor-file initial read to skip RRSIGs.
- - --enable-checking: enables assertions but does not look nonproduction.
- - nicer VERB_DETAIL (verbosity 2, unbound-host -d) output, with
- nxdomain and nodata distinguished.
- - ldns tarball updated.
- - --disable-rpath fixed for libtool not found errors.
- - new fedora specfile from Fedora13 in contrib from Paul Wouters.
-
-26 February 2010: Wouter
- - Fixup prototype for lexer cleanup in daemon code.
- - unbound-control list_stubs, list_forwards, list_local_zones and
- list_local_data.
-
-24 February 2010: Wouter
- - Fix scrubber bug that potentially let NS records through. Reported
- by Amanda Constant.
- - Also delete potential poison references from additional.
- - Fix: no classification of a forwarder as lame, throw away instead.
-
-23 February 2010: Wouter
- - libunbound ub_ctx_get_option() added.
- - unbound-control set_option and get_option commands.
- - iana portlist updated.
-
-18 February 2010: Wouter
- - A little more strict DS scrubbing.
- - No more blacklisting of unresponsive servers, a 2 minute timeout
- is backed off to.
- - RD flag not enabled for dnssec-blacklisted tries, unless necessary.
- - pickup ldns compile fix, libdl for libcrypto.
- - log 'tcp connect: connection timed out' only in high verbosity.
- - unbound-control log_reopen command.
- - moved get_option code from unbound-checkconf to util/config_file.c
-
-17 February 2010: Wouter
- - Disregard DNSKEY from authority section for chain of trust.
- DS records that are irrelevant to a referral scrubbed. Anti-poison.
- - iana portlist updated.
-
-16 February 2010: Wouter
- - Check for 'no space left on device' (or other errors) when
- writing updated autotrust anchors and print errno to log.
-
-15 February 2010: Wouter
- - Fixed the requery protection, the TTL was 0, it is now 900 seconds,
- hardcoded. We made the choice to send out more conservatively,
- protecting against an aggregate effect more than protecting a
- single user (from their own folly, perhaps in case of misconfig).
-
-12 February 2010: Wouter
- - Re-query pattern changed on validation failure. To protect troubled
- authority servers, unbound caches a failure for the DNSKEY or DS
- records for the entire zone, and only retries that 900 seconds later.
- This implies that only a handful of packets are sent extra to the
- authority if the zone fails.
-
-11 February 2010: Wouter
- - ldns tarball update for long label length syntax error fix.
- - iana portlist updated.
-
-9 February 2010: Wouter
- - Fixup in compat snprintf routine, %f 1.02 and %g support.
- - include math.h for testbound test compile portability.
-
-2 February 2010: Wouter
- - Updated url of IANA itar, interim trust anchor repository, in script.
-
-1 February 2010: Wouter
- - iana portlist updated.
- - configure test for memcmp portability.
-
-27 January 2010: Wouter
- - removed warning on format string in validator error log statement.
- - iana portlist updated.
-
-22 January 2010: Wouter
- - libtool finish the install of unbound python dynamic library.
-
-21 January 2010: Wouter
- - acx_nlnetlabs.m4 synchronised with nsd's version.
-
-20 January 2010: Wouter
- - Fixup lookup trouble for parent-child domains on the first query.
-
-14 January 2010: Wouter
- - Fixup ldns detection to also check for header files.
-
-13 January 2010: Wouter
- - prefetch-key option that performs DNSKEY queries earlier in the
- validation process, and that could halve the latency on DNSSEC
- queries. It takes some extra processing (CPU, a cache is needed).
-
-12 January 2010: Wouter
- - Fix unbound-checkconf for auto-trust-anchor-file present checks.
-
-8 January 2010: Wouter
- - Fix for parent-child disagreement code which could have trouble
- when (a) ipv6 was disabled and (b) the TTL for parent and child
- were different. There were two bugs, the parent-side information
- is fixed to no longer block lookup of child side information and
- the iterator is fixed to no longer attempt to get ipv6 when it is
- not enabled and then give up in failure.
- - test and fixes to make prefetch actually store the answer in the
- cache. Considers some rrsets 'already expired' but does not allow
- overwriting of rrsets considered more secure.
-
-7 January 2010: Wouter
- - Fixup python documentation (thanks Leo Vandewoestijne).
- - Work on cache prefetch feature.
- - Stats for prefetch, in log print stats, unbound-control stats
- and in unbound_munin plugin.
-
-6 January 2010: Wouter
- - iana portlist updated.
- - bug#291: DNS wireformat max is 255. dname_valid allowed 256 length.
- - verbose output includes parent-side-address notion for lameness.
- - documented val-log-level: 2 setting in example.conf and man page.
- - change unbound-control-setup from 1024(sha1) to 1536(sha256).
-
-1 January 2010: Wouter
- - iana portlist updated.
-
-22 December 2009: Wouter
- - configure with newer libtool 2.2.6b.
-
-17 December 2009: Wouter
- - review comments.
- - tag 1.4.1.
- - trunk to version 1.4.2.
-
-15 December 2009: Wouter
- - Answer to qclass=ANY queries, with class IN contents.
- Test that validation also works.
- - updated ldns snapshot tarball with latest fixes (parsing records).
-
-11 December 2009: Wouter
- - on IPv4 UDP turn off DF flag.
-
-10 December 2009: Wouter
- - requirements.txt updated with design choice explanations.
- - Reading fixes: fix to set unlame when child confirms parent glue,
- and fix to avoid duplicate addresses in delegation point.
- - verify_rrsig routine checks expiration last.
-
-9 December 2009: Wouter
- - Fix Bug#287(reopened): update of ldns tarball with fix for parse
- errors generated for domain names like '.example.com'.
- - Fix SOA excluded from negative DS responses. Reported by Hauke
- Lampe. The negative cache did not include proper SOA records for
- negative qtype DS responses which makes BIND barf on it, such
- responses are now only used internally.
- - Fix negative cache lookup of closestencloser check of DS type bit.
-
-8 December 2009: Wouter
- - Fix for lookup of parent-child disagreement domains, where the
- parent-side glue works but it does not provide proper NS, A or AAAA
- for itself, fixing domains such as motorcaravanners.eu.
- - Feature: you can specify a port number in the interface: line, so
- you can bind the same interface multiple times at different ports.
-
-7 December 2009: Wouter
- - Bug#287: Fix segfault when unbound-control remove nonexistent local
- data. Added check to tests.
-
-1 December 2009: Wouter
- - Fix crash with module-config "iterator".
- - Added unit test that has "iterator" module-config.
-
-30 November 2009: Wouter
- - bug#284: fix parse of # without end-of-line at end-of-file.
-
-26 November 2009: Wouter
- - updated ldns with release candidate for version 1.6.3.
- - tag for 1.4.0 release.
- - 1.4.1 version in trunk.
- - Fixup major libtool version to 2 because of why_bogus change.
- It was 1:5:0 but should have been 2:0:0.
-
-23 November 2009: Wouter
- - Patch from David Hubbard for libunbound manual page.
- - Fixup endless spinning in unbound-control stats reported by
- Attila Nagy. Probably caused by clock reversal.
-
-20 November 2009: Wouter
- - contrib/split-itar.sh contributed by Tom Hendrikx.
-
-19 November 2009: Wouter
- - better argument help for unbound-control.
- - iana portlist updated.
-
-17 November 2009: Wouter
- - noted multiple entries for multiple domain names in example.conf.
- - iana portlist updated.
-
-16 November 2009: Wouter
- - Fixed signer detection of CNAME responses without signatures.
- - Fix#282 libunbound memleak on error condition by Eric Sesterhenn.
- - Tests for CNAMEs to deeper trust anchors, secure and bogus.
- - svn tag 1.4.0rc1 made.
-
-13 November 2009: Wouter
- - Fixed validation failure for CNAME to optout NSEC3 nodata answer.
- - unbound-host does not fail on type ANY.
- - Fixed wireparse failure to put RRSIGs together with data in some
- long ANY mix cases, which fixes validation failures.
-
-12 November 2009: Wouter
- - iana portlist updated.
- - fix manpage errors reported by debian lintian.
- - review comments.
- - fixup very long vallog2 level error strings.
-
-11 November 2009: Wouter
- - ldns tarball updated (to 1.6.2).
- - review comments.
-
-10 November 2009: Wouter
- - Thanks to Surfnet found bug in new dnssec-retry code that failed
- to combine well when combined with DLV and a particular failure.
- - Fixed unbound-control -h output about argument optionality.
- - review comments.
-
-5 November 2009: Wouter
- - lint fixes and portability tests.
- - better error text for multiple domain keys in one autotrust file.
-
-2 November 2009: Wouter
- - Fix bug where autotrust does not work when started with a DS.
- - Updated GOST unit tests for unofficial algorithm number 249
- and DNSKEY-format changes in draft version -01.
-
-29 October 2009: Wouter
- - iana portlist updated.
- - edns-buffer-size option, default 4096.
- - fixed do-udp: no.
-
-28 October 2009: Wouter
- - removed abort on prealloc failure, error still printed but softfail.
- - iana portlist updated.
- - RFC 5702: RSASHA256 and RSASHA512 support enabled by default.
- - ldns tarball updated (which also enables rsasha256 support).
-
-27 October 2009: Wouter
- - iana portlist updated.
-
-8 October 2009: Wouter
- - please doxygen
- - add val-log-level print to corner case (nameserver.epost.bg).
- - more detail to errors from insecure delegation checks.
- - Fix double time subtraction in negative cache reported by
- Amanda Constant and Hugh Mahon.
- - Made new validator error string available from libunbound for
- applications. It is in result->why_bogus, a zero-terminated string.
- unbound-host prints it by default if a result is bogus.
- Also the errinf is public in module_qstate (for other modules).
-
-7 October 2009: Wouter
- - retry for validation failure in DS and prime results. Less mem use.
- unit test. Provisioning in other tests for requeries.
- - retry for validation failure in DNSKEY in middle of chain of trust.
- unit test.
- - retry for empty non terminals in chain of trust and unit test.
- - Fixed security bug where the signatures for NSEC3 records were not
- checked when checking for absence of DS records. This could have
- enabled the substitution of an insecure delegation.
- - moved version number to 1.4.0 because of 1.3.4 release with only
- the NSEC3 patch from the entry above.
- - val-log-level: 2 shows extended error information for validation
- failures, but still one (longish) line per failure. For example:
- validation failure <example.com. DNSKEY IN>: signature expired from
- 192.0.2.4 for trust anchor example.com. while building chain of trust
- validation failure <www.example.com. A IN>: no signatures from
- 192.0.2.6 for key example.com. while building chain of trust
-
-6 October 2009: Wouter
- - Test set updated to provide additional ns lookup result.
- The retry would attempt to fetch the data from other nameservers
- for bogus data, and this needed to be provisioned in the tests.
-
-5 October 2009: Wouter
- - first validation failure retry code. Retries for data failures.
- And unit test.
-
-2 October 2009: Wouter
- - improve 5011 modularization.
- - fix unbound-host so -d can be given before -C.
- - iana portlist updated.
-
-28 September 2009: Wouter
- - autotrust-anchor-file can read multiline input and $ORIGIN.
- - prevent integer overflow in holddown calculation. review fixes.
- - fixed race condition in trust point revocation. review fix.
- - review fixes to comments, removed unused code.
-
-25 September 2009: Wouter
- - so-rcvbuf: 4m option added. Set this on large busy servers to not
- drop the occasional packet in spikes due to full socket buffers.
- netstat -su keeps a counter of UDP dropped due to full buffers.
- - review of validator/autotrust.c, small fixes and comments.
-
-23 September 2009: Wouter
- - 5011 query failed counts verification failures, not lookup failures.
- - 5011 probe failure handling fixup.
- - test unbound reading of original autotrust data.
- The metadata per-key, such as key state (PENDING, MISSING, VALID) is
- picked up, otherwise performs initial probe like usual.
-
-22 September 2009: Wouter
- - autotrust test with algorithm rollover, new ordering of checks
- assists in orderly rollover.
- - autotrust test with algorithm rollover to unknown algorithm.
- checks if new keys are supported before adding them.
- - autotrust test with trust point revocation, becomes unsigned.
- - fix DNSSEC-missing-signature detection for minimal responses
- for qtype DNSKEY (assumes DNSKEY occurs at zone apex).
-
-18 September 2009: Wouter
- - autotrust tests, fix trustpoint timer deletion code.
- fix count of valid anchors during missing remove.
- - autotrust: pick up REVOKE even if not signed with known other keys.
-
-17 September 2009: Wouter
- - fix compile of unbound-host when --enable-alloc-checks.
- - Fix lookup problem reported by Koh-ichi Ito and Jaap Akkerhuis.
- - Manual page fixes reported by Tony Finch.
-
-16 September 2009: Wouter
- - Fix memory leak reported by Tao Ma.
- - Fix memstats test tool for log-time-ascii log format.
-
-15 September 2009: Wouter
- - iana portlist updated.
-
-10 September 2009: Wouter
- - increased MAXSYSLOGLEN so .bg key can be printed in debug output.
- - use linebuffering for log-file: output, this can be significantly
- faster than the previous fflush method and enable some class of
- resolvers to use high verbosity (for short periods).
- Not on windows, because line buffering does not work there.
-
-9 September 2009: Wouter
- - Fix bug where DNSSEC-bogus messages were marked with too high TTL.
- The RRsets would still expire at the normal time, but this would
- keep messages bogus in the cache for too long.
- - regression test for that bug.
- - documented that load_cache is meant for debugging.
-
-8 September 2009: Wouter
- - fixup printing errors when load_cache, they were printed to the
- SSL connection which broke, now to the log.
- - new ldns - with fixed parse of large SOA values.
-
-7 September 2009: Wouter
- - autotrust testbound scenarios.
- - autotrust fix that failure count is written to file.
- - autotrust fix that keys may become valid after add holddown time
- alone, before the probe returns.
-
-4 September 2009: Wouter
- - Changes to make unbound work with libevent-2.0.3 alpha. (in
- configure detection due to new ssl dependency in libevent)
- - do not call sphinx for documentation when python is disabled.
- - remove EV_PERSIST from libevent timeout code to make the code
- compatible with the libevent-2.0. Works with older libevent too.
- - fix memory leak in python code.
-
-3 September 2009: Wouter
- - Got a patch from Luca Bruno for libunbound support on windows to
- pick up the system resolvconf nameservers and hosts there.
- - included ldns updated (enum warning fixed).
- - makefile fix for parallel makes.
- - Patch from Zdenek Vasicek and Attila Nagy for using the source IP
- from python scripts. See pythonmod/examples/resip.py.
- - doxygen comment fixes.
-
-2 September 2009: Wouter
- - TRAFFIC keyword for testbound. Simplifies test generation.
- ${range lower val upper} to check probe timeout values.
- - test with 5011-prepublish rollover and revocation.
- - fix revocation of RR for autotrust, stray exclamation mark.
-
-1 September 2009: Wouter
- - testbound variable arithmetic.
- - autotrust probe time is randomised.
- - autotrust: the probe is active and does not fetch from cache.
-
-31 August 2009: Wouter
- - testbound variable processing.
-
-28 August 2009: Wouter
- - fixup unbound-control lookup to print forward and stub servers.
-
-27 August 2009: Wouter
- - autotrust: mesh answer callback is empty.
-
-26 August 2009: Wouter
- - autotrust probing.
- - iana portlist updated.
-
-25 August 2009: Wouter
- - fixup memleak in trust anchor unsupported algorithm check.
- - iana portlist updated.
- - autotrust options: add-holddown, del-holddown, keep-missing.
- - autotrust store revoked status of trust points.
- - ctime_r compat definition.
- - detect yylex_destroy() in configure.
- - detect SSL_get_compression_methods declaration in configure.
- - fixup DS lookup at anchor point with unsigned parent.
- - fixup DLV lookup for DS queries to unsigned domains.
-
-24 August 2009: Wouter
- - cleaner memory allocation on exit. autotrust test routines.
- - free all memory on program exit, fix for ssl and flex.
-
-21 August 2009: Wouter
- - autotrust: debug routines. Read,write and conversions work.
-
-20 August 2009: Wouter
- - autotrust: save and read trustpoint variables.
-
-19 August 2009: Wouter
- - autotrust: state table updates.
- - iana portlist updated.
-
-17 August 2009: Wouter
- - autotrust: process events.
-
-17 August 2009: Wouter
- - Fix so that servers are only blacklisted if they fail to reply
- to 16 queries in a row and the timeout gets above 2 minutes.
- - autotrust work, split up DS verification of DNSKEYs.
-
-14 August 2009: Wouter
- - unbound-control lookup prints out infra cache information, like RTT.
- - Fix bug in DLV lookup reported by Amanda from Secure64.
- It could sometimes wrongly classify a domain as unsigned, which
- does not give the AD bit on replies.
-
-13 August 2009: Wouter
- - autotrust read anchor files. locked trust anchors.
-
-12 August 2009: Wouter
- - autotrust import work.
-
-11 August 2009: Wouter
- - Check for openssl compatible with gost if enabled.
- - updated unit test for GOST=211 code.
- Nicer naming of test files.
- - iana portlist updated.
-
-7 August 2009: Wouter
- - call OPENSSL_config() in unbound and unit test so that the
- operator can use openssl.cnf for configuration options.
- - removed small memory leak from config file reader.
-
-6 August 2009: Wouter
- - configure --enable-gost for GOST support, experimental
- implementation of draft-dolmatov-dnsext-dnssec-gost-01.
- - iana portlist updated.
- - ldns tarball updated (with GOST support).
-
-5 August 2009: Wouter
- - trunk moved to 1.3.4.
-
-4 August 2009: Wouter
- - Added test that the examples from draft rsasha256-14 verify.
- - iana portlist updated.
- - tagged 1.3.3
-
-3 August 2009: Wouter
- - nicer warning when algorithm not supported, tells you to upgrade.
- - iana portlist updated.
-
-27 July 2009: Wouter
- - Updated unbound-cacti contribution from Dmitriy Demidov, with
- the queue statistics displayed in its own graph.
- - iana portlist updated.
-
-22 July 2009: Wouter
- - Fix bug found by Michael Tokarev where unbound would try to
- prime the root servers even though forwarders are configured for
- the root.
- - tagged 1.3.3rc1
-
-21 July 2009: Wouter
- - Fix server selection, so that it waits for open target queries when
- faced with lameness.
-
-20 July 2009: Wouter
- - Ignore transient sendto errors, no route to host, and host, net down.
- - contrib/update-anchor.sh has -r option for root-hints.
- - feature val-log-level: 1 prints validation failures so you can
- keep track of them during dnssec deployment.
-
-16 July 2009: Wouter
- - fix replacement malloc code. Used in crosscompile.
- - makedist -w creates crosscompiled setup.exe on fedora11.
-
-15 July 2009: Wouter
- - dependencies for compat items, for crosscompile.
- - mingw32 crosscompile changes, dependencies and zipfile creation.
- and with System.dll from the windows NSIS you can make setup.exe.
- - package libgcc_s_sjlj exception handler for NSISdl.dll.
-
-14 July 2009: Wouter
- - updated ldns tarball for solaris x64 compile assistance.
- - no need to define RAND_MAX from config.h.
- - iana portlist updated.
- - configure changes and ldns update for mingw32 crosscompile.
-
-13 July 2009: Wouter
- - Fix for crash at start on windows.
- - tag for release 1.3.2.
- - trunk has version 1.3.3.
- - Fix for ID bits on windows to use all 16. RAND_MAX was not
- defined like you'd expect on mingw. Reported by Mees de Roo.
-
-9 July 2009: Wouter
- - tag for release 1.3.1.
- - trunk has version 1.3.2.
-
-7 July 2009: Wouter
- - iana portlist updated.
-
-6 July 2009: Wouter
- - prettier error handling in SSL setup.
- - makedist.sh uname fix (same as ldns).
- - updated fedora spec file.
-
-3 July 2009: Wouter
- - fixup linking when ldnsdir is "".
-
-30 June 2009: Wouter
- - more lenient truncation checks.
-
-29 June 2009: Wouter
- - ldns trunk r2959 imported as tarball, because of solaris cc compile
- support for c99. r2960 for better configure.
- - better wrongly_truncated check.
- - On Linux, fragment IPv6 datagrams to the IPv6 minimum MTU, to
- avoid dropped packets at routers.
-
-26 June 2009: Wouter
- - Fix EDNS fallback when EDNS works for short answers but long answers
- are dropped.
-
-22 June 2009: Wouter
- - fixup iter priv strict aliasing while preserving size of sockaddr.
- - iana portlist updated. (one less port allocated, one more fraction
- of a bit for security!)
- - updated fedora specfile in contrib from Paul Wouters.
-
-19 June 2009: Wouter
- - Fixup strict aliasing warning in iter priv code.
- and config_file code.
- - iana portlist updated.
- - harden-referral-path: handle cases where NS is in answer section.
-
-18 June 2009: Wouter
- - Fix of message parse bug where (specifically) an NSEC and RRSIG
- in the wrong order would be parsed, but put wrongly into internal
- structures so that later validation would fail.
- - Extreme lenience for wrongly truncated replies where a positive
- reply has an NS in the authority but no signatures. They are
- turned into minimal responses with only the (secure) answer.
- - autoconf 2.63 for configure.
- - python warnings suppress. Keep python API away from header files.
-
-17 June 2009: Wouter
- - CREDITS entry for cz.nic, sponsoring a 'summer of code' that was
- used for the python code in unbound. (http://www.nic.cz/vip/ in cz).
-
-16 June 2009: Wouter
- - Fixup opportunistic target query generation to it does not
- generate queries that are known to fail.
- - Touchup on munin total memory report.
- - messages picked out of the cache by the iterator are checked
- if their cname chain is still correct and if validation status
- has to be reexamined.
-
-15 June 2009: Wouter
- - iana portlist updated.
-
-14 June 2009: Wouter
- - Fixed bug where cached responses would lose their security
- status on second validation, which especially impacted dlv
- lookups. Reported by Hauke Lampe.
-
-13 June 2009: Wouter
- - bug #254. removed random whitespace from example.conf.
-
-12 June 2009: Wouter
- - Fixup potential wrong NSEC picked out of the cache.
- - If unfulfilled callbacks are deleted they are called with an error.
- - fptr wlist checks for mesh callbacks.
- - fwd above stub in configuration works.
-
-11 June 2009: Wouter
- - Fix queries for type DS when forward or stub zones are there.
- They are performed to higherup domains, and thus treated as if
- going to higher zones when looking up the right forward or stub
- server. This makes a stub pointing to a local server that has
- a local view of example.com signed with the same keys as are
- publicly used work. Reported by Johan Ihren.
- - Added build-unbound-localzone-from-hosts.pl to contrib, from
- Dennis DeDonatis. It converts /etc/hosts into config statements.
- - same thing fixed for forward-zone and DS, chain of trust from
- public internet into the forward-zone works now. Added unit test.
-
-9 June 2009: Wouter
- - openssl key files are opened apache-style, when user is root and
- before chrooting. This makes permissions on remote-control key
- files easier to set up. Fixes bug #251.
- - flush_type and flush_name remove msg cache entries.
- - codereview - dp copy bogus setting fix.
-
-8 June 2009: Wouter
- - Removed RFC5011 REVOKE flag support. Partial 5011 support may cause
- inadvertant behaviour.
- - 1.3.0 tarball for release created.
- - 1.3.1 development in svn trunk.
- - iana portlist updated.
- - fix lint from complaining on ldns/sha.h.
- - help compiler figure out aliasing in priv_rrset_bad() routine.
- - fail to configure with python if swig is not found.
- - unbound_munin_ in contrib uses ps to show rss if sbrk does not work.
-
-3 June 2009: Wouter
- - fixup bad free() when wrongly encoded DSA signature is seen.
- Reported by Paul Wouters.
- - review comments from Matthijs.
-
-2 June 2009: Wouter
- - --enable-sha2 option. The draft rsasha256 changed its algorithm
- numbers too often. Therefore it is more prudent to disable the
- RSASHA256 and RSASHA512 support by default.
- - ldns trunk included as new tarball.
- - recreated the 1.3.0 tag in svn. rc1 tarball generated at this point.
-
-29 May 2009: Wouter
- - fixup doc bug in README reported by Matthew Dempsky.
-
-28 May 2009: Wouter
- - update iana port list
- - update ldns lib tarball
-
-27 May 2009: Wouter
- - detect lack of IPv6 support on XP (with a different error code).
- - Fixup a crash-on-exit which was triggered by a very long queue.
- Unbound would try to re-use ports that came free, but this is
- of course not really possible because everything is deleted.
- Most easily triggered on XP (not Vista), maybe because of the
- network stack encouraging large messages backlogs.
- - change in debug statements.
- - Fixed bug that could cause a crash if root prime failed when there
- were message backlogs.
-
-26 May 2009: Wouter
- - Thanks again to Brett Carr, found an assertion that was not true.
- Assertion checked if recursion parent query still existed.
-
-29 April 2009: Wouter
- - Thanks to Brett Carr, caught windows resource leak, use
- closesocket() and not close() on sockets or else the network stack
- starts to leak handles.
- - Removed usage of windows Mutex because windows cannot handle enough
- mutexes open. Provide own mutex implementation using primitives.
-
-28 April 2009: Wouter
- - created svn tag for 1.3.0.
-
-27 April 2009: Wouter
- - optimised cname from cache.
- - ifdef windows functions in testbound.
-
-23 April 2009: Wouter
- - fix for threadsafety in solaris thr_key_create() in tests.
- - iana portlist updated.
- - fix pylib test for Darwin.
- - fix pymod test for Darwin and a python threading bug in pymod init.
- - check python >= 2.4 in configure.
- - -ldl check for libcrypto 1.0.0beta.
-
-21 April 2009: Wouter
- - fix for build outside sourcedir.
- - fix for configure script swig detection.
-
-17 April 2009: Wouter
- - Fix reentrant in minievent handler for unix. Could have resulted
- in spurious event callbacks.
- - timers do not take up a fd slot for winsock handler.
- - faster fix for winsock reentrant check.
- - fix rsasha512 unit test for new (interim) algorithm number.
- - fix test:ldns doesn't like DOS line endings in keyfiles on unix.
- - fix compile warning on ubuntu (configlexer fwrite return value).
- - move python include directives into CPPFLAGS instead of CFLAGS.
-
-16 April 2009: Wouter
- - winsock event handler exit very quickly on signal, even if
- under heavy load.
- - iana portlist updated.
- - fixup windows winsock handler reentrant problem.
-
-14 April 2009: Wouter
- - bug #245: fix munin plugin, perform cleanup of stale lockfiles.
- - makedist.sh; better help text.
- - cache-min-ttl option and tests.
- - mingw detect error condition on TCP sockets (NOTCONN).
-
-9 April 2009: Wouter
- - Fix for removal of RSASHA256_NSEC3 protonumber from ldns.
- - ldns tarball updated.
- - iana portlist update.
- - detect GOST support in openssl-1.0.0-beta1, and fix compile problem
- because that openssl defines the name STRING for itself.
-
-6 April 2009: Wouter
- - windows compile fix.
- - Detect FreeBSD jail without ipv6 addresses assigned.
- - python libunbound wrapper unit test.
- - installs the following files. Default is to not build them.
- from configure --with-pythonmodule:
- /usr/lib/python2.x/site-packages/unboundmodule.py
- from configure --with-pyunbound:
- /usr/lib/python2.x/site-packages/unbound.py
- /usr/lib/python2.x/site-packages/_unbound.so*
- The example python scripts (pythonmod/examples and
- libunbound/python/examples) are not installed.
- - python invalidate routine respects packed rrset ids and locks.
- - clock skew checks in unbound, config statements.
- - nxdomain ttl considerations in requirements.txt
-
-3 April 2009: Wouter
- - Fixed a bug that caused messages to be stored in the cache too
- long. Hard to trigger, but NXDOMAINs for nameservers or CNAME
- targets have been more vulnerable to the TTL miscalculation bug.
- - documentation test fixed for python addition.
-
-2 April 2009: Wouter
- - pyunbound (libunbound python plugin) compiles using libtool.
- - documentation for pythonmod and pyunbound is generated in doc/html.
- - iana portlist updated.
- - fixed bug in unbound-control flush_zone where it would not flush
- every message in the target domain. This especially impacted
- NXDOMAIN messages which could remain in the cache regardless.
- - python module test package.
-
-1 April 2009: Wouter
- - suppress errors when trying to contact authority servers that gave
- ipv6 AAAA records for their nameservers with ipv4 mapped contents.
- Still tries to do so, could work when deployed in intranet.
- Higher verbosity shows the error.
- - new libunbound calls documented.
- - pyunbound in libunbound/python. Removed compile warnings.
- Makefile to make it.
-
-30 March 2009: Wouter
- - Fixup LDFLAGS from libevent sourcedir compile configure restore.
- - Fixup so no non-absolute rpaths are added.
- - Fixup validation of RRSIG queries, they are let through.
- - read /dev/random before chroot
- - checkconf fix no python checks when no python module enabled.
- - fix configure, pthread first, so other libs do not change outcome.
-
-27 March 2009: Wouter
- - nicer -h output. report linked libraries and modules.
- - prints modules in intuitive order (config file friendly).
- - python compiles easily on BSD.
-
-26 March 2009: Wouter
- - ignore swig varargs warnings with gcc.
- - remove duplicate example.conf text from python example configs.
- - outofdir compile fix for python.
- - pyunbound works.
- - print modules compiled in on -h. manpage.
-
-25 March 2009: Wouter
- - initial import of the python contribution from Zdenek Vasicek and
- Marek Vavrusa.
- - pythonmod in Makefile; changes to remove warnings/errors for 1.3.0.
-
-24 March 2009: Wouter
- - more neat configure.ac. Removed duplicate config.h includes.
- - neater config.h.in.
- - iana portlist updated.
- - fix util/configlexer.c and solaris -std=c99 flag.
- - fix postcommit aclocal errors.
- - spaces stripped. Makefile cleaner, /usr omitted from -I, -L, -R.
- - swap order of host detect and libtool generation.
-
-23 March 2009: Wouter
- - added launchd plist example file for MacOSX to contrib.
- - deprecation test for daemon(3).
- - moved common configure actions to m4 include, prettier Makefile.
-
-20 March 2009: Wouter
- - bug #239: module-config entries order is important. Documented.
- - build fix for test asynclook.
-
-19 March 2009: Wouter
- - winrc/README.txt dos-format text file.
- - iana portlist updated.
- - use _beginthreadex() when available (performs stack alignment).
- - defaults for windows baked into configure.ac (used if on mingw).
-
-18 March 2009: Wouter
- - Added tests, unknown algorithms become insecure. fallback works.
- - Fix for and test for unknown algorithms in a trust anchor
- definition. Trust anchors with no supported algos are ignored.
- This means a (higher)DS or DLV entry for them could succeed, and
- otherwise they are treated as insecure.
- - domain-insecure: "example.com" statement added. Sets domain
- insecure regardless of chain of trust DSs or DLVs. The inverse
- of a trust-anchor.
-
-17 March 2009: Wouter
- - unit test for unsupported algorithm in anchor warning.
- - fixed so queries do not fail on opportunistic target queries.
-
-16 March 2009: Wouter
- - fixup diff error printout in contrib/update-itar.sh.
- - added contrib/unbound_cacti for statistics support in cacti,
- contributed by Dmitriy Demidov.
-
-13 March 2009: Wouter
- - doxygen and lex/yacc on linux.
- - strip update-anchor on makedist -w.
- - fix testbound on windows.
- - default log to syslog for windows.
- - uninstaller can stop unbound - changed text on it to reflect that.
- - remove debugging from windows 'cron' actions.
-
-12 March 2009: Wouter
- - log to App.logs on windows prints executable identity.
- - fixup tests.
- - munin plugin fix benign locking error printout.
- - anchor-update for windows, called every 24 hours; unbound reloads.
-
-11 March 2009: Wouter
- - winsock event handler resets WSAevents after signalled.
- - winsock event handler tests if signals are really signalled.
- - install and service with log to file works on XP and Vista on
- default install location.
- - on windows logging to the Application logbook works (as a service).
- - fix RUN_DIR on windows compile setting in makedist.
- - windows registry has Software\Unbound\ConfigFile element.
- If does not exist, the default is used. The -c switch overrides it.
- - fix makedist version cleanup function.
-
-10 March 2009: Wouter
- - makedist -w strips out old rc.. and snapshot info from version.
- - setup.exe starts and stops unbound after install, before uninstall.
- - unbound-checkconf recognizes absolute pathnames on windows (C:...).
-
-9 March 2009: Wouter
- - Nullsoft NSIS installer creation script.
-
-5 March 2009: Wouter
- - fixup memory leak introduced on 18feb in mesh reentrant fix.
-
-3 March 2009: Wouter
- - combined icon with 16x16(4) 32x32(4) 48x48(8) 64x64(8).
- - service works on xp/vista, no config necessary (using defaults).
- - windows registry settings.
-
-2 March 2009: Wouter
- - fixup --export-symbols to be -export-symbls for libtool.
- This should fix extraneous symbols exported from libunbound.
- Thanks to Ondrej Sury and Robert Edmonds for finding it.
- - iana portlist updated.
- - document FAQ entry on stub/forward zones and default blocking.
- - fix asynclook test app for libunbound not exporting symbols.
- - service install and remove utils that work with vista UAC.
-
-27 February 2009: Wouter
- - Fixup lexer, to not give warnings about fwrite. Appeared in
- new lexer features.
- - makedistro functionality for mingw. Has RC support.
- - support spaces and backslashes in configured defaults paths.
- - register, deregister in service control manager.
-
-25 February 2009: Wouter
- - windres usage for application resources.
-
-24 February 2009: Wouter
- - isc moved their dlv key download location.
- - fixup warning on vista/mingw.
- - makedist -w for window zip distribution first version.
-
-20 February 2009: Wouter
- - Fixup contrib/update-itar.sh, the exit codes 1 and 0 were swapped.
- Nicer script layout. Added url to site in -h output.
-
-19 February 2009: Wouter
- - unbound-checkconf and unbound print warnings when trust anchors
- have unsupported algorithms.
- - added contrib/update-itar.sh This script is similar to
- update-anchor.sh, and updates from the IANA ITAR repository.
- You can provide your own PGP key and trust repo, or can use the
- builtin. The program uses wget and gpg to work.
- - iana portlist updated.
- - update-itar.sh: using ftp:// urls because https godaddy certificate
- is not available everywhere and then gives fatal errors. The
- security is provided by pgp signature.
-
-18 February 2009: Wouter
- - more cycle detection. Also for target queries.
- - fixup bug where during deletion of the mesh queries the callbacks
- that were reentrant caused assertion failures. Keep the mesh in
- a reentrant safe state. Affects libunbound, reload of server,
- on quit and flush_requestlist.
- - iana portlist updated.
-
-13 February 2009: Wouter
- - forwarder information now per-thread duplicated.
- This keeps it read only for speed, with no locking necessary.
- - forward command for unbound control to change forwarders to use
- on the fly.
- - document that unbound-host reads no config file by default.
- - updated iana portlist.
-
-12 February 2009: Wouter
- - call setusercontext if available (on BSD).
- - small refactor of stats clearing.
- - #227: flush_stats feature for unbound-control.
- - stats_noreset feature for unbound-control.
- - flush_requestlist feature for unbound-control.
- - libunbound version upped API (was changed 5 feb).
- - unbound-control status shows if root forwarding is in use.
- - slightly nicer memory management in iter-fwd code.
-
-10 February 2009: Wouter
- - keys with rfc5011 REVOKE flag are skipped and not considered when
- validating data.
- - iana portlist updated
- - #226: dump_requestlist feature for unbound-control.
-
-6 February 2009: Wouter
- - contrib contains specfile for fedora 1.2.1 (from Paul Wouters).
- - iana portlist updated.
- - fixup EOL in include directive (reported by Paul Wouters).
- You can no longer specify newlines in the names of included files.
- - config parser changed. Gives some syntax errors closer to where they
- occurred. Does not enforce a space after keyword anymore.
- Does not allow literal newlines inside quoted strings anymore.
- - verbosity level 5 logs customer IP for new requestlist entries.
- - test fix, lexer and cancel test.
- - new option log-time-ascii: yes if you enable it prints timestamps
- in the log file as Feb 06 13:45:26 (like syslog does).
- - detect event_base_new in libevent-1.4.1 and later and use it.
- - #231 unbound-checkconf -o option prints that value from config file.
- Useful for scripting in management scripts and the like.
-
-5 February 2009: Wouter
- - ldns 1.5.0 rc as tarball included.
- - 1.3.0 development continues:
- change in libunbound API: ub_cancel can return an error, that
- the async_id did not exist, or that it was already delivered.
- The result could have been delivered just before the cancel
- routine managed to acquire the lock, so a caller may get the
- result at the same time they call cancel. For this case,
- ub_cancel tries to return an error code.
- Fixes race condition in ub_cancel() libunbound function.
- - MacOSX Leopard cleaner text output from configure.
- - initgroups(3) is called to drop secondary group permissions, if
- applicable.
- - configure option --with-ldns-builtin forces the use of the
- inluded ldns package with the unbound source. The -I include
- is put before the others, so it avoids bad include files from
- an older ldns install.
- - daemon(3) posix call is used when available.
- - testbound test for older fix added.
-
-4 February 2009: Wouter
- - tag for release 1.2.1.
- - trunk setup for 1.3.0 development.
-
-3 February 2009: Wouter
- - noted feature requests in doc/TODO.
- - printout more detailed errors on ssl certificate loading failures.
- - updated IANA portlist.
-
-16 January 2009: Wouter
- - more quiet about ipv6 network failures, i.e. when ipv6 is not
- available (network unreachable). Debug still printed on high
- verbosity.
- - unbound-host -4 and -6 options. Stops annoying ipv6 errors when
- debugging with unbound-host -4 -d ...
- - more cycle detection for NS-check, addr-check, root-prime and
- stub-prime queries in the iterator. Avoids possible deadlock
- when priming fails.
-
-15 January 2009: Wouter
- - bug #229: fixup configure checks for compilation with Solaris
- Sun cc compiler, ./configure CC=/opt/SUNWspro/bin/cc
- - fixup suncc warnings.
- - fix bug where unbound could crash using libevent 1.3 and older.
- - update testset for recent retry change.
-
-14 January 2009: Wouter
- - 1.2.1 feature: negative caching for failed queries.
- Queries that failed are cached for 5 seconds (NORR_TTL).
- If the failure is local, like out of memory, it is not cached.
- - the TTL comparison for the cache used different comparisons,
- causing many cache responses that used the iterator and validator
- state machines unnecessarily.
- - retry from 4 to 5 so that EDNS drop retry is part of the first
- query resolve attempt, and cached error does not stop EDNS fallback.
- - remove debug prints that protect against bad referrals.
- - honor QUIET=no on make commandline (or QUIET=yes ).
-
-13 January 2009: Wouter
- - fixed bug in lameness marking, removed printouts.
- - find NS rrset more cleanly for qtype NS.
- - Moved changes to 1.2.0 for release. Thanks to Mark Zealey for
- reporting and logs.
- - 1.2.1 feature: stops resolving AAAAs promiscuously when they
- are in the negative cache.
-
-12 January 2009: Wouter
- - fixed bug in infrastructure lameness cache, did not lowercase
- name of zone to hash when setting lame.
- - lameness debugging printouts.
-
-9 January 2009: Wouter
- - created svn tag for 1.2.0 release.
- - svn trunk contains 1.2.1 version number.
- - iana portlist updated for todays list.
- - removed debug print.
-
-8 January 2009: Wouter
- - new version of ldns-trunk (today) included as tarball, fixed
- bug #224, building with -j race condition.
- - remove possible race condition in the test for race conditions.
-
-7 January 2009: Wouter
- - version 1.2.0 in preparation.
- - feature to allow wildcards (*, ?, [], {}. ~) in trusted-keys-file
- statements. (Adapted from patch by Paul Wouters).
- - typo fix and iana portlist updated.
- - porting testsuite; unused var warning, and type fixup.
-
-6 January 2009: Wouter
- - fixup packet-of-death when compiled with --enable-debug.
- A malformed packet could cause an internal assertion failure.
- - added test for HINFO canonicalisation behaviour.
- - fixup reported problem with transparent local-zone data where
- queries with different type could get nxdomain. Now queries
- with a different name get resolved normally, with different type
- get a correct NOERROR/NODATA answer.
- - HINFO no longer downcased for validation, making unbound compatible
- with bind and ldns.
- - fix reading included config files when chrooted.
- Give full path names for include files.
- Relative path names work if the start dir equals the working dir.
- - fix libunbound message transport when no packet buffer is available.
-
-5 January 2009: Wouter
- - fixup getaddrinfo failure handling for remote control port.
- - added L.ROOT-SERVERS.NET. AAAA 2001:500:3::42 to builtin root hints.
- - fixup so it works with libev-3.51 from http://dist.schmorp.de/libev/
- - comm_timer_set performs base_set operation after event_add.
-
-18 December 2008: Wouter
- - fixed bug reported by Duane Wessels: error in DLV lookup, would make
- some zones that had correct DLV keys as insecure.
- - follows -rc makedist from ldns changes (no _rc).
- - ldns tarball updated with 1.4.1rc for DLV unit test.
- - verbose prints about recursion lame detection and server selection.
- - fixup BSD port for infra host storage. It hashed wrongly.
- - fixup makedist snapshot name generation.
- - do not reopen syslog to avoid dev/log dependency.
-
-17 December 2008: Wouter
- - follows ldns makedist.sh. -rc option. autom4te dir removed.
- - unbound-control status command.
- - extended statistics has a number of ipv6 queries counter.
- contrib/unbound_munin_ was updated to draw ipv6 in the hits graph.
-
-16 December 2008: Wouter
- - follow makedist improvements from ldns, for maintainers prereleases.
- - snapshot version uses _ not - to help rpm distinguish the
- version number.
-
-11 December 2008: Wouter
- - better fix for bug #219: use LOG_NDELAY with openlog() call.
- Thanks to Tamas Tevesz.
-
-9 December 2008: Wouter
- - bug #221 fixed: unbound checkconf checks if key files exist if
- remote control is enabled. Also fixed NULL printf when not chrooted.
- - iana portlist updated.
-
-3 December 2008: Wouter
- - Fix problem reported by Jaco Engelbrecht where unbound-control stats
- freezes up unbound if this was compiled without threading, and
- was using multiple processes.
- - iana portlist updated.
- - test for remote control with interprocess communication.
- - created command distribution mechanism so that remote control
- commands other than 'stats' work on all processes in a nonthreaded
- compiled version. dump/load cache work, on the first process.
- - fixup remote control local_data addition memory corruption bug.
-
-1 December 2008: Wouter
- - SElinux policy files in contrib/selinux for the unbound daemon,
- by Paul Wouters and Adam Tkac.
-
-25 November 2008: Wouter
- - configure complains when --without-ssl is given (bug #220).
- - skip unsupported feature tests on vista/mingw.
- - fixup testcode/streamtcp to work on vista/mingw.
- - root-hints test checks version of dig required.
- - blacklisted servers are polled at a low rate (1%) to see if they
- come back up. But not if there is some other working server.
-
-24 November 2008: Wouter
- - document that the user of the server daemon needs read privileges
- on the keys and certificates generated by unbound-control-setup.
- This is different per system or distribution, usually, running the
- script under the same username as the server uses suffices.
- i.e. sudo -u unbound unbound-control-setup
- - testset port to vista/mingw.
- - tcp_sigpipe to freebsd port.
-
-21 November 2008: Wouter
- - fixed tcp accept, errors were printed when they should not.
- - unbound-control-setup.sh removes read/write permissions other
- from the keys it creates (as suggested by Dmitriy Demidov).
-
-20 November 2008: Wouter
- - fixup fatal error due to faulty error checking after tcp accept.
- - add check in rlimit to avoid integer underflow.
- - rlimit check with new formula; better estimate for number interfaces
- - nicer comments in rlimit check.
- - tag 1.1.1 created in svn.
- - trunk label is 1.1.2
-
-19 November 2008: Wouter
- - bug #219: fixed so that syslog which delays opening until the first
- log line is written, gets a log line while not chroot'ed yet.
-
-18 November 2008: Wouter
- - iana portlist updated.
- - removed cast in unit test debug print that was not 64bit safe.
- - trunk back to 1.1.0; copied to tags 1.1.0 release.
- - trunk to has version number 1.1.1 again.
- - in 1.1.1; make clean nicer. grammar in manpage.
-
-17 November 2008: Wouter
- - theoretical fix for problems reported on mailing list.
- If a delegation point has no A but only AAAA and do-ip6 is no,
- resolution would fail. Fixed to ask for the A and AAAA records.
- It has to ask for both always, so that it can fail quietly, from
- TLD perspective, when a zone is only reachable on one transport.
- - test for above, only AAAA and doip6 is no. Fix causes A record
- for nameserver to be fetched.
- - fixup address duplication on cache fillup for delegation points.
- - testset updated for new query answer requirements.
-
-14 November 2008: Wouter
- - created 1.1.0 release tag in svn.
- - trunk moved to 1.1.1
- - fixup unittest-neg for locking.
-
-13 November 2008: Wouter
- - added fedora init and specfile to contrib (by Paul Wouters).
- - added configure check for ldns 1.4.0 (using its compat funcs).
- - neater comments in worker.h.
- - removed doc/plan and updated doc/TODO.
- - silenced EHOSTDOWN (verbosity 2 or higher to see it).
- - review comments from Jelte, Matthijs. Neater code.
-
-12 November 2008: Wouter
- - add unbound-control manpage to makedist replace list.
-
-11 November 2008: Wouter
- - unit test for negative cache, stress tests the refcounting.
- - fix for refcounting error that could cause fptr_wlist fatal exit
- in the negative cache rbtree (upcoming 1.1 feature). (Thanks to
- Attila Nagy for testing).
- - nicer comments in cachedump about failed RR to string conversion.
- - fix 32bit wrap around when printing large (4G and more) mem usage
- for extended statistics.
-
-10 November 2008: Wouter
- - fixup the getaddrinfo compat code rename.
-
-8 November 2008: Wouter
- - added configure check for eee build warning.
-
-7 November 2008: Wouter
- - fix bug 217: fixed, setreuid and setregid do not work on MacOSX10.4.
- - detect nonblocking problems in network stack in configure script.
-
-6 November 2008: Wouter
- - dname_priv must decompress the name before comparison.
- - iana portlist updated.
-
-5 November 2008: Wouter
- - fixed possible memory leak in key_entry_key deletion.
- Would leak a couple bytes when trust anchors were replaced.
- - if query and reply qname overlap, the bytes are skipped not copied.
- - fixed file descriptor leak when messages were jostled out that
- had outstanding (TCP) replies.
- - DNAMEs used from cache have their synthesized CNAMEs initialized
- properly.
- - fixed file descriptor leak for localzone type deny (for TCP).
- - fixed memleak at exit for nsec3 negative cached zones.
- - fixed memleak for the keyword 'nodefault' when reading config.
- - made verbosity of 'edns incapable peer' warning higher, so you
- do not get spammed by it.
- - caught elusive Bad file descriptor error bug, that would print the
- error while unnecessarily try to listen to a closed fd. Fixed.
-
-4 November 2008: Wouter
- - fixed -Wwrite-strings warnings that result in better code.
-
-3 November 2008: Wouter
- - fixup build process for Mac OSX linker, use ldns b32 compat funcs.
- - generated configure with autoconf-2.61.
- - iana portlist updated.
- - detect if libssl needs libdl. For static linking with libssl.
- - changed to use new algorithm identifiers for sha256/sha512
- from ldns 1.4.0 (need very latest version).
- - updated the included ldns tarball.
- - proper detection of SHA256 and SHA512 functions (not just sizes).
-
-23 October 2008: Wouter
- - a little more debug info for failure on signer names. prints names.
-
-22 October 2008: Wouter
- - CFLAGS are picked up by configure from the environment.
- - iana portlist updated.
- - updated ldns to use 1.4.0-pre20081022 so it picks up CFLAGS too.
- - new stub-prime: yesno option. Default is off, so it does not prime.
- can be turned on to get same behaviour as previous unbound release.
- - made automated test that checks if builtin root hints are uptodate.
- - finished draft-wijngaards-dnsext-resolver-side-mitigation
- implementation. The unwanted-reply-threshold can be set.
- - fixup so fptr_whitelist test in alloc.c works.
-
-21 October 2008: Wouter
- - fix update-anchors.sh, so it does not report different RR order
- as an update. Sorts the keys in the file. Updated copyright.
- - fixup testbound on windows, the command control pipe doesn't exist.
- - skip 08hostlib test on windows, no fork() available.
- - made unbound-remote work on windows.
-
-20 October 2008: Wouter
- - quench a log message that is debug only.
- - iana portlist updated.
- - do not query bogus nameservers. It is like nameservers that have
- the NS or A or AAAA record bogus are listed as donotquery.
- - if server selection is faced with only bad choices, it will
- attempt to get more options to be fetched.
- - changed bogus-ttl default value from 900 to 60 seconds.
- In anticipation that operator caused failures are more likely than
- actual attacks at this time. And thus repeated validation helps
- the operators get the problem fixed sooner. It makes validation
- failures go away sooner (60 seconds after the zone is fixed).
- Also it is likely to try different nameserver targets every minute,
- so that if a zone is bad on one server but not another, it is
- likely to pick up the 'correct' one after a couple minutes,
- and if the TTL is big enough that solves validation for the zone.
- - fixup unbound-control compilation on windows.
-
-17 October 2008: Wouter
- - port Leopard/G5: fixup type conversion size_t/uint32.
- please ranlib, stop file without symbols warning.
- - harden referral path now also validates the root after priming.
- It looks up the root NS authoritatively as well as the root servers
- and attemps to validate the entries.
-
-16 October 2008: Wouter
- - Fixup negative TTL values appearing (reported by Attila Nagy).
-
-15 October 2008: Wouter
- - better documentation for 0x20; remove fallback TODO, it is done.
- - harden-referral-path feature includes A, AAAA queries for glue,
- as well as very careful NS caching (only when doing NS query).
- A, AAAA use the delegation from the NS-query.
-
-14 October 2008: Wouter
- - fwd_three.tpkg test was flaky. If the three requests hit the
- wrong threads by chance (or bad OS) then the test would fail.
- Made less flaky by increasing number of retries.
- - stub_udp.tpkg changed to work, give root hints. fixed ldns_dname_abs.
- - ldns tarball is snapshot of ldns r2759 (1.4.0-pre-20081014).
- Which includes the ldns_dname_absolute fix.
- - fwd_three test remains flaky now that unbound does not stop
- listening when full. Thus, removed timeout problem.
- It may be serviced by three threads, or maybe by one.
- Mostly only useful for lock-check testing now.
-
-13 October 2008: Wouter
- - fixed recursion servers deployed as authoritative detection, so
- that as a last resort, a +RD query is sent there to get the
- correct answer.
- - iana port list update.
- - ldns tarball is snapshot of ldns r2759 (1.4.0-pre-20081013).
-
-10 October 2008: Wouter
- - fixup tests - the negative cache contained the correct NSEC3s for
- two tests that are supposed to fail to validate.
-
-9 October 2008: Wouter
- - negative cache caps max iterations of NSEC3 done.
- - NSEC3 negative cache for qtype DS works.
-
-8 October 2008: Wouter
- - NSEC negative cache for DS.
-
-6 October 2008: Wouter
- - jostle-timeout option, so you can config for slow links.
- - 0x20 fallback code. Tries 3xnumber of nameserver addresses
- queries that must all be the same. Sent to random nameservers.
- - documented choices for DoS, EDNS, 0x20.
-
-2 October 2008: Wouter
- - fixup unlink of pidfile.
- - fixup SHA256 algorithm collation code.
- - contrib/update-anchor.sh does not overwrite anchors if not needed.
- exits 0 when a restart is needed, other values if not.
- so, update-anchor.sh -d mydir && /etc/rc.d/unbound restart
- can restart unbound exactly when needed.
-
-30 September 2008: Wouter
- - fixup SHA256 DS downgrade, no longer possible to downgrade to SHA1.
- - tests for sha256 support and downgrade resistance.
- - RSASHA256 and RSASHA512 support (using the draft in dnsext),
- using the drafted protocol numbers.
- - when using stub on localhost (127.0.0.1@10053) unbound works.
- Like when running NSD to host a local zone, on the same machine.
- The noprime feature. manpages more explanation. Added a test for it.
- - shorthand for reverse PTR, local-data-ptr: "1.2.3.4 www.ex.com"
-
-29 September 2008: Wouter
- - EDNS lameness detection, if EDNS packets are dropped this is
- detected, eventually.
- - multiple query timeout rtt backoff does not backoff too much.
-
-26 September 2008: Wouter
- - tests for remote-control.
- - small memory leak in exception during remote control fixed.
- - fixup for lock checking but not unchecking in remote control.
- - iana portlist updated.
-
-23 September 2008: Wouter
- - Msg cache is loaded. A cache load enables cache responses.
- - unbound-control flush [name], flush_type and flush_zone.
-
-22 September 2008: Wouter
- - dump_cache and load_cache statements in unbound-control.
- RRsets are dumped and loaded correctly.
- Msg cache is dumped.
-
-19 September 2008: Wouter
- - locking on the localdata structure.
- - add and remove local zone and data with unbound-control.
- - ldns trunk snapshot updated, make tests work again.
-
-18 September 2008: Wouter
- - fixup error in time calculation.
- - munin plugin improvements.
- - nicer abbreviations for high query types values (ixfr, axfr, any...)
- - documented the statistics output in unbound-control man page.
- - extended statistics prints out histogram, over unbound-control.
-
-17 September 2008: Wouter
- - locking for threadsafe bogus rrset counter.
- - ldns trunk no longer exports b32 functions, provide compat.
- - ldns tarball updated.
- - testcode/ldns-testpkts.c const fixups.
- - fixed rcode stat printout.
- - munin plugin in contrib.
- - stats always printout uptime, because stats plugins need it.
-
-16 September 2008: Wouter
- - extended-statistics: yesno config option.
- - unwanted replies spoof nearmiss detector.
- - iana portlist updated.
-
-15 September 2008: Wouter
- - working start, stop, reload commands for unbound-control.
- - test for unbound-control working; better exit value for control.
- - verbosity control via unbound-control.
- - unbound-control stats.
-
-12 September 2008: Wouter
- - removed browser control mentions. Proto speccy.
-
-11 September 2008: Wouter
- - set nonblocking on new TCP streams, because linux does not inherit
- the socket options to the accepted socket.
- - fix TCP timeouts.
- - SSL protected connection between server and unbound-control.
-
-10 September 2008: Wouter
- - remove memleak in privacy addresses on reloads and quits.
- - remote control work.
-
-9 September 2008: Wouter
- - smallapp/unbound-control-setup.sh script to set up certificates.
-
-4 September 2008: Wouter
- - scrubber scrubs away private addresses.
- - test for private addresses. man page entry.
- - code refactored for name and address tree lookups.
-
-3 September 2008: Wouter
- - options for 'DNS Rebinding' protection: private-address and
- private-domain.
- - dnstree for reuse of routines that help with domain, addr lookups.
- - private-address and private-domain config option read, stored.
-
-2 September 2008: Wouter
- - DoS protection features. Queries are jostled out to make room.
- - testbound can pass time, increasing the internal timer.
- - do not mark unsigned additionals bogus, leave unchecked, which
- is removed too.
-
-1 September 2008: Wouter
- - disallow nonrecursive queries for cache snooping by default.
- You can allow is using access-control: <subnet> allow_snoop.
- The defaults do allow access no authoritative data without RD bit.
- - two tests for it and fixups of tests for nonrec refused.
-
-29 August 2008: Wouter
- - version 1.1 number in trunk.
- - harden-referral-path option for query for NS records.
- Default turns off expensive, experimental option.
-
-28 August 2008: Wouter
- - fixup logfile handling; it is created with correct permissions
- again. (from bugfix#199).
- Some errors are not written to logfile (pidfile writing, forking),
- and these are only visible by using the -d commandline flag.
-
-27 August 2008: Wouter
- - daemon(3) is causing problems for people. Reverting the patch.
- bug#200, and 199 and 203 contain sideline discussion on it.
- - bug#199 fixed: pidfile can be outside chroot. openlog is done before
- chroot and drop permissions.
- - config option to set size of aggressive negative cache,
- neg-cache-size.
- - bug#203 fixed: dlv has been implemented.
-
-26 August 2008: Wouter
- - test for insecure zone when DLV is in use, also does negative cache.
- - test for trustanchor when DLV is in use (the anchor works).
- - test for DLV used for a zone below a trustanchor.
- - added scrub filter for overreaching NSEC records and unit test.
- - iana portlist update
- - use of setresuid or setreuid when available.
- - use daemon(3) if available.
-
-25 August 2008: Wouter
- - realclean patch from Robert Edmonds.
-
-22 August 2008: Wouter
- - nicer debuglogging of DLV.
- - test with secure delegation inside the DLV repository.
-
-21 August 2008: Wouter
- - negative cache code linked into validator, for DLV use.
- negative cache works for DLV.
- - iana portlist update.
- - dlv-anchor option for unit tests.
- - fixup NSEC_AT_APEX classification for short typemaps.
- - ldns-testns has subdomain checks, for unit tests.
-
-20 August 2008: Wouter
- - negative cache code, reviewed.
-
-18 August 2008: Wouter
- - changes info: in logfile to notice: info: or debug: depending on
- the verbosity of the statements. Better logfile message
- classification.
- - bug #208: extra rc.d unbound flexibility for freebsd/nanobsd.
-
-15 August 2008: Wouter
- - DLV nsec code fixed for better detection of closest existing
- enclosers from NSEC responses.
- - DLV works, straight to the dlv repository, so not for production.
- - Iana port update.
-
-14 August 2008: Wouter
- - synthesize DLV messages from the rrset cache, like done for DS.
-
-13 August 2008: Wouter
- - bug #203: nicer do-auto log message when user sets incompatible
- options.
- - bug #204: variable name ameliorated in log.c.
- - bug #206: in iana_update, no egrep, but awk use.
- - ldns snapshot r2699 taken (includes DLV type).
- - DLV work, config file element, trust anchor read in.
-
-12 August 2008: Wouter
- - finished adjusting testset to provide qtype NS answers.
-
-11 August 2008: Wouter
- - Fixup rrset security updates overwriting 2181 trust status.
- This makes validated to be insecure data just as worthless as
- nonvalidated data, and 2181 rules prevent cache overwrites to them.
- - Fix assertion fail on bogus key handling.
- - dnssec lameness detection works on first query at trust apex.
- - NS queries get proper cache and dnssec lameness treatment.
- - fixup compilation without pthreads on linux.
-
-8 August 2008: Wouter
- - NS queries are done after every referral.
- validator is used on those NS records (if anchors enabled).
-
-7 August 2008: Wouter
- - Scrubber more strict. CNAME chains, DNAMEs from cache, other
- irrelevant rrsets removed.
- - 1.0.2 released from 1.0 support branch.
- - fixup update-anchor.sh to work both in BSD shell and bash.
-
-5 August 2008: Wouter
- - fixup DS test so apex nodata works again.
-
-4 August 2008: Wouter
- - iana port update.
- - TODO update.
- - fix bug 201: null ptr deref on cleanup while udp pkts wait for port.
- - added explanatory text for outgoing-port-permit in manpage.
-
-30 July 2008: Wouter
- - fixup bug qtype DS for unsigned zone and signed parent validation.
-
-25 July 2008: Wouter
- - added original copyright statement of OpenBSD arc4random code.
- - created tube signaling solution on windows, as a pipe replacement.
- this makes background asynchronous resolution work on windows.
- - removed very insecure socketpair compat code. It also did not
- work with event_waiting. Solved by pipe replacement.
- - unbound -h prints openssl version number as well.
-
-22 July 2008: Wouter
- - moved pipe actions to util/tube.c. easier porting and shared code.
- - check _raw() commpoint callbacks with fptr_wlist.
- - iana port update.
-
-21 July 2008: Wouter
- - #198: nicer entropy warning message. manpage OS hints.
-
-19 July 2008: Wouter
- - #198: fixup man page to suggest chroot entropy fix.
-
-18 July 2008: Wouter
- - branch for 1.0 support.
- - trunk work on tube.c.
-
-17 July 2008: Wouter
- - fix bug #196, compile outside source tree.
- - fix bug #195, add --with-username=user configure option.
- - print error and exit if started with config that requires more
- fds than the builtin minievent can handle.
-
-16 July 2008: Wouter
- - made svn tag 1.0.1, trunk now 1.0.2
- - sha256 checksums enabled in makedist.sh
-
-15 July 2008: Wouter
- - Follow draft-ietf-dnsop-default-local-zones-06 added reverse
- IPv6 example prefix to AS112 default blocklist.
- - fixup lookup of DS records by client with trustanchor for same.
- - libunbound ub_resolve, fix handling of error condition during setup.
- - lowered log_hex blocksize to fit through BSD syslog linesize.
- - no useless initialisation if getpwnam not available.
- - iana, ldns snapshot updated.
-
-3 July 2008: Wouter
- - Matthijs fixed memory leaks in root hints file reading.
-
-26 June 2008: Wouter
- - fixup streamtcp bounds setting for udp mode, in the test framework.
- - contrib item for updating trust anchors.
-
-25 June 2008: Wouter
- - fixup fwd_ancil test typos.
- - Fix for newegg lameness : ok for qtype=A, but lame for others.
- - fixup unit test for infra cache, test lame merging.
- - porting to mingw, bind, listen, getsockopt and setsockopt error
- handling.
-
-24 June 2008: Wouter
- - removed testcode/checklocks from production code compilation path.
- - streamtcp can use UDP mode (connected UDP socket), for testing IPv6
- on windows.
- - fwd_ancil test fails if platform support is lacking.
-
-23 June 2008: Wouter
- - fixup minitpkg to cleanup on windows with its file locking troubles.
- - minitpkg shows skipped tests in report.
- - skip ipv6 tests on ipv4 only hosts (requires only ipv6 localhost not
- ipv6 connectivity).
- - winsock event handler keeps track of sticky TCP events, that have
- not been fully handled yet. when interest in the event(s) resumes,
- they are sent again. When WOULDBLOCK is returned events are cleared.
- - skip tests that need signals when testing on mingw.
-
-18 June 2008: Wouter
- - open testbound replay files in binary mode, because fseek/ftell
- do not work in ascii-mode on windows. The b does nothing on unix.
- unittest and testbound tests work on windows (xp too).
- - ioctlsocket prints nicer error message.
- - fixed up some TCP porting for winsock.
- - lack of IPv6 gives a warning, no fatal error.
- - use WSAGetLastError() on windows instead of errno for some errors.
-
-17 June 2008: Wouter
- - outgoing num fds 32 by default on windows ; it supports less
- fds for waiting on than unixes.
- - winsock_event minievent handler for windows. (you could also
- attempt to link with libevent/libev ports for windows).
- - neater crypto check and gdi32 detection.
- - unbound.exe works to resolve and validate www.nlnetlabs.nl on vista.
-
-16 June 2008: Wouter
- - on windows, use windows threads, mutex and thread-local-storage(Tls).
- - detect if openssl needs gdi32.
- - if no threading, THREADS_DISABLED is defined for use in the code.
- - sets USE_WINSOCK if using ws2_32 on windows.
- - wsa_strerror() function for more readable errors.
- - WSA Startup and Cleanup called in unbound.exe.
-
-13 June 2008: Wouter
- - port mingw32, more signal ifdefs, detect sleep, usleep,
- random, srandom (used inside the tests).
- - signed or unsigned FD_SET is cast.
-
-10 June 2008: Wouter
- - fixup warnings compiling on eeepc xandros linux.
-
-9 June 2008: Wouter
- - in iteration response type code
- * first check for SOA record (negative answer) before NS record
- and lameness.
- * check if no AA bit for non-forwarder, and thus lame zone.
- In response to error report by Richard Doty for mail.opusnet.com.
- - fixup unput warning from lexer on freeBSD.
- - bug#183. pidfile, rundir, and chroot configure options. Also the
- example.conf and manual pages get the configured defaults.
- You can use: (or accept the defaults to /usr/local/etc/unbound/)
- --with-conf-file=filename
- --with-pidfile=filename
- --with-run-dir=path
- --with-chroot-dir=path
-
-8 June 2008: Wouter
- - if multiple CNAMEs, use the first one. Fixup akamai CNAME bug.
- Reported by Robert Edmonds.
- - iana port updated.
-
-4 June 2008: Wouter
- - updated libtool files with newer version.
- - iana portlist updated.
-
-3 June 2008: Wouter
- - fixup local-zone: "30.172.in-addr.arpa." nodefault, so that the
- trailing dot is not used during comparison.
-
-2 June 2008: Wouter
- - Jelte fixed bugs in my absence
- - bug 178: fixed unportable shell usage in configure (relied on
- bash shell).
- - bug 180: fixed buffer overflow in unbound-checkconf use of strncat.
- - bug 181: fixed buffer overflow in ldns (called by unbound to parse
- config file parts).
- - fixes by Wouter
- - bug 177: fixed compilation failure on opensuse, the
- --disable-static configure flag caused problems. (Patch from
- Klaus Singvogel)
- - bug 179: same fix as 177.
- - bug 185: --disable-shared not passed along to ldns included with
- unbound. Fixed so that configure parameters are passed to the
- subdir configure script.
- fixed that ./libtool is used always, you can still override
- manually with ./configure libtool=mylibtool or set $libtool in
- the environment.
- - update of the ldns tarball to current ldns svn version (fix 181).
- - bug 184: -r option for unbound-host, read resolv.conf for
- forwarder. (Note that forwarder must support DNSSEC for validation
- to succeed).
-
-23 May 2008: Wouter
- - mingw32 porting.
- - test for sys/wait.h
- - WSAEWOULDBLOCK test after nonblocking TCP connect.
- - write_iov_buffer removed: unused and no struct iov on windows.
- - signed/unsigned warning fixup mini_event.
- - use ioctlsocket to set nonblocking I/O if fnctl is unavailable.
- - skip signals that are not defined
- - detect pwd.h.
- - detect getpwnam, getrlimit, setsid, sbrk, chroot.
- - default config has no chroot if chroot() unavailable.
- - if no kill() then no pidfile is read or written.
- - gmtime_r is replaced by nonthreadsafe alternative if unavail.
- used in rrsig time validation errors.
-
-22 May 2008: Wouter
- - contrib unbound.spec from Patrick Vande Walle.
- - fixup bug#175: call tzset before chroot to have correct timestamps
- in system log.
- - do not generate lex input and lex unput functions.
- - mingw port. replacement functions labelled _unbound.
- - fix bug 174 - check for tcp_sigpipe that ldns-testns is installed.
-
-19 May 2008: Wouter
- - fedora 9, check in6_pktinfo define in configure.
- - CREDITS fixup of history.
- - ignore ldns-1.2.2 if installed, use builtin 1.3.0-pre alternative.
-
-16 May 2008: Wouter
- - fixup for MacOSX hosts file reading (reported by John Dickinson).
- - created 1.0.0 svn tag.
- - trunk version 1.0.1.
-
-14 May 2008: Wouter
- - accepted patch from Ondrej Sury for library version libtool option.
- - configure --disable-rpath fixes up libtool for rpath trouble.
- Adapted from debian package patch file.
-
-13 May 2008: Wouter
- - Added root ipv6 addresses to builtin root hints.
- - TODO modified for post 1.0 plans.
- - trunk version set to 1.0.0.
- - no unnecessary linking with librt (only when libevent/libev used).
-
-7 May 2008: Wouter
- - fixup no-ip4 problem with error callback in outside network.
-
-25 April 2008: Wouter
- - DESTDIR is honored by the Makefile for rpms.
- - contrib files unbound.spec and unbound.init, builds working RPM
- on FC7 Linux, a chrooted caching resolver, and libunbound.
- - iana ports update.
-
-24 April 2008: Wouter
- - chroot checks improved. working directory relative to chroot.
- checks if config file path is inside chroot. Documentation on it.
- - nicer example.conf text.
- - created 0.11 tag.
-
-23 April 2008: Wouter
- - parseunbound.pl contrib update from Kai Storbeck for threads.
- - iana ports update
-
-22 April 2008: Wouter
- - ignore SIGPIPE.
- - unit test for SIGPIPE ignore.
-
-21 April 2008: Wouter
- - FEATURES document.
- - fixup reread of config file if it was given as a full path
- and chroot was used.
-
-16 April 2008: Wouter
- - requirements doc, updated clean query returns.
- - parseunbound.pl update from Kai Storbeck.
- - sunos4 porting changes.
-
-15 April 2008: Wouter
- - fixup default rc.d pidfile location to /usr/local/etc.
- - iana ports updated.
- - copyright updated in ldns-testpkts to keep same as in ldns.
- - fixup checkconf chroot tests a bit more, chdir must be inside
- chroot dir.
- - documented 'gcc: unrecognized -KPIC option' errors on Solaris.
- - example.conf values changed to /usr/local/etc/unbound
- - DSA test work.
- - DSA signatures: unbound is compatible with both encodings found.
- It will detect and convert when necessary.
-
-14 April 2008: Wouter
- - got update for parseunbound.pl statistics script from Kai Storbeck.
- - tpkg tests for udp wait list.
- - documented 0x20 status.
- - fixup chroot and checkconf, it is much smarter now.
- - fixup DSA EVP signature decoding. Solution that Jelte found copied.
- - and check first sig byte for the encoding type.
-
-11 April 2008: Wouter
- - random port selection out of the configged ports.
- - fixup threadsafety for libevent-1.4.3+ (event_base_get_method).
- - removed base_port.
- - created 256-port ephemeral space for the OS, 59802 available.
- - fixup consistency of port_if out array during heavy use.
-
-10 April 2008: Wouter
- - --with-libevent works with latest libevent 1.4.99-trunk.
- - added log file statistics perl script to contrib.
- - automatic iana ports update from makefile. 60058 available.
-
-9 April 2008: Wouter
- - configure can detect libev(from its build directory) when passed
- --with-libevent=/home/wouter/libev-3.2
- libev-3.2 is a little faster than libevent-1.4.3-stable (about 5%).
- - unused commpoints not listed in epoll list.
- - statistics-cumulative option so that the values are not reset.
- - config creates array of available ports, 61841 available,
- it excludes <1024 and iana assigned numbers.
- config statements to modify the available port numbers.
-
-8 April 2008: Wouter
- - unbound tries to set the ulimit fds when started as server.
- if that does not work, it will scale back its requirements.
-
-27 March 2008: Wouter
- - documented /dev/random symlink from chrootdir as FAQ entry.
-
-26 March 2008: Wouter
- - implemented AD bit signaling. If a query sets AD bit (but not DO)
- then the AD bit is set in the reply if the answer validated.
- Without including DNSSEC signatures. Useful if you have a trusted
- path from the client to the resolver. Follows dnssec-updates draft.
-
-25 March 2008: Wouter
- - implemented check that for NXDOMAIN and NOERROR answers a query
- section must be present in the reply (by the scrubber). And it must
- be equal to the question sent, at least lowercase folded.
- Previously this feature happened because the cache code refused
- to store such messages. However blocking by the scrubber makes
- sure nothing gets into the RRset cache. Also, this looks like a
- timeout (instead of an allocation failure) and this retries are
- done (which is useful in a spoofing situation).
- - RTT banding. Band size 400 msec, this makes band around zero (fast)
- include unknown servers. This makes unbound explore unknown servers.
-
-7 March 2008: Wouter
- - -C config feature for harvest program.
- - harvest handles CNAMEs too.
-
-5 March 2008: Wouter
- - patch from Hugo Koji Kobayashi for iterator logs spelling.
-
-4 March 2008: Wouter
- - From report by Jinmei Tatuya, rfc2181 trust value for remainder
- of a cname trust chain is lower; not full answer_AA.
- - test for this fix.
- - default config file location is /usr/local/etc/unbound.
- Thus prefix is used to determine the location. This is also the
- chroot and pidfile default location.
-
-3 March 2008: Wouter
- - Create 0.10 svn tag.
- - 0.11 version in trunk.
- - indentation nicer.
-
-29 February 2008: Wouter
- - documentation update.
- - fixup port to Solaris of perf test tool.
- - updated ldns-tarball with decl-after-statement fixes.
-
-28 February 2008: Wouter
- - fixed memory leaks in libunbound (during cancellation and wait).
- - libunbound returns the answer packet in full.
- - snprintf compat update.
- - harvest performs lookup.
- - ldns-tarball update with fix for ldns_dname_label.
- - installs to sbin by default.
- - install all manual pages (unbound-host and libunbound too).
-
-27 February 2008: Wouter
- - option to use caps for id randomness.
- - config file option use-caps-for-id: yes
- - harvest debug tool
-
-26 February 2008: Wouter
- - delay utility delays TCP as well. If the server that is forwarded
- to has a TCP error, the delay utility closes the connection.
- - delay does REUSE_ADDR, and can handle a server that closes its end.
- - answers use casing from query.
-
-25 February 2008: Wouter
- - delay utility works. Gets decent thoughput too (>20000).
-
-22 February 2008: Wouter
- - +2% for recursions, if identical queries (except for destination
- and query ID) in the reply list, avoid re-encoding the answer.
- - removed TODO items for optimizations that do not show up in
- profile reports.
- - default is now minievent - not libevent. As its faster and
- not needed for regular installs, only for very large port ranges.
- - loop check different speedup pkt-dname-reading, 1% faster for
- nocache-recursion check.
- - less hashing during msg parse, 4% for recursion.
- - small speed fix for dname_count_size_labels, +1 or +2% recursion.
- - some speed results noted:
- optimization resulted in +40% for recursion (cache miss) and
- +70 to +80 for cache hits, and +96% for version.bind.
- zone nsec3 example, 100 NXDOMAIN queries, NSD 35182.8 Ub 36048.4
- www.nlnetlabs.nl from cache: BIND 8987.99 Ub 31218.3
- www with DO bit set : BIND 8269.31 Ub 28735.6 qps.
- So, unbound can be about equal qps to NSD in cache hits.
- And about 3.4x faster than BIND in cache performance.
- - delay utility for testing.
-
-21 February 2008: Wouter
- - speedup of root-delegation message encoding by 15%.
- - minor speedup of compress tree_lookup, maybe 1%.
- - speedup of dname_lab_cmp and memlowercmp - the top functions in
- profiler output, maybe a couple percent when it matters.
-
-20 February 2008: Wouter
- - setup speec_cache for need-ldns-testns in dotests.
- - check number of queued replies on incoming queries to avoid overload
- on that account.
- - fptr whitelist checks are not disabled in optimize mode.
- - do-daemonize config file option.
- - minievent time share initializes time at start.
- - updated testdata for nsec3 new algorithm numbers (6, 7).
- - small performance test of packet encoding (root delegation).
-
-19 February 2008: Wouter
- - applied patch to unbound-host man page from Jan-Piet Mens.
- - fix donotquery-localhost: yes default (it erroneously was switched
- to default 'no').
- - time is only gotten once and the value is shared across unbound.
- - unittest cleans up crypto, so that it has no memory leaks.
- - mini_event shares the time value with unbound this results in
- +3% speed for cache responses and +9% for recursions.
- - ldns tarball update with new NSEC3 sign code numbers.
- - perform several reads per UDP operation. This improves performance
- in DoS conditions, and costs very little in normal conditions.
- improves cache response +50%, and recursions +10%.
- - modified asynclook test. because the callback from async is not
- in any sort of lock (and thus can use all library functions freely),
- this causes a tiny race condition window when the last lock is
- released for a callback and a new cancel() for that callback.
- The only way to remove this is by putting callbacks into some
- lock window. I'd rather have the small possibility of a callback
- for a cancelled function then no use of library functions in
- callbacks. Could be possible to only outlaw process(), wait(),
- cancel() from callbacks, by adding another lock, but I'd rather not.
-
-18 February 2008: Wouter
- - patch to unbound-host from Jan-Piet Mens.
- - unbound host prints errors if fails to configure context.
- - fixup perf to resend faster, so that long waiting requests do
- not hold up the queue, they become lost packets or SERVFAILs,
- or can be sent a little while later (i.e. processing time may
- take long, but throughput has to be high).
- - fixup iterator operating in no cache conditions (RD flag unset
- after a CNAME).
- - streamlined code for RD flag setting.
- - profiled code and changed dname compares to be faster.
- The speedup is about +3% to +8% (depending on the test).
- - minievent tests for eintr and eagain.
-
-15 February 2008: Wouter
- - added FreeBSD rc.d script to contrib.
- - --prefix option for configure also changes directory: pidfile:
- and chroot: defaults in config file.
- - added cache speed test, for cache size OK and cache too small.
-
-14 February 2008: Wouter
- - start without a config file (will complain, but start with
- defaults).
- - perf test program works.
-
-13 February 2008: Wouter
- - 0.9 released.
- - 1.0 development. Printout ldns version on unbound -h.
- - start of perf tool.
- - bugfix to read empty lines from /etc/hosts.
-
-12 February 2008: Wouter
- - fixup problem with configure calling itself if ldns-src tarball
- is not present.
-
-11 February 2008: Wouter
- - changed library to use ub_ instead of ub_val_ as prefix.
- - statistics output text nice.
- - etc/hosts handling.
- - library function to put logging to a stream.
- - set any option interface.
-
-8 February 2008: Wouter
- - test program for multiple queries over a TCP channel.
- - tpkg test for stream tcp queries.
- - unbound replies to multiple TCP queries on a TCP channel.
- - fixup misclassification of root referral with NS in answer
- when validating a nonrec query.
- - tag 0.9
- - layout of manpages, spelling fix in header, manpages process by
- makedist, list asynclook and tcpstream tests as ldns-testns
- required.
-
-7 February 2008: Wouter
- - moved up all current level 2 to be level 3. And 3 to 4.
- to make room for new debug level 2 for detailed information
- for operators.
- - verbosity level 2. Describes recursion and validation.
- - cleaner configure script and fixes for libevent solaris.
- - signedness for log output memory sizes in high verbosity.
-
-6 February 2008: Wouter
- - clearer explanation of threading configure options.
- - fixup asynclook test for nothreading (it creates only one process
- to do the extended test).
- - changed name of ub_val_result_free to ub_val_resolve_free.
- - removes warning message during library linking, renamed
- libunbound/unbound.c -> libunbound.c and worker to libworker.
- - fallback without EDNS if result is NOTIMPL as well as on FORMERR.
-
-5 February 2008: Wouter
- - statistics-interval: seconds option added.
- - test for statistics option
- - ignore errors making directories, these can occur in parallel builds
- - fixup Makefile strip command and libunbound docs typo.
-
-31 January 2008: Wouter
- - bg thread/process reads and writes the pipe nonblocking all the time
- so that even if the pipe is buffered or so, the bg thread does not
- block, and services both pipes and queries.
-
-30 January 2008: Wouter
- - check trailing / on chrootdir in checkconf.
- - check if root hints and anchor files are in chrootdir.
- - no route to host tcp error is verbosity level 2.
- - removed unused send_reply_iov. and its configure check.
- - added prints of 'remote address is 1.2.3.4 port 53' to errors
- from netevent; the basic socket errors.
-
-28 January 2008: Wouter
- - fixup uninit use of buffer by libunbound (query id, flags) for
- local_zone answers.
- - fixup uninit warning from random.c; also seems to fix sporadic
- sigFPE coming out of openssl.
- - made openssl entropy warning more silent for library use. Needs
- verbosity 1 now.
- - fixup forgotten locks for rbtree_searches on ctx->query tree.
- - random generator cleanup - RND_STATE_SIZE removed, and instead
- a super-rnd can be passed at init to chain init random states.
- - test also does lock checks if available.
- - protect config access in libworker_setup().
- - libevent doesn't like comm_base_exit outside of runloop.
- - close fds after removing commpoints only (for epoll, kqueue).
-
-25 January 2008: Wouter
- - added tpkg for asynclook and library use.
- - allows localhost to be queried when as a library.
- - fixup race condition between cancel and answer (in case of
- really fast answers that beat the cancel).
- - please doxygen, put doxygen comment in one place.
- - asynclook -b blocking mode and test.
- - refactor asynclook, nicer code.
- - fixup race problems from opensll in rand init from library, with
- a mutex around the rand init.
- - fix pass async_id=NULL to _async resolve().
- - rewrote _wait() routine, so that it is threadsafe.
- - cancelation is threadsafe.
- - asynclook extended test in tpkg.
- - fixed two races where forked bg process waits for (somehow shared?)
- locks, so does not service the query pipe on the bg side.
- Now those locks are only held for fg_threads and for bg_as_a_thread.
-
-24 January 2008: Wouter
- - tested the cancel() function.
- - asynclook -c (cancel) feature.
- - fix fail to allocate context actions.
- - make pipe nonblocking at start.
- - update plane for retry mode with caution to limit bandwidth.
- - fix Makefile for concurrent make of unbound-host.
- - renamed ub_val_ctx_wait/poll/process/fd to ub_val*.
- - new calls to set forwarding added to header and docs.
-
-23 January 2008: Wouter
- - removed debug prints from if-auto, verb-algo enables some.
- - libunbound QUIT setup, remove memory leaks, when using threads
- will share memory for passing results instead of writing it over
- the pipe, only writes ID number over the pipe (towards the handler
- thread that does process() ).
-
-22 January 2008: Wouter
- - library code for async in libunbound/unbound.c.
- - fix link testbound.
- - fixup exit bug in mini_event.
- - background worker query enter and result functions.
- - bg query test application asynclook, it looks up multiple
- hostaddresses (A records) at the same time.
-
-21 January 2008: Wouter
- - libworker work, netevent raw commpoints, write_msg, serialize.
-
-18 January 2008: Wouter
- - touch up of manpage for libunbound.
- - support for IP_RECVDSTADDR (for *BSD ip4).
- - fix for BSD, do not use ip4to6 mapping, make two sockets, once
- ip6 and once ip4, uses socket options.
- - goodbye ip4to6 mapping.
- - update ldns-testpkts with latest version from ldns-trunk.
- - updated makedist for relative ldns pathnames.
- - library API with more information inside the result structure.
- - work on background resolves.
-
-17 January 2008: Wouter
- - fixup configure in case -lldns is installed.
- - fixup a couple of doxygen warnings, about enum variables.
- - interface-automatic now copies the interface address from the
- PKT_INFO structure as well.
- - manual page with library API, all on one page 'man libunbound'.
- - rewrite of PKTINFO structure, it also captures IP4 PKTINFO.
-
-16 January 2008: Wouter
- - incoming queries to the server with TC bit on are replied FORMERR.
- - interface-automatic replied the wrong source address on localhost
- queries. Seems to be due to ifnum=0 in recvmsg PKTINFO. Trying
- to use ifnum=-1 to mean 'no interface, use kernel route'.
-
-15 January 2008: Wouter
- - interface-automatic feature. experimental. Nice for anycast.
- - tpkg test for ip6 ancillary data.
- - removed debug prints.
- - porting experience, define for Solaris, test refined for BSD
- compatibility. The feature probably will not work on OpenBSD.
- - makedist fixup for ldns-src in build-dir.
-
-14 January 2008: Wouter
- - in no debug sets NDEBUG to remove asserts.
- - configure --enable-debug is needed for dependency generation
- for assertions and for compiler warnings.
- - ldns.tgz updated with ldns-trunk (where buffer.h is updated).
- - fix lint, unit test in optimize mode.
- - default access control allows ::ffff:127.0.0.1 v6mapped localhost.
-
-11 January 2008: Wouter
- - man page, warning removed.
- - added text describing the use of stub zones for private zones.
- - checkconf tests for bad hostnames (IP address), and for doubled
- interface lines.
- - memory sizes can be given with 'k', 'Kb', or M or G appended.
-
-10 January 2008: Wouter
- - typo in example.conf.
- - made using ldns-src that is included the package more portable
- by linking with .lo instead of .o files in the ldns package.
- - nicer do-ip6: yes/no documentation.
- - nicer linking of libevent .o files.
- - man pages render correctly on solaris.
-
-9 January 2008: Wouter
- - fixup openssl RAND problem, when the system is not configured to
- give entropy, and the rng needs to be seeded.
-
-8 January 2008: Wouter
- - print median and quartiles with extensive logging.
-
-4 January 2008: Wouter
- - document misconfiguration in private network.
-
-2 January 2008: Wouter
- - fixup typo in requirements.
- - document that 'refused' is a better choice than 'drop' for
- the access control list, as refused will stop retries.
-
-7 December 2007: Wouter
- - unbound-host has a -d option to show what happens. This can help
- with debugging (why do I get this answer).
- - fixup CNAME handling, on nodata, sets and display canonname.
- - dot removed from CNAME display.
- - respect -v for NXDOMAINs.
- - updated ldns-src.tar.gz with ldns-trunk today (1.2.2 fixes).
- - size_t to int for portability of the header file.
- - fixup bogus handling.
- - dependencies and lint for unbound-host.
-
-6 December 2007: Wouter
- - library resolution works in foreground mode, unbound-host app
- receives data.
- - unbound-host prints rdata using ldns.
- - unbound-host accepts trust anchors, and prints validation
- information when you give -v.
-
-5 December 2007: Wouter
- - locking in context_new() inside the function.
- - setup of libworker.
-
-4 December 2007: Wouter
- - minor Makefile fixup.
- - moved module-stack code out of daemon/daemon into services/modstack,
- preparing for code-reuse.
- - move context into own header file.
- - context query structure.
- - removed unused variable pwd from checkconf.
- - removed unused assignment from outside netw.
- - check timeval length of string.
- - fixup error in val_utils getsigner.
- - fixup same (*var) error in netblocktostr.
- - fixup memleak on parse error in localzone.
- - fixup memleak on packet parse error.
- - put ; after union in parser.y.
- - small hardening in iter_operate against iq==NULL.
- - hardening, if error reply with rcode=0 (noerror) send servfail.
- - fixup same (*var) error in find_rrset in msgparse, was harmless.
- - check return value of evtimer_add().
- - fixup lockorder in lruhash_reclaim(), building up a list of locked
- entries one at a time. Instead they are removed and unlocked.
- - fptr_wlist for markdelfunc.
- - removed is_locked param from lruhash delkeyfunc.
- - moved bin_unlock during bin_split purely to please.
-
-3 December 2007: Wouter
- - changed checkconf/ to smallapp/ to make room for more support tools.
- (such as unbound-host).
- - install dirs created with -m 755 because they need to be accessible.
- - library extensive featurelist added to TODO.
- - please doxygen, lint.
- - library test application, with basic functionality.
- - fix for building in a subdirectory.
- - link lib fix for Leopard.
-
-30 November 2007: Wouter
- - makefile that creates libunbound.la, basic file or libunbound.a
- when creating static executables (no libtool).
- - more API setup.
-
-29 November 2007: Wouter
- - 0.9 public API start.
-
-28 November 2007: Wouter
- - Changeup plan for 0.8 - no complication needed, a simple solution
- has been chosen for authoritative features.
- - you can use single quotes in the config file, so it is possible
- to specify TXT records in local data.
- - fixup small memory problem in implicit transparent zone creation.
- - test for implicit zone creation and multiple RR RRsets local data.
- - local-zone nodefault test.
- - show testbound testlist on commit.
- - iterator normalizer changes CNAME chains ending in NXDOMAIN where
- the packet got rcode NXDOMAIN into rcode NOERROR. (since the initial
- domain exists).
- - nicer verbosity: 0 and 1 levels.
- - lower nonRDquery chance of eliciting wrongly typed validation
- requiring message from the cache.
- - fix for nonRDquery validation typing; nodata is detected when
- SOA record in auth section (all validation-requiring nodata messages
- have a SOA record in authority, so this is OK for the validator),
- and NS record is needed to be a referral.
- - duplicate checking when adding NSECs for a CNAME, and test.
- - created svn tag 0.8, after completing testbed tests.
-
-27 November 2007: Wouter
- - per suggestion in rfc2308, replaced default max-ttl value with 1 day.
- - set size of msgparse lookup table to 32, from 1024, so that its size
- is below the 2048 regional large size threshold, and does not cause
- a call to malloc when a message is parsed.
- - update of memstats tool to print number of allocation calls.
- This is what is taking time (not space) and indicates the avg size
- of the allocations as well. region_alloc stat is removed.
-
-22 November 2007: Wouter
- - noted EDNS in-the-middle dropping trouble as a TODO.
- At this point theoretical, no user trouble has been reported.
- - added all default AS112 zones.
- - answers from local zone content.
- * positive answer, the rrset in question
- * nodata answer (exist, but not that type).
- * nxdomain answer (domain does not exist).
- * empty-nonterminal answer.
- * But not: wildcard, nsec, referral, rrsig, cname/dname,
- or additional section processing, NS put in auth.
- - test for correct working of static and transparent and couple
- of important defaults (localhost, as112, reverses).
- Also checks deny and refuse settings.
- - fixup implicit zone generation and AA bit for NXDOMAIN on localdata.
-
-21 November 2007: Wouter
- - local zone internal data setup.
-
-20 November 2007: Wouter
- - 0.8 - str2list config support for double string config options.
- - local-zone and local-data options, config storage and documentation.
-
-19 November 2007: Wouter
- - do not downcase NSEC and RRSIG for verification. Follows
- draft-ietf-dnsext-dnssec-bis-updates-06.txt.
- - fixup leaking unbound daemons at end of tests.
- - README file updated.
- - nice libevent not found error.
- - README talks about gnu make.
- - 0.8: unit test for addr_mask and fixups for it.
- and unit test for addr_in_common().
- - 0.8: access-control config file element.
- and unit test rpl replay file.
- - 0.8: fixup address reporting from netevent.
-
-16 November 2007: Wouter
- - privilege separation is not needed in unbound at this time.
- TODO item marked as such.
- - created beta-0.7 branch for support.
- - tagged 0.7 for beta release.
- - moved trunk to 0.8 for 0.8(auth features) development.
- - 0.8: access control list setup.
-
-15 November 2007: Wouter
- - review fixups from Jelte.
-
-14 November 2007: Wouter
- - testbed script does not recreate configure, since its in svn now.
- - fixup checkconf test so that it does not test
- /etc/unbound/unbound.conf.
- - tag 0.6.
-
-13 November 2007: Wouter
- - remove debug print.
- - fixup testbound exit when LIBEVENT_SIGNAL_PROBLEM exists.
-
-12 November 2007: Wouter
- - fixup signal handling where SIGTERM could be ignored if a SIGHUP
- arrives later on.
- - bugreports to unbound-bugs@nlnetlabs.nl
- - fixup testbound so it exits cleanly.
- - cleanup the caches on a reload, so that rrsetID numbers won't clash.
-
-9 November 2007: Wouter
- - took ldns snapshot in repo.
- - default config file is /etc/unbound/unbound.conf.
- If it doesn't exist, it is installed with the doc/example.conf file.
- The file is not deleted on uninstall.
- - default listening is not all, but localhost interfaces.
-
-8 November 2007: Wouter
- - Fixup chroot and drop user privileges.
- - new L root ip address in default hints.
-
-1 November 2007: Wouter
- - Fixup of crash on reload, due to anchors in env not NULLed after
- dealloc during deinit.
- - Fixup of chroot call. Happens after privileges are dropped, so
- that checking the passwd entry still works.
- - minor touch up of clear() hashtable function.
- - VERB_DETAIL prints out what chdir, username, chroot is being done.
- - when id numbers run out, caches are cleared, as in design notes.
- Tested with a mock setup with very few bits in id, it worked.
- - harden-dnssec-stripped: yes is now default. It insists on dnssec
- data for trust anchors. Included tests for the feature.
-
-31 October 2007: Wouter
- - cache-max-ttl config option.
- - building outside sourcedir works again.
- - defaults more secure:
- username: "unbound"
- chroot: "/etc/unbound"
- The operator can override them to be less secure ("") if necessary.
- - fix horrible oversight in sorting rrset references in a message,
- sort per reference key pointer, not on referencepointer itself.
- - pidfile: "/etc/unbound/unbound.pid" is now the default.
- - tests changed to reflect the updated default.
- - created hashtable clear() function that respects locks.
-
-30 October 2007: Wouter
- - fixup assertion failure that relied on compressed names to be
- smaller than uncompressed names. A packet from comrite.com was seen
- to be compressed to a larger size. Added it as unit test.
- - quieter logging at low verbosity level for common tcp messages.
- - no greedy TTL update.
-
-23 October 2007: Wouter
- - fixup (grand-)parent problem for dnssec-lameness detection.
- - fixup tests to do additional section processing for lame replies,
- since the detection needs that.
- - no longer trust in query section in reply during dnssec lame detect.
- - dnssec lameness does not make the server never ever queried, but
- non-preferred. If no other servers exist or answer, the dnssec lame
- server is used; the fastest dnssec lame server is chosen.
- - added test then when trust anchor cannot be primed (nodata), the
- insecure mode from unbound works.
- - Fixup max queries per thread, any more are dropped.
-
-22 October 2007: Wouter
- - added donotquerylocalhost config option. Can be turned off for
- out test cases.
- - ISO C compat changes.
- - detect RA-no-AA lameness, as LAME.
- - DNSSEC-lameness detection, as LAME.
- See notes in requirements.txt for choices made.
- - tests for lameness detection.
- - added all to make test target; need unbound for fwd tests.
- - testbound does not pollute /etc/unbound.
-
-19 October 2007: Wouter
- - added configure (and its files) to svn, so that the trunk is easier
- to use. ./configure, config.guess, config.sub, ltmain.sh,
- and config.h.in.
- - added yacc/lex generated files, util/configlexer.c,
- util/configparser.c util/configparser.h, to svn.
- - without lex no attempt to use it.
- - unsecure response validation collated into one block.
- - remove warning about const cast of cfgfile name.
- - outgoing-interfaces can be different from service interfaces.
- - ldns-src configure is done during unbound configure and
- ldns-src make is done during unbound make, and so inherits the
- make arguments from the unbound make invocation.
- - nicer error when libevent problem causes instant exit on signal.
- - read root hints from a root hint file (like BIND does).
-
-18 October 2007: Wouter
- - addresses are logged with errors.
- - fixup testcode fake event to remove pending before callback
- since the callback may create new pending items.
- - tests updated because retries are now in iterator module.
- - ldns-testpkts code is checked for differences between unbound
- and ldns by makedist.sh.
- - ldns trunk from today added in svn repo for fallback in case
- no ldns is installed on the system.
- make download_ldns refreshes the tarball with ldns svn trunk.
- - ldns-src.tar.gz is used if no ldns is found on the system, and
- statically linked into unbound.
- - start of regional allocator code.
- - regional uses less memory and variables, simplified code.
- - remove of region-allocator.
- - alloc cache keeps a cache of recently released regional blocks,
- up to a maximum.
- - make unit test cleanly free memory.
-
-17 October 2007: Wouter
- - fixup another cycle detect and ns-addr timeout resolution bug.
- This time by refusing delegations from the cache without addresses
- when resolving a mandatory-glue nameserver-address for that zone.
- We're going to have to ask a TLD server anyway; might as well be
- the TLD server for this name. And this resolves a lot of cases where
- the other nameserver names lead to cycles or are not available.
- - changed random generator from random(3) clone to arc4random wrapped
- for thread safety. The random generator is initialised with
- entropy from the system.
- - fix crash where failure to prime DNSKEY tried to print null pointer
- in the log message.
- - removed some debug prints, only verb_algo (4) enables them.
- - fixup test; new random generator took new paths; such as one
- where no scripted answer was available.
- - mark insecure RRs as insecure.
- - fixup removal of nonsecure items from the additional.
- - reduced timeout values to more realistic, 376 msec (262 msec has
- 90% of roundtrip times, 512 msec has 99% of roundtrip times.)
- - server selection failover to next server after timeout (376 msec).
-
-16 October 2007: Wouter
- - no malloc in log_hex.
- - assertions around system calls.
- - protect against gethostname without ending zero.
- - ntop output is null terminated by unbound.
- - pidfile content null termination
- - various snprintf use sizeof(stringbuf) instead of fixed constant.
- - changed loopdetect % 8 with & 0x7 since % can become negative for
- weird negative input and particular interpretation of integer math.
- - dname_pkt_copy checks length of result, to protect result buffers.
- prints an error, this should not happen. Bad strings should have
- been rejected earlier in the program.
- - remove a size_t underflow from msgreply size func.
-
-15 October 2007: Wouter
- - nicer warning.
- - fix IP6 TCP, wrong definition check. With test package.
- - fixup the fact that the query section was not compressed to,
- the code was there but was called by value instead of by reference.
- And test for the case, uses xxd and nc.
- - more portable ip6 check for sockaddr types.
-
-8 October 2007: Wouter
- - --disable-rpath option in configure for 64bit systems with
- several dynamic lib dirs.
-
-7 October 2007: Wouter
- - fixup tests for no AD bit in non-DO queries.
- - test that makes sure AD bit is not set on non-DO query.
-
-6 October 2007: Wouter
- - removed logfile open early. It did not have the proper permissions;
- it was opened as root instead of the user. And we cannot change user
- id yet, since chroot and bind ports need to be done.
- - callback checks for event callbacks done from mini_event. Because
- of deletions cannot do this from netevent. This means when using
- libevent the protection does not work on event-callbacks.
- - fixup too small reply (did not zero counts).
- - fixup reply no longer AD bit when query without DO bit.
-
-5 October 2007: Wouter
- - function pointer whitelist.
-
-4 October 2007: Wouter
- - overwrite sensitive random seed value after use.
- - switch to logfile very soon if not -d (console attached).
- - error messages do not reveal the trustanchor contents.
- - start work on function pointer whitelists.
-
-3 October 2007: Wouter
- - fix for multiple empty nonterminals, after multiple DSes in the
- chain of trust.
- - mesh checks if modules are looping, and stops them.
- - refetch with CNAMEd nameserver address regression test added.
- - fixup line count bug in testcode, so testbound prints correct line
- number with parse errors.
- - unit test for multiple ENT case.
- - fix for cname out of validated unsec zone.
- - fixup nasty id=0 reuse. Also added assertions to detect its
- return (the assertion catches in the existing test cases).
-
-1 October 2007: Wouter
- - skip F77, CXX, objC tests in configure step.
- - fixup crash in refetch glue after a CNAME.
- and protection against similar failures (with error print).
-
-28 September 2007: Wouter
- - test case for unbound-checkconf, fixed so it also checks the
- interface: statements.
-
-26 September 2007: Wouter
- - SIGHUP will reopen the log file.
- - Option to log to syslog.
- - please lint, fixup tests (that went to syslog on open, oops).
- - config check program.
-
-25 September 2007: Wouter
- - tests for NSEC3. Fixup bitmap checks for NSEC3.
- - positive ANY response needs to check if wildcard expansion, and
- check that original data did not exist.
- - tests for NSEC3 that wrong use of OPTOUT is bad. For insecure
- delegation, for abuse of child zone apex nsec3.
- - create 0.5 release tag.
-
-24 September 2007: Wouter
- - do not make test programs by default.
- - But 'make test' will perform all of the tests.
- - Advertise builtin select libevent alternative when no libevent
- is found.
- - signit can generate NSEC3 hashes, for generating tests.
- - multiple nsec3 parameters in message test.
- - too high nsec3 iterations becomes insecure test.
-
-21 September 2007: Wouter
- - fixup empty_DS_name allocated in wrong region (port DEC Alpha).
- - fixup testcode lock safety (port FreeBSD).
- - removes subscript has type char warnings (port Solaris 9).
- - fixup of field with format type to int (port MacOS/X intel).
- - added test for infinite loop case in nonRD answer validation.
- It was a more general problem, but hard to reproduce. When an
- unsigned rrset is being validated and the key fetched, the DS
- sequence is followed, but if the final name has no DS, then no
- proof is possible - the signature has been stripped off.
-
-20 September 2007: Wouter
- - fixup and test for NSEC wildcard with empty nonterminals.
- - makedist.sh fixup for svn info.
- - acl features request in plan.
- - improved DS empty nonterminal handling.
- - compat with ANS nxdomain for empty nonterminals. Attempts the nodata
- proof anyway, which succeeds in ANS failure case.
- - striplab protection in case it becomes -1.
- - plans for static and blacklist config.
-
-19 September 2007: Wouter
- - comments about non-packed usage.
- - plan for overload support in 0.6.
- - added testbound tests for a failed resolution from the logs
- and for failed prime when missing glue.
- - fixup so useless delegation points are not returned from the
- cache. Also the safety belt is used if priming fails to complete.
- - fixup NSEC rdata not to be lowercased, bind compat.
-
-18 September 2007: Wouter
- - wildcard nsec3 testcases, and fixup to get correct wildcard name.
- - validator prints subtype classification for debug.
-
-17 September 2007: Wouter
- - NSEC3 hash cache unit test.
- - validator nsec3 nameerror test.
-
-14 September 2007: Wouter
- - nsec3 nodata proof, nods proof, wildcard proof.
- - nsec3 support for cname chain ending in noerror or nodata.
- - validator calls nsec3 proof routines if no NSECs prove anything.
- - fixup iterator bug where it stored the answer to a cname under
- the wrong qname into the cache. When prepending the cnames, the
- qname has to be reset to the original qname.
-
-13 September 2007: Wouter
- - nsec3 find matching and covering, ce proof, prove namerror msg.
-
-12 September 2007: Wouter
- - fixup of manual page warnings, like for NSD bugreport.
- - nsec3 work, config, max iterations, filter, and hash cache.
-
-6 September 2007: Wouter
- - fixup to find libevent on mac port install.
- - fixup size_t vs unsigned portability in validator/sigcrypt.
- - please compiler on different platforms, for unreachable code.
- - val_nsec3 file.
- - pthread_rwlock type is optional, in case of old pthread libs.
-
-5 September 2007: Wouter
- - cname, name error validator tests.
- - logging of qtype ANY works.
- - ANY type answers get RRSIG in answer section of replies (but not
- in other sections, unless DO bit is on).
- - testbound can replay a TCP query (set MATCH TCP in the QUERY).
- - DS and noDS referral validation test.
- - if you configure many trust anchors, parent trust anchors can
- securely deny existence of child trust anchors, if validated.
- - not all *.name NSECs are present because a wildcard was matched,
- and *.name NSECs can prove nodata for empty nonterminals.
- Also, for wildcard name NSECs, check they are not from the parent
- zone (for wildcarded zone cuts), and check absence of CNAME bit,
- for a nodata proof.
- - configure option for memory allocation debugging.
- - port configure option for memory allocation to solaris10.
-
-4 September 2007: Wouter
- - fixup of Leakage warning when serviced queries processed multiple
- callbacks for the same query from the same server.
- - testbound removes config file from /tmp on failed exit.
- - fixup for referral cleanup of the additional section.
- - tests for cname, referral validation.
- - neater testbound tpkg output.
- - DNAMEs no longer match their apex when synthesized from the cache.
- - find correct signer name for DNAME responses.
- - wildcarded DNAME test and fixup code to detect.
- - prepend NSEC and NSEC3 rrsets in the iterator while chasing CNAMEs.
- So that wildcarded CNAMEs get their NSEC with them to the answer.
- - test for a CNAME to a DNAME to a CNAME to an answer, all from
- different domains, for key fetching and signature checking of
- CNAME'd messages.
-
-3 September 2007: Wouter
- - Fixed error in iterator that would cause assertion failure in
- validator. CNAME to a NXDOMAIN response was collated into a response
- with both a CNAME and the NXDOMAIN rcode. Added a test that the
- rcode is changed to NOERROR (because of the CNAME).
- - timeout on tcp does not lead to spurious leakage detect.
- - account memory for name of lame zones, so that memory leakages does
- not show lame cache growth as a leakage growth.
- - config setting for lameness cache expressed in bytes, instead of
- number of entries.
- - tool too summarize allocations per code line.
-
-31 August 2007: Wouter
- - can read bind trusted-keys { ... }; files, in a compatibility mode.
- - iterator should not detach target queries that it still could need.
- the protection against multiple outstanding queries is moved to a
- current_query num check.
- - validator nodata, positive, referral tests.
- - dname print can print '*' wildcard.
-
-30 August 2007: Wouter
- - fixup override date config option.
- - config options to control memory usage.
- - caught bad free of un-alloced data in worker_send error case.
- - memory accounting for key cache (trust anchors and temporary cache).
- - memory accounting fixup for outside network tcp pending waits.
- - memory accounting fixup for outside network tcp callbacks.
- - memory accounting for iterator fixed storage.
- - key cache size and slabs config options.
- - lib crypto cleanups at exit.
-
-29 August 2007: Wouter
- - test tool to sign rrsets for testing validator with.
- - added RSA and DSA test keys, public and private pairs, 512 bits.
- - default configuration is with validation enabled.
- Only a trust-anchor needs to be configured for DNSSEC to work.
- - do not convert to DER for DSA signature verification.
- - validator replay test file, for a DS to DNSKEY DSA key prime and
- positive response.
-
-28 August 2007: Wouter
- - removed double use for udp buffers, that could fail,
- instead performs a malloc to do the backup.
- - validator validates referral messages, by validating all the rrsets
- and stores the rrsets in the cache. Further referral (nonRD queries)
- replies are made from the rrset cache directly. Unless unchecked
- rrsets are encountered, there are then validated.
- - enforce that signing is done by a parent domain (or same domain).
- - adjust TTL downwards if rrset TTL bigger than signature allows.
- - permissive mode feature, sets AD bit for secure, but bogus does
- not give servfail (bogus is changed into indeterminate).
- - optimization of rrset verification. rr canonical sorting is reused,
- for the same rrset. canonical rrset image in buffer is reused for
- the same signature.
- - if the rrset is too big (64k exactly + large owner name) the
- canonicalization routine will fail if it does not fit in buffer.
- - faster verification for large sigsets.
- - verb_detail mode reports validation failures, but not the entire
- algorithm for validation. Key prime failures are reported as
- verb_ops level.
-
-27 August 2007: Wouter
- - do not garble the edns if a cache answer fails.
- - answer norecursive from cache if possible.
- - honor clean_additional setting when returning secure non-recursive
- referrals.
- - do not store referral in msg cache for nonRD queries.
- - store verification status in the rrset cache to speed up future
- verification.
- - mark rrsets indeterminate and insecure if they are found to be so.
- and store this in the cache.
-
-24 August 2007: Wouter
- - message is bogus if unsecure authority rrsets are present.
- - val-clean-additional option, so you can turn it off.
- - move rrset verification out of the specific proof types into one
- routine. This makes the proof routines prettier.
- - fixup cname handling in validator, cname-to-positive and cname-to-
- nodata work.
- - Do not synthesize DNSKEY and DS responses from the rrset cache if
- the rrset is from the additional section. Signatures may have
- fallen off the packet, and cause validation failure.
- - more verbose signature date errors (with the date attached).
- - increased default infrastructure cache size. It is important for
- performance, and 1000 entries are only 212k (or a 400 k total cache
- size). To 10000 entries (for 2M entries, 4M cache size).
-
-23 August 2007: Wouter
- - CNAME handling - move needs_validation to before val_new().
- val_new() setups the chase-reply to be an edited copy of the msg.
- new classification, and find signer can find for it.
- removal of unsigned crap from additional, and query restart for
- cname.
- - refuse to follow wildcarded DNAMEs when validating.
- But you can query for qtype ANY, or qtype DNAME and validate that.
-
-22 August 2007: Wouter
- - bogus TTL.
- - review - use val_error().
-
-21 August 2007: Wouter
- - ANY response validation.
- - store security status in cache.
- - check cache security status and either send the query to be
- validated, return the query to client, or send servfail to client.
- Sets AD bit on validated replies.
- - do not examine security status on an error reply in mesh_done.
- - construct DS, DNSKEY messages from rrset cache.
- - manual page entry for override-date.
-
-20 August 2007: Wouter
- - validate and positive validation, positive wildcard NSEC validation.
- - nodata validation, nxdomain validation.
-
-18 August 2007: Wouter
- - process DNSKEY response in FINDKEY state.
-
-17 August 2007: Wouter
- - work on DS2KE routine.
- - val_nsec.c for validator NSEC proofs.
- - unit test for NSEC bitmap reading.
- - dname iswild and canonical_compare with unit tests.
-
-16 August 2007: Wouter
- - DS sig unit test.
- - latest release libevent 1.3c and 1.3d have threading fixed.
- - key entry fixup data pointer and ttl absolute.
- - This makes a key-prime succeed in validator, with DS or DNSKEY as
- trust-anchor.
- - fixup canonical compare byfield routine, fix bug and also neater.
- - fixed iterator response type classification for queries of type
- ANY and NS.
- dig ANY gives sometimes NS rrset in AN and NS section, and parser
- removes the NS section duplicate. dig NS gives sometimes the NS
- in the answer section, as referral.
- - validator FINDKEY state.
-
-15 August 2007: Wouter
- - crypto calls to verify signatures.
- - unit test for rrsig verification.
-
-14 August 2007: Wouter
- - default outgoing ports changed to avoid port 2049 by default.
- This port is widely blocked by firewalls.
- - count infra lameness cache in memory size.
- - accounting of memory improved
- - outbound entries are allocated in the query region they are for.
- - extensive debugging for memory allocations.
- - --enable-lock-checks can be used to enable lock checking.
- - protect undefs in config.h from autoheaders ministrations.
- - print all received udp packets. log hex will print on multiple
- lines if needed.
- - fixed error in parser with backwards rrsig references.
- - mark cycle targets for iterator did not have CD flag so failed
- its task.
-
-13 August 2007: Wouter
- - fixup makefile, if lexer is missing give nice error and do not
- mess up the dependencies.
- - canonical compare routine updated.
- - canonical hinfo compare.
- - printout list of the queries that the mesh is working on.
-
-10 August 2007: Wouter
- - malloc and free overrides that track total allocation and frees.
- for memory debugging.
- - work on canonical sort.
-
-9 August 2007: Wouter
- - canonicalization, signature checks
- - dname signature label count and unit test.
- - added debug heap size print to memory printout.
- - typo fixup in worker.c
- - -R needed on solaris.
- - validator override option for date check testing.
-
-8 August 2007: Wouter
- - ldns _raw routines created (in ldns trunk).
- - sigcrypt DS digest routines
- - val_utils uses sigcrypt to perform signature cryptography.
- - sigcrypt keyset processing
-
-7 August 2007: Wouter
- - security status type.
- - security status is copied when rdata is equal for rrsets.
- - rrset id is updated to invalidate all the message cache entries
- that refer to NSEC, NSEC3, DNAME rrsets that have changed.
- - val_util work
- - val_sigcrypt file for validator signature checks.
-
-6 August 2007: Wouter
- - key cache for validator.
- - moved isroot and dellabel to own dname routines, with unit test.
-
-3 August 2007: Wouter
- - replanning.
- - scrubber check section of lame NS set.
- - trust anchors can be in config file or read from zone file,
- DS and DNSKEY entries.
- - unit test trust anchor storage.
- - trust anchors converted to packed rrsets.
- - key entry definition.
-
-2 August 2007: Wouter
- - configure change for latest libevent trunk version (needs -lrt).
- - query_done and walk_supers are moved out of module interface.
- - fixup delegation point duplicates.
- - fixup iterator scrubber; lame NS set is let through the scrubber
- so that the classification is lame.
- - validator module exists, and does nothing but pass through,
- with calling of next module and return.
- - validator work.
-
-1 August 2007: Wouter
- - set version to 0.5
- - module work for module to module interconnections.
- - config of modules.
- - detect cycle takes flags.
-
-31 July 2007: Wouter
- - updated plan
- - release 0.4 tag.
-
-30 July 2007: Wouter
- - changed random state init, so that sequential process IDs are not
- cancelled out by sequential thread-ids in the random number seed.
- - the fwd_three test, which sends three queries to unbound, and
- unbound is kept waiting by ldns-testns for 3 seconds, failed
- because the retry timeout for default by unbound is 3 seconds too,
- it would hit that timeout and fail the test. Changed so that unbound
- is kept waiting for 2 seconds instead.
-
-27 July 2007: Wouter
- - removed useless -C debug option. It did not work.
- - text edit of documentation.
- - added doc/CREDITS file, referred to by the manpages.
- - updated planning.
-
-26 July 2007: Wouter
- - cycle detection, for query state dependencies. Will attempt to
- circumvent the cycle, but if no other targets available fails.
- - unit test for AXFR, IXFR response.
- - test for cycle detection.
-
-25 July 2007: Wouter
- - testbound read ADDRESS and check it.
- - test for version.bind and friends.
- - test for iterator chaining through several referrals.
- - test and fixup for refetch for glue. Refetch fails if glue
- is still not provided.
-
-24 July 2007: Wouter
- - Example section in config manual.
- - Addr stored for range and moment in replay.
-
-20 July 2007: Wouter
- - Check CNAME chain before returning cache entry with CNAMEs.
- - Option harden-glue, default is on. It will discard out of zone
- data. If disabled, performance is faster, but spoofing attempts
- become a possibility. Note that still normalize scrubbing is done,
- and that the potentially spoofed data is used for infrastructure
- and not returned to the client.
- - if glue times out, refetch by asking parent of delegation again.
- Much like asking for DS at the parent side.
- - TODO items from forgery-resilience draft.
- and on memory handling improvements.
- - renamed module_event_timeout to module_event_noreply.
- - memory reporting code; reports on memory usage after handling
- a network packet (not on cache replies).
-
-19 July 2007: Wouter
- - shuffle NS selection when getting nameserver target addresses.
- - fixup of deadlock warnings, yield cpu in checklock code so that
- freebsd scheduler selects correct process to run.
- - added identity and version config options and replies.
- - store cname messages complete answers.
-
-18 July 2007: Wouter
- - do not query addresses, 127.0.0.1, and ::1 by default.
-
-17 July 2007: Wouter
- - forward zone options in config file.
- - forward per zone in iterator. takes precedence over stubs.
- - fixup commithooks.
- - removed forward-to and forward-to-port features, subsumed by
- new forward zones.
- - fix parser to handle absent server: clause.
- - change untrusted rrset test to account for scrubber that is now
- applied during the test (which removes the poison, by the way).
- - feature, addresses can be specified with @portnumber, like nsd.conf.
- - test config files changed over to new forwarder syntax.
-
-27 June 2007: Wouter
- - delete of mesh does a postorder traverse of the tree.
- - found and fixed a memory leak. For TTL=0 messages, that would
- not be cached, instead the msg-replyinfo structure was leaked.
- - changed server selection so it will filter out hosts that are
- unresponsive. This is defined as a host with the maximum rto value.
- This means that unbound tried the host for retries up to 120 secs.
- The rto value will time out after host-ttl seconds from the cache.
- This keeps such unresolvable queries from taking up resources.
- - utility for keeping histogram.
-
-26 June 2007: Wouter
- - mesh is called by worker, and iterator uses it.
- This removes the hierarchical code.
- QueryTargets state and Finished state are merged for iterator.
- - forwarder mode no longer sets AA bit on first reply.
- - rcode in walk_supers is not needed.
-
-25 June 2007: Wouter
- - more mesh work.
- - error encode routine for ease.
-
-22 June 2007: Wouter
- - removed unused _node iterator value from rbtree_t. Takes up space.
- - iterator can handle querytargets state without a delegation point
- set, so that a priming(stub) subquery error can be handled.
- - iterator stores if it is priming or not.
- - log_query_info() neater logging.
- - changed iterator so that it does not alter module_qstate.qinfo
- but keeps a chase query info. Also query_flags are not altered,
- the iterator uses chase_flags.
- - fixup crash in case no ports for the family exist.
-
-21 June 2007: Wouter
- - Fixup secondary buffer in case of error callback.
- - cleanup slumber list of runnable states.
- - module_subreq_depth fails to work in slumber list.
- - fixup query release for cached results to sub targets.
- - neater error for tcp connection failure, shows addr in verbose.
- - rbtree_init so that it can be used with preallocated memory.
-
-20 June 2007: Wouter
- - new -C option to enable coredumps after forking away.
- - doc update.
- - fixup CNAME generation by scrubber, and memory allocation of it.
- - fixup deletion of serviced queries when all callbacks delete too.
- - set num target queries to 0 when you move them to slumber list.
- - typo in check caused subquery errors to be ignored, fixed.
- - make lint happy about rlim_t.
- - freeup of modules after freeup of module-states.
- - duplicate replies work, this uses secondary udp buffer in outnet.
-
-19 June 2007: Wouter
- - nicer layout in stats.c, review 0.3 change.
- - spelling improvement, review 0.3 change.
- - uncapped timeout for server selection, so that very fast or slow
- servers will stand out from the rest.
- - target-fetch-policy: "3 2 1 0 0" config setting.
- - fixup queries answered without RD bit (for root prime results).
- - refuse AXFR and IXFR requests.
- - fixup RD flag in error reply from iterator. fixup RA flag from
- worker error reply.
- - fixup encoding of very short edns buffer sizes, now sets TC bit.
- - config options harden-short-bufsize and harden-large-queries.
-
-18 June 2007: Wouter
- - same, move subqueries to slumber list when first has resolved.
- - fixup last fix for duplicate callbacks.
- - another offbyone in targetcounter. Also in Java prototype by the way.
-
-15 June 2007: Wouter
- - if a query asks to be notified of the same serviced query result
- multiple times, this will succeed. Only one callback will happen;
- multiple outbound-list entries result (but the double cleanup of it
- will not matter).
- - when iterator moves on due to CNAME or referral, it will remove
- the subqueries (for other targets). These are put on the slumber
- list.
- - state module wait subq is OK with no new subqs, an old one may have
- stopped, with an error, and it is still waiting for other ones.
- - if a query loops, halt entire query (easy way to clean up properly).
-
-14 June 2007: Wouter
- - num query targets was > 0 , not >= 0 compared, so that fetch
- policy of 0 did nothing.
-
-13 June 2007: Wouter
- - debug option: configure --enable-static-exe for compile where
- ldns and libevent are linked statically. Default is off.
- - make install and make uninstall. Works with static-exe and without.
- installation of unbound binary and manual pages.
- - alignment problem fix on solaris 64.
- - fixup address in case of TCP error.
-
-12 June 2007: Wouter
- - num target queries was set to 0 at a bad time. Default it to 0 and
- increase as target queries are done.
- - synthesize CNAME and DNAME responses from the cache.
- - Updated doxygen config for doxygen 1.5.
- - aclocal newer version.
- - doxygen 1.5 fixes for comments (for the strict check on docs).
-
-11 June 2007: Wouter
- - replies on TCP queries have the address field set in replyinfo,
- for serviced queries, because the initiator does not know that
- a TCP fallback has occured.
- - omit DNSSEC types from nonDO replies, except if qtype is ANY or
- if qtype directly queries for the type (and then only show that
- 'unknown type' in the answer section).
- - fixed message parsing where rrsigs on their own would be put
- in the signature list over the rrsig type.
-
-7 June 2007: Wouter
- - fixup error in double linked list insertion for subqueries and
- for outbound list of serviced queries for iterator module.
- - nicer printout of outgoing port selection.
- - fixup cname target readout.
- - nicer debug output.
- - fixup rrset counts when prepending CNAMEs to the answer.
- - fixup rrset TTL for prepended CNAMEs.
- - process better check for looping modules, and which submodule to
- run next.
- - subreq insertion code fixup for slumber list.
- - VERB_DETAIL, verbosity: 2 level gives short but readable output.
- VERB_ALGO, verbosity: 3 gives extensive output.
- - fixup RA bit in cached replies.
- - fixup CNAME responses from the cache no longer partial response.
- - error in network send handled without leakage.
- - enable ip6 from config, and try ip6 addresses if available,
- if ip6 is not connected, skips to next server.
-
-5 June 2007: Wouter
- - iterator state finished.
- - subrequests without parent store in cache and stop.
- - worker slumber list for ongoing promiscuous queries.
- - subrequest error handling.
- - priming failure returns SERVFAIL.
- - priming gives LAME result, returns SERVFAIL.
- - debug routine to print dns_msg as handled by iterator.
- - memleak in config file stubs fixup.
- - more small bugs, in scrubber, query compare no ID for lookup,
- in dname validation for NS targets.
- - sets entry.key for new special allocs.
- - lognametypeclass can display unknown types and classes.
-
-4 June 2007: Wouter
- - random selection of equally preferred nameserver targets.
- - reply info copy routine. Reuses existing code.
- - cache lameness in response handling.
- - do not touch qstate after worker_process_query because it may have
- been deleted by that routine.
- - Prime response state.
- - Process target response state.
- - some memcmp changed to dname_compare for case preservation.
-
-1 June 2007: Wouter
- - normalize incoming messages. Like unbound-java, with CNAME chain
- checked, DNAME checked, CNAME's synthesized, glue checked.
- - sanitize incoming messages.
- - split msgreply encode functions into own file msgencode.c.
- - msg_parse to queryinfo/replyinfo conversion more versatile.
- - process_response, classify response, delegpt_from_message.
-
-31 May 2007: Wouter
- - querytargets state.
- - dname_subdomain_c() routine.
- - server selection, based on RTT. ip6 is filtered out if not available,
- and lameness is checked too.
- - delegation point copy routine.
-
-30 May 2007: Wouter
- - removed FLAG_CD from message and rrset caches. This was useful for
- an agnostic forwarder, but not for a sophisticated (trust value per
- rrset enabled) cache.
- - iterator response typing.
- - iterator cname handle.
- - iterator prime start.
- - subquery work.
- - processInitRequest and processInitRequest2.
- - cache synthesizes referral messages, with DS and NSEC.
- - processInitRequest3.
- - if a request creates multiple subrequests these are all activated.
-
-29 May 2007: Wouter
- - routines to lock and unlock array of rrsets moved to cache/rrset.
- - lookup message from msg cache (and copy to region).
- - fixed cast error in dns msg lookup.
- - message with duplicate rrset does not increase its TTLs twice.
- - 'qnamesize' changed to 'qname_len' for similar naming scheme.
-
-25 May 2007: Wouter
- - Acknowledge use of unbound-java code in iterator. Nicer readme.
- - services/cache/dns.c DNS Cache. Hybrid cache uses msgcache and
- rrset cache from module environment.
- - packed rrset key has type and class as easily accessible struct
- members. They are still kept in network format for fast msg encode.
- - dns cache find_delegation routine.
- - iterator main functions setup.
- - dns cache lookup setup.
-
-24 May 2007: Wouter
- - small changes to prepare for subqueries.
- - iterator forwarder feature separated out.
- - iterator hints stub code, config file stub code, so that first
- testing can proceed locally.
- - replay tests now have config option to enable forwarding mode.
-
-23 May 2007: Wouter
- - outside network does precise timers for roundtrip estimates for rtt
- and for setting timeout for UDP. Pending_udp takes milliseconds.
- - cleaner iterator sockaddr conversion of forwarder address.
- - iterator/iter_utils and iter_delegpt setup.
- - root hints.
-
-22 May 2007: Wouter
- - outbound query list for modules and support to callback with the
- outbound entry to the module.
- - testbound support for new serviced queries.
- - test for retry to TCP cannot use testbound any longer.
- - testns test for EDNS fallback, test for TCP fallback already exists.
- - fixes for no-locking compile.
- - mini_event timer precision and fix for change in timeouts during
- timeout callback. Fix for fwd_three tests, performed nonexit query.
-
-21 May 2007: Wouter
- - small comment on hash table locking.
- - outside network serviced queries, contain edns and tcp fallback,
- and udp retries and rtt timing.
-
-16 May 2007: Wouter
- - lruhash_touch() would cause locking order problems. Fixup in
- lock-verify in case locking cycle is found.
- - services/cache/rrset.c for rrset cache code.
- - special rrset_cache LRU updating function that uses the rrset id.
- - no dependencies calculation when make clean is called.
- - config settings for infra cache.
- - daemon code slightly cleaner, only creates caches once.
-
-15 May 2007: Wouter
- - host cache code.
- - unit test for host cache.
-
-14 May 2007: Wouter
- - Port to OS/X and Dec Alpha. Printf format and alignment fixes.
- - extensive lock debug report on join timeout.
- - proper RTT calculation, in utility code.
- - setup of services/cache/infra, host cache.
-
-11 May 2007: Wouter
- - iterator/iterator.c module.
- - fixup to pass reply_info in testcode and in netevent.
-
-10 May 2007: Wouter
- - created release-0.3 svn tag.
- - util/module.h
- - fixed compression - no longer compresses root name.
-
-9 May 2007: Wouter
- - outside network cleans up waiting tcp queries on exit.
- - fallback to TCP.
- - testbound replay with retry in TCP mode.
- - tpkg test for retry in TCP mode, against ldns-testns server.
- - daemon checks max number of open files and complains if not enough.
- - test where data expires in the cache.
- - compiletests: fixed empty body ifstatements in alloc.c, in case
- locks are disabled.
-
-8 May 2007: Wouter
- - outgoing network keeps list of available tcp buffers for outgoing
- tcp queries.
- - outgoing-num-tcp config option.
- - outgoing network keeps waiting list of queries waiting for buffer.
- - netevent supports outgoing tcp commpoints, nonblocking connects.
-
-7 May 2007: Wouter
- - EDNS read from query, used to make reply smaller.
- - advertised edns value constants.
- - EDNS BADVERS response, if asked for too high edns version.
- - EDNS extended error responses once the EDNS record from the query
- has successfully been parsed.
-
-4 May 2007: Wouter
- - msgreply sizefunc is more accurate.
- - config settings for rrset cache size and slabs.
- - hashtable insert takes argument so that a thread can use its own
- alloc cache to store released keys.
- - alloc cache special_release() locks if necessary.
- - rrset trustworthiness type added.
- - thread keeps a scratchpad region for handling messages.
- - writev used in netevent to write tcp length and data after another.
- This saves a roundtrip on tcp replies.
- - test for one rrset updated in the cache.
- - test for one rrset which is not updated, as it is not deemed
- trustworthy enough.
- - test for TTL refreshed in rrset.
-
-3 May 2007: Wouter
- - fill refs. Use new parse and encode to answer queries.
- - stores rrsets in cache.
- - uses new msgreply format in cache.
-
-2 May 2007: Wouter
- - dname unit tests in own file and spread out neatly in functions.
- - more dname unit tests.
- - message encoding creates truncated TC flagged messages if they do
- not fit, and will leave out (whole)rrsets from additional if needed.
-
-1 May 2007: Wouter
- - decompress query section, extremely lenient acceptance.
- But only for answers from other servers, not for plain queries.
- - compression and decompression test cases.
- - some stats added.
- - example.conf interface: line is changed from 127.0.0.1 which leads
- to problems if used (restricting communication to the localhost),
- to a documentation and test address.
-
-27 April 2007: Wouter
- - removed iov usage, it is not good for dns message encoding.
- - owner name compression more optimal.
- - rrsig owner name compression.
- - rdata domain name compression.
-
-26 April 2007: Wouter
- - floating point exception fix in lock-verify.
- - lint uses make dependency
- - fixup lint in dname owner domain name compression code.
- - define for offset range that can be compressed to.
-
-25 April 2007: Wouter
- - prettier code; parse_rrset->type kept in host byte order.
- - datatype used for hashvalue of converted rrsig structure.
- - unit test compares edns section data too.
-
-24 April 2007: Wouter
- - ttl per RR, for RRSIG rrsets and others.
- - dname_print debug function.
- - if type is not known, size calc will skip DNAME decompression.
- - RRSIG parsing and storing and putting in messages.
- - dnssec enabled unit tests (from nlnetlabs.nl and se queries).
- - EDNS extraction routine.
-
-20 April 2007: Wouter
- - code comes through all of the unit tests now.
- - disabled warning about spurious extra data.
- - documented the RRSIG parse plan in msgparse.h.
- - rrsig reading and outputting.
-
-19 April 2007: Wouter
- - fix unit test to actually to tests.
- - fix write iov helper, and fakevent code.
- - extra builtin testcase (small packet).
- - ttl converted to network format in packets.
- - flags converted correctly
- - rdatalen off by 2 error fixup.
- - uses less iov space for header.
-
-18 April 2007: Wouter
- - review of msgparse code.
- - smaller test cases.
-
-17 April 2007: Wouter
- - copy and decompress dnames.
- - store calculated hash value too.
- - routine to create message out of stored information.
- - util/data/msgparse.c for message parsing code.
- - unit test, and first fixes because of test.
- * forgot rrset_count addition.
- * did & of ptr on stack for memory position calculation.
- * dname_pkt_copy forgot to read next label length.
- - test from file and fixes
- * double frees fixed in error conditions.
- * types with less than full rdata allowed by parser.
- Some dynamic update packets seem to use it.
-
-16 April 2007: Wouter
- - following a small change in LDNS, parsing code calculates the
- memory size to allocate for rrs.
- - code to handle ID creation.
-
-13 April 2007: Wouter
- - parse routines. Code that parses rrsets, rrs.
-
-12 April 2007: Wouter
- - dname compare routine that preserves case, with unit tests.
-
-11 April 2007: Wouter
- - parse work - dname packet parse, msgparse, querysection parse,
- start of sectionparse.
-
-10 April 2007: Wouter
- - Improved alignment of reply_info packet, nice for 32 and 64 bit.
- - Put RRset counts in reply_info, because the number of RRs can change
- due to RRset updates.
- - import of region-allocator code from nsd.
- - set alloc special type to ub_packed_rrset_key.
- Uses lruhash entry overflow chain next pointer in alloc cache.
- - doxygen documentation for region-allocator.
- - setup for parse scratch data.
-
-5 April 2007: Wouter
- - discussed packed rrset with Jelte.
-
-4 April 2007: Wouter
- - moved to version 0.3.
- - added util/data/dname.c
- - layout of memory for rrsets.
-
-3 April 2007: Wouter
- - detect sign of msghdr.msg_iovlen so that the cast to that type
- in netevent (which is there to please lint) can be correct.
- The type on several OSes ranges from int, int32, uint32, size_t.
- Detects unsigned or signed using math trick.
- - constants for DNS flags.
- - compilation without locks fixup.
- - removed include of unportable header from lookup3.c.
- - more portable use of struct msghdr.
- - casts for printf warning portability.
- - tweaks to tests to port them to the testbed.
- - 0.2 tag created.
-
-2 April 2007: Wouter
- - check sizes of udp received messages, not too short.
- - review changes. Some memmoves can be memcpys: 4byte aligned.
- set id correctly on cached answers.
- - review changes msgreply.c, memleak on error condition. AA flag
- clear on cached reply. Lowercase queries on hashing.
- unit test on lowercasing. Test AA bit not set on cached reply.
- Note that no TTLs are managed.
-
-29 March 2007: Wouter
- - writev or sendmsg used when answering from cache.
- This avoids a copy of the data.
- - do not do useless byteswap on query id. Store reply flags in uint16
- for easier access (and no repeated byteswapping).
- - reviewed code.
- - configure detects and config.h includes sys/uio.h for writev decl.
-
-28 March 2007: Wouter
- - new config option: num-queries-per-thread.
- - added tpkg test for answering three queries at the same time
- using one thread (from the query service list).
-
-27 March 2007: Wouter
- - added test for cache and not cached answers, in testbound replays.
- - testbound can give config file and commandline options from the
- replay file to unbound.
- - created test that checks if items drop out of the cache.
- - added word 'partitioned hash table' to documentation on slab hash.
- A slab hash is a partitioned hash table.
- - worker can handle multiple queries at a time.
-
-26 March 2007: Wouter
- - config settings for slab hash message cache.
- - test for cached answer.
- - Fixup deleting fake answer from testbound list.
-
-23 March 2007: Wouter
- - review of yesterday's commits.
- - covered up memory leak of the entry locks.
- - answers from the cache correctly. Copies flags correctly.
- - sanity check for incoming query replies.
- - slabbed hash table. Much nicer contention, need dual cpu to see.
-
-22 March 2007: Wouter
- - AIX configure check.
- - lock-verify can handle references to locks that are created
- in files it has not yet read in.
- - threaded hash table test.
- - unit test runs lock-verify afterwards and checks result.
- - need writelock to update data on hash_insert.
- - message cache code, msgreply code.
-
-21 March 2007: Wouter
- - unit test of hash table, fixup locking problem in table_grow().
- - fixup accounting of sizes for removing items from hashtable.
- - unit test for hash table, single threaded test of integrity.
- - lock-verify reports errors nicely. More quiet in operation.
-
-16 March 2007: Wouter
- - lock-verifier, checks consistent order of locking.
-
-14 March 2007: Wouter
- - hash table insert (and subroutines) and lookup implemented.
- - hash table remove.
- - unit tests for hash internal bin, lru functions.
-
-13 March 2007: Wouter
- - lock_unprotect in checklocks.
- - util/storage/lruhash.h for LRU hash table structure.
-
-12 March 2007: Wouter
- - configure.ac moved to 0.2.
- - query_info and replymsg util/data structure.
-
-9 March 2007: Wouter
- - added rwlock writelock checking.
- So it will keep track of the writelock, and readlocks are enforced
- to not change protected memory areas.
- - log_hex function to dump hex strings to the logfile.
- - checklocks zeroes its destroyed lock after checking memory areas.
- - unit test for alloc.
- - identifier for union in checklocks to please older compilers.
- - created 0.1 tag.
-
-8 March 2007: Wouter
- - Reviewed checklock code.
-
-7 March 2007: Wouter
- - created a wrapper around thread calls that performs some basic
- checking for data race and deadlock, and basic performance
- contention measurement.
-
-6 March 2007: Wouter
- - Testbed works with threading (different machines, different options).
- - alloc work, does the special type.
-
-2 March 2007: Wouter
- - do not compile fork funcs unless needed. Otherwise will give
- type errors as their typedefs have not been enabled.
- - log shows thread numbers much more nicely (and portably).
- - even on systems with nonthreadsafe libevent signal handling,
- unbound will exit if given a signal.
- Reloads will not work, and exit is not graceful.
- - start of alloc framework layout.
-
-1 March 2007: Wouter
- - Signals, libevent and threads work well, with libevent patch and
- changes to code (close after event_del).
- - set ipc pipes nonblocking.
-
-27 February 2007: Wouter
- - ub_thread_join portable definition.
- - forking is used if no threading is available.
- Tested, it works, since pipes work across processes as well.
- Thread_join is replaced with waitpid.
- - During reloads the daemon will temporarily handle signals,
- so that they do not result in problems.
- - Also randomize the outgoing port range for tests.
- - If query list is full, will stop selecting listening ports for read.
- This makes all threads service incoming requests, instead of one.
- No memory is leaking during reloads, service of queries, etc.
- - test that uses ldns-testns -f to test threading. Have to answer
- three queries at the same time.
- - with verbose=0 operates quietly.
-
-26 February 2007: Wouter
- - ub_random code used to select ID and port.
- - log code prints thread id.
- - unbound can thread itself, with reload(HUP) and quit working
- correctly.
- - don't open pipes for #0, doesn't need it.
- - listens to SIGTERM, SIGQUIT, SIGINT (all quit) and SIGHUP (reload).
-
-23 February 2007: Wouter
- - Can do reloads on sigHUP. Everything is stopped, and freed,
- except the listening ports. Then the config file is reread.
- And everything is started again (and listening ports if needed).
- - Ports for queries are shared.
- - config file added interface:, chroot: and username:.
- - config file: directory, logfile, pidfile. And they work too.
- - will daemonize by default now. Use -d to stay in the foreground.
- - got BSD random[256 state] code, made it threadsafe. util/random.
-
-22 February 2007: Wouter
- - Have a config file. Removed commandline options, moved to config.
- - tests use config file.
-
-21 February 2007: Wouter
- - put -c option in man page.
- - minievent fd array capped by FD_SETSIZE.
-
-20 February 2007: Wouter
- - Added locks code and pthread spinlock detection.
- - can use no locks, or solaris native thread library.
- - added yacc and lex configure, and config file parsing code.
- also makedist.sh, and manpage.
- - put include errno.h in config.h
-
-19 February 2007: Wouter
- - Created 0.0 svn tag.
- - added acx_pthread.m4 autoconf check for pthreads from
- the autoconf archive. It is GPL-with-autoconf-exception Licensed.
- You can specify --with-pthreads, or --without-pthreads to configure.
-
-16 February 2007: Wouter
- - Updated testbed script, works better by using make on remote end.
- - removed check decls, we can compile without them.
- - makefile supports LIBOBJ replacements.
- - docs checks ignore compat code.
- - added util/mini-event.c and .h, a select based alternative used with
- ./configure --with-libevent=no
- It is limited to 1024 file descriptors, and has less features.
- - will not create ip6 sockets if ip6 not on the machine.
-
-15 February 2007: Wouter
- - port to FreeBSD 4.11 Dec Alpha. Also works on Solaris 10 sparc64,
- Solaris 9, FreeBSD 6, Linux i386 and OSX powerpc.
- - malloc rndstate, so that it is aligned for access.
- - fixed rbtree cleanup with postorder traverse.
- - fixed pending messages are deleted when handled.
- - You can control verbosity; default is not verbose, every -v
- adds more verbosity.
-
-14 February 2007: Wouter
- - Included configure.ac changes from ldns.
- - detect (some) headers before the standards check.
- - do not use isblank to test c99, since its not available on solaris9.
- - review of testcode.
- * entries in a RANGE are no longer reversed.
- * print name of file with replay entry parse errors.
- - port to OSX: cast to int for some prints of sizet.
- - Makefile copies ldnstestpkts.c before doing dependencies on it.
-
-13 February 2007: Wouter
- - work on fake events, first fwd replay works.
- - events can do timeouts and errors on queries to servers.
- - test package that runs replay scenarios.
-
-12 February 2007: Wouter
- - work on fake events.
-
-9 February 2007: Wouter
- - replay file reading.
- - fake event setup, it creates fake structures, and teardowns,
- added signal callbacks to reply to be able to fake those,
- and main structure of event replay routines.
-
-8 February 2007: Wouter
- - added tcp test.
- - replay storage.
- - testcode/fake_event work.
-
-7 February 2007: Wouter
- - return answer with the same ID as query was sent with.
- - created udp forwarder test. I've done some effort to make it perform
- quickly. After servers are created, no big sleep statements but
- it checks the logfiles to see if servers have come up. Takes 0.14s.
- - set addrlen value when calling recvfrom.
- - comparison of addrs more portable.
- - LIBEVENT option for testbed to set libevent directory.
- - work on tcp input.
-
-6 February 2007: Wouter
- - reviewed code and improved in places.
-
-5 February 2007: Wouter
- - Picked up stdc99 and other define tests from ldns. Improved
- POSIX define test to include getaddrinfo.
- - defined constants for netevent callback error code.
- - unit test for strisip6.
-
-2 February 2007: Wouter
- - Created udp4 and udp6 port arrays to provide service for both
- address families.
- - uses IPV6_USE_MIN_MTU for udp6 ,IPV6_V6ONLY to make ip6 sockets.
- - listens on both ip4 and ip6 ports to provide correct return address.
- - worker fwder address filled correctly.
- - fixup timer code.
- - forwards udp queries and sends answer.
-
-1 February 2007: Wouter
- - outside network more UDP work.
- - moved * closer to type.
- - comm_timer object and events.
-
-31 January 2007: Wouter
- - Added makedist.sh script to make release tarball.
- - Removed listen callback layer, did not add anything.
- - Added UDP recv to netevent, worker callback for udp.
- - netevent communication reply storage structure.
- - minimal query header sanity checking for worker.
- - copied over rbtree implementation from NSD (BSD licensed too).
- - outgoing network query service work.
-
-30 January 2007: Wouter
- - links in example/ldns-testpkts.c and .h for premade packet support.
- - added callback argument to listen_dnsport and daemon/worker.
-
-29 January 2007: Wouter
- - unbound.8 a short manpage.
-
-26 January 2007: Wouter
- - fixed memleak.
- - make lint works on BSD and Linux (openssl defines).
- - make tags works.
- - testbound program start.
-
-25 January 2007: Wouter
- - fixed lint so it may work on BSD.
- - put license into header of every file.
- - created verbosity flag.
- - fixed libevent configure flag.
- - detects event_base_free() in new libevent 1.2 version.
- - getopt in daemon. fatal_exit() and verbose() logging funcs.
- - created log_assert, that throws assertions to the logfile.
- - listen_dnsport service. Binds ports.
-
-24 January 2007: Wouter
- - cleaned up configure.ac.
-
-23 January 2007: Wouter
- - added libevent to configure to link with.
- - util/netevent setup work.
- - configure searches for libevent.
- - search for libs at end of configure (when other headers and types
- have been found).
- - doxygen works with ATTR_UNUSED().
- - util/netevent implementation.
-
-22 January 2007: Wouter
- - Designed header file for network communication.
-
-16 January 2007: Wouter
- - added readme.svn and readme.tests.
-
-4 January 2007: Wouter
- - Testbed script (run on multiple platforms the test set).
- Works on Sunos9, Sunos10, FreeBSD 6.1, Fedora core 5.
- - added unit test tpkg.
-
-3 January 2007: Wouter
- - committed first set of files into subversion repository.
- svn co svn+ssh://unbound.net/svn/unbound
- You need a ssh login. There is no https access yet.
- - Added LICENSE, the BSD license.
- - Added doc/README with compile help.
- - main program stub and quiet makefile.
- - minimal logging service (to stderr).
- - added postcommit hook that serves emails.
- - added first test 00-lint. postcommit also checks if build succeeds.
- - 01-doc: doxygen doc target added for html docs. And stringent test
- on documented files, functions and parameters.
-
-15 December 2006: Wouter
- - Created Makefile.in and configure.ac.
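Review bot: this hunk drops the upstream Changelog without leaving a pointer to where the vendored copy's history now lives; if the library itself stays in the tree, add one line (in the commit message or a small README under external/unbound) naming the upstream source, since the only location visible in the removed entries is the long-outdated "svn co svn+ssh://unbound.net/svn/unbound" with "no https access yet". Also confirm that no build or test target still refers to doc/ (the 3 January 2007 entry mentions a "01-doc" doxygen target and "00-lint" check), otherwise the deletion breaks them.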
diff --git a/external/unbound/doc/FEATURES b/external/unbound/doc/FEATURES
deleted file mode 100644
index 076988ea9..000000000
--- a/external/unbound/doc/FEATURES
+++ /dev/null
@@ -1,103 +0,0 @@
-Unbound Features
-
-(C) Copyright 2008, Wouter Wijngaards, NLnet Labs.
-
-
-This document describes the features and RFCs that unbound
-adheres to, and which ones are decided to be out of scope.
-
-
-Big Features
-------------
-Recursive service.
-Caching service.
-Forwarding and stub zones.
-Very limited authoritative service.
-DNSSEC Validation options.
-EDNS0, NSEC3, IPv6, DNAME, Unknown-RR-types.
-RSASHA256, GOST, ECDSA, SHA384 DNSSEC algorithms.
-
-Details
--------
-Processing support
-RFC 1034-1035: as a recursive, caching server. Not authoritative.
- including CNAMEs, referrals, wildcards, classes, ...
- AAAA type, and IP6 dual stack support.
- type ANY queries are supported, class ANY queries are supported.
-RFC 1123, 6.1 Requirements for DNS of internet hosts.
-RFC 4033-4035: as a validating caching server (unbound daemon).
- as a validating stub (libunbound).
-RFC 1918.
-RFC 1995, 1996, 2136: not authoritative, so no AXFR, IXFR, NOTIFY or
- dynamic update services are appropriate.
-RFC 2181: completely, including the trust model, keeping rrsets together.
-RFC 2308: TTL directive, and the rest of the RFC too.
-RFC 2671: EDNS0 support, default advertisement 4Kb size.
-RFC 2672: DNAME support.
-RFC 3597: Unknown RR type support.
-RFC 4343: case insensitive handling of domain names.
-RFC 4509: SHA256 DS hash.
-RFC 4592: wildcards.
-RFC 4697: No DNS Resolution Misbehavior.
-RFC 5011: update of trust anchors with timers.
-RFC 5155: NSEC3, NSEC3PARAM types
-RFC 5358: reflectors-are-evil: access control list for recursive
- service. In fact for all DNS service so cache snooping is halted.
-RFC 5452: forgery resilience. all recommendations followed.
-RFC 5702: RSASHA256 signature algorithm.
-RFC 5933: GOST signature algorithm.
-RFC 6303: default local zones.
- It is possible to block zones or return an address for localhost.
- This is a very limited authoritative service. Defaults as in draft.
-RFC 6604: xNAME RCODE and status bits.
-RFC 6605: ECDSA signature algorithm, SHA384 DS hash.
-
-chroot and drop-root-privileges support, default enabled in config file.
-
-AD bit in query can be used to request AD bit in response (w/o using DO bit).
-CD bit in query can be used to request bogus data.
-UDP and TCP service is provided downstream.
-UDP and TCP are used to request from upstream servers.
-SSL wrapped TCP service can be used upstream and provided downstream.
-Multiple queries can be made over a TCP stream.
-
-No TSIG support at this time.
-No SIG0 support at this time.
-No dTLS support at this time.
-This is not a DNS statistics package, but some operationally useful
-values are provided via unbound-control stats.
-TXT RRs from the Chaos class (id.server, hostname.bind, ...) are supported.
-
-draft-0x20: implemented, use caps-for-id option to enable use.
- Also implements bitwise echo of the query to support downstream 0x20.
-draft-ietf-dnsop-resolver-priming(-00): can prime and can fallback to
- a safety belt list.
-draft-ietf-dnsop-dnssec-trust-anchor(-01): DS records can be configured
- as trust anchors. Also DNSKEYs are allowed, by the way.
-draft-ietf-dnsext-dnssec-bis-updates: supported.
-
-Record type syntax support, extensive, from lib ldns.
-For these types only syntax and parsing support is needed.
-RFC 1034-1035: basic RR types.
-RFC 1183: RP, AFSDB, X25, ISDN, RT
-RFC 1706: NSAP
-RFC 2535: KEY, SIG, NXT: treated as unknown data, syntax is parsed (obsolete).
-2163: PX
-AAAA type
-1876: LOC type
-2782: SRV type
-2915: NAPTR type.
-2230: KX type.
-2538: CERT type.
-2672: DNAME type.
-OPT type
-3123: APL
-3596: AAAA
-SSHFP type
-4025: IPSECKEY
-4033-4035: DS, RRSIG, NSEC, DNSKEY
-4701: DHCID
-5155: NSEC3, NSEC3PARAM
-4408: SPF
-6944: DNSKEY algorithm status
-
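Review bot: the removed FEATURES text is the in-tree statement of this resolver's security scope, both what it does not provide ("No TSIG support", "No SIG0 support", "No dTLS support") and what it relies on (RFC 5358 access control for recursive service "so cache snooping is halted", RFC 5452 forgery resilience, RFC 5011 timed trust anchor updates, and "chroot and drop-root-privileges support, default enabled in config file"). If the vendored library remains, keep a pointer to the upstream FEATURES document or record the vendored version so anyone configuring it can re-check these limits instead of assuming, for example, that TSIG-protected upstreams are supported.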
diff --git a/external/unbound/doc/LICENSE b/external/unbound/doc/LICENSE
deleted file mode 100644
index 1859c095a..000000000
--- a/external/unbound/doc/LICENSE
+++ /dev/null
@@ -1,30 +0,0 @@
-Copyright (c) 2007, NLnet Labs. All rights reserved.
-
-This software is open source.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-
-Redistributions of source code must retain the above copyright notice,
-this list of conditions and the following disclaimer.
-
-Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-Neither the name of the NLNET LABS nor the names of its contributors may
-be used to endorse or promote products derived from this software without
-specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
-TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
-PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
-LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
-NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
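Review bot: deleting this file removes the BSD notice whose own terms ("Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer", and the binary-form clause that follows it) require the text to travel with any copy of the Unbound sources or binaries. This is only acceptable if the identical notice still ships elsewhere in the tree and reaches the installed package; please state where in the commit message, or keep this one file even while the rest of doc/ goes.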
diff --git a/external/unbound/doc/README b/external/unbound/doc/README
deleted file mode 100644
index 558a48071..000000000
--- a/external/unbound/doc/README
+++ /dev/null
@@ -1,149 +0,0 @@
-README for Unbound 1.6.3
-Copyright 2007 NLnet Labs
-http://unbound.net
-
-This software is under BSD license, see LICENSE for details.
-The DNS64 module has BSD license in dns64/dns64.c.
-The DNSTAP code has BSD license in dnstap/dnstap.c.
-
-* Download the latest release version of this software from
- http://unbound.net
- or get a beta version from the svn repository at
- http://unbound.net/svn/
-
-* Uses the following libraries;
- * libevent http://www.monkey.org/~provos/libevent/ (BSD license)
- (optional) can use builtin alternative instead.
- * libexpat (for the unbound-anchor helper program) (MIT license)
-
-* Make and install: ./configure; make; make install
- * --with-libevent=/path/to/libevent
- Can be set to either the system install or the build directory.
- --with-libevent=no (default) gives a builtin alternative
- implementation. libevent is useful when having many (thousands)
- of outgoing ports. This improves randomization and spoof
- resistance. For the default of 16 ports the builtin alternative
- works well and is a little faster.
- * --with-libexpat=/path/to/libexpat
- Can be set to the install directory of libexpat.
- * --without-pthreads
- This disables pthreads. Without this option the pthreads library
- is detected automatically. Use this option to disable threading
- altogether, or, on Solaris, also use --with(out)-solaris-threads.
- * --enable-checking
- This enables assertions in the code that guard against a variety of
- programming errors, among which buffer overflows. The program exits
- with an error if an assertion fails (but the buffer did not overflow).
- * --enable-static-exe
- This enables a debug option to statically link against the
- libevent library.
- * --enable-lock-checks
- This enables a debug option to check lock and unlock calls. It needs
- a recent pthreads library to work.
- * --enable-alloc-checks
- This enables a debug option to check malloc (calloc, realloc, free).
- The server periodically checks if the amount of memory used fits with
- the amount of memory it thinks it should be using, and reports
- memory usage in detail.
- * --with-conf-file=filename
- Set default location of config file,
- the default is /usr/local/etc/unbound/unbound.conf.
- * --with-pidfile=filename
- Set default location of pidfile,
- the default is /usr/local/etc/unbound/unbound.pid.
- * --with-run-dir=path
- Set default working directory,
- the default is /usr/local/etc/unbound.
- * --with-chroot-dir=path
- Set default chroot directory,
- the default is /usr/local/etc/unbound.
- * --with-rootkey-file=path
- Set the default root.key path. This file is read and written.
- the default is /usr/local/etc/unbound/root.key
- * --with-rootcert-file=path
- Set the default root update certificate path. A builtin certificate
- is used if this file is empty or does not exist.
- the default is /usr/local/etc/unbound/icannbundle.pem
- * --with-username=user
- Set default user name to change to,
- the default is the "unbound" user.
- * --with-pyunbound
- Create libunbound wrapper usable from python.
- Needs python-devel and swig development tools.
- * --with-pythonmodule
- Compile the python module that processes responses in the server.
- * --disable-sha2
- Disable support for RSASHA256 and RSASHA512 crypto.
- * --disable-gost
- Disable support for GOST crypto, RFC 5933.
-
-* 'make test' runs a series of self checks.
-
-Known issues
-------------
-o If there are no replies for a forward or stub zone, for a reverse zone,
- you may need to add a local-zone: name transparent or nodefault to the
- server: section of the config file to unblock the reverse zone.
- Only happens for (sub)zones that are blocked by default; e.g. 10.in-addr.arpa
-o If libevent is older (before 1.3c), unbound will exit instead of reload
- on sighup. On a restart 'did not exit gracefully last time' warning is
- printed. Perform ./configure --with-libevent=no or update libevent, rerun
- configure and recompile unbound to make sighup work correctly.
- It is strongly suggested to use a recent version of libevent.
-o If you are not receiving the correct source IP address on replies (e.g.
- you are running a multihomed, anycast server), the interface-automatic
- option can be enabled to set socket options to achieve the correct
- source IP address on UDP replies. Listing all IP addresses explicitly in
- the config file is an alternative. The interface-automatic option uses
- non portable socket options, Linux and FreeBSD should work fine.
-o The warning 'openssl has no entropy, seeding with time', with chroot
- enabled, may be solved with a symbolic link to /dev/random from <chrootdir>.
-o On Solaris 5.10 some libtool packages from repositories do not work with
- gcc, showing errors gcc: unrecognized option `-KPIC'
- To solve this do ./configure libtool=./libtool [your options...].
- On Solaris you may pass CFLAGS="-xO4 -xtarget=generic" if you use sun-cc.
-o If unbound-control (or munin graphs) do not work, this can often be because
- the unbound-control-setup script creates the keys with restricted
- permissions, and the files need to be made readable or ownered by both the
- unbound daemon and unbound-control.
-o Crosscompile seems to hang. You tried to install unbound under wine.
- wine regedit and remove all the unbound entries from the registry or
- delete .wine/drive_c.
-
-Acknowledgements
-----------------
-o Unbound was written in portable C by Wouter Wijngaards (NLnet Labs).
-o Thanks to David Blacka and Matt Larson (Verisign) for the unbound-java
- prototype. Design and code from that prototype has been used to create
- this program. Such as the iterator state machine and the cache design.
-o Other code origins are from the NSD (NLnet Labs) and LDNS (NLnet Labs)
- projects. Such as buffer, region-allocator and red-black tree code.
-o See Credits file for contributors.
-
-
-Your Support
-------------
-NLnet Labs offers all of its software products as open source, most are
-published under a BSD license. You can download them, not only from the
-NLnet Labs website but also through the various OS distributions for
-which NSD, ldns, and Unbound are packaged. We therefore have little idea
-who uses our software in production environments and have no direct ties
-with 'our customers'.
-
-Therefore, we ask you to contact us at users@NLnetLabs.nl and tell us
-whether you use one of our products in your production environment,
-what that environment looks like, and maybe even share some praise.
-We would like to refer to the fact that your organization is using our
-products. We will only do that if you explicitly allow us. In all other
-cases we will keep the information you share with us to ourselves.
-
-In addition to the moral support you can also support us
-financially. NLnet Labs is a recognized not-for-profit charity foundation
-that is chartered to develop open-source software and open-standards
-for the Internet. If you use our software to satisfaction please express
-that by giving us a donation. For small donations PayPal can be used. For
-larger and regular donations please contact us at users@NLnetLabs.nl. Also
-see http://www.nlnetlabs.nl/labs/contributors/.
-
-
-* mailto:unbound-bugs@nlnetlabs.nl
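Review bot: The troubleshooting item removed at the top of this hunk ("If unbound-control (or munin graphs) do not work ...") is the only in-tree statement that unbound-control-setup creates its key files with restricted permissions and that they must be readable by, or owned by, both the unbound daemon and unbound-control; if the vendored unbound is still built with remote control enabled, keep that sentence in a project-level README or point to the upstream document, otherwise the next person debugging a failing control connection has no guidance and is likely to loosen the key file modes further than necessary. The "Acknowledgements" and "Your Support" sections can go without comment.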
diff --git a/external/unbound/doc/README.DNS64 b/external/unbound/doc/README.DNS64
deleted file mode 100644
index 49446ac57..000000000
--- a/external/unbound/doc/README.DNS64
+++ /dev/null
@@ -1,30 +0,0 @@
-The DNS64 code was written by Viagenie, 2009, by Simon Perrault as part
-of the Ecdysis project. The code is copyright by them, and has the BSD
-license (see the dns64/dns64.c file).
-
-To enable DNS64 functionality in Unbound, two directives in unbound.conf must
-be edited:
-
-1. The "module-config" directive must start with "dns64". For example:
-
- module-config: "dns64 validator iterator"
-
-If you're not using DNSSEC then you may remove "validator".
-
-2. The "dns64-prefix" directive indicates your DNS64 prefix. For example:
-
- dns64-prefix: 64:FF9B::/96
-
-The prefix must be a /96 or shorter.
-
-To test that things are working right, perform a query against Unbound for a
-domain name for which no AAAA record exists. You should see a AAAA record in
-the answer section. The corresponding IPv6 address will be inside the DNS64
-prefix. For example:
-
- $ unbound -c unbound.conf
- $ dig @localhost jazz-v4.viagenie.ca aaaa
- [...]
- ;; ANSWER SECTION:
- jazz-v4.viagenie.ca. 86400 IN AAAA 64:ff9b::ce7b:1f02
-
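Review bot: Two things in this deleted file deserve a check before it goes. First, it carries the attribution and BSD licence notice for the Viagenie DNS64 code and defers to dns64/dns64.c for the licence text; confirm that dns64/dns64.c still contains that notice if the DNS64 module remains in the vendored tree, so the deletion does not remove the attribution. Second, it is the only description of the two constraints DNS64 depends on, that "dns64" must be the first entry in module-config and that dns64-prefix must be a /96 or shorter; if the project configures DNS64 anywhere, copy those two lines next to that configuration or reference the upstream document.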
diff --git a/external/unbound/doc/README.svn b/external/unbound/doc/README.svn
deleted file mode 100644
index b887e308c..000000000
--- a/external/unbound/doc/README.svn
+++ /dev/null
@@ -1,17 +0,0 @@
-README.svn
-
-For a svn checkout:
-* configure script, aclocal.m4, as well as yacc/lex output files are
- committed to the repository.
-* use --enable-debug flag for configure to enable dependency tracking and
- assertions, otherwise, use make clean; make after svn update.
-
-* Note changes in the Changelog.
-* Every check-in a postcommit hook is run
- (the postcommit hook is in the svn/unbound/hooks directory).
- * generates commit email with your changes and comment.
- * compiles and runs the tests (with testcode/do-tests.sh).
- * If build errors or test errors happen
- * Please fix your errors and commit again.
-
-* Use gnu make to compile, make or 'gmake'.
diff --git a/external/unbound/doc/README.tests b/external/unbound/doc/README.tests
deleted file mode 100644
index 5385e2b22..000000000
--- a/external/unbound/doc/README.tests
+++ /dev/null
@@ -1,24 +0,0 @@
-README unbound tests
-
-For a quick test that runs unit tests and state machine tests, use
- make test
-
-There is a long test setup for unbound that needs tools installed. Use
- make longtest
-To make and run the long tests. The results are summarized at the end.
-
-You need to have the following programs installed and in your PATH.
-* dig - from the bind-tools package. Used to send DNS queries.
-* splint (optional) - for lint test
-* doxygen (optional) - for doc completeness test
-* ldns-testns - from ldns examples. Used as DNS auth server.
-* xxd and nc (optional) - for (malformed) packet transmission.
-The optional programs are detected and can be omitted.
-
-testdata/ contains the data for tests.
-testcode/ contains scripts and c code for the tests.
-
-do-tests.sh : runs all the tests in the testdata directory.
-testbed.sh : compiles on a set of (user specific) hosts and runs do-tests.
-
-Tests are run using testcode/mini_tpkg.sh.
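Review bot: Removing README.tests leaves no in-tree record that the vendored copy has a test entry point ("make test" for unit and state machine tests, "make longtest" for the full suite) or of the tools the long test needs (dig, ldns-testns, optionally splint, doxygen, xxd and nc); if the project never runs the upstream suite against its copy, say so in the commit message or the project's own documentation, otherwise this short file is cheap to keep and is the only pointer to testcode/do-tests.sh and testcode/mini_tpkg.sh.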
diff --git a/external/unbound/doc/TODO b/external/unbound/doc/TODO
deleted file mode 100644
index bfeef4aa4..000000000
--- a/external/unbound/doc/TODO
+++ /dev/null
@@ -1,76 +0,0 @@
-TODO items. These are interesting todo items.
-o understand synthesized DNAMEs, so those TTL=0 packets are cached properly.
-o NSEC/NSEC3 aggressive negative caching, so that updates to NSEC/NSEC3
- will result in proper negative responses.
-o (option) where port 53 is used for send and receive, no other ports are used.
-o (option) to not send replies to clients after a timeout of (say 5 secs) has
- passed, but keep task active for later retries by client.
-o (option) private TTL feature (always report TTL x in answers).
-o (option) pretend-dnssec-unaware, and pretend-edns-unaware modes for workshops.
-o delegpt use rbtree for ns-list, to avoid slowdown for very large NS sets.
-o (option) reprime and refresh oft used data before timeout.
-o (option) retain prime results in a overlaid roothints file.
-o (option) store primed key data in a overlaid keyhints file (sort of like drafttimers).
-o windows version, auto update feature, a query to check for the version.
-o command the server with TSIG inband. get-config, clearcache,
- get stats, get memstats, get ..., reload, clear one zone from cache
-o NSID rfc 5001 support.
-o timers rfc 5011 support.
-o Treat YXDOMAIN from a DNAME properly, in iterator (not throwaway), validator.
-o make timeout backoffs randomized (a couple percent random) to spread traffic.
-o inspect date on executable, then warn user in log if its more than 1 year.
-o (option) proactively prime root, stubs and trust anchors, feature.
- early failure, faster on first query, but more traffic.
-o library add convenience functions for A, AAAA, PTR, getaddrinfo, libresolve.
-o library add function to validate input from app that is signed.
-o add dynamic-update requests (making a dynupd request) to libunbound api.
-o SIG(0) and TSIG.
-o support OPT record placement on recv anywhere in the additional section.
-o add local-file: config with authority features.
-o (option) to make local-data answers be secure for libunbound (default=no)
-o (option) to make chroot: copy all needed files into jail (or make jail)
- perhaps also print reminder to link /dev/random and sysloghack.
-o overhaul outside-network servicedquery to merge with udpwait and tcpwait,
- to make timers in servicedquery independent of udpwait queues.
-o check into rebinding ports for efficiency, configure time test.
-o EVP hardware crypto support.
-o option to ignore all inception and expiration dates for rrsigs.
-o cleaner code; return and func statements on newline.
-o memcached module that sits before validator module; checks for memcached
- data (on local lan), stores recursion lookup. Provides one cache for multiple resolver machines, coherent reply content in anycast setup.
-o no openssl_add_all_algorithms, but only the ones necessary, less space.
-o listen to NOTIFY messages for zones and flush the cache for that zone
- if received. Useful when also having a stub to that auth server.
- Needs proper protection, TSIG, in place.
-o winevent - do not go more than 64 fds (by polling with select one by
- one), win95/98 have 100fd limit in the kernel, so this ruins w9x portability.
-
-*** Features features, for later
-* dTLS, TLS, look to need special port numbers, cert storage, recent libssl.
-* aggressive negative caching for NSEC, NSEC3.
-* multiple queries per question, server exploration, server selection.
-* support TSIG on queries, for validating resolver deployment.
-* retry-mode, where a bogus result triggers a retry-mode query, where a list
- of responses over a time interval is collected, and each is validated.
- or try in TCP mode. Do not 'try all servers several times', since we must
- not create packet storms with operator errors.
-o on windows version, implement that OS ancillary data capabilities for
- interface-automatic. IPPKTINFO, IP6PKTINFO for WSARecvMsg, WSASendMsg.
-o local-zone directive with authority service, full authority server
- is a non-goal.
-o infra and lame cache: easier size config (in Mb), show usage in graphs.
-- store time of dump in cachedumps, so that on a load the ttls can be
- compared to the absolute time, and now-expired items can be dealt with.
-
-later
-- selective verbosity; ubcontrol trace example.com
-- cache fork-dump, pre-load
-- for fwds, send queries to N servers in fwd-list, use first reply.
- document high scalable, high available unbound setup onepager.
-- prefetch DNSKEY when DS in delegation seen (nonCD, underTA).
-- use libevent if available on system by default(?), default outgoing 256to1024
-
-[1] BIND-like query logging to see who's looking up what and when
-[2] more logging about stuff like SERVFAIL and REFUSED responses
-[3] a Makefile that works without gnumake
-
diff --git a/external/unbound/doc/control_proto_spec.txt b/external/unbound/doc/control_proto_spec.txt
deleted file mode 100644
index d26258f1e..000000000
--- a/external/unbound/doc/control_proto_spec.txt
+++ /dev/null
@@ -1,70 +0,0 @@
-
-Specification for the unbound-control protocol.
-
-Server listens on 8953 TCP (localhost by default). Client connects,
-SSLv3 or TLSv1 connection setup (server selfsigned certificate,
-client has cert signed by server certificate).
-
-Port 8953 is registered with IANA as:
-ub-dns-control 8953/tcp unbound dns nameserver control
-# Wouter Wijngaards <wouter&nlnetlabs.nl> 10 May 2011
-On may 11 2011, ticket [IANA #442315].
-
-Query and Response
-------------------
-Client sends
- UBCT[version] [commandline] \n
- fixed string UBCT1 (for version 1), then an ascii text line,
- with a command, some whitespace allowed. Line ends with '\n'.
-
-Server executes command. And sends reply in ascii text over channel,
-closes the channel when done.
- in case of error the first line of the response is:
- error <descriptive text possible> \n
- or the remainder is data of the response, for many commands the
- response is 'ok\n'.
-
-Queries and responses
----------------------
-stop
- stops the server.
-reload
- reloads the config file, and flushes the cache.
-verbosity <new value>
- Change logging verbosity to new value.
-stats
- output is a list of [name]=[value] lines.
- clears the counters.
-dump_cache
- output is a text representation of the cache contents.
- data ends with a line 'EOF' before connection close.
-load_cache
- client sends cache contents (like from dump_cache), which is stored
- in the cache. end of data indicated with a line with 'EOF' on it.
- The data is sent after the query line.
-flush <name>
- flushes some information regarding the name from the cache.
- removes the A, AAAA, NS, SOA, CNAME, DNAME, MX, PTR, SRV, NAPTR types.
- Does not remove other types.
-flush_type <name> <RR type>
- removes rrtype entry from the cache.
-flush_zone <name>
- removes name and everything below that name from the cache.
- has to search through the cache item by item, so this is slow.
-lookup <name>
- see what servers would be queried for a lookup of the given name.
-local_zone_remove <name of local-zone entry>
- the local-zone entry is removed.
- All data from the local zone is also deleted.
- If it did not exist, nothing happens.
-local_zone <name of local zone> <type>
- As the config file entry. Adds new local zone or updates
- existing zone type.
-local_data_remove <name>
- Removes local-data (all types) name.
-local_data <resource record string>
- Add new local data record (on the rest of the line).
- local_data_add www.example.com. IN A 192.0.2.2
- if no local_zone exists for it; a transparent zone with the same
- name as the data is created.
-Other commands in the unbound-control manual page.
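Review bot: This spec is the only place in the tree that states the unbound-control trust model (TCP 8953, localhost by default, an SSLv3/TLSv1 channel with a self-signed server certificate and a client certificate signed by that server certificate) and that commands such as load_cache, local_zone and local_data let an authenticated client write directly into the cache and local data; if the project exposes unbound-control at all, keep the file or link the upstream copy so that anyone reviewing the control listener knows it must stay localhost-only or certificate-authenticated. Separately, the example under "local_data" reads "local_data_add www.example.com. IN A 192.0.2.2", which does not match the command name above it; harmless in a deletion, but worth correcting if the text is preserved elsewhere.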
diff --git a/external/unbound/doc/example.conf.in b/external/unbound/doc/example.conf.in
deleted file mode 100644
index 3411d7edb..000000000
--- a/external/unbound/doc/example.conf.in
+++ /dev/null
@@ -1,809 +0,0 @@
-#
-# Example configuration file.
-#
-# See unbound.conf(5) man page, version 1.6.3.
-#
-# this is a comment.
-
-#Use this to include other text into the file.
-#include: "otherfile.conf"
-
-# The server clause sets the main parameters.
-server:
- # whitespace is not necessary, but looks cleaner.
-
- # verbosity number, 0 is least verbose. 1 is default.
- verbosity: 1
-
- # print statistics to the log (for every thread) every N seconds.
- # Set to "" or 0 to disable. Default is disabled.
- # statistics-interval: 0
-
- # enable shm for stats, default no. if you enable also enable
- # statistics-interval, every time it also writes stats to the
- # shared memory segment keyed with shm-key.
- # shm-enable: no
-
- # shm for stats uses this key, and key+1 for the shared mem segment.
- # shm-key: 11777
-
- # enable cumulative statistics, without clearing them after printing.
- # statistics-cumulative: no
-
- # enable extended statistics (query types, answer codes, status)
- # printed from unbound-control. default off, because of speed.
- # extended-statistics: no
-
- # number of threads to create. 1 disables threading.
- # num-threads: 1
-
- # specify the interfaces to answer queries from by ip-address.
- # The default is to listen to localhost (127.0.0.1 and ::1).
- # specify 0.0.0.0 and ::0 to bind to all available interfaces.
- # specify every interface[@port] on a new 'interface:' labelled line.
- # The listen interfaces are not changed on reload, only on restart.
- # interface: 192.0.2.153
- # interface: 192.0.2.154
- # interface: 192.0.2.154@5003
- # interface: 2001:DB8::5
-
- # enable this feature to copy the source address of queries to reply.
- # Socket options are not supported on all platforms. experimental.
- # interface-automatic: no
-
- # port to answer queries from
- # port: 53
-
- # specify the interfaces to send outgoing queries to authoritative
- # server from by ip-address. If none, the default (all) interface
- # is used. Specify every interface on a 'outgoing-interface:' line.
- # outgoing-interface: 192.0.2.153
- # outgoing-interface: 2001:DB8::5
- # outgoing-interface: 2001:DB8::6
-
- # Specify a netblock to use remainder 64 bits as random bits for
- # upstream queries. Uses freebind option (Linux).
- # outgoing-interface: 2001:DB8::/64
- # Also (Linux:) ip -6 addr add 2001:db8::/64 dev lo
- # And: ip -6 route add local 2001:db8::/64 dev lo
- # And set prefer-ip6: yes to use the ip6 randomness from a netblock.
- # Set this to yes to prefer ipv6 upstream servers over ipv4.
- # prefer-ip6: no
-
- # number of ports to allocate per thread, determines the size of the
- # port range that can be open simultaneously. About double the
- # num-queries-per-thread, or, use as many as the OS will allow you.
- # outgoing-range: 4096
-
- # permit unbound to use this port number or port range for
- # making outgoing queries, using an outgoing interface.
- # outgoing-port-permit: 32768
-
- # deny unbound the use this of port number or port range for
- # making outgoing queries, using an outgoing interface.
- # Use this to make sure unbound does not grab a UDP port that some
- # other server on this computer needs. The default is to avoid
- # IANA-assigned port numbers.
- # If multiple outgoing-port-permit and outgoing-port-avoid options
- # are present, they are processed in order.
- # outgoing-port-avoid: "3200-3208"
-
- # number of outgoing simultaneous tcp buffers to hold per thread.
- # outgoing-num-tcp: 10
-
- # number of incoming simultaneous tcp buffers to hold per thread.
- # incoming-num-tcp: 10
-
- # buffer size for UDP port 53 incoming (SO_RCVBUF socket option).
- # 0 is system default. Use 4m to catch query spikes for busy servers.
- # so-rcvbuf: 0
-
- # buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
- # 0 is system default. Use 4m to handle spikes on very busy servers.
- # so-sndbuf: 0
-
- # use SO_REUSEPORT to distribute queries over threads.
- # so-reuseport: no
-
- # use IP_TRANSPARENT so the interface: addresses can be non-local
- # and you can config non-existing IPs that are going to work later on
- # (uses IP_BINDANY on FreeBSD).
- # ip-transparent: no
-
- # use IP_FREEBIND so the interface: addresses can be non-local
- # and you can bind to nonexisting IPs and interfaces that are down.
- # Linux only. On Linux you also have ip-transparent that is similar.
- # ip-freebind: no
-
- # EDNS reassembly buffer to advertise to UDP peers (the actual buffer
- # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
- # edns-buffer-size: 4096
-
- # Maximum UDP response size (not applied to TCP response).
- # Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
- # max-udp-size: 4096
-
- # buffer size for handling DNS data. No messages larger than this
- # size can be sent or received, by UDP or TCP. In bytes.
- # msg-buffer-size: 65552
-
- # the amount of memory to use for the message cache.
- # plain value in bytes or you can append k, m or G. default is "4Mb".
- # msg-cache-size: 4m
-
- # the number of slabs to use for the message cache.
- # the number of slabs must be a power of 2.
- # more slabs reduce lock contention, but fragment memory usage.
- # msg-cache-slabs: 4
-
- # the number of queries that a thread gets to service.
- # num-queries-per-thread: 1024
-
- # if very busy, 50% queries run to completion, 50% get timeout in msec
- # jostle-timeout: 200
-
- # msec to wait before close of port on timeout UDP. 0 disables.
- # delay-close: 0
-
- # the amount of memory to use for the RRset cache.
- # plain value in bytes or you can append k, m or G. default is "4Mb".
- # rrset-cache-size: 4m
-
- # the number of slabs to use for the RRset cache.
- # the number of slabs must be a power of 2.
- # more slabs reduce lock contention, but fragment memory usage.
- # rrset-cache-slabs: 4
-
- # the time to live (TTL) value lower bound, in seconds. Default 0.
- # If more than an hour could easily give trouble due to stale data.
- # cache-min-ttl: 0
-
- # the time to live (TTL) value cap for RRsets and messages in the
- # cache. Items are not cached for longer. In seconds.
- # cache-max-ttl: 86400
-
- # the time to live (TTL) value cap for negative responses in the cache
- # cache-max-negative-ttl: 3600
-
- # the time to live (TTL) value for cached roundtrip times, lameness and
- # EDNS version information for hosts. In seconds.
- # infra-host-ttl: 900
-
- # minimum wait time for responses, increase if uplink is long. In msec.
- # infra-cache-min-rtt: 50
-
- # the number of slabs to use for the Infrastructure cache.
- # the number of slabs must be a power of 2.
- # more slabs reduce lock contention, but fragment memory usage.
- # infra-cache-slabs: 4
-
- # the maximum number of hosts that are cached (roundtrip, EDNS, lame).
- # infra-cache-numhosts: 10000
-
- # define a number of tags here, use with local-zone, access-control.
- # repeat the define-tag statement to add additional tags.
- # define-tag: "tag1 tag2 tag3"
-
- # Enable IPv4, "yes" or "no".
- # do-ip4: yes
-
- # Enable IPv6, "yes" or "no".
- # do-ip6: yes
-
- # Enable UDP, "yes" or "no".
- # do-udp: yes
-
- # Enable TCP, "yes" or "no".
- # do-tcp: yes
-
- # upstream connections use TCP only (and no UDP), "yes" or "no"
- # useful for tunneling scenarios, default no.
- # tcp-upstream: no
-
- # Maximum segment size (MSS) of TCP socket on which the server
- # responds to queries. Default is 0, system default MSS.
- # tcp-mss: 0
-
- # Maximum segment size (MSS) of TCP socket for outgoing queries.
- # Default is 0, system default MSS.
- # outgoing-tcp-mss: 0
-
- # Use systemd socket activation for UDP, TCP, and control sockets.
- # use-systemd: no
-
- # Detach from the terminal, run in background, "yes" or "no".
- # Set the value to "no" when unbound runs as systemd service.
- # do-daemonize: yes
-
- # control which clients are allowed to make (recursive) queries
- # to this server. Specify classless netblocks with /size and action.
- # By default everything is refused, except for localhost.
- # Choose deny (drop message), refuse (polite error reply),
- # allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
- # deny_non_local (drop queries unless can be answered from local-data)
- # refuse_non_local (like deny_non_local but polite error reply).
- # access-control: 0.0.0.0/0 refuse
- # access-control: 127.0.0.0/8 allow
- # access-control: ::0/0 refuse
- # access-control: ::1 allow
- # access-control: ::ffff:127.0.0.1 allow
-
- # tag access-control with list of tags (in "" with spaces between)
- # Clients using this access control element use localzones that
- # are tagged with one of these tags.
- # access-control-tag: 192.0.2.0/24 "tag2 tag3"
-
- # set action for particular tag for given access control element
- # if you have multiple tag values, the tag used to lookup the action
- # is the first tag match between access-control-tag and local-zone-tag
- # where "first" comes from the order of the define-tag values.
- # access-control-tag-action: 192.0.2.0/24 tag3 refuse
-
- # set redirect data for particular tag for access control element
- # access-control-tag-data: 192.0.2.0/24 tag2 "A 127.0.0.1"
-
- # Set view for access control element
- # access-control-view: 192.0.2.0/24 viewname
-
- # if given, a chroot(2) is done to the given directory.
- # i.e. you can chroot to the working directory, for example,
- # for extra security, but make sure all files are in that directory.
- #
- # If chroot is enabled, you should pass the configfile (from the
- # commandline) as a full path from the original root. After the
- # chroot has been performed the now defunct portion of the config
- # file path is removed to be able to reread the config after a reload.
- #
- # All other file paths (working dir, logfile, roothints, and
- # key files) can be specified in several ways:
- # o as an absolute path relative to the new root.
- # o as a relative path to the working directory.
- # o as an absolute path relative to the original root.
- # In the last case the path is adjusted to remove the unused portion.
- #
- # The pid file can be absolute and outside of the chroot, it is
- # written just prior to performing the chroot and dropping permissions.
- #
- # Additionally, unbound may need to access /dev/random (for entropy).
- # How to do this is specific to your OS.
- #
- # If you give "" no chroot is performed. The path must not end in a /.
- # chroot: "@UNBOUND_CHROOT_DIR@"
-
- # if given, user privileges are dropped (after binding port),
- # and the given username is assumed. Default is user "unbound".
- # If you give "" no privileges are dropped.
- # username: "@UNBOUND_USERNAME@"
-
- # the working directory. The relative files in this config are
- # relative to this directory. If you give "" the working directory
- # is not changed.
- # If you give a server: directory: dir before include: file statements
- # then those includes can be relative to the working directory.
- # directory: "@UNBOUND_RUN_DIR@"
-
- # the log file, "" means log to stderr.
- # Use of this option sets use-syslog to "no".
- # logfile: ""
-
- # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
- # log to. If yes, it overrides the logfile.
- # use-syslog: yes
-
- # Log identity to report. if empty, defaults to the name of argv[0]
- # (usually "unbound").
- # log-identity: ""
-
- # print UTC timestamp in ascii to logfile, default is epoch in seconds.
- # log-time-ascii: no
-
- # print one line with time, IP, name, type, class for every query.
- # log-queries: no
-
- # print one line per reply, with time, IP, name, type, class, rcode,
- # timetoresolve, fromcache and responsesize.
- # log-replies: no
-
- # the pid file. Can be an absolute path outside of chroot/work dir.
- # pidfile: "@UNBOUND_PIDFILE@"
-
- # file to read root hints from.
- # get one from https://www.internic.net/domain/named.cache
- # root-hints: ""
-
- # enable to not answer id.server and hostname.bind queries.
- # hide-identity: no
-
- # enable to not answer version.server and version.bind queries.
- # hide-version: no
-
- # enable to not answer trustanchor.unbound queries.
- # hide-trustanchor: no
-
- # the identity to report. Leave "" or default to return hostname.
- # identity: ""
-
- # the version to report. Leave "" or default to return package version.
- # version: ""
-
- # the target fetch policy.
- # series of integers describing the policy per dependency depth.
- # The number of values in the list determines the maximum dependency
- # depth the recursor will pursue before giving up. Each integer means:
- # -1 : fetch all targets opportunistically,
- # 0: fetch on demand,
- # positive value: fetch that many targets opportunistically.
- # Enclose the list of numbers between quotes ("").
- # target-fetch-policy: "3 2 1 0 0"
-
- # Harden against very small EDNS buffer sizes.
- # harden-short-bufsize: no
-
- # Harden against unseemly large queries.
- # harden-large-queries: no
-
- # Harden against out of zone rrsets, to avoid spoofing attempts.
- # harden-glue: yes
-
- # Harden against receiving dnssec-stripped data. If you turn it
- # off, failing to validate dnskey data for a trustanchor will
- # trigger insecure mode for that zone (like without a trustanchor).
- # Default on, which insists on dnssec data for trust-anchored zones.
- # harden-dnssec-stripped: yes
-
- # Harden against queries that fall under dnssec-signed nxdomain names.
- # harden-below-nxdomain: no
-
- # Harden the referral path by performing additional queries for
- # infrastructure data. Validates the replies (if possible).
- # Default off, because the lookups burden the server. Experimental
- # implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
- # harden-referral-path: no
-
- # Harden against algorithm downgrade when multiple algorithms are
- # advertised in the DS record. If no, allows the weakest algorithm
- # to validate the zone.
- # harden-algo-downgrade: no
-
- # Sent minimum amount of information to upstream servers to enhance
- # privacy. Only sent minimum required labels of the QNAME and set QTYPE
- # to NS when possible.
- # qname-minimisation: no
-
- # QNAME minimisation in strict mode. Do not fall-back to sending full
- # QNAME to potentially broken nameservers. A lot of domains will not be
- # resolvable when this option in enabled.
- # This option only has effect when qname-minimisation is enabled.
- # qname-minimisation-strict: no
-
- # Use 0x20-encoded random bits in the query to foil spoof attempts.
- # This feature is an experimental implementation of draft dns-0x20.
- # use-caps-for-id: no
-
- # Domains (and domains in them) without support for dns-0x20 and
- # the fallback fails because they keep sending different answers.
- # caps-whitelist: "licdn.com"
- # caps-whitelist: "senderbase.org"
-
- # Enforce privacy of these addresses. Strips them away from answers.
- # It may cause DNSSEC validation to additionally mark it as bogus.
- # Protects against 'DNS Rebinding' (uses browser as network proxy).
- # Only 'private-domain' and 'local-data' names are allowed to have
- # these private addresses. No default.
- # private-address: 10.0.0.0/8
- # private-address: 172.16.0.0/12
- # private-address: 192.168.0.0/16
- # private-address: 169.254.0.0/16
- # private-address: fd00::/8
- # private-address: fe80::/10
- # private-address: ::ffff:0:0/96
-
- # Allow the domain (and its subdomains) to contain private addresses.
- # local-data statements are allowed to contain private addresses too.
- # private-domain: "example.com"
-
- # If nonzero, unwanted replies are not only reported in statistics,
- # but also a running total is kept per thread. If it reaches the
- # threshold, a warning is printed and a defensive action is taken,
- # the cache is cleared to flush potential poison out of it.
- # A suggested value is 10000000, the default is 0 (turned off).
- # unwanted-reply-threshold: 0
-
- # Do not query the following addresses. No DNS queries are sent there.
- # List one address per entry. List classless netblocks with /size,
- # do-not-query-address: 127.0.0.1/8
- # do-not-query-address: ::1
-
- # if yes, the above default do-not-query-address entries are present.
- # if no, localhost can be queried (for testing and debugging).
- # do-not-query-localhost: yes
-
- # if yes, perform prefetching of almost expired message cache entries.
- # prefetch: no
-
- # if yes, perform key lookups adjacent to normal lookups.
- # prefetch-key: no
-
- # if yes, Unbound rotates RRSet order in response.
- # rrset-roundrobin: no
-
- # if yes, Unbound doesn't insert authority/additional sections
- # into response messages when those sections are not required.
- # minimal-responses: no
-
- # true to disable DNSSEC lameness check in iterator.
- # disable-dnssec-lame-check: no
-
- # module configuration of the server. A string with identifiers
- # separated by spaces. Syntax: "[dns64] [validator] iterator"
- # module-config: "validator iterator"
-
- # File with trusted keys, kept uptodate using RFC5011 probes,
- # initial file like trust-anchor-file, then it stores metadata.
- # Use several entries, one per domain name, to track multiple zones.
- #
- # If you want to perform DNSSEC validation, run unbound-anchor before
- # you start unbound (i.e. in the system boot scripts). And enable:
- # Please note usage of unbound-anchor root anchor is at your own risk
- # and under the terms of our LICENSE (see that file in the source).
- # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
-
- # File with DLV trusted keys. Same format as trust-anchor-file.
- # There can be only one DLV configured, it is trusted from root down.
- # DLV is going to be decommissioned. Please do not use it any more.
- # dlv-anchor-file: "dlv.isc.org.key"
-
- # File with trusted keys for validation. Specify more than one file
- # with several entries, one file per entry.
- # Zone file format, with DS and DNSKEY entries.
- # Note this gets out of date, use auto-trust-anchor-file please.
- # trust-anchor-file: ""
-
- # Trusted key for validation. DS or DNSKEY. specify the RR on a
- # single line, surrounded by "". TTL is ignored. class is IN default.
- # Note this gets out of date, use auto-trust-anchor-file please.
- # (These examples are from August 2007 and may not be valid anymore).
- # trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ=="
- # trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A"
-
- # File with trusted keys for validation. Specify more than one file
- # with several entries, one file per entry. Like trust-anchor-file
- # but has a different file format. Format is BIND-9 style format,
- # the trusted-keys { name flag proto algo "key"; }; clauses are read.
- # you need external update procedures to track changes in keys.
- # trusted-keys-file: ""
-
- # Ignore chain of trust. Domain is treated as insecure.
- # domain-insecure: "example.com"
-
- # Override the date for validation with a specific fixed date.
- # Do not set this unless you are debugging signature inception
- # and expiration. "" or "0" turns the feature off. -1 ignores date.
- # val-override-date: ""
-
- # The time to live for bogus data, rrsets and messages. This avoids
- # some of the revalidation, until the time interval expires. in secs.
- # val-bogus-ttl: 60
-
- # The signature inception and expiration dates are allowed to be off
- # by 10% of the signature lifetime (expir-incep) from our local clock.
- # This leeway is capped with a minimum and a maximum. In seconds.
- # val-sig-skew-min: 3600
- # val-sig-skew-max: 86400
-
- # Should additional section of secure message also be kept clean of
- # unsecure data. Useful to shield the users of this validator from
- # potential bogus data in the additional section. All unsigned data
- # in the additional section is removed from secure messages.
- # val-clean-additional: yes
-
- # Turn permissive mode on to permit bogus messages. Thus, messages
- # for which security checks failed will be returned to clients,
- # instead of SERVFAIL. It still performs the security checks, which
- # result in interesting log files and possibly the AD bit in
- # replies if the message is found secure. The default is off.
- # val-permissive-mode: no
-
- # Ignore the CD flag in incoming queries and refuse them bogus data.
- # Enable it if the only clients of unbound are legacy servers (w2008)
- # that set CD but cannot validate themselves.
- # ignore-cd-flag: no
-
- # Serve expired reponses from cache, with TTL 0 in the response,
- # and then attempt to fetch the data afresh.
- # serve-expired: no
-
- # Have the validator log failed validations for your diagnosis.
- # 0: off. 1: A line per failed user query. 2: With reason and bad IP.
- # val-log-level: 0
-
- # It is possible to configure NSEC3 maximum iteration counts per
- # keysize. Keep this table very short, as linear search is done.
- # A message with an NSEC3 with larger count is marked insecure.
- # List in ascending order the keysize and count values.
- # val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
-
- # instruct the auto-trust-anchor-file probing to add anchors after ttl.
- # add-holddown: 2592000 # 30 days
-
- # instruct the auto-trust-anchor-file probing to del anchors after ttl.
- # del-holddown: 2592000 # 30 days
-
- # auto-trust-anchor-file probing removes missing anchors after ttl.
- # If the value 0 is given, missing anchors are not removed.
- # keep-missing: 31622400 # 366 days
-
- # debug option that allows very small holddown times for key rollover,
- # otherwise the RFC mandates probe intervals must be at least 1 hour.
- # permit-small-holddown: no
-
- # the amount of memory to use for the key cache.
- # plain value in bytes or you can append k, m or G. default is "4Mb".
- # key-cache-size: 4m
-
- # the number of slabs to use for the key cache.
- # the number of slabs must be a power of 2.
- # more slabs reduce lock contention, but fragment memory usage.
- # key-cache-slabs: 4
-
- # the amount of memory to use for the negative cache (used for DLV).
- # plain value in bytes or you can append k, m or G. default is "1Mb".
- # neg-cache-size: 1m
-
- # By default, for a number of zones a small default 'nothing here'
- # reply is built-in. Query traffic is thus blocked. If you
- # wish to serve such zone you can unblock them by uncommenting one
- # of the nodefault statements below.
- # You may also have to use domain-insecure: zone to make DNSSEC work,
- # unless you have your own trust anchors for this zone.
- # local-zone: "localhost." nodefault
- # local-zone: "127.in-addr.arpa." nodefault
- # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
- # local-zone: "onion." nodefault
- # local-zone: "10.in-addr.arpa." nodefault
- # local-zone: "16.172.in-addr.arpa." nodefault
- # local-zone: "17.172.in-addr.arpa." nodefault
- # local-zone: "18.172.in-addr.arpa." nodefault
- # local-zone: "19.172.in-addr.arpa." nodefault
- # local-zone: "20.172.in-addr.arpa." nodefault
- # local-zone: "21.172.in-addr.arpa." nodefault
- # local-zone: "22.172.in-addr.arpa." nodefault
- # local-zone: "23.172.in-addr.arpa." nodefault
- # local-zone: "24.172.in-addr.arpa." nodefault
- # local-zone: "25.172.in-addr.arpa." nodefault
- # local-zone: "26.172.in-addr.arpa." nodefault
- # local-zone: "27.172.in-addr.arpa." nodefault
- # local-zone: "28.172.in-addr.arpa." nodefault
- # local-zone: "29.172.in-addr.arpa." nodefault
- # local-zone: "30.172.in-addr.arpa." nodefault
- # local-zone: "31.172.in-addr.arpa." nodefault
- # local-zone: "168.192.in-addr.arpa." nodefault
- # local-zone: "0.in-addr.arpa." nodefault
- # local-zone: "254.169.in-addr.arpa." nodefault
- # local-zone: "2.0.192.in-addr.arpa." nodefault
- # local-zone: "100.51.198.in-addr.arpa." nodefault
- # local-zone: "113.0.203.in-addr.arpa." nodefault
- # local-zone: "255.255.255.255.in-addr.arpa." nodefault
- # local-zone: "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
- # local-zone: "d.f.ip6.arpa." nodefault
- # local-zone: "8.e.f.ip6.arpa." nodefault
- # local-zone: "9.e.f.ip6.arpa." nodefault
- # local-zone: "a.e.f.ip6.arpa." nodefault
- # local-zone: "b.e.f.ip6.arpa." nodefault
- # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
- # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
-
- # If unbound is running service for the local host then it is useful
- # to perform lan-wide lookups to the upstream, and unblock the
- # long list of local-zones above. If this unbound is a dns server
- # for a network of computers, disabled is better and stops information
- # leakage of local lan information.
- # unblock-lan-zones: no
-
- # The insecure-lan-zones option disables validation for
- # these zones, as if they were all listed as domain-insecure.
- # insecure-lan-zones: no
-
- # a number of locally served zones can be configured.
- # local-zone: <zone> <type>
- # local-data: "<resource record string>"
- # o deny serves local data (if any), else, drops queries.
- # o refuse serves local data (if any), else, replies with error.
- # o static serves local data, else, nxdomain or nodata answer.
- # o transparent gives local data, but resolves normally for other names
- # o redirect serves the zone data for any subdomain in the zone.
- # o nodefault can be used to normally resolve AS112 zones.
- # o typetransparent resolves normally for other types and other names
- # o inform acts like transparent, but logs client IP address
- # o inform_deny drops queries and logs client IP address
- # o always_transparent, always_refuse, always_nxdomain, resolve in
- # that way but ignore local data for that name.
- #
- # defaults are localhost address, reverse for 127.0.0.1 and ::1
- # and nxdomain for AS112 zones. If you configure one of these zones
- # the default content is omitted, or you can omit it with 'nodefault'.
- #
- # If you configure local-data without specifying local-zone, by
- # default a transparent local-zone is created for the data.
- #
- # You can add locally served data with
- # local-zone: "local." static
- # local-data: "mycomputer.local. IN A 192.0.2.51"
- # local-data: 'mytext.local TXT "content of text record"'
- #
- # You can override certain queries with
- # local-data: "adserver.example.com A 127.0.0.1"
- #
- # You can redirect a domain to a fixed address with
- # (this makes example.com, www.example.com, etc, all go to 192.0.2.3)
- # local-zone: "example.com" redirect
- # local-data: "example.com A 192.0.2.3"
- #
- # Shorthand to make PTR records, "IPv4 name" or "IPv6 name".
- # You can also add PTR records using local-data directly, but then
- # you need to do the reverse notation yourself.
- # local-data-ptr: "192.0.2.3 www.example.com"
-
- # tag a localzone with a list of tag names (in "" with spaces between)
- # local-zone-tag: "example.com" "tag2 tag3"
-
- # add a netblock specific override to a localzone, with zone type
- # local-zone-override: "example.com" 192.0.2.0/24 refuse
-
- # service clients over SSL (on the TCP sockets), with plain DNS inside
- # the SSL stream. Give the certificate to use and private key.
- # default is "" (disabled). requires restart to take effect.
- # ssl-service-key: "path/to/privatekeyfile.key"
- # ssl-service-pem: "path/to/publiccertfile.pem"
- # ssl-port: 853
-
- # request upstream over SSL (with plain DNS inside the SSL stream).
- # Default is no. Can be turned on and off with unbound-control.
- # ssl-upstream: no
-
- # DNS64 prefix. Must be specified when DNS64 is use.
- # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4.
- # dns64-prefix: 64:ff9b::0/96
-
- # ratelimit for uncached, new queries, this limits recursion effort.
- # ratelimiting is experimental, and may help against randomqueryflood.
- # if 0(default) it is disabled, otherwise state qps allowed per zone.
- # ratelimit: 0
-
- # ratelimits are tracked in a cache, size in bytes of cache (or k,m).
- # ratelimit-size: 4m
- # ratelimit cache slabs, reduces lock contention if equal to cpucount.
- # ratelimit-slabs: 4
-
- # 0 blocks when ratelimited, otherwise let 1/xth traffic through
- # ratelimit-factor: 10
-
- # override the ratelimit for a specific domain name.
- # give this setting multiple times to have multiple overrides.
- # ratelimit-for-domain: example.com 1000
- # override the ratelimits for all domains below a domain name
- # can give this multiple times, the name closest to the zone is used.
- # ratelimit-below-domain: com 1000
-
- # global query ratelimit for all ip addresses.
- # feature is experimental.
- # if 0(default) it is disabled, otherwise states qps allowed per ip address
- # ip-ratelimit: 0
-
- # ip ratelimits are tracked in a cache, size in bytes of cache (or k,m).
- # ip-ratelimit-size: 4m
- # ip ratelimit cache slabs, reduces lock contention if equal to cpucount.
- # ip-ratelimit-slabs: 4
-
- # 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through
- # ip-ratelimit-factor: 10
-
-
-# Python config section. To enable:
-# o use --with-pythonmodule to configure before compiling.
-# o list python in the module-config string (above) to enable.
-# o and give a python-script to run.
-python:
- # Script file to load
- # python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py"
-
-# Remote control config section.
-remote-control:
- # Enable remote control with unbound-control(8) here.
- # set up the keys and certificates with unbound-control-setup.
- # control-enable: no
-
- # Set to no and use an absolute path as control-interface to use
- # a unix local named pipe for unbound-control.
- # control-use-cert: yes
-
- # what interfaces are listened to for remote control.
- # give 0.0.0.0 and ::0 to listen to all interfaces.
- # control-interface: 127.0.0.1
- # control-interface: ::1
-
- # port number for remote control operations.
- # control-port: 8953
-
- # unbound server key file.
- # server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key"
-
- # unbound server certificate file.
- # server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem"
-
- # unbound-control key file.
- # control-key-file: "@UNBOUND_RUN_DIR@/unbound_control.key"
-
- # unbound-control certificate file.
- # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
-
-# Stub zones.
-# Create entries like below, to make all queries for 'example.com' and
-# 'example.org' go to the given list of nameservers. list zero or more
-# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
-# the list is treated as priming hints (default is no).
-# With stub-first yes, it attempts without the stub if it fails.
-# Consider adding domain-insecure: name and local-zone: name nodefault
-# to the server: section if the stub is a locally served zone.
-# stub-zone:
-# name: "example.com"
-# stub-addr: 192.0.2.68
-# stub-prime: no
-# stub-first: no
-# stub-ssl-upstream: no
-# stub-zone:
-# name: "example.org"
-# stub-host: ns.example.com.
-
-# Forward zones
-# Create entries like below, to make all queries for 'example.com' and
-# 'example.org' go to the given list of servers. These servers have to handle
-# recursion to other nameservers. List zero or more nameservers by hostname
-# or by ipaddress. Use an entry with name "." to forward all queries.
-# If you enable forward-first, it attempts without the forward if it fails.
-# forward-zone:
-# name: "example.com"
-# forward-addr: 192.0.2.68
-# forward-addr: 192.0.2.73@5355 # forward to port 5355.
-# forward-first: no
-# forward-ssl-upstream: no
-# forward-zone:
-# name: "example.org"
-# forward-host: fwd.example.com
-
-# Views
-# Create named views. Name must be unique. Map views to requests using
-# the access-control-view option. Views can contain zero or more local-zone
-# and local-data options. Options from matching views will override global
-# options. Global options will be used if no matching view is found.
-# With view-first yes, it will try to answer using the global local-zone and
-# local-data elements if there is no view specific match.
-# view:
-# name: "viewname"
-# local-zone: "example.com" redirect
-# local-data: "example.com A 192.0.2.3"
-# local-data-ptr: "192.0.2.3 www.example.com"
-# view-first: no
-# view:
-# name: "anotherview"
-# local-zone: "example.com" refuse
-
-# DNSCrypt
-# Caveats:
-# 1. the keys/certs cannot be produced by unbound. You can use dnscrypt-wrapper
-# for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
-# 2. dnscrypt channel attaches to an interface. you MUST set interfaces to
-# listen on `dnscrypt-port` with the follo0wing snippet:
-# server:
-# interface: 0.0.0.0@443
-# interface: ::0@443
-#
-# Finally, `dnscrypt` config has its own section.
-# dnscrypt:
-# dnscrypt-enable: yes
-# dnscrypt-port: 443
-# dnscrypt-provider: 2.dnscrypt-cert.example.com.
-# dnscrypt-secret-key: /path/unbound-conf/keys1/1.key
-# dnscrypt-secret-key: /path/unbound-conf/keys2/1.key
-# dnscrypt-provider-cert: /path/unbound-conf/keys1/1.cert
-# dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert
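Review bot: the removed example.conf.in is a configure-time template, not a plain doc file; it still carries `@UNBOUND_SHARE_DIR@` (the python-script line) and `@UNBOUND_RUN_DIR@` (the four server-key-file, server-cert-file, control-key-file and control-cert-file lines), so any AC_CONFIG_FILES entry or Makefile rule that still substitutes doc/example.conf.in will fail once the file is gone; please confirm in the same change that the build no longer references it. This file was also the only in-tree statement of the hardening defaults (val-permissive-mode: no, unblock-lan-zones: no, control-enable: no, control-use-cert: yes); if the vendored unbound sources stay, the commit message should say where that configuration reference now lives (upstream unbound.conf(5)).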
diff --git a/external/unbound/doc/ietf67-design-02.odp b/external/unbound/doc/ietf67-design-02.odp
deleted file mode 100644
index 8321b556f..000000000
--- a/external/unbound/doc/ietf67-design-02.odp
+++ /dev/null
Binary files differ
diff --git a/external/unbound/doc/ietf67-design-02.pdf b/external/unbound/doc/ietf67-design-02.pdf
deleted file mode 100644
index 1ebdaf92d..000000000
--- a/external/unbound/doc/ietf67-design-02.pdf
+++ /dev/null
Binary files differ
diff --git a/external/unbound/doc/libunbound.3.in b/external/unbound/doc/libunbound.3.in
deleted file mode 100644
index 70ed5c2d4..000000000
--- a/external/unbound/doc/libunbound.3.in
+++ /dev/null
@@ -1,415 +0,0 @@
-.TH "libunbound" "3" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
-.\"
-.\" libunbound.3 -- unbound library functions manual
-.\"
-.\" Copyright (c) 2007, NLnet Labs. All rights reserved.
-.\"
-.\" See LICENSE for the license.
-.\"
-.\"
-.SH "NAME"
-.B libunbound,
-.B unbound.h,
-.B ub_ctx,
-.B ub_result,
-.B ub_callback_type,
-.B ub_ctx_create,
-.B ub_ctx_delete,
-.B ub_ctx_set_option,
-.B ub_ctx_get_option,
-.B ub_ctx_config,
-.B ub_ctx_set_fwd,
-.B ub_ctx_set_stub,
-.B ub_ctx_resolvconf,
-.B ub_ctx_hosts,
-.B ub_ctx_add_ta,
-.B ub_ctx_add_ta_autr,
-.B ub_ctx_add_ta_file,
-.B ub_ctx_trustedkeys,
-.B ub_ctx_debugout,
-.B ub_ctx_debuglevel,
-.B ub_ctx_async,
-.B ub_poll,
-.B ub_wait,
-.B ub_fd,
-.B ub_process,
-.B ub_resolve,
-.B ub_resolve_async,
-.B ub_cancel,
-.B ub_resolve_free,
-.B ub_strerror,
-.B ub_ctx_print_local_zones,
-.B ub_ctx_zone_add,
-.B ub_ctx_zone_remove,
-.B ub_ctx_data_add,
-.B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.6.3 functions.
-.SH "SYNOPSIS"
-.B #include <unbound.h>
-.LP
-\fIstruct ub_ctx *\fR
-\fBub_ctx_create\fR(\fIvoid\fR);
-.LP
-\fIvoid\fR
-\fBub_ctx_delete\fR(\fIstruct ub_ctx*\fR ctx);
-.LP
-\fIint\fR
-\fBub_ctx_set_option\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR opt, \fIchar*\fR val);
-.LP
-\fIint\fR
-\fBub_ctx_get_option\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR opt, \fIchar**\fR val);
-.LP
-\fIint\fR
-\fBub_ctx_config\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
-.LP
-\fIint\fR
-\fBub_ctx_set_fwd\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR addr);
-.LP
-\fIint\fR
-\fBub_ctx_set_stub\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR zone,
-\fIchar*\fR addr,
-.br
- \fIint\fR isprime);
-.LP
-\fIint\fR
-\fBub_ctx_resolvconf\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
-.LP
-\fIint\fR
-\fBub_ctx_hosts\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
-.LP
-\fIint\fR
-\fBub_ctx_add_ta\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR ta);
-.LP
-\fIint\fR
-\fBub_ctx_add_ta_autr\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
-.LP
-\fIint\fR
-\fBub_ctx_add_ta_file\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
-.LP
-\fIint\fR
-\fBub_ctx_trustedkeys\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
-.LP
-\fIint\fR
-\fBub_ctx_debugout\fR(\fIstruct ub_ctx*\fR ctx, \fIFILE*\fR out);
-.LP
-\fIint\fR
-\fBub_ctx_debuglevel\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR d);
-.LP
-\fIint\fR
-\fBub_ctx_async\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR dothread);
-.LP
-\fIint\fR
-\fBub_poll\fR(\fIstruct ub_ctx*\fR ctx);
-.LP
-\fIint\fR
-\fBub_wait\fR(\fIstruct ub_ctx*\fR ctx);
-.LP
-\fIint\fR
-\fBub_fd\fR(\fIstruct ub_ctx*\fR ctx);
-.LP
-\fIint\fR
-\fBub_process\fR(\fIstruct ub_ctx*\fR ctx);
-.LP
-\fIint\fR
-\fBub_resolve\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR name,
-.br
- \fIint\fR rrtype, \fIint\fR rrclass, \fIstruct ub_result**\fR result);
-.LP
-\fIint\fR
-\fBub_resolve_async\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR name,
-.br
- \fIint\fR rrtype, \fIint\fR rrclass, \fIvoid*\fR mydata,
-.br
- \fIub_callback_type\fR callback, \fIint*\fR async_id);
-.LP
-\fIint\fR
-\fBub_cancel\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR async_id);
-.LP
-\fIvoid\fR
-\fBub_resolve_free\fR(\fIstruct ub_result*\fR result);
-.LP
-\fIconst char *\fR
-\fBub_strerror\fR(\fIint\fR err);
-.LP
-\fIint\fR
-\fBub_ctx_print_local_zones\fR(\fIstruct ub_ctx*\fR ctx);
-.LP
-\fIint\fR
-\fBub_ctx_zone_add\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR zone_name, \fIchar*\fR zone_type);
-.LP
-\fIint\fR
-\fBub_ctx_zone_remove\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR zone_name);
-.LP
-\fIint\fR
-\fBub_ctx_data_add\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR data);
-.LP
-\fIint\fR
-\fBub_ctx_data_remove\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR data);
-.SH "DESCRIPTION"
-.B Unbound
-is an implementation of a DNS resolver, that does caching and
-DNSSEC validation. This is the library API, for using the \-lunbound library.
-The server daemon is described in \fIunbound\fR(8).
-The library can be used to convert hostnames to ip addresses, and back,
-and obtain other information from the DNS. The library performs public\-key
-validation of results with DNSSEC.
-.P
-The library uses a variable of type \fIstruct ub_ctx\fR to keep context
-between calls. The user must maintain it, creating it with
-.B ub_ctx_create
-and deleting it with
-.B ub_ctx_delete\fR.
-It can be created and deleted at any time. Creating it anew removes any
-previous configuration (such as trusted keys) and clears any cached results.
-.P
-The functions are thread\-safe, and a context an be used in a threaded (as
-well as in a non\-threaded) environment. Also resolution (and validation)
-can be performed blocking and non\-blocking (also called asynchronous).
-The async method returns from the call immediately, so that processing
-can go on, while the results become available later.
-.P
-The functions are discussed in turn below.
-.SH "FUNCTIONS"
-.TP
-.B ub_ctx_create
-Create a new context, initialised with defaults.
-The information from /etc/resolv.conf and /etc/hosts is not utilised
-by default. Use
-.B ub_ctx_resolvconf
-and
-.B ub_ctx_hosts
-to read them.
-Before you call this, use the openssl functions CRYPTO_set_id_callback and
-CRYPTO_set_locking_callback to set up asynchronous operation if you use
-lib openssl (the application calls these functions once for initialisation).
-Openssl 1.0.0 or later uses the CRYPTO_THREADID_set_callback function.
-.TP
-.B ub_ctx_delete
-Delete validation context and free associated resources.
-Outstanding async queries are killed and callbacks are not called for them.
-.TP
-.B ub_ctx_set_option
-A power\-user interface that lets you specify one of the options from the
-config file format, see \fIunbound.conf\fR(5). Not all options are
-relevant. For some specific options, such as adding trust anchors, special
-routines exist. Pass the option name with the trailing ':'.
-.TP
-.B ub_ctx_get_option
-A power\-user interface that gets an option value. Some options cannot be
-gotten, and others return a newline separated list. Pass the option name
-without trailing ':'. The returned value must be free(2)d by the caller.
-.TP
-.B ub_ctx_config
-A power\-user interface that lets you specify an unbound config file, see
-\fIunbound.conf\fR(5), which is read for configuration. Not all options are
-relevant. For some specific options, such as adding trust anchors, special
-routines exist.
-.TP
-.B ub_ctx_set_fwd
-Set machine to forward DNS queries to, the caching resolver to use.
-IP4 or IP6 address. Forwards all DNS requests to that machine, which
-is expected to run a recursive resolver. If the proxy is not
-DNSSEC capable, validation may fail. Can be called several times, in
-that case the addresses are used as backup servers.
-At this time it is only possible to set configuration before the
-first resolve is done.
-.TP
-.B ub_ctx_set_stub
-Set a stub zone, authoritative dns servers to use for a particular zone.
-IP4 or IP6 address. If the address is NULL the stub entry is removed.
-Set isprime true if you configure root hints with it. Otherwise similar to
-the stub zone item from unbound's config file. Can be called several times,
-for different zones, or to add multiple addresses for a particular zone.
-At this time it is only possible to set configuration before the
-first resolve is done.
-.TP
-.B ub_ctx_resolvconf
-By default the root servers are queried and full resolver mode is used, but
-you can use this call to read the list of nameservers to use from the
-filename given.
-Usually "/etc/resolv.conf". Uses those nameservers as caching proxies.
-If they do not support DNSSEC, validation may fail.
-Only nameservers are picked up, the searchdomain, ndots and other
-settings from \fIresolv.conf\fR(5) are ignored.
-If fname NULL is passed, "/etc/resolv.conf" is used (if on Windows,
-the system\-wide configured nameserver is picked instead).
-At this time it is only possible to set configuration before the
-first resolve is done.
-.TP
-.B ub_ctx_hosts
-Read list of hosts from the filename given.
-Usually "/etc/hosts". When queried for, these addresses are not marked
-DNSSEC secure. If fname NULL is passed, "/etc/hosts" is used
-(if on Windows, etc/hosts from WINDIR is picked instead).
-At this time it is only possible to set configuration before the
-first resolve is done.
-.TP
-.B
-ub_ctx_add_ta
-Add a trust anchor to the given context.
-At this time it is only possible to add trusted keys before the
-first resolve is done.
-The format is a string, similar to the zone\-file format,
-[domainname] [type] [rdata contents]. Both DS and DNSKEY records are accepted.
-.TP
-.B ub_ctx_add_ta_autr
-Add filename with automatically tracked trust anchor to the given context.
-Pass name of a file with the managed trust anchor. You can create this
-file with \fIunbound\-anchor\fR(8) for the root anchor. You can also
-create it with an initial file with one line with a DNSKEY or DS record.
-If the file is writable, it is updated when the trust anchor changes.
-At this time it is only possible to add trusted keys before the
-first resolve is done.
-.TP
-.B ub_ctx_add_ta_file
-Add trust anchors to the given context.
-Pass name of a file with DS and DNSKEY records in zone file format.
-At this time it is only possible to add trusted keys before the
-first resolve is done.
-.TP
-.B ub_ctx_trustedkeys
-Add trust anchors to the given context.
-Pass the name of a bind\-style config file with trusted\-keys{}.
-At this time it is only possible to add trusted keys before the
-first resolve is done.
-.TP
-.B ub_ctx_debugout
-Set debug and error log output to the given stream. Pass NULL to disable
-output. Default is stderr. File\-names or using syslog can be enabled
-using config options, this routine is for using your own stream.
-.TP
-.B ub_ctx_debuglevel
-Set debug verbosity for the context. Output is directed to stderr.
-Higher debug level gives more output.
-.TP
-.B ub_ctx_async
-Set a context behaviour for asynchronous action.
-if set to true, enables threading and a call to
-.B ub_resolve_async
-creates a thread to handle work in the background.
-If false, a process is forked to handle work in the background.
-Changes to this setting after
-.B ub_resolve_async
-calls have been made have no effect (delete and re\-create the context
-to change).
-.TP
-.B ub_poll
-Poll a context to see if it has any new results.
-Do not poll in a loop, instead extract the fd below to poll for readiness,
-and then check, or wait using the wait routine.
-Returns 0 if nothing to read, or nonzero if a result is available.
-If nonzero, call
-.B ub_process
-to do callbacks.
-.TP
-.B ub_wait
-Wait for a context to finish with results. Calls
-.B ub_process
-after the wait for you. After the wait, there are no more outstanding
-asynchronous queries.
-.TP
-.B ub_fd
-Get file descriptor. Wait for it to become readable, at this point
-answers are returned from the asynchronous validating resolver.
-Then call the \fBub_process\fR to continue processing.
-.TP
-.B ub_process
-Call this routine to continue processing results from the validating
-resolver (when the fd becomes readable).
-Will perform necessary callbacks.
-.TP
-.B ub_resolve
-Perform resolution and validation of the target name.
-The name is a domain name in a zero terminated text string.
-The rrtype and rrclass are DNS type and class codes.
-The result structure is newly allocated with the resulting data.
-.TP
-.B ub_resolve_async
-Perform asynchronous resolution and validation of the target name.
-Arguments mean the same as for \fBub_resolve\fR except no
-data is returned immediately, instead a callback is called later.
-The callback receives a copy of the mydata pointer, that you can use to pass
-information to the callback. The callback type is a function pointer to
-a function declared as
-.IP
-void my_callback_function(void* my_arg, int err,
-.br
- struct ub_result* result);
-.IP
-The async_id is returned so you can (at your option) decide to track it
-and cancel the request if needed. If you pass a NULL pointer the async_id
-is not returned.
-.TP
-.B ub_cancel
-Cancel an async query in progress. This may return an error if the query
-does not exist, or the query is already being delivered, in that case you
-may still get a callback for the query.
-.TP
-.B ub_resolve_free
-Free struct ub_result contents after use.
-.TP
-.B ub_strerror
-Convert error value from one of the unbound library functions
-to a human readable string.
-.TP
-.B ub_ctx_print_local_zones
-Debug printout the local authority information to debug output.
-.TP
-.B ub_ctx_zone_add
-Add new zone to local authority info, like local\-zone \fIunbound.conf\fR(5)
-statement.
-.TP
-.B ub_ctx_zone_remove
-Delete zone from local authority info.
-.TP
-.B ub_ctx_data_add
-Add resource record data to local authority info, like local\-data
-\fIunbound.conf\fR(5) statement.
-.TP
-.B ub_ctx_data_remove
-Delete local authority data from the name given.
-.SH "RESULT DATA STRUCTURE"
-The result of the DNS resolution and validation is returned as
-\fIstruct ub_result\fR. The result structure contains the following entries.
-.P
-.nf
- struct ub_result {
- char* qname; /* text string, original question */
- int qtype; /* type code asked for */
- int qclass; /* class code asked for */
- char** data; /* array of rdata items, NULL terminated*/
- int* len; /* array with lengths of rdata items */
- char* canonname; /* canonical name of result */
- int rcode; /* additional error code in case of no data */
- void* answer_packet; /* full network format answer packet */
- int answer_len; /* length of packet in octets */
- int havedata; /* true if there is data */
- int nxdomain; /* true if nodata because name does not exist */
- int secure; /* true if result is secure */
- int bogus; /* true if a security failure happened */
- char* why_bogus; /* string with error if bogus */
- int ttl; /* number of seconds the result is valid */
- };
-.fi
-.P
-If both secure and bogus are false, security was not enabled for the
-domain of the query. Else, they are not both true, one of them is true.
-.SH "RETURN VALUES"
-Many routines return an error code. The value 0 (zero) denotes no error
-happened. Other values can be passed to
-.B ub_strerror
-to obtain a readable error string.
-.B ub_strerror
-returns a zero terminated string.
-.B ub_ctx_create
-returns NULL on an error (a malloc failure).
-.B ub_poll
-returns true if some information may be available, false otherwise.
-.B ub_fd
-returns a file descriptor or \-1 on error.
-.SH "SEE ALSO"
-\fIunbound.conf\fR(5),
-\fIunbound\fR(8).
-.SH "AUTHORS"
-.B Unbound
-developers are mentioned in the CREDITS file in the distribution.
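Review bot: this hunk drops the only reference for the ub_result security fields (secure, bogus, why_bogus) and the rule in RESULT DATA STRUCTURE that both false means validation was not enabled for the domain, which any caller of the vendored library needs to interpret answers correctly; the diffstat is limited to external/unbound/doc, so confirm the library sources are removed in the same commit, otherwise keep this page or point readers to upstream libunbound(3) for the version the .TH line names, "unbound 1.6.3". Since that .TH line is the only place in doc/ that records which unbound release is vendored, the commit message should state the version being dropped.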
diff --git a/external/unbound/doc/requirements.txt b/external/unbound/doc/requirements.txt
deleted file mode 100644
index a66962d4a..000000000
--- a/external/unbound/doc/requirements.txt
+++ /dev/null
@@ -1,294 +0,0 @@
-Requirements for Recursive Caching Resolver
- (a.k.a. Treeshrew, Unbound-C)
-By W.C.A. Wijngaards, NLnet Labs, October 2006.
-
-Contents
-1. Introduction
-2. History
-3. Goals
-4. Non-Goals
-
-
-1. Introduction
----------------
-This is the requirements document for a DNS name server and aims to
-document the goals and non-goals of the project. The DNS (the Domain
-Name System) is a global, replicated database that uses a hierarchical
-structure for queries.
-
-Data in the DNS is stored in Resource Record sets (RR sets), and has a
-time to live (TTL). During this time the data can be cached. It is
-thus useful to cache data to speed up future lookups. A server that
-looks up data in the DNS for clients and caches previous answers to
-speed up processing is called a caching, recursive nameserver.
-
-This project aims to develop such a nameserver in modular components, so
-that also DNSSEC (secure DNS) validation and stub-resolvers (that do not
-run as a server, but a linked into an application) are easily possible.
-
-The main components are the Validator that validates the security
-fingerprints on data sets, the Iterator that sends queries to the
-hierarchical DNS servers that own the data and the Cache that stores
-data from previous queries. The networking and query management code
-then interface with the modules to perform the necessary processing.
-
-In Section 2 the origins of the Unbound project are documented. Section
-3 lists the goals, while Section 4 lists the explicit non-goals of the
-project. Section 5 discusses choices made during development.
-
-
-2. History
-----------
-The unbound resolver project started by Bill Manning, David Blacka, and
-Matt Larson (from the University of California and from Verisign), that
-created a Java based prototype resolver called Unbound. The basic
-design decisions of clean modules was executed.
-
-The Java prototype worked very well, with contributions from Geoff
-Sisson and Roy Arends from Nominet. Around 2006 the idea came to create
-a full-fledged C implementation ready for deployed use. NLnet Labs
-volunteered to write this implementation.
-
-
-3. Goals
---------
-o A validating recursive DNS resolver.
-o Code diversity in the DNS resolver monoculture.
-o Drop-in replacement for BIND apart from config.
-o DNSSEC support.
-o Fully RFC compliant.
-o High performance
- * even with validation.
-o Used as
- * stub resolver.
- * full caching name server.
- * resolver library.
-o Elegant design of validator, resolver, cache modules.
- * provide the ability to pick and choose modules.
-o Robust.
-o In C, open source: The BSD license.
-o Highly portable, targets include modern Unix systems, such as *BSD,
-solaris, linux, and maybe also the windows platform.
-o Smallest as possible component that does the job.
-o Stub-zones can be configured (local data or AS112 zones).
-
-
-4. Non-Goals
-------------
-o An authoritative name server.
-o Too many Features.
-
-
-5. Choices
-----------
-o rfc2181 decourages duplicates RRs in RRsets. unbound does not create
- duplicates, but when presented with duplicates on the wire from the
- authoritative servers, does not perform duplicate removal.
- It does do some rrsig duplicate removal, in the msgparser, for dnssec qtype
- rrsig and any, because of special rrsig processing in the msgparser.
-o The harden-glue feature, when yes all out of zone glue is deleted, when
- no out of zone glue is used for further resolving, is more complicated
- than that, see below.
- Main points:
- * rfc2182 trust handling is used.
- * data is let through only in very specific cases
- * spoofability remains possible.
- Not all glue is let through (despite the name of the option). Only glue
- which is present in a delegation, of type A and AAAA, where the name is
- present in the NS record in the authority section is let through.
- The glue that is let through is stored in the cache (marked as 'from the
- additional section'). And will then be used for sending queries to. It
- will not be present in the reply to the client (if RD is off).
- A direct query for that name will attempt to get a msg into the message
- cache. Since A and AAAA queries are not synthesized by the unbound cache,
- this query will be (eventually) sent to the authoritative server and its
- answer will be put in the cache, marked as 'from the answer section' and
- thus remove the 'from the additional section' data, and this record is
- returned to the client.
- The message has a TTL smaller or equal to the TTL of the answer RR.
- If the cache memory is low; the answer RR may be dropped, and a glue
- RR may be inserted, within the message TTL time, and thus return the
- spoofed glue to a client. When the message expires, it is refetched and
- the cached RR is updated with the correct content.
- The server can be spoofed by getting it to visit a especially prepared
- domain. This domain then inserts an address for another authoritative
- server into the cache, when visiting that other domain, this address may
- then be used to send queries to. And fake answers may be returned.
- If the other domain is signed by DNSSEC, the fakes will be detected.
-
- In summary, the harden glue feature presents a security risk if
- disabled. Disabling the feature leads to possible better performance
- as more glue is present for the recursive service to use. The feature
- is implemented so as to minimise the security risk, while trying to
- keep this performance gain.
-o The method by which dnssec-lameness is detected is not secure. DNSSEC lame
- is when a server has the zone in question, but lacks dnssec data, such as
- signatures. The method to detect dnssec lameness looks at nonvalidated
- data from the parent of a zone. This can be used, by spoofing the parent,
- to create a false sense of dnssec-lameness in the child, or a false sense
- or dnssec-non-lameness in the child. The first results in the server marked
- lame, and not used for 900 seconds, and the second will result in a
- validator failure (SERVFAIL again), when the query is validated later on.
-
- Concluding, a spoof of the parent delegation can be used for many cases
- of denial of service. I.e. a completely different NS set could be returned,
- or the information withheld. All of these alterations can be caught by
- the validator if the parent is signed, and result in 900 seconds bogus.
- The dnssec-lameness detection is used to detect operator failures,
- before the validator will properly verify the messages.
-
- Also for zones for which no chain of trust exists, but a DS is given by the
- parent, dnssec-lameness detection enables. This delivers dnssec to our
- clients when possible (for client validators).
-
- The following issue needs to be resolved:
- a server that serves both a parent and child zone, where
- parent is signed, but child is not. The server must not be marked
- lame for the parent zone, because the child answer is not signed.
- Instead of a false positive, we want false negatives; failure to
- detect dnssec-lameness is less of a problem than marking honest
- servers lame. dnssec-lameness is a config error and deserves the trouble.
- So, only messages that identify the zone are used to mark the zone
- lame. The zone is identified by SOA or NS RRsets in the answer/auth.
- That includes almost all negative responses and also A, AAAA qtypes.
- That would be most responses from servers.
- For referrals, delegations that add a single label can be checked to be
- from their zone, this covers most delegation-centric zones.
-
- So possibly, for complicated setups, with multiple (parent-child) zones
- on a server, dnssec-lameness detection does not work - no dnssec-lameness
- is detected. Instead the zone that is dnssec-lame becomes bogus.
-
-o authority features.
- This is a recursive server, and authority features are out of scope.
- However, some authority features are expected in a recursor. Things like
- localhost, reverse lookup for 127.0.0.1, or blocking AS112 traffic.
- Also redirection of domain names with fixed data is needed by service
- providers. Limited support is added specifically to address this.
-
- Adding full authority support, requires much more code, and more complex
- maintenance.
-
- The limited support allows adding some static data (for localhost and so),
- and to respond with a fixed rcode (NXDOMAIN) for domains (such as AS112).
-
- You can put authority data on a separate server, and set the server in
- unbound.conf as stub for those zones, this allows clients to access data
- from the server without making unbound authoritative for the zones.
-
-o the access control denies queries before any other processing.
- This denies queries that are not authoritative, or version.bind, or any.
- And thus prevents cache-snooping (denied hosts cannot make non-recursive
- queries and get answers from the cache).
-
-o If a client makes a query without RD bit, in the case of a returned
- message from cache which is:
- answer section: empty
- auth section: NS record present, no SOA record, no DS record,
- maybe NSEC or NSEC3 records present.
- additional: A records or other relevant records.
- A SOA record would indicate that this was a NODATA answer.
- A DS records would indicate a referral.
- Absence of NS record would indicate a NODATA answer as well.
-
- Then the receiver does not know whether this was a referral
- with attempt at no-DS proof) or a nodata answer with attempt
- at no-data proof. It could be determined by attempting to prove
- either condition; and looking if only one is valid, but both
- proofs could be valid, or neither could be valid, which creates
- doubt. This case is validated by unbound as a 'referral' which
- ascertains that RRSIGs are OK (and not omitted), but does not
- check NSEC/NSEC3.
-
-o Case preservation
- Unbound preserves the casing received from authority servers as best
- as possible. It compresses without case, so case can get lost there.
- The casing from the query name is used in preference to the casing
- of the authority server. This is the same as BIND. RFC4343 allows either
- behaviour.
-
-o Denial of service protection
- If many queries are made, and they are made to names for which the
- authority servers do not respond, then the requestlist for unbound
- fills up fast. This results in denial of service for new queries.
- To combat this the first 50% of the requestlist can run to completion.
- The last 50% of the requestlist get (200 msec) at least and are replaced
- by newer queries when older (LIFO).
- When a new query comes in, and a place in the first 50% is available, this
- is preferred. Otherwise, it can replace older queries out of the last 50%.
- Thus, even long queries get a 50% chance to be resolved. And many 'short'
- one or two round-trip resolves can be done in the last 50% of the list.
- The timeout can be configured.
-
-o EDNS fallback. Is done according to the EDNS RFC (and update draft-00).
- Unbound assumes EDNS 0 support for the first query. Then it can detect
- support (if the servers replies) or non-support (on a NOTIMPL or FORMERR).
- Some middleboxes drop EDNS 0 queries, mainly when forwarding, not when
- routing packets. To detect this, when timeouts keep happening, as the
- timeout approached 5-10 seconds, and EDNS status has not been detected yet,
- a single probe query is sent. This probe has a sub-second timeout, and
- if the server responds (quickly) without EDNS, this is cached for 15 min.
- This works very well when detecting an address that you use much - like
- a forwarder address - which is where the middleboxes need to be detected.
- Otherwise, it results in a 5 second wait time before EDNS timeout is
- detected, which is slow but it works at least.
- It minimizes the chances of a dropped query making a (DNSSEC) EDNS server
- falsely EDNS-nonsupporting, and thus DNSSEC-bogus, works well with
- middleboxes, and can detect the occasional authority that drops EDNS.
- For some boxes it is necessary to probe for every failing query, a
- reassurance that the DNS server does EDNS does not mean that path can
- take large DNS answers.
-
-o 0x20 backoff.
- The draft describes to back off to the next server, and go through all
- servers several times. Unbound goes on get the full list of nameserver
- addresses, and then makes 3 * number of addresses queries.
- They are sent to a random server, but no one address more than 4 times.
- It succeeds if one has 0x20 intact, or else all are equal.
- Otherwise, servfail is returned to the client.
-
-o NXDOMAIN and SOA serial numbers.
- Unbound keeps TTL values for message formats, and thus rcodes, such
- as NXDOMAIN. Also it keeps the latest rrsets in the rrset cache.
- So it will faithfully negative cache for the exact TTL as originally
- specified for an NXDOMAIN message, but send a newer SOA record if
- this has been found in the mean time. In point, this could lead to a
- negative cached NXDOMAIN reply with a SOA RR where the serial number
- indicates a zone version where this domain is not any longer NXDOMAIN.
- These situations become consistent once the original TTL expires.
- If the domain is DNSSEC signed, by the way, then NSEC records are
- updated more carefully. If one of the NSEC records in an NXDOMAIN is
- updated from another query, the NXDOMAIN is dropped from the cache,
- and queried for again, so that its proof can be checked again.
-
-o SOA records in negative cached answers for DS queries.
- The current unbound code uses a negative cache for queries for type DS.
- This speeds up building chains of trust, and uses NSEC and NSEC3
- (optout) information to speed up lookups. When used internally,
- the bare NSEC(3) information is sufficient, probably picked up from
- a referral. When answering to clients, a SOA record is needed for
- the correct message format, a SOA record is picked from the cache
- (and may not actually match the serial number of the SOA for which the
- NSEC and NSEC3 records were obtained) if available otherwise network
- queries are performed to get the data.
-
-o Parent and child with different nameserver information.
- A misconfiguration that sometimes happens is where the parent and child
- have different NS, glue information. The child is authoritative, and
- unbound will not trust information from the parent nameservers as the
- final answer. To help lookups, unbound will however use the parent-side
- version of the glue as a last resort lookup. This resolves lookups for
- those misconfigured domains where the servers reported by the parent
- are the only ones working, and servers reported by the child do not.
-
-o Failure of validation and probing.
- Retries on a validation failure are now 5x to a different nameserver IP
- (if possible), and then it gives up, for one name, type, class entry in
- the message cache. If a DNSKEY or DS fails in the chain of trust in the
- key cache additionally, after the probing, a bad key entry is created that
- makes the entire zone bogus for 900 seconds. This is a fixed value at
- this time and is conservative in sending probes. It makes the compound
- effect of many resolvers less and easier to handle, but penalizes
- individual resolvers by having less probes and a longer time before fixes
- are picked up.
-
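Review bot: The deleted "5. Choices" section is the only in-tree record of why harden-glue, dnssec-lameness detection and the fixed 900-second bogus hold behave as they do (see the "harden glue feature presents a security risk if disabled" summary and the false-positive versus false-negative discussion for lameness marking), and of the access-control rationale that denied hosts cannot cache-snoop with non-recursive queries; dropping requirements.txt from the vendored tree loses the reasoning an operator needs when tuning those options. If the aim is to slim the vendored copy, the commit message should point to where this design document lives upstream, or the file should be kept alongside the remaining source.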
diff --git a/external/unbound/doc/unbound-anchor.8.in b/external/unbound/doc/unbound-anchor.8.in
deleted file mode 100644
index f96a9e6c2..000000000
--- a/external/unbound/doc/unbound-anchor.8.in
+++ /dev/null
@@ -1,177 +0,0 @@
-.TH "unbound-anchor" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
-.\"
-.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
-.\"
-.\" Copyright (c) 2008, NLnet Labs. All rights reserved.
-.\"
-.\" See LICENSE for the license.
-.\"
-.\"
-.SH "NAME"
-.B unbound\-anchor
-\- Unbound anchor utility.
-.SH "SYNOPSIS"
-.B unbound\-anchor
-.RB [ opts ]
-.SH "DESCRIPTION"
-.B Unbound\-anchor
-performs setup or update of the root trust anchor for DNSSEC validation.
-The program fetches the trust anchor with the method from RFC7958 when
-regular RFC5011 update fails to bring it up to date.
-It can be run (as root) from the commandline, or run as part of startup
-scripts. Before you start the \fIunbound\fR(8) DNS server.
-.P
-Suggested usage:
-.P
-.nf
- # in the init scripts.
- # provide or update the root anchor (if necessary)
- unbound-anchor \-a "@UNBOUND_ROOTKEY_FILE@"
- # Please note usage of this root anchor is at your own risk
- # and under the terms of our LICENSE (see source).
- #
- # start validating resolver
- # the unbound.conf contains:
- # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
- unbound \-c unbound.conf
-.fi
-.P
-This tool provides builtin default contents for the root anchor and root
-update certificate files.
-.P
-It tests if the root anchor file works, and if not, and an update is possible,
-attempts to update the root anchor using the root update certificate.
-It performs a https fetch of root-anchors.xml and checks the results (RFC7958),
-if all checks are successful, it updates the root anchor file. Otherwise
-the root anchor file is unchanged. It performs RFC5011 tracking if the
-DNSSEC information available via the DNS makes that possible.
-.P
-It does not perform an update if the certificate is expired, if the network
-is down or other errors occur.
-.P
-The available options are:
-.TP
-.B \-a \fIfile
-The root anchor key file, that is read in and written out.
-Default is @UNBOUND_ROOTKEY_FILE@.
-If the file does not exist, or is empty, a builtin root key is written to it.
-.TP
-.B \-c \fIfile
-The root update certificate file, that is read in.
-Default is @UNBOUND_ROOTCERT_FILE@.
-If the file does not exist, or is empty, a builtin certificate is used.
-.TP
-.B \-l
-List the builtin root key and builtin root update certificate on stdout.
-.TP
-.B \-u \fIname
-The server name, it connects to https://name. Specify without https:// prefix.
-The default is "data.iana.org". It connects to the port specified with \-P.
-You can pass an IPv4 address or IPv6 address (no brackets) if you want.
-.TP
-.B \-x \fIpath
-The pathname to the root\-anchors.xml file on the server. (forms URL with \-u).
-The default is /root\-anchors/root\-anchors.xml.
-.TP
-.B \-s \fIpath
-The pathname to the root\-anchors.p7s file on the server. (forms URL with \-u).
-The default is /root\-anchors/root\-anchors.p7s. This file has to be a PKCS7
-signature over the xml file, using the pem file (\-c) as trust anchor.
-.TP
-.B \-n \fIname
-The emailAddress for the Subject of the signer's certificate from the p7s
-signature file. Only signatures from this name are allowed. default is
-dnssec@iana.org. If you pass "" then the emailAddress is not checked.
-.TP
-.B \-4
-Use IPv4 for domain resolution and contacting the server on https. Default is
-to use IPv4 and IPv6 where appropriate.
-.TP
-.B \-6
-Use IPv6 for domain resolution and contacting the server on https. Default is
-to use IPv4 and IPv6 where appropriate.
-.TP
-.B \-f \fIresolv.conf
-Use the given resolv.conf file. Not enabled by default, but you could try to
-pass /etc/resolv.conf on some systems. It contains the IP addresses of the
-recursive nameservers to use. However, since this tool could be used to
-bootstrap that very recursive nameserver, it would not be useful (since
-that server is not up yet, since we are bootstrapping it). It could be
-useful in a situation where you know an upstream cache is deployed (and
-running) and in captive portal situations.
-.TP
-.B \-r \fIroot.hints
-Use the given root.hints file (same syntax as the BIND and Unbound root hints
-file) to bootstrap domain resolution. By default a list of builtin root
-hints is used. Unbound\-anchor goes to the network itself for these roots,
-to resolve the server (\-u option) and to check the root DNSKEY records.
-It does so, because the tool when used for bootstrapping the recursive
-resolver, cannot use that recursive resolver itself because it is bootstrapping
-that server.
-.TP
-.B \-v
-More verbose. Once prints informational messages, multiple times may enable
-large debug amounts (such as full certificates or byte\-dumps of downloaded
-files). By default it prints almost nothing. It also prints nothing on
-errors by default; in that case the original root anchor file is simply
-left undisturbed, so that a recursive server can start right after it.
-.TP
-.B \-C \fIunbound.conf
-Debug option to read unbound.conf into the resolver process used.
-.TP
-.B \-P \fIport
-Set the port number to use for the https connection. The default is 443.
-.TP
-.B \-F
-Debug option to force update of the root anchor through downloading the xml
-file and verifying it with the certificate. By default it first tries to
-update by contacting the DNS, which uses much less bandwidth, is much
-faster (200 msec not 2 sec), and is nicer to the deployed infrastructure.
-With this option, it still attempts to do so (and may verbosely tell you),
-but then ignores the result and goes on to use the xml fallback method.
-.TP
-.B \-h
-Show the version and commandline option help.
-.SH "EXIT CODE"
-This tool exits with value 1 if the root anchor was updated using the
-certificate or if the builtin root-anchor was used. It exits with code
-0 if no update was necessary, if the update was possible with RFC5011
-tracking, or if an error occurred.
-.P
-You can check the exit value in this manner:
-.nf
- unbound-anchor \-a "root.key" || logger "Please check root.key"
-.fi
-Or something more suitable for your operational environment.
-.SH "TRUST"
-The root keys and update certificate included in this tool
-are provided for convenience and under the terms of our
-license (see the LICENSE file in the source distribution or
-http://unbound.nlnetlabs.nl/svn/trunk/LICENSE) and might be stale or
-not suitable to your purpose.
-.P
-By running "unbound\-anchor \-l" the keys and certificate that are
-configured in the code are printed for your convenience.
-.P
-The build\-in configuration can be overridden by providing a root\-cert
-file and a rootkey file.
-.SH "FILES"
-.TP
-.I @UNBOUND_ROOTKEY_FILE@
-The root anchor file, updated with 5011 tracking, and read and written to.
-The file is created if it does not exist.
-.TP
-.I @UNBOUND_ROOTCERT_FILE@
-The trusted self\-signed certificate that is used to verify the downloaded
-DNSSEC root trust anchor. You can update it by fetching it from
-https://data.iana.org/root\-anchors/icannbundle.pem (and validate it).
-If the file does not exist or is empty, a builtin version is used.
-.TP
-.I https://data.iana.org/root\-anchors/root\-anchors.xml
-Source for the root key information.
-.TP
-.I https://data.iana.org/root\-anchors/root\-anchors.p7s
-Signature on the root key information.
-.SH "SEE ALSO"
-\fIunbound.conf\fR(5),
-\fIunbound\fR(8).
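Review bot: Removing unbound-anchor.8.in drops the documented exit-code contract ("exits with value 1 if the root anchor was updated using the certificate or if the builtin root-anchor was used", 0 on no update, RFC5011 success, or error) and the "Suggested usage" init-script snippet that depends on it, so any startup script in this tree that still calls `unbound-anchor -a "@UNBOUND_ROOTKEY_FILE@"` should be checked against that behaviour. Since this is an autoconf template (it carries the @UNBOUND_ROOTKEY_FILE@ and @UNBOUND_ROOTCERT_FILE@ substitutions), the configure input that lists it as an output file needs a matching removal or configure will fail on the missing template.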
diff --git a/external/unbound/doc/unbound-checkconf.8.in b/external/unbound/doc/unbound-checkconf.8.in
deleted file mode 100644
index 523784b5c..000000000
--- a/external/unbound/doc/unbound-checkconf.8.in
+++ /dev/null
@@ -1,52 +0,0 @@
-.TH "unbound-checkconf" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
-.\"
-.\" unbound-checkconf.8 -- unbound configuration checker manual
-.\"
-.\" Copyright (c) 2007, NLnet Labs. All rights reserved.
-.\"
-.\" See LICENSE for the license.
-.\"
-.\"
-.SH "NAME"
-unbound\-checkconf
-\- Check unbound configuration file for errors.
-.SH "SYNOPSIS"
-.B unbound\-checkconf
-.RB [ \-h ]
-.RB [ \-f ]
-.RB [ \-o
-.IR option ]
-.RI [ cfgfile ]
-.SH "DESCRIPTION"
-.B Unbound\-checkconf
-checks the configuration file for the
-\fIunbound\fR(8)
-DNS resolver for syntax and other errors.
-The config file syntax is described in
-\fIunbound.conf\fR(5).
-.P
-The available options are:
-.TP
-.B \-h
-Show the version and commandline option help.
-.TP
-.B \-f
-Print full pathname, with chroot applied to it. Use with the \-o option.
-.TP
-.B \-o\fI option
-If given, after checking the config file the value of this option is
-printed to stdout. For "" (disabled) options an empty line is printed.
-.TP
-.I cfgfile
-The config file to read with settings for unbound. It is checked.
-If omitted, the config file at the default location is checked.
-.SH "EXIT CODE"
-The unbound\-checkconf program exits with status code 1 on error,
-0 for a correct config file.
-.SH "FILES"
-.TP
-.I @ub_conf_file@
-unbound configuration file.
-.SH "SEE ALSO"
-\fIunbound.conf\fR(5),
-\fIunbound\fR(8).
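Review bot: The same template concern applies to unbound-checkconf.8.in: the FILES section uses the @ub_conf_file@ substitution, so it is generated at configure time and the template list must be updated in the same change. This page is also the only visible description of the \-o option and of the exit status (1 on error, 0 for a correct config file) that packaging or CI checks may rely on, so the commit message should state whether unbound-checkconf is still built from this vendored copy.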
diff --git a/external/unbound/doc/unbound-control.8.in b/external/unbound/doc/unbound-control.8.in
deleted file mode 100644
index 47d2a4861..000000000
--- a/external/unbound/doc/unbound-control.8.in
+++ /dev/null
@@ -1,555 +0,0 @@
-.TH "unbound-control" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
-.\"
-.\" unbound-control.8 -- unbound remote control manual
-.\"
-.\" Copyright (c) 2008, NLnet Labs. All rights reserved.
-.\"
-.\" See LICENSE for the license.
-.\"
-.\"
-.SH "NAME"
-.B unbound\-control,
-.B unbound\-control\-setup
-\- Unbound remote server control utility.
-.SH "SYNOPSIS"
-.B unbound\-control
-.RB [ \-hq ]
-.RB [ \-c
-.IR cfgfile ]
-.RB [ \-s
-.IR server ]
-.IR command
-.SH "DESCRIPTION"
-.B Unbound\-control
-performs remote administration on the \fIunbound\fR(8) DNS server.
-It reads the configuration file, contacts the unbound server over SSL
-sends the command and displays the result.
-.P
-The available options are:
-.TP
-.B \-h
-Show the version and commandline option help.
-.TP
-.B \-c \fIcfgfile
-The config file to read with settings. If not given the default
-config file @ub_conf_file@ is used.
-.TP
-.B \-s \fIserver[@port]
-IPv4 or IPv6 address of the server to contact. If not given, the
-address is read from the config file.
-.TP
-.B \-q
-quiet, if the option is given it does not print anything if it works ok.
-.SH "COMMANDS"
-There are several commands that the server understands.
-.TP
-.B start
-Start the server. Simply execs \fIunbound\fR(8). The unbound executable
-is searched for in the \fBPATH\fR set in the environment. It is started
-with the config file specified using \fI\-c\fR or the default config file.
-.TP
-.B stop
-Stop the server. The server daemon exits.
-.TP
-.B reload
-Reload the server. This flushes the cache and reads the config file fresh.
-.TP
-.B verbosity \fInumber
-Change verbosity value for logging. Same values as \fBverbosity\fR keyword in
-\fIunbound.conf\fR(5). This new setting lasts until the server is issued
-a reload (taken from config file again), or the next verbosity control command.
-.TP
-.B log_reopen
-Reopen the logfile, close and open it. Useful for logrotation to make the
-daemon release the file it is logging to. If you are using syslog it will
-attempt to close and open the syslog (which may not work if chrooted).
-.TP
-.B stats
-Print statistics. Resets the internal counters to zero, this can be
-controlled using the \fBstatistics\-cumulative\fR config statement.
-Statistics are printed with one [name]: [value] per line.
-.TP
-.B stats_noreset
-Peek at statistics. Prints them like the \fBstats\fR command does, but does not
-reset the internal counters to zero.
-.TP
-.B status
-Display server status. Exit code 3 if not running (the connection to the
-port is refused), 1 on error, 0 if running.
-.TP
-.B local_zone \fIname\fR \fItype
-Add new local zone with name and type. Like \fBlocal\-zone\fR config statement.
-If the zone already exists, the type is changed to the given argument.
-.TP
-.B local_zone_remove \fIname
-Remove the local zone with the given name. Removes all local data inside
-it. If the zone does not exist, the command succeeds.
-.TP
-.B local_data \fIRR data...
-Add new local data, the given resource record. Like \fBlocal\-data\fR
-config statement, except for when no covering zone exists. In that case
-this remote control command creates a transparent zone with the same
-name as this record. This command is not good at returning detailed syntax
-errors.
-.TP
-.B local_data_remove \fIname
-Remove all RR data from local name. If the name already has no items,
-nothing happens. Often results in NXDOMAIN for the name (in a static zone),
-but if the name has become an empty nonterminal (there is still data in
-domain names below the removed name), NOERROR nodata answers are the
-result for that name.
-.TP
-.B local_zones
-Add local zones read from stdin of unbound\-control. Input is read per line,
-with name space type on a line. For bulk additions.
-.TP
-.B local_zones_remove
-Remove local zones read from stdin of unbound\-control. Input is one name per
-line. For bulk removals.
-.TP
-.B local_datas
-Add local data RRs read from stdin of unbound\-control. Input is one RR per
-line. For bulk additions.
-.TP
-.B local_datas_remove
-Remove local data RRs read from stdin of unbound\-control. Input is one name per
-line. For bulk removals.
-.TP
-.B dump_cache
-The contents of the cache is printed in a text format to stdout. You can
-redirect it to a file to store the cache in a file.
-.TP
-.B load_cache
-The contents of the cache is loaded from stdin. Uses the same format as
-dump_cache uses. Loading the cache with old, or wrong data can result
-in old or wrong data returned to clients. Loading data into the cache
-in this way is supported in order to aid with debugging.
-.TP
-.B lookup \fIname
-Print to stdout the name servers that would be used to look up the
-name specified.
-.TP
-.B flush \fIname
-Remove the name from the cache. Removes the types
-A, AAAA, NS, SOA, CNAME, DNAME, MX, PTR, SRV and NAPTR.
-Because that is fast to do. Other record types can be removed using
-.B flush_type
-or
-.B flush_zone\fR.
-.TP
-.B flush_type \fIname\fR \fItype
-Remove the name, type information from the cache.
-.TP
-.B flush_zone \fIname
-Remove all information at or below the name from the cache.
-The rrsets and key entries are removed so that new lookups will be performed.
-This needs to walk and inspect the entire cache, and is a slow operation.
-.TP
-.B flush_bogus
-Remove all bogus data from the cache.
-.TP
-.B flush_negative
-Remove all negative data from the cache. This is nxdomain answers,
-nodata answers and servfail answers. Also removes bad key entries
-(which could be due to failed lookups) from the dnssec key cache, and
-iterator last-resort lookup failures from the rrset cache.
-.TP
-.B flush_stats
-Reset statistics to zero.
-.TP
-.B flush_requestlist
-Drop the queries that are worked on. Stops working on the queries that the
-server is working on now. The cache is unaffected. No reply is sent for
-those queries, probably making those users request again later.
-Useful to make the server restart working on queries with new settings,
-such as a higher verbosity level.
-.TP
-.B dump_requestlist
-Show what is worked on. Prints all queries that the server is currently
-working on. Prints the time that users have been waiting. For internal
-requests, no time is printed. And then prints out the module status.
-This prints the queries from the first thread, and not queries that are
-being serviced from other threads.
-.TP
-.B flush_infra \fIall|IP
-If all then entire infra cache is emptied. If a specific IP address, the
-entry for that address is removed from the cache. It contains EDNS, ping
-and lameness data.
-.TP
-.B dump_infra
-Show the contents of the infra cache.
-.TP
-.B set_option \fIopt: val
-Set the option to the given value without a reload. The cache is
-therefore not flushed. The option must end with a ':' and whitespace
-must be between the option and the value. Some values may not have an
-effect if set this way, the new values are not written to the config file,
-not all options are supported. This is different from the set_option call
-in libunbound, where all values work because unbound has not been initialized.
-.IP
-The values that work are: statistics\-interval, statistics\-cumulative,
-do\-not\-query\-localhost, harden\-short\-bufsize, harden\-large\-queries,
-harden\-glue, harden\-dnssec\-stripped, harden\-below\-nxdomain,
-harden\-referral\-path, prefetch, prefetch\-key, log\-queries,
-hide\-identity, hide\-version, identity, version, val\-log\-level,
-val\-log\-squelch, ignore\-cd\-flag, add\-holddown, del\-holddown,
-keep\-missing, tcp\-upstream, ssl\-upstream, max\-udp\-size, ratelimit,
-ip\-ratelimit, cache\-max\-ttl, cache\-min\-ttl, cache\-max\-negative\-ttl.
-.TP
-.B get_option \fIopt
-Get the value of the option. Give the option name without a trailing ':'.
-The value is printed. If the value is "", nothing is printed
-and the connection closes. On error 'error ...' is printed (it gives
-a syntax error on unknown option). For some options a list of values,
-one on each line, is printed. The options are shown from the config file
-as modified with set_option. For some options an override may have been
-taken that does not show up with this command, not results from e.g. the
-verbosity and forward control commands. Not all options work, see list_stubs,
-list_forwards, list_local_zones and list_local_data for those.
-.TP
-.B list_stubs
-List the stub zones in use. These are printed one by one to the output.
-This includes the root hints in use.
-.TP
-.B list_forwards
-List the forward zones in use. These are printed zone by zone to the output.
-.TP
-.B list_insecure
-List the zones with domain\-insecure.
-.TP
-.B list_local_zones
-List the local zones in use. These are printed one per line with zone type.
-.TP
-.B list_local_data
-List the local data RRs in use. The resource records are printed.
-.TP
-.B insecure_add \fIzone
-Add a \fBdomain\-insecure\fR for the given zone, like the statement in unbound.conf.
-Adds to the running unbound without affecting the cache contents (which may
-still be bogus, use \fBflush_zone\fR to remove it), does not affect the config file.
-.TP
-.B insecure_remove \fIzone
-Removes domain\-insecure for the given zone.
-.TP
-.B forward_add \fR[\fI+i\fR] \fIzone addr ...
-Add a new forward zone to running unbound. With +i option also adds a
-\fIdomain\-insecure\fR for the zone (so it can resolve insecurely if you have
-a DNSSEC root trust anchor configured for other names).
-The addr can be IP4, IP6 or nameserver names, like \fIforward-zone\fR config
-in unbound.conf.
-.TP
-.B forward_remove \fR[\fI+i\fR] \fIzone
-Remove a forward zone from running unbound. The +i also removes a
-\fIdomain\-insecure\fR for the zone.
-.TP
-.B stub_add \fR[\fI+ip\fR] \fIzone addr ...
-Add a new stub zone to running unbound. With +i option also adds a
-\fIdomain\-insecure\fR for the zone. With +p the stub zone is set to prime,
-without it it is set to notprime. The addr can be IP4, IP6 or nameserver
-names, like the \fIstub-zone\fR config in unbound.conf.
-.TP
-.B stub_remove \fR[\fI+i\fR] \fIzone
-Remove a stub zone from running unbound. The +i also removes a
-\fIdomain\-insecure\fR for the zone.
-.TP
-.B forward \fR[\fIoff\fR | \fIaddr ...\fR ]
-Setup forwarding mode. Configures if the server should ask other upstream
-nameservers, should go to the internet root nameservers itself, or show
-the current config. You could pass the nameservers after a DHCP update.
-.IP
-Without arguments the current list of addresses used to forward all queries
-to is printed. On startup this is from the forward\-zone "." configuration.
-Afterwards it shows the status. It prints off when no forwarding is used.
-.IP
-If \fIoff\fR is passed, forwarding is disabled and the root nameservers
-are used. This can be used to avoid to avoid buggy or non\-DNSSEC supporting
-nameservers returned from DHCP. But may not work in hotels or hotspots.
-.IP
-If one or more IPv4 or IPv6 addresses are given, those are then used to forward
-queries to. The addresses must be separated with spaces. With '@port' the
-port number can be set explicitly (default port is 53 (DNS)).
-.IP
-By default the forwarder information from the config file for the root "." is
-used. The config file is not changed, so after a reload these changes are
-gone. Other forward zones from the config file are not affected by this command.
-.TP
-.B ratelimit_list \fR[\fI+a\fR]
-List the domains that are ratelimited. Printed one per line with current
-estimated qps and qps limit from config. With +a it prints all domains, not
-just the ratelimited domains, with their estimated qps. The ratelimited
-domains return an error for uncached (new) queries, but cached queries work
-as normal.
-.TP
-.B ip_ratelimit_list \fR[\fI+a\fR]
-List the ip addresses that are ratelimited. Printed one per line with current
-estimated qps and qps limit from config. With +a it prints all ips, not
-just the ratelimited ips, with their estimated qps. The ratelimited
-ips are dropped before checking the cache.
-.TP
-.B view_list_local_zones \fIview\fR
-\fIlist_local_zones\fR for given view.
-.TP
-.B view_local_zone \fIview\fR \fIname\fR \fItype
-\fIlocal_zone\fR for given view.
-.TP
-.B view_local_zone_remove \fIview\fR \fIname
-\fIlocal_zone_remove\fR for given view.
-.TP
-.B view_list_local_data \fIview\fR
-\fIlist_local_data\fR for given view.
-.TP
-.B view_local_data \fIview\fR \fIRR data...
-\fIlocal_data\fR for given view.
-.TP
-.B view_local_data_remove \fIview\fR \fIname
-\fIlocal_data_remove\fR for given view.
-.SH "EXIT CODE"
-The unbound\-control program exits with status code 1 on error, 0 on success.
-.SH "SET UP"
-The setup requires a self\-signed certificate and private keys for both
-the server and client. The script \fIunbound\-control\-setup\fR generates
-these in the default run directory, or with \-d in another directory.
-If you change the access control permissions on the key files you can decide
-who can use unbound\-control, by default owner and group but not all users.
-Run the script under the same username as you have configured in unbound.conf
-or as root, so that the daemon is permitted to read the files, for example with:
-.nf
- sudo \-u unbound unbound\-control\-setup
-.fi
-If you have not configured
-a username in unbound.conf, the keys need read permission for the user
-credentials under which the daemon is started.
-The script preserves private keys present in the directory.
-After running the script as root, turn on \fBcontrol\-enable\fR in
-\fIunbound.conf\fR.
-.SH "STATISTIC COUNTERS"
-The \fIstats\fR command shows a number of statistic counters.
-.TP
-.I threadX.num.queries
-number of queries received by thread
-.TP
-.I threadX.num.queries_ip_ratelimited
-number of queries rate limited by thread
-.TP
-.I threadX.num.cachehits
-number of queries that were successfully answered using a cache lookup
-.TP
-.I threadX.num.cachemiss
-number of queries that needed recursive processing
-.TP
-.I threadX.num.prefetch
-number of cache prefetches performed. This number is included in
-cachehits, as the original query had the unprefetched answer from cache,
-and resulted in recursive processing, taking a slot in the requestlist.
-Not part of the recursivereplies (or the histogram thereof) or cachemiss,
-as a cache response was sent.
-.TP
-.I threadX.num.zero_ttl
-number of replies with ttl zero, because they served an expired cache entry.
-.TP
-.I threadX.num.recursivereplies
-The number of replies sent to queries that needed recursive processing. Could be smaller than threadX.num.cachemiss if due to timeouts no replies were sent for some queries.
-.TP
-.I threadX.requestlist.avg
-The average number of requests in the internal recursive processing request list on insert of a new incoming recursive processing query.
-.TP
-.I threadX.requestlist.max
-Maximum size attained by the internal recursive processing request list.
-.TP
-.I threadX.requestlist.overwritten
-Number of requests in the request list that were overwritten by newer entries. This happens if there is a flood of queries that recursive processing and the server has a hard time.
-.TP
-.I threadX.requestlist.exceeded
-Queries that were dropped because the request list was full. This happens if a flood of queries need recursive processing, and the server can not keep up.
-.TP
-.I threadX.requestlist.current.all
-Current size of the request list, includes internally generated queries (such
-as priming queries and glue lookups).
-.TP
-.I threadX.requestlist.current.user
-Current size of the request list, only the requests from client queries.
-.TP
-.I threadX.recursion.time.avg
-Average time it took to answer queries that needed recursive processing. Note that queries that were answered from the cache are not in this average.
-.TP
-.I threadX.recursion.time.median
-The median of the time it took to answer queries that needed recursive
-processing. The median means that 50% of the user queries were answered in
-less than this time. Because of big outliers (usually queries to non
-responsive servers), the average can be bigger than the median. This median
-has been calculated by interpolation from a histogram.
-.TP
-.I threadX.tcpusage
-The currently held tcp buffers for incoming connections. A spot value on
-the time of the request. This helps you spot if the incoming\-num\-tcp
-buffers are full.
-.TP
-.I total.num.queries
-summed over threads.
-.TP
-.I total.num.cachehits
-summed over threads.
-.TP
-.I total.num.cachemiss
-summed over threads.
-.TP
-.I total.num.prefetch
-summed over threads.
-.TP
-.I total.num.zero_ttl
-summed over threads.
-.TP
-.I total.num.recursivereplies
-summed over threads.
-.TP
-.I total.requestlist.avg
-averaged over threads.
-.TP
-.I total.requestlist.max
-the maximum of the thread requestlist.max values.
-.TP
-.I total.requestlist.overwritten
-summed over threads.
-.TP
-.I total.requestlist.exceeded
-summed over threads.
-.TP
-.I total.requestlist.current.all
-summed over threads.
-.TP
-.I total.recursion.time.median
-averaged over threads.
-.TP
-.I total.tcpusage
-summed over threads.
-.TP
-.I time.now
-current time in seconds since 1970.
-.TP
-.I time.up
-uptime since server boot in seconds.
-.TP
-.I time.elapsed
-time since last statistics printout, in seconds.
-.SH EXTENDED STATISTICS
-.TP
-.I mem.cache.rrset
-Memory in bytes in use by the RRset cache.
-.TP
-.I mem.cache.message
-Memory in bytes in use by the message cache.
-.TP
-.I mem.mod.iterator
-Memory in bytes in use by the iterator module.
-.TP
-.I mem.mod.validator
-Memory in bytes in use by the validator module. Includes the key cache and
-negative cache.
-.TP
-.I histogram.<sec>.<usec>.to.<sec>.<usec>
-Shows a histogram, summed over all threads. Every element counts the
-recursive queries whose reply time fit between the lower and upper bound.
-Times larger or equal to the lowerbound, and smaller than the upper bound.
-There are 40 buckets, with bucket sizes doubling.
-.TP
-.I num.query.type.A
-The total number of queries over all threads with query type A.
-Printed for the other query types as well, but only for the types for which
-queries were received, thus =0 entries are omitted for brevity.
-.TP
-.I num.query.type.other
-Number of queries with query types 256\-65535.
-.TP
-.I num.query.class.IN
-The total number of queries over all threads with query class IN (internet).
-Also printed for other classes (such as CH (CHAOS) sometimes used for
-debugging), or NONE, ANY, used by dynamic update.
-num.query.class.other is printed for classes 256\-65535.
-.TP
-.I num.query.opcode.QUERY
-The total number of queries over all threads with query opcode QUERY.
-Also printed for other opcodes, UPDATE, ...
-.TP
-.I num.query.tcp
-Number of queries that were made using TCP towards the unbound server.
-.TP
-.I num.query.tcpout
-Number of queries that the unbound server made using TCP outgoing towards
-other servers.
-.TP
-.I num.query.ipv6
-Number of queries that were made using IPv6 towards the unbound server.
-.TP
-.I num.query.flags.RD
-The number of queries that had the RD flag set in the header.
-Also printed for flags QR, AA, TC, RA, Z, AD, CD.
-Note that queries with flags QR, AA or TC may have been rejected
-because of that.
-.TP
-.I num.query.edns.present
-number of queries that had an EDNS OPT record present.
-.TP
-.I num.query.edns.DO
-number of queries that had an EDNS OPT record with the DO (DNSSEC OK) bit set.
-These queries are also included in the num.query.edns.present number.
-.TP
-.I num.answer.rcode.NXDOMAIN
-The number of answers to queries, from cache or from recursion, that had the
-return code NXDOMAIN. Also printed for the other return codes.
-.TP
-.I num.answer.rcode.nodata
-The number of answers to queries that had the pseudo return code nodata.
-This means the actual return code was NOERROR, but additionally, no data was
-carried in the answer (making what is called a NOERROR/NODATA answer).
-These queries are also included in the num.answer.rcode.NOERROR number.
-Common for AAAA lookups when an A record exists, and no AAAA.
-.TP
-.I num.answer.secure
-Number of answers that were secure. The answer validated correctly.
-The AD bit might have been set in some of these answers, where the client
-signalled (with DO or AD bit in the query) that they were ready to accept
-the AD bit in the answer.
-.TP
-.I num.answer.bogus
-Number of answers that were bogus. These answers resulted in SERVFAIL
-to the client because the answer failed validation.
-.TP
-.I num.rrset.bogus
-The number of rrsets marked bogus by the validator. Increased for every
-RRset inspection that fails.
-.TP
-.I unwanted.queries
-Number of queries that were refused or dropped because they failed the
-access control settings.
-.TP
-.I unwanted.replies
-Replies that were unwanted or unsolicited. Could have been random traffic,
-delayed duplicates, very late answers, or could be spoofing attempts.
-Some low level of late answers and delayed duplicates are to be expected
-with the UDP protocol. Very high values could indicate a threat (spoofing).
-.TP
-.I msg.cache.count
-The number of items (DNS replies) in the message cache.
-.TP
-.I rrset.cache.count
-The number of RRsets in the rrset cache. This includes rrsets used by
-the messages in the message cache, but also delegation information.
-.TP
-.I infra.cache.count
-The number of items in the infra cache. These are IP addresses with their
-timing and protocol support information.
-.TP
-.I key.cache.count
-The number of items in the key cache. These are DNSSEC keys, one item
-per delegation point, and their validation status.
-.SH "FILES"
-.TP
-.I @ub_conf_file@
-unbound configuration file.
-.TP
-.I @UNBOUND_RUN_DIR@
-directory with private keys (unbound_server.key and unbound_control.key) and
-self\-signed certificates (unbound_server.pem and unbound_control.pem).
-.SH "SEE ALSO"
-\fIunbound.conf\fR(5),
-\fIunbound\fR(8).
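Review bot: The SET UP section removed in this hunk is the only in-tree statement that the control keys generated by unbound-control-setup are readable by owner and group only, that the script must run as the daemon's user (the `sudo -u unbound unbound-control-setup` example), and that the FILES entry @UNBOUND_RUN_DIR@ holds unbound_server.key and unbound_control.key; before dropping it, confirm that no remaining scripts or documentation in the tree still point operators at unbound-control-setup or at those key paths, and note in the commit message where the upstream manual now lives, since the STATISTIC COUNTERS descriptions of unwanted.replies and num.answer.bogus are what operators use to read the spoofing and validation-failure counters.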
diff --git a/external/unbound/doc/unbound-host.1.in b/external/unbound/doc/unbound-host.1.in
deleted file mode 100644
index 1d698e16d..000000000
--- a/external/unbound/doc/unbound-host.1.in
+++ /dev/null
@@ -1,116 +0,0 @@
-.TH "unbound\-host" "1" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
-.\"
-.\" unbound-host.1 -- unbound DNS lookup utility
-.\"
-.\" Copyright (c) 2007, NLnet Labs. All rights reserved.
-.\"
-.\" See LICENSE for the license.
-.\"
-.\"
-.SH "NAME"
-.B unbound\-host
-\- unbound DNS lookup utility
-.SH "SYNOPSIS"
-.B unbound\-host
-.RB [ \-vdhr46D ]
-.RB [ \-c
-.IR class ]
-.RB [ \-t
-.IR type ]
-.I hostname
-.RB [ \-y
-.IR key ]
-.RB [ \-f
-.IR keyfile ]
-.RB [ \-F
-.IR namedkeyfile ]
-.RB [ \-C
-.IR configfile ]
-.SH "DESCRIPTION"
-.B Unbound\-host
-uses the unbound validating resolver to query for the hostname and display
-results. With the \fB\-v\fR option it displays validation
-status: secure, insecure, bogus (security failure).
-.P
-By default it reads no configuration file whatsoever. It attempts to reach
-the internet root servers. With \fB\-C\fR an unbound config file and with
-\fB\-r\fR resolv.conf can be read.
-.P
-The available options are:
-.TP
-.I hostname
-This name is resolved (looked up in the DNS).
-If a IPv4 or IPv6 address is given, a reverse lookup is performed.
-.TP
-.B \-h
-Show the version and commandline option help.
-.TP
-.B \-v
-Enable verbose output and it shows validation results, on every line.
-Secure means that the NXDOMAIN (no such domain name), nodata (no such data)
-or positive data response validated correctly with one of the keys.
-Insecure means that that domain name has no security set up for it.
-Bogus (security failure) means that the response failed one or more checks,
-it is likely wrong, outdated, tampered with, or broken.
-.TP
-.B \-d
-Enable debug output to stderr. One \-d shows what the resolver and validator
-are doing and may tell you what is going on. More times, \-d \-d, gives a
-lot of output, with every packet sent and received.
-.TP
-.B \-c \fIclass
-Specify the class to lookup for, the default is IN the internet class.
-.TP
-.B \-t \fItype
-Specify the type of data to lookup. The default looks for IPv4, IPv6 and
-mail handler data, or domain name pointers for reverse queries.
-.TP
-.B \-y \fIkey
-Specify a public key to use as trust anchor. This is the base for a chain
-of trust that is built up from the trust anchor to the response, in order
-to validate the response message. Can be given as a DS or DNSKEY record.
-For example \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD".
-.TP
-.B \-D
-Enables DNSSEC validation. Reads the root anchor from the default configured
-root anchor at the default location, \fI@UNBOUND_ROOTKEY_FILE@\fR.
-.TP
-.B \-f \fIkeyfile
-Reads keys from a file. Every line has a DS or DNSKEY record, in the format
-as for \-y. The zone file format, the same as dig and drill produce.
-.TP
-.B \-F \fInamedkeyfile
-Reads keys from a BIND\-style named.conf file. Only the trusted\-key {}; entries
-are read.
-.TP
-.B \-C \fIconfigfile
-Uses the specified unbound.conf to prime
-.IR libunbound (3).
-.TP
-.B \-r
-Read /etc/resolv.conf, and use the forward DNS servers from there (those could
-have been set by DHCP). More info in
-.IR resolv.conf (5).
-Breaks validation if those servers do not support DNSSEC.
-.TP
-.B \-4
-Use solely the IPv4 network for sending packets.
-.TP
-.B \-6
-Use solely the IPv6 network for sending packets.
-.SH "EXAMPLES"
-Some examples of use. The keys shown below are fakes, thus a security failure
-is encountered.
-.P
-$ unbound\-host www.example.com
-.P
-$ unbound\-host \-v \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD" www.example.com
-.P
-$ unbound\-host \-v \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD" 192.0.2.153
-.SH "EXIT CODE"
-The unbound\-host program exits with status code 1 on error,
-0 on no error. The data may not be available on exit code 0, exit code 1
-means the lookup encountered a fatal error.
-.SH "SEE ALSO"
-\fIunbound.conf\fR(5),
-\fIunbound\fR(8).
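Review bot: The @UNBOUND_ROOTKEY_FILE@ placeholder in the -D option text shows unbound-host.1.in is a configure-time template, so the rule that substitutes it and installs the generated unbound-host.1 must be removed in the same change or the build will reference a missing file; the SEE ALSO references to unbound.conf(5) and unbound(8) are consistent with those man pages being deleted alongside this one.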
diff --git a/external/unbound/doc/unbound.8.in b/external/unbound/doc/unbound.8.in
deleted file mode 100644
index cca759b62..000000000
--- a/external/unbound/doc/unbound.8.in
+++ /dev/null
@@ -1,79 +0,0 @@
-.TH "unbound" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
-.\"
-.\" unbound.8 -- unbound manual
-.\"
-.\" Copyright (c) 2007, NLnet Labs. All rights reserved.
-.\"
-.\" See LICENSE for the license.
-.\"
-.\"
-.SH "NAME"
-.B unbound
-\- Unbound DNS validating resolver 1.6.3.
-.SH "SYNOPSIS"
-.B unbound
-.RB [ \-h ]
-.RB [ \-d ]
-.RB [ \-v ]
-.RB [ \-c
-.IR cfgfile ]
-.SH "DESCRIPTION"
-.B Unbound
-is a caching DNS resolver.
-.P
-It uses a built in list of authoritative nameservers for the root zone (.),
-the so called root hints.
-On receiving a DNS query it will ask the root nameservers for
-an answer and will in almost all cases receive a delegation to a top level
-domain (TLD) authoritative nameserver.
-It will then ask that nameserver for an answer.
-It will recursively continue until an answer is found or no answer is
-available (NXDOMAIN).
-For performance and efficiency reasons that answer is cached for a
-certain time (the answer's time\-to\-live or TTL).
-A second query for the same name will then be answered from the cache.
-Unbound can also do DNSSEC validation.
-.P
-To use a locally running
-.B Unbound
-for resolving put
-.sp
-.RS 6n
-nameserver 127.0.0.1
-.RE
-.sp
-into
-.IR resolv.conf (5).
-.P
-If authoritative DNS is needed as well using
-.IR nsd (8),
-careful setup is required because authoritative nameservers and
-resolvers are using the same port number (53).
-.P
-The available options are:
-.TP
-.B \-h
-Show the version and commandline option help.
-.TP
-.B \-c\fI cfgfile
-Set the config file with settings for unbound to read instead of reading the
-file at the default location, @ub_conf_file@. The syntax is
-described in \fIunbound.conf\fR(5).
-.TP
-.B \-d
-Debug flag: do not fork into the background, but stay attached to
-the console. This flag will also delay writing to the log file until
-the thread\-spawn time, so that most config and setup errors appear on
-stderr. If given twice or more, logging does not switch to the log file
-or to syslog, but the log messages are printed to stderr all the time.
-.TP
-.B \-v
-Increase verbosity. If given multiple times, more information is logged.
-This is in addition to the verbosity (if any) from the config file.
-.SH "SEE ALSO"
-\fIunbound.conf\fR(5),
-\fIunbound\-checkconf\fR(8),
-\fInsd\fR(8).
-.SH "AUTHORS"
-.B Unbound
-developers are mentioned in the CREDITS file in the distribution.
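Review bot: The SEE ALSO block of unbound.8.in removed here cross-references unbound-checkconf(8) and nsd(8); with unbound(8) gone, confirm the unbound-checkconf man page is handled consistently (removed as well, or its own SEE ALSO back-reference to unbound(8) dropped) so that no remaining man page points at a deleted one.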
diff --git a/external/unbound/doc/unbound.conf.5.in b/external/unbound/doc/unbound.conf.5.in
deleted file mode 100644
index b2c76ac95..000000000
--- a/external/unbound/doc/unbound.conf.5.in
+++ /dev/null
@@ -1,1578 +0,0 @@
-.TH "unbound.conf" "5" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
-.\"
-.\" unbound.conf.5 -- unbound.conf manual
-.\"
-.\" Copyright (c) 2007, NLnet Labs. All rights reserved.
-.\"
-.\" See LICENSE for the license.
-.\"
-.\"
-.SH "NAME"
-.B unbound.conf
-\- Unbound configuration file.
-.SH "SYNOPSIS"
-.B unbound.conf
-.SH "DESCRIPTION"
-.B unbound.conf
-is used to configure
-\fIunbound\fR(8).
-The file format has attributes and values. Some attributes have attributes inside them.
-The notation is: attribute: value.
-.P
-Comments start with # and last to the end of line. Empty lines are
-ignored as is whitespace at the beginning of a line.
-.P
-The utility
-\fIunbound\-checkconf\fR(8)
-can be used to check unbound.conf prior to usage.
-.SH "EXAMPLE"
-An example config file is shown below. Copy this to /etc/unbound/unbound.conf
-and start the server with:
-.P
-.nf
- $ unbound \-c /etc/unbound/unbound.conf
-.fi
-.P
-Most settings are the defaults. Stop the server with:
-.P
-.nf
- $ kill `cat /etc/unbound/unbound.pid`
-.fi
-.P
-Below is a minimal config file. The source distribution contains an extensive
-example.conf file with all the options.
-.P
-.nf
-# unbound.conf(5) config file for unbound(8).
-server:
- directory: "/etc/unbound"
- username: unbound
- # make sure unbound can access entropy from inside the chroot.
- # e.g. on linux the use these commands (on BSD, devfs(8) is used):
- # mount \-\-bind \-n /dev/random /etc/unbound/dev/random
- # and mount \-\-bind \-n /dev/log /etc/unbound/dev/log
- chroot: "/etc/unbound"
- # logfile: "/etc/unbound/unbound.log" #uncomment to use logfile.
- pidfile: "/etc/unbound/unbound.pid"
- # verbosity: 1 # uncomment and increase to get more logging.
- # listen on all interfaces, answer queries from the local subnet.
- interface: 0.0.0.0
- interface: ::0
- access\-control: 10.0.0.0/8 allow
- access\-control: 2001:DB8::/64 allow
-.fi
-.SH "FILE FORMAT"
-There must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute
-is followed by its containing attributes, or a value.
-.P
-Files can be included using the
-.B include:
-directive. It can appear anywhere, it accepts a single file name as argument.
-Processing continues as if the text from the included file was copied into
-the config file at that point. If also using chroot, using full path names
-for the included files works, relative pathnames for the included names work
-if the directory where the daemon is started equals its chroot/working
-directory or is specified before the include statement with directory: dir.
-Wildcards can be used to include multiple files, see \fIglob\fR(7).
-.SS "Server Options"
-These options are part of the
-.B server:
-clause.
-.TP
-.B verbosity: \fI<number>
-The verbosity number, level 0 means no verbosity, only errors. Level 1
-gives operational information. Level 2 gives detailed operational
-information. Level 3 gives query level information, output per query.
-Level 4 gives algorithm level information. Level 5 logs client
-identification for cache misses. Default is level 1.
-The verbosity can also be increased from the commandline, see \fIunbound\fR(8).
-.TP
-.B statistics\-interval: \fI<seconds>
-The number of seconds between printing statistics to the log for every thread.
-Disable with value 0 or "". Default is disabled. The histogram statistics
-are only printed if replies were sent during the statistics interval,
-requestlist statistics are printed for every interval (but can be 0).
-This is because the median calculation requires data to be present.
-.TP
-.B statistics\-cumulative: \fI<yes or no>
-If enabled, statistics are cumulative since starting unbound, without clearing
-the statistics counters after logging the statistics. Default is no.
-.TP
-.B extended\-statistics: \fI<yes or no>
-If enabled, extended statistics are printed from \fIunbound\-control\fR(8).
-Default is off, because keeping track of more statistics takes time. The
-counters are listed in \fIunbound\-control\fR(8).
-.TP
-.B num\-threads: \fI<number>
-The number of threads to create to serve clients. Use 1 for no threading.
-.TP
-.B port: \fI<port number>
-The port number, default 53, on which the server responds to queries.
-.TP
-.B interface: \fI<ip address[@port]>
-Interface to use to connect to the network. This interface is listened to
-for queries from clients, and answers to clients are given from it.
-Can be given multiple times to work on several interfaces. If none are
-given the default is to listen to localhost.
-The interfaces are not changed on a reload (kill \-HUP) but only on restart.
-A port number can be specified with @port (without spaces between
-interface and port number), if not specified the default port (from
-\fBport\fR) is used.
-.TP
-.B ip\-address: \fI<ip address[@port]>
-Same as interface: (for easy of compatibility with nsd.conf).
-.TP
-.B interface\-automatic: \fI<yes or no>
-Detect source interface on UDP queries and copy them to replies. This
-feature is experimental, and needs support in your OS for particular socket
-options. Default value is no.
-.TP
-.B outgoing\-interface: \fI<ip address or ip6 netblock>
-Interface to use to connect to the network. This interface is used to send
-queries to authoritative servers and receive their replies. Can be given
-multiple times to work on several interfaces. If none are given the
-default (all) is used. You can specify the same interfaces in
-.B interface:
-and
-.B outgoing\-interface:
-lines, the interfaces are then used for both purposes. Outgoing queries are
-sent via a random outgoing interface to counter spoofing.
-.IP
-If an IPv6 netblock is specified instead of an individual IPv6 address,
-outgoing UDP queries will use a randomised source address taken from the
-netblock to counter spoofing. Requires the IPv6 netblock to be routed to the
-host running unbound, and requires OS support for unprivileged non-local binds
-(currently only supported on Linux). Several netblocks may be specified with
-multiple
-.B outgoing\-interface:
-options, but do not specify both an individual IPv6 address and an IPv6
-netblock, or the randomisation will be compromised. Consider combining with
-.B prefer\-ip6: yes
-to increase the likelihood of IPv6 nameservers being selected for queries.
-On Linux you need these two commands to be able to use the freebind socket
-option to receive traffic for the ip6 netblock:
-ip \-6 addr add mynetblock/64 dev lo &&
-ip \-6 route add local mynetblock/64 dev lo
-.TP
-.B outgoing\-range: \fI<number>
-Number of ports to open. This number of file descriptors can be opened per
-thread. Must be at least 1. Default depends on compile options. Larger
-numbers need extra resources from the operating system. For performance a
-very large value is best, use libevent to make this possible.
-.TP
-.B outgoing\-port\-permit: \fI<port number or range>
-Permit unbound to open this port or range of ports for use to send queries.
-A larger number of permitted outgoing ports increases resilience against
-spoofing attempts. Make sure these ports are not needed by other daemons.
-By default only ports above 1024 that have not been assigned by IANA are used.
-Give a port number or a range of the form "low\-high", without spaces.
-.IP
-The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements
-are processed in the line order of the config file, adding the permitted ports
-and subtracting the avoided ports from the set of allowed ports. The
-processing starts with the non IANA allocated ports above 1024 in the set
-of allowed ports.
-.TP
-.B outgoing\-port\-avoid: \fI<port number or range>
-Do not permit unbound to open this port or range of ports for use to send
-queries. Use this to make sure unbound does not grab a port that another
-daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6.
-By default only ports above 1024 that have not been assigned by IANA are used.
-Give a port number or a range of the form "low\-high", without spaces.
-.TP
-.B outgoing\-num\-tcp: \fI<number>
-Number of outgoing TCP buffers to allocate per thread. Default is 10. If
-set to 0, or if do\-tcp is "no", no TCP queries to authoritative servers
-are done. For larger installations increasing this value is a good idea.
-.TP
-.B incoming\-num\-tcp: \fI<number>
-Number of incoming TCP buffers to allocate per thread. Default is
-10. If set to 0, or if do\-tcp is "no", no TCP queries from clients are
-accepted. For larger installations increasing this value is a good idea.
-.TP
-.B edns\-buffer\-size: \fI<number>
-Number of bytes size to advertise as the EDNS reassembly buffer size.
-This is the value put into datagrams over UDP towards peers. The actual
-buffer size is determined by msg\-buffer\-size (both for TCP and UDP). Do
-not set higher than that value. Default is 4096 which is RFC recommended.
-If you have fragmentation reassembly problems, usually seen as timeouts,
-then a value of 1480 can fix it. Setting to 512 bypasses even the most
-stringent path MTU problems, but is seen as extreme, since the amount
-of TCP fallback generated is excessive (probably also for this resolver,
-consider tuning the outgoing tcp number).
-.TP
-.B max\-udp\-size: \fI<number>
-Maximum UDP response size (not applied to TCP response). 65536 disables the
-udp response size maximum, and uses the choice from the client, always.
-Suggested values are 512 to 4096. Default is 4096.
-.TP
-.B msg\-buffer\-size: \fI<number>
-Number of bytes size of the message buffers. Default is 65552 bytes, enough
-for 64 Kb packets, the maximum DNS message size. No message larger than this
-can be sent or received. Can be reduced to use less memory, but some requests
-for DNS data, such as for huge resource records, will result in a SERVFAIL
-reply to the client.
-.TP
-.B msg\-cache\-size: \fI<number>
-Number of bytes size of the message cache. Default is 4 megabytes.
-A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
-or gigabytes (1024*1024 bytes in a megabyte).
-.TP
-.B msg\-cache\-slabs: \fI<number>
-Number of slabs in the message cache. Slabs reduce lock contention by threads.
-Must be set to a power of 2. Setting (close) to the number of cpus is a
-reasonable guess.
-.TP
-.B num\-queries\-per\-thread: \fI<number>
-The number of queries that every thread will service simultaneously.
-If more queries arrive that need servicing, and no queries can be jostled out
-(see \fIjostle\-timeout\fR), then the queries are dropped. This forces
-the client to resend after a timeout; allowing the server time to work on
-the existing queries. Default depends on compile options, 512 or 1024.
-.TP
-.B jostle\-timeout: \fI<msec>
-Timeout used when the server is very busy. Set to a value that usually
-results in one roundtrip to the authority servers. If too many queries
-arrive, then 50% of the queries are allowed to run to completion, and
-the other 50% are replaced with the new incoming query if they have already
-spent more than their allowed time. This protects against denial of
-service by slow queries or high query rates. Default 200 milliseconds.
-The effect is that the qps for long-lasting queries is about
-(numqueriesperthread / 2) / (average time for such long queries) qps.
-The qps for short queries can be about (numqueriesperthread / 2)
-/ (jostletimeout in whole seconds) qps per thread, about (1024/2)*5 = 2560
-qps by default.
-.TP
-.B delay\-close: \fI<msec>
-Extra delay for timeouted UDP ports before they are closed, in msec.
-Default is 0, and that disables it. This prevents very delayed answer
-packets from the upstream (recursive) servers from bouncing against
-closed ports and setting off all sort of close-port counters, with
-eg. 1500 msec. When timeouts happen you need extra sockets, it checks
-the ID and remote IP of packets, and unwanted packets are added to the
-unwanted packet counter.
-.TP
-.B so\-rcvbuf: \fI<number>
-If not 0, then set the SO_RCVBUF socket option to get more buffer
-space on UDP port 53 incoming queries. So that short spikes on busy
-servers do not drop packets (see counter in netstat \-su). Default is
-0 (use system value). Otherwise, the number of bytes to ask for, try
-"4m" on a busy server. The OS caps it at a maximum, on linux unbound
-needs root permission to bypass the limit, or the admin can use sysctl
-net.core.rmem_max. On BSD change kern.ipc.maxsockbuf in /etc/sysctl.conf.
-On OpenBSD change header and recompile kernel. On Solaris ndd \-set
-/dev/udp udp_max_buf 8388608.
-.TP
-.B so\-sndbuf: \fI<number>
-If not 0, then set the SO_SNDBUF socket option to get more buffer space on
-UDP port 53 outgoing queries. This for very busy servers handles spikes
-in answer traffic, otherwise 'send: resource temporarily unavailable'
-can get logged, the buffer overrun is also visible by netstat \-su.
-Default is 0 (use system value). Specify the number of bytes to ask
-for, try "4m" on a very busy server. The OS caps it at a maximum, on
-linux unbound needs root permission to bypass the limit, or the admin
-can use sysctl net.core.wmem_max. On BSD, Solaris changes are similar
-to so\-rcvbuf.
-.TP
-.B so\-reuseport: \fI<yes or no>
-If yes, then open dedicated listening sockets for incoming queries for each
-thread and try to set the SO_REUSEPORT socket option on each socket. May
-distribute incoming queries to threads more evenly. Default is no. On Linux
-it is supported in kernels >= 3.9. On other systems, FreeBSD, OSX it may
-also work. You can enable it (on any platform and kernel),
-it then attempts to open the port and passes the option if it was available
-at compile time, if that works it is used, if it fails, it continues
-silently (unless verbosity 3) without the option.
-.TP
-.B ip\-transparent: \fI<yes or no>
-If yes, then use IP_TRANSPARENT socket option on sockets where unbound
-is listening for incoming traffic. Default no. Allows you to bind to
-non\-local interfaces. For example for non\-existant IP addresses that
-are going to exist later on, with host failover configuration. This is
-a lot like interface\-automatic, but that one services all interfaces
-and with this option you can select which (future) interfaces unbound
-provides service on. This option needs unbound to be started with root
-permissions on some systems. The option uses IP_BINDANY on FreeBSD systems.
-.TP
-.B ip\-freebind: \fI<yes or no>
-If yes, then use IP_FREEBIND socket option on sockets where unbound
-is listening to incoming traffic. Default no. Allows you to bind to
-IP addresses that are nonlocal or do not exist, like when the network
-interface or IP address is down. Exists only on Linux, where the similar
-ip\-transparent option is also available.
-.TP
-.B rrset\-cache\-size: \fI<number>
-Number of bytes size of the RRset cache. Default is 4 megabytes.
-A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
-or gigabytes (1024*1024 bytes in a megabyte).
-.TP
-.B rrset\-cache\-slabs: \fI<number>
-Number of slabs in the RRset cache. Slabs reduce lock contention by threads.
-Must be set to a power of 2.
-.TP
-.B cache\-max\-ttl: \fI<seconds>
-Time to live maximum for RRsets and messages in the cache. Default is
-86400 seconds (1 day). If the maximum kicks in, responses to clients
-still get decrementing TTLs based on the original (larger) values.
-When the internal TTL expires, the cache item has expired.
-Can be set lower to force the resolver to query for data often, and not
-trust (very large) TTL values.
-.TP
-.B cache\-min\-ttl: \fI<seconds>
-Time to live minimum for RRsets and messages in the cache. Default is 0.
-If the minimum kicks in, the data is cached for longer than the domain
-owner intended, and thus less queries are made to look up the data.
-Zero makes sure the data in the cache is as the domain owner intended,
-higher values, especially more than an hour or so, can lead to trouble as
-the data in the cache does not match up with the actual data any more.
-.TP
-.B cache\-max\-negative\-ttl: \fI<seconds>
-Time to live maximum for negative responses, these have a SOA in the
-authority section that is limited in time. Default is 3600.
-.TP
-.B infra\-host\-ttl: \fI<seconds>
-Time to live for entries in the host cache. The host cache contains
-roundtrip timing, lameness and EDNS support information. Default is 900.
-.TP
-.B infra\-cache\-slabs: \fI<number>
-Number of slabs in the infrastructure cache. Slabs reduce lock contention
-by threads. Must be set to a power of 2.
-.TP
-.B infra\-cache\-numhosts: \fI<number>
-Number of hosts for which information is cached. Default is 10000.
-.TP
-.B infra\-cache\-min\-rtt: \fI<msec>
-Lower limit for dynamic retransmit timeout calculation in infrastructure
-cache. Default is 50 milliseconds. Increase this value if using forwarders
-needing more time to do recursive name resolution.
-.TP
-.B define\-tag: \fI<"list of tags">
-Define the tags that can be used with local\-zone and access\-control.
-Enclose the list between quotes ("") and put spaces between tags.
-.TP
-.B do\-ip4: \fI<yes or no>
-Enable or disable whether ip4 queries are answered or issued. Default is yes.
-.TP
-.B do\-ip6: \fI<yes or no>
-Enable or disable whether ip6 queries are answered or issued. Default is yes.
-If disabled, queries are not answered on IPv6, and queries are not sent on
-IPv6 to the internet nameservers. With this option you can disable the
-ipv6 transport for sending DNS traffic, it does not impact the contents of
-the DNS traffic, which may have ip4 and ip6 addresses in it.
-.TP
-.B prefer\-ip6: \fI<yes or no>
-If enabled, prefer IPv6 transport for sending DNS queries to internet
-nameservers. Default is no.
-.TP
-.B do\-udp: \fI<yes or no>
-Enable or disable whether UDP queries are answered or issued. Default is yes.
-.TP
-.B do\-tcp: \fI<yes or no>
-Enable or disable whether TCP queries are answered or issued. Default is yes.
-.TP
-.B tcp\-mss: \fI<number>
-Maximum segment size (MSS) of TCP socket on which the server responds
-to queries. Value lower than common MSS on Ethernet
-(1220 for example) will address path MTU problem.
-Note that not all platform supports socket option to set MSS (TCP_MAXSEG).
-Default is system default MSS determined by interface MTU and
-negotiation between server and client.
-.TP
-.B outgoing\-tcp\-mss: \fI<number>
-Maximum segment size (MSS) of TCP socket for outgoing queries
-(from Unbound to other servers). Value lower than
-common MSS on Ethernet (1220 for example) will address path MTU problem.
-Note that not all platform supports socket option to set MSS (TCP_MAXSEG).
-Default is system default MSS determined by interface MTU and
-negotiation between Unbound and other servers.
-.TP
-.B tcp\-upstream: \fI<yes or no>
-Enable or disable whether the upstream queries use TCP only for transport.
-Default is no. Useful in tunneling scenarios.
-.TP
-.B ssl\-upstream: \fI<yes or no>
-Enabled or disable whether the upstream queries use SSL only for transport.
-Default is no. Useful in tunneling scenarios. The SSL contains plain DNS in
-TCP wireformat. The other server must support this (see \fBssl\-service\-key\fR).
-.TP
-.B ssl\-service-key: \fI<file>
-If enabled, the server provider SSL service on its TCP sockets. The clients
-have to use ssl\-upstream: yes. The file is the private key for the TLS
-session. The public certificate is in the ssl\-service\-pem file. Default
-is "", turned off. Requires a restart (a reload is not enough) if changed,
-because the private key is read while root permissions are held and before
-chroot (if any). Normal DNS TCP service is not provided and gives errors,
-this service is best run with a different \fBport:\fR config or \fI@port\fR
-suffixes in the \fBinterface\fR config.
-.TP
-.B ssl\-service\-pem: \fI<file>
-The public key certificate pem file for the ssl service. Default is "",
-turned off.
-.TP
-.B ssl\-port: \fI<number>
-The port number on which to provide TCP SSL service, default 853, only
-interfaces configured with that port number as @number get the SSL service.
-.TP
-.B use\-systemd: \fI<yes or no>
-Enable or disable systemd socket activation.
-Default is no.
-.TP
-.B do\-daemonize: \fI<yes or no>
-Enable or disable whether the unbound server forks into the background as
-a daemon. Set the value to \fIno\fR when unbound runs as systemd service.
-Default is yes.
-.TP
-.B access\-control: \fI<IP netblock> <action>
-The netblock is given as an IP4 or IP6 address with /size appended for a
-classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
-\fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR.
-The most specific netblock match is used, if none match \fIdeny\fR is used.
-.IP
-The action \fIdeny\fR stops queries from hosts from that netblock.
-.IP
-The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED
-error message back.
-.IP
-The action \fIallow\fR gives access to clients from that netblock.
-It gives only access for recursion clients (which is
-what almost all clients need). Nonrecursive queries are refused.
-.IP
-The \fIallow\fR action does allow nonrecursive queries to access the
-local\-data that is configured. The reason is that this does not involve
-the unbound server recursive lookup algorithm, and static data is served
-in the reply. This supports normal operations where nonrecursive queries
-are made for the authoritative data. For nonrecursive queries any replies
-from the dynamic cache are refused.
-.IP
-The action \fIallow_snoop\fR gives nonrecursive access too. This give
-both recursive and non recursive access. The name \fIallow_snoop\fR refers
-to cache snooping, a technique to use nonrecursive queries to examine
-the cache contents (for malicious acts). However, nonrecursive queries can
-also be a valuable debugging tool (when you want to examine the cache
-contents). In that case use \fIallow_snoop\fR for your administration host.
-.IP
-By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd.
-The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
-protocol is not designed to handle dropped packets due to policy, and
-dropping may result in (possibly excessive) retried queries.
-.IP
-The deny_non_local and refuse_non_local settings are for hosts that are
-only allowed to query for the authoritative local\-data, they are not
-allowed full recursion but only the static data. With deny_non_local,
-messages that are disallowed are dropped, with refuse_non_local they
-receive error code REFUSED.
-.TP
-.B access\-control\-tag: \fI<IP netblock> <"list of tags">
-Assign tags to access-control elements. Clients using this access control
-element use localzones that are tagged with one of these tags. Tags must be
-defined in \fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put
-spaces between tags. If access\-control\-tag is configured for a netblock that
-does not have an access\-control, an access\-control element with action
-\fIallow\fR is configured for this netblock.
-.TP
-.B access\-control\-tag\-action: \fI<IP netblock> <tag> <action>
-Set action for particular tag for given access control element. If you have
-multiple tag values, the tag used to lookup the action is the first tag match
-between access\-control\-tag and local\-zone\-tag where "first" comes from the
-order of the define-tag values.
-.TP
-.B access\-control\-tag\-data: \fI<IP netblock> <tag> <"resource record string">
-Set redirect data for particular tag for given access control element.
-.TP
-.B access\-control\-view: \fI<IP netblock> <view name>
-Set view for given access control element.
-.TP
-.B chroot: \fI<directory>
-If chroot is enabled, you should pass the configfile (from the
-commandline) as a full path from the original root. After the
-chroot has been performed the now defunct portion of the config
-file path is removed to be able to reread the config after a reload.
-.IP
-All other file paths (working dir, logfile, roothints, and
-key files) can be specified in several ways:
-as an absolute path relative to the new root,
-as a relative path to the working directory, or
-as an absolute path relative to the original root.
-In the last case the path is adjusted to remove the unused portion.
-.IP
-The pidfile can be either a relative path to the working directory, or
-an absolute path relative to the original root. It is written just prior
-to chroot and dropping permissions. This allows the pidfile to be
-/var/run/unbound.pid and the chroot to be /var/unbound, for example.
-.IP
-Additionally, unbound may need to access /dev/random (for entropy)
-from inside the chroot.
-.IP
-If given a chroot is done to the given directory. The default is
-"@UNBOUND_CHROOT_DIR@". If you give "" no chroot is performed.
-.TP
-.B username: \fI<name>
-If given, after binding the port the user privileges are dropped. Default is
-"@UNBOUND_USERNAME@". If you give username: "" no user change is performed.
-.IP
-If this user is not capable of binding the
-port, reloads (by signal HUP) will still retain the opened ports.
-If you change the port number in the config file, and that new port number
-requires privileges, then a reload will fail; a restart is needed.
-.TP
-.B directory: \fI<directory>
-Sets the working directory for the program. Default is "@UNBOUND_RUN_DIR@".
-On Windows the string "%EXECUTABLE%" tries to change to the directory
-that unbound.exe resides in.
-If you give a server: directory: dir before include: file statements
-then those includes can be relative to the working directory.
-.TP
-.B logfile: \fI<filename>
-If "" is given, logging goes to stderr, or nowhere once daemonized.
-The logfile is appended to, in the following format:
-.nf
-[seconds since 1970] unbound[pid:tid]: type: message.
-.fi
-If this option is given, the use\-syslog is option is set to "no".
-The logfile is reopened (for append) when the config file is reread, on
-SIGHUP.
-.TP
-.B use\-syslog: \fI<yes or no>
-Sets unbound to send log messages to the syslogd, using
-\fIsyslog\fR(3).
-The log facility LOG_DAEMON is used, with identity "unbound".
-The logfile setting is overridden when use\-syslog is turned on.
-The default is to log to syslog.
-.TP
-.B log\-identity: \fI<string>
-If "" is given (default), then the name of the executable, usually "unbound"
-is used to report to the log. Enter a string to override it
-with that, which is useful on systems that run more than one instance of
-unbound, with different configurations, so that the logs can be easily
-distinguished against.
-.TP
-.B log\-time\-ascii: \fI<yes or no>
-Sets logfile lines to use a timestamp in UTC ascii. Default is no, which
-prints the seconds since 1970 in brackets. No effect if using syslog, in
-that case syslog formats the timestamp printed into the log files.
-.TP
-.B log\-queries: \fI<yes or no>
-Prints one line per query to the log, with the log timestamp and IP address,
-name, type and class. Default is no. Note that it takes time to print these
-lines which makes the server (significantly) slower. Odd (nonprintable)
-characters in names are printed as '?'.
-.TP
-.B log\-replies: \fI<yes or no>
-Prints one line per reply to the log, with the log timestamp and IP address,
-name, type, class, return code, time to resolve, from cache and response size.
-Default is no. Note that it takes time to print these
-lines which makes the server (significantly) slower. Odd (nonprintable)
-characters in names are printed as '?'.
-.TP
-.B pidfile: \fI<filename>
-The process id is written to the file. Default is "@UNBOUND_PIDFILE@".
-So,
-.nf
-kill \-HUP `cat @UNBOUND_PIDFILE@`
-.fi
-triggers a reload,
-.nf
-kill \-TERM `cat @UNBOUND_PIDFILE@`
-.fi
-gracefully terminates.
-.TP
-.B root\-hints: \fI<filename>
-Read the root hints from this file. Default is nothing, using builtin hints
-for the IN class. The file has the format of zone files, with root
-nameserver names and addresses only. The default may become outdated,
-when servers change, therefore it is good practice to use a root\-hints file.
-.TP
-.B hide\-identity: \fI<yes or no>
-If enabled id.server and hostname.bind queries are refused.
-.TP
-.B identity: \fI<string>
-Set the identity to report. If set to "", the default, then the hostname
-of the server is returned.
-.TP
-.B hide\-version: \fI<yes or no>
-If enabled version.server and version.bind queries are refused.
-.TP
-.B version: \fI<string>
-Set the version to report. If set to "", the default, then the package
-version is returned.
-.TP
-.B hide\-trustanchor: \fI<yes or no>
-If enabled trustanchor.unbound queries are refused.
-.TP
-.B target\-fetch\-policy: \fI<"list of numbers">
-Set the target fetch policy used by unbound to determine if it should fetch
-nameserver target addresses opportunistically. The policy is described per
-dependency depth.
-.IP
-The number of values determines the maximum dependency depth
-that unbound will pursue in answering a query.
-A value of \-1 means to fetch all targets opportunistically for that dependency
-depth. A value of 0 means to fetch on demand only. A positive value fetches
-that many targets opportunistically.
-.IP
-Enclose the list between quotes ("") and put spaces between numbers.
-The default is "3 2 1 0 0". Setting all zeroes, "0 0 0 0 0" gives behaviour
-closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour
-rumoured to be closer to that of BIND 8.
-.TP
-.B harden\-short\-bufsize: \fI<yes or no>
-Very small EDNS buffer sizes from queries are ignored. Default is off, since
-it is legal protocol wise to send these, and unbound tries to give very
-small answers to these queries, where possible.
-.TP
-.B harden\-large\-queries: \fI<yes or no>
-Very large queries are ignored. Default is off, since it is legal protocol
-wise to send these, and could be necessary for operation if TSIG or EDNS
-payload is very large.
-.TP
-.B harden\-glue: \fI<yes or no>
-Will trust glue only if it is within the servers authority. Default is on.
-.TP
-.B harden\-dnssec\-stripped: \fI<yes or no>
-Require DNSSEC data for trust\-anchored zones, if such data is absent,
-the zone becomes bogus. If turned off, and no DNSSEC data is received
-(or the DNSKEY data fails to validate), then the zone is made insecure,
-this behaves like there is no trust anchor. You could turn this off if
-you are sometimes behind an intrusive firewall (of some sort) that
-removes DNSSEC data from packets, or a zone changes from signed to
-unsigned to badly signed often. If turned off you run the risk of a
-downgrade attack that disables security for a zone. Default is on.
-.TP
-.B harden\-below\-nxdomain: \fI<yes or no>
-From RFC 8020 (with title "NXDOMAIN: There Really Is Nothing Underneath"),
-returns nxdomain to queries for a name
-below another name that is already known to be nxdomain. DNSSEC mandates
-noerror for empty nonterminals, hence this is possible. Very old software
-might return nxdomain for empty nonterminals (that usually happen for reverse
-IP address lookups), and thus may be incompatible with this. To try to avoid
-this only DNSSEC-secure nxdomains are used, because the old software does not
-have DNSSEC. Default is off.
-The nxdomain must be secure, this means nsec3 with optout is insufficient.
-.TP
-.B harden\-referral\-path: \fI<yes or no>
-Harden the referral path by performing additional queries for
-infrastructure data. Validates the replies if trust anchors are configured
-and the zones are signed. This enforces DNSSEC validation on nameserver
-NS sets and the nameserver addresses that are encountered on the referral
-path to the answer.
-Default off, because it burdens the authority servers, and it is
-not RFC standard, and could lead to performance problems because of the
-extra query load that is generated. Experimental option.
-If you enable it consider adding more numbers after the target\-fetch\-policy
-to increase the max depth that is checked to.
-.TP
-.B harden\-algo\-downgrade: \fI<yes or no>
-Harden against algorithm downgrade when multiple algorithms are
-advertised in the DS record. If no, allows the weakest algorithm to
-validate the zone. Default is no. Zone signers must produce zones
-that allow this feature to work, but sometimes they do not, and turning
-this option off avoids that validation failure.
-.TP
-.B use\-caps\-for\-id: \fI<yes or no>
-Use 0x20\-encoded random bits in the query to foil spoof attempts.
-This perturbs the lowercase and uppercase of query names sent to
-authority servers and checks if the reply still has the correct casing.
-Disabled by default.
-This feature is an experimental implementation of draft dns\-0x20.
-.TP
-.B caps\-whitelist: \fI<domain>
-Whitelist the domain so that it does not receive caps\-for\-id perturbed
-queries. For domains that do not support 0x20 and also fail with fallback
-because they keep sending different answers, like some load balancers.
-Can be given multiple times, for different domains.
-.TP
-.B qname\-minimisation: \fI<yes or no>
-Send minimum amount of information to upstream servers to enhance privacy.
-Only sent minimum required labels of the QNAME and set QTYPE to NS when
-possible. Best effort approach; full QNAME and original QTYPE will be sent when
-upstream replies with a RCODE other than NOERROR, except when receiving
-NXDOMAIN from a DNSSEC signed zone. Default is off.
-.TP
-.B qname\-minimisation\-strict: \fI<yes or no>
-QNAME minimisation in strict mode. Do not fall-back to sending full QNAME to
-potentially broken nameservers. A lot of domains will not be resolvable when
-this option in enabled. Only use if you know what you are doing.
-This option only has effect when qname-minimisation is enabled. Default is off.
-.TP
-.B private\-address: \fI<IP address or subnet>
-Give IPv4 of IPv6 addresses or classless subnets. These are addresses
-on your private network, and are not allowed to be returned for
-public internet names. Any occurrence of such addresses are removed
-from DNS answers. Additionally, the DNSSEC validator may mark the
-answers bogus. This protects against so\-called DNS Rebinding, where
-a user browser is turned into a network proxy, allowing remote access
-through the browser to other parts of your private network. Some names
-can be allowed to contain your private addresses, by default all the
-\fBlocal\-data\fR that you configured is allowed to, and you can specify
-additional names using \fBprivate\-domain\fR. No private addresses are
-enabled by default. We consider to enable this for the RFC1918 private
-IP address space by default in later releases. That would enable private
-addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
-fd00::/8 and fe80::/10, since the RFC standards say these addresses
-should not be visible on the public internet. Turning on 127.0.0.0/8
-would hinder many spamblocklists as they use that. Adding ::ffff:0:0/96
-stops IPv4-mapped IPv6 addresses from bypassing the filter.
-.TP
-.B private\-domain: \fI<domain name>
-Allow this domain, and all its subdomains to contain private addresses.
-Give multiple times to allow multiple domain names to contain private
-addresses. Default is none.
-.TP
-.B unwanted\-reply\-threshold: \fI<number>
-If set, a total number of unwanted replies is kept track of in every thread.
-When it reaches the threshold, a defensive action is taken and a warning
-is printed to the log. The defensive action is to clear the rrset and
-message caches, hopefully flushing away any poison. A value of 10 million
-is suggested. Default is 0 (turned off).
-.TP
-.B do\-not\-query\-address: \fI<IP address>
-Do not query the given IP address. Can be IP4 or IP6. Append /num to
-indicate a classless delegation netblock, for example like
-10.2.3.4/24 or 2001::11/64.
-.TP
-.B do\-not\-query\-localhost: \fI<yes or no>
-If yes, localhost is added to the do\-not\-query\-address entries, both
-IP6 ::1 and IP4 127.0.0.1/8. If no, then localhost can be used to send
-queries to. Default is yes.
-.TP
-.B prefetch: \fI<yes or no>
-If yes, message cache elements are prefetched before they expire to
-keep the cache up to date. Default is no. Turning it on gives about
-10 percent more traffic and load on the machine, but popular items do
-not expire from the cache.
-.TP
-.B prefetch-key: \fI<yes or no>
-If yes, fetch the DNSKEYs earlier in the validation process, when a DS
-record is encountered. This lowers the latency of requests. It does use
-a little more CPU. Also if the cache is set to 0, it is no use. Default is no.
-.TP
-.B rrset-roundrobin: \fI<yes or no>
-If yes, Unbound rotates RRSet order in response (the random number is taken
-from the query ID, for speed and thread safety). Default is no.
-.TP
-.B minimal-responses: \fI<yes or no>
-If yes, Unbound doesn't insert authority/additional sections into response
-messages when those sections are not required. This reduces response
-size significantly, and may avoid TCP fallback for some responses.
-This may cause a slight speedup. The default is no, because the DNS
-protocol RFCs mandate these sections, and the additional content could
-be of use and save roundtrips for clients.
-.TP
-.B disable-dnssec-lame-check: \fI<yes or no>
-If true, disables the DNSSEC lameness check in the iterator. This check
-sees if RRSIGs are present in the answer, when dnssec is expected,
-and retries another authority if RRSIGs are unexpectedly missing.
-The validator will insist in RRSIGs for DNSSEC signed domains regardless
-of this setting, if a trust anchor is loaded.
-.TP
-.B module\-config: \fI<"module names">
-Module configuration, a list of module names separated by spaces, surround
-the string with quotes (""). The modules can be validator, iterator.
-Setting this to "iterator" will result in a non\-validating server.
-Setting this to "validator iterator" will turn on DNSSEC validation.
-The ordering of the modules is important.
-You must also set trust\-anchors for validation to be useful.
-.TP
-.B trust\-anchor\-file: \fI<filename>
-File with trusted keys for validation. Both DS and DNSKEY entries can appear
-in the file. The format of the file is the standard DNS Zone file format.
-Default is "", or no trust anchor file.
-.TP
-.B auto\-trust\-anchor\-file: \fI<filename>
-File with trust anchor for one zone, which is tracked with RFC5011 probes.
-The probes are several times per month, thus the machine must be online
-frequently. The initial file can be one with contents as described in
-\fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated,
-so the unbound user must have write permission. Write permission to the file,
-but also to the directory it is in (to create a temporary file, which is
-necessary to deal with filesystem full events), it must also be inside the
-chroot (if that is used).
-.TP
-.B trust\-anchor: \fI<"Resource Record">
-A DS or DNSKEY RR for a key to use for validation. Multiple entries can be
-given to specify multiple trusted keys, in addition to the trust\-anchor\-files.
-The resource record is entered in the same format as 'dig' or 'drill' prints
-them, the same format as in the zone file. Has to be on a single line, with
-"" around it. A TTL can be specified for ease of cut and paste, but is ignored.
-A class can be specified, but class IN is default.
-.TP
-.B trusted\-keys\-file: \fI<filename>
-File with trusted keys for validation. Specify more than one file
-with several entries, one file per entry. Like \fBtrust\-anchor\-file\fR
-but has a different file format. Format is BIND\-9 style format,
-the trusted\-keys { name flag proto algo "key"; }; clauses are read.
-It is possible to use wildcards with this statement, the wildcard is
-expanded on start and on reload.
-.TP
-.B dlv\-anchor\-file: \fI<filename>
-This option was used during early days DNSSEC deployment when no parent-side
-DS record registrations were easily available. Nowadays, it is best to have
-DS records registered with the parent zone (many top level zones are signed).
-File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and
-DNSKEY entries can be used in the file, in the same format as for
-\fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more
-would be slow. The DLV configured is used as a root trusted DLV, this
-means that it is a lookaside for the root. Default is "", or no dlv anchor file.
-DLV is going to be decommissioned. Please do not use it any more.
-.TP
-.B dlv\-anchor: \fI<"Resource Record">
-Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline.
-DLV is going to be decommissioned. Please do not use it any more.
-.TP
-.B domain\-insecure: \fI<domain name>
-Sets domain name to be insecure, DNSSEC chain of trust is ignored towards
-the domain name. So a trust anchor above the domain name can not make the
-domain secure with a DS record, such a DS record is then ignored.
-Also keys from DLV are ignored for the domain. Can be given multiple times
-to specify multiple domains that are treated as if unsigned. If you set
-trust anchors for the domain they override this setting (and the domain
-is secured).
-.IP
-This can be useful if you want to make sure a trust anchor for external
-lookups does not affect an (unsigned) internal domain. A DS record
-externally can create validation failures for that internal domain.
-.TP
-.B val\-override\-date: \fI<rrsig\-style date spec>
-Default is "" or "0", which disables this debugging feature. If enabled by
-giving a RRSIG style date, that date is used for verifying RRSIG inception
-and expiration dates, instead of the current date. Do not set this unless
-you are debugging signature inception and expiration. The value \-1 ignores
-the date altogether, useful for some special applications.
-.TP
-.B val\-sig\-skew\-min: \fI<seconds>
-Minimum number of seconds of clock skew to apply to validated signatures.
-A value of 10% of the signature lifetime (expiration \- inception) is
-used, capped by this setting. Default is 3600 (1 hour) which allows for
-daylight savings differences. Lower this value for more strict checking
-of short lived signatures.
-.TP
-.B val\-sig\-skew\-max: \fI<seconds>
-Maximum number of seconds of clock skew to apply to validated signatures.
-A value of 10% of the signature lifetime (expiration \- inception)
-is used, capped by this setting. Default is 86400 (24 hours) which
-allows for timezone setting problems in stable domains. Setting both
-min and max very low disables the clock skew allowances. Setting both
-min and max very high makes the validator check the signature timestamps
-less strictly.
-.TP
-.B val\-bogus\-ttl: \fI<number>
-The time to live for bogus data. This is data that has failed validation;
-due to invalid signatures or other checks. The TTL from that data cannot be
-trusted, and this value is used instead. The value is in seconds, default 60.
-The time interval prevents repeated revalidation of bogus data.
-.TP
-.B val\-clean\-additional: \fI<yes or no>
-Instruct the validator to remove data from the additional section of secure
-messages that are not signed properly. Messages that are insecure, bogus,
-indeterminate or unchecked are not affected. Default is yes. Use this setting
-to protect the users that rely on this validator for authentication from
-potentially bad data in the additional section.
-.TP
-.B val\-log\-level: \fI<number>
-Have the validator print validation failures to the log. Regardless of
-the verbosity setting. Default is 0, off. At 1, for every user query
-that fails a line is printed to the logs. This way you can monitor what
-happens with validation. Use a diagnosis tool, such as dig or drill,
-to find out why validation is failing for these queries. At 2, not only
-the query that failed is printed but also the reason why unbound thought
-it was wrong and which server sent the faulty data.
-.TP
-.B val\-permissive\-mode: \fI<yes or no>
-Instruct the validator to mark bogus messages as indeterminate. The security
-checks are performed, but if the result is bogus (failed security), the
-reply is not withheld from the client with SERVFAIL as usual. The client
-receives the bogus data. For messages that are found to be secure the AD bit
-is set in replies. Also logging is performed as for full validation.
-The default value is "no".
-.TP
-.B ignore\-cd\-flag: \fI<yes or no>
-Instruct unbound to ignore the CD flag from clients and refuse to
-return bogus answers to them. Thus, the CD (Checking Disabled) flag
-does not disable checking any more. This is useful if legacy (w2008)
-servers that set the CD flag but cannot validate DNSSEC themselves are
-the clients, and then unbound provides them with DNSSEC protection.
-The default value is "no".
-.TP
-.B serve\-expired: \fI<yes or no>
-If enabled, unbound attempts to serve old responses from cache with a
-TTL of 0 in the response without waiting for the actual resolution to finish.
-The actual resolution answer ends up in the cache later on. Default is "no".
-.TP
-.B val\-nsec3\-keysize\-iterations: \fI<"list of values">
-List of keysize and iteration count values, separated by spaces, surrounded
-by quotes. Default is "1024 150 2048 500 4096 2500". This determines the
-maximum allowed NSEC3 iteration count before a message is simply marked
-insecure instead of performing the many hashing iterations. The list must
-be in ascending order and have at least one entry. If you set it to
-"1024 65535" there is no restriction to NSEC3 iteration values.
-This table must be kept short; a very long list could cause slower operation.
-.TP
-.B add\-holddown: \fI<seconds>
-Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
-autotrust updates to add new trust anchors only after they have been
-visible for this time. Default is 30 days as per the RFC.
-.TP
-.B del\-holddown: \fI<seconds>
-Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
-autotrust updates to remove revoked trust anchors after they have been
-kept in the revoked list for this long. Default is 30 days as per
-the RFC.
-.TP
-.B keep\-missing: \fI<seconds>
-Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
-autotrust updates to remove missing trust anchors after they have been
-unseen for this long. This cleans up the state file if the target zone
-does not perform trust anchor revocation, so this makes the auto probe
-mechanism work with zones that perform regular (non\-5011) rollovers.
-The default is 366 days. The value 0 does not remove missing anchors,
-as per the RFC.
-.TP
-.B permit\-small\-holddown: \fI<yes or no>
-Debug option that allows the autotrust 5011 rollover timers to assume
-very small values. Default is no.
-.TP
-.B key\-cache\-size: \fI<number>
-Number of bytes size of the key cache. Default is 4 megabytes.
-A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
-or gigabytes (1024*1024 bytes in a megabyte).
-.TP
-.B key\-cache\-slabs: \fI<number>
-Number of slabs in the key cache. Slabs reduce lock contention by threads.
-Must be set to a power of 2. Setting (close) to the number of cpus is a
-reasonable guess.
-.TP
-.B neg\-cache\-size: \fI<number>
-Number of bytes size of the aggressive negative cache. Default is 1 megabyte.
-A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
-or gigabytes (1024*1024 bytes in a megabyte).
-.TP
-.B unblock\-lan\-zones: \fI<yesno>
-Default is disabled. If enabled, then for private address space,
-the reverse lookups are no longer filtered. This allows unbound when
-running as dns service on a host where it provides service for that host,
-to put out all of the queries for the 'lan' upstream. When enabled,
-only localhost, 127.0.0.1 reverse and ::1 reverse zones are configured
-with default local zones. Disable the option when unbound is running
-as a (DHCP-) DNS network resolver for a group of machines, where such
-lookups should be filtered (RFC compliance), this also stops potential
-data leakage about the local network to the upstream DNS servers.
-.TP
-.B insecure\-lan\-zones: \fI<yesno>
-Default is disabled. If enabled, then reverse lookups in private
-address space are not validated. This is usually required whenever
-\fIunblock\-lan\-zones\fR is used.
-.TP
-.B local\-zone: \fI<zone> <type>
-Configure a local zone. The type determines the answer to give if
-there is no match from local\-data. The types are deny, refuse, static,
-transparent, redirect, nodefault, typetransparent, inform, inform_deny,
-always_transparent, always_refuse, always_nxdomain,
-and are explained below. After that the default settings are listed. Use
-local\-data: to enter data into the local zone. Answers for local zones
-are authoritative DNS answers. By default the zones are class IN.
-.IP
-If you need more complicated authoritative data, with referrals, wildcards,
-CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for
-it as detailed in the stub zone section below.
-.TP 10
-\h'5'\fIdeny\fR
-Do not send an answer, drop the query.
-If there is a match from local data, the query is answered.
-.TP 10
-\h'5'\fIrefuse\fR
-Send an error message reply, with rcode REFUSED.
-If there is a match from local data, the query is answered.
-.TP 10
-\h'5'\fIstatic\fR
-If there is a match from local data, the query is answered.
-Otherwise, the query is answered with nodata or nxdomain.
-For a negative answer a SOA is included in the answer if present
-as local\-data for the zone apex domain.
-.TP 10
-\h'5'\fItransparent\fR
-If there is a match from local data, the query is answered.
-Otherwise if the query has a different name, the query is resolved normally.
-If the query is for a name given in localdata but no such type of data is
-given in localdata, then a noerror nodata answer is returned.
-If no local\-zone is given local\-data causes a transparent zone
-to be created by default.
-.TP 10
-\h'5'\fItypetransparent\fR
-If there is a match from local data, the query is answered. If the query
-is for a different name, or for the same name but for a different type,
-the query is resolved normally. So, similar to transparent but types
-that are not listed in local data are resolved normally, so if an A record
-is in the local data that does not cause a nodata reply for AAAA queries.
-.TP 10
-\h'5'\fIredirect\fR
-The query is answered from the local data for the zone name.
-There may be no local data beneath the zone name.
-This answers queries for the zone, and all subdomains of the zone
-with the local data for the zone.
-It can be used to redirect a domain to return a different address record
-to the end user, with
-local\-zone: "example.com." redirect and
-local\-data: "example.com. A 127.0.0.1"
-queries for www.example.com and www.foo.example.com are redirected, so
-that users with web browsers cannot access sites with suffix example.com.
-.TP 10
-\h'5'\fIinform\fR
-The query is answered normally, same as transparent. The client IP
-address (@portnumber) is printed to the logfile. The log message is:
-timestamp, unbound-pid, info: zonename inform IP@port queryname type
-class. This option can be used for normal resolution, but machines
-looking up infected names are logged, eg. to run antivirus on them.
-.TP 10
-\h'5'\fIinform_deny\fR
-The query is dropped, like 'deny', and logged, like 'inform'. Ie. find
-infected machines without answering the queries.
-.TP 10
-\h'5'\fIalways_transparent\fR
-Like transparent, but ignores local data and resolves normally.
-.TP 10
-\h'5'\fIalways_refuse\fR
-Like refuse, but ignores local data and refuses the query.
-.TP 10
-\h'5'\fIalways_nxdomain\fR
-Like static, but ignores local data and returns nxdomain for the query.
-.TP 10
-\h'5'\fInodefault\fR
-Used to turn off default contents for AS112 zones. The other types
-also turn off default contents for the zone. The 'nodefault' option
-has no other effect than turning off default contents for the
-given zone. Use \fInodefault\fR if you use exactly that zone, if you want to
-use a subzone, use \fItransparent\fR.
-.P
-The default zones are localhost, reverse 127.0.0.1 and ::1, the onion and
-the AS112 zones. The AS112 zones are reverse DNS zones for private use and
-reserved IP addresses for which the servers on the internet cannot provide
-correct answers. They are configured by default to give nxdomain (no reverse
-information) answers. The defaults can be turned off by specifying your
-own local\-zone of that name, or using the 'nodefault' type. Below is a
-list of the default zone contents.
-.TP 10
-\h'5'\fIlocalhost\fR
-The IP4 and IP6 localhost information is given. NS and SOA records are provided
-for completeness and to satisfy some DNS update tools. Default content:
-.nf
-local\-zone: "localhost." static
-local\-data: "localhost. 10800 IN NS localhost."
-local\-data: "localhost. 10800 IN
- SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
-local\-data: "localhost. 10800 IN A 127.0.0.1"
-local\-data: "localhost. 10800 IN AAAA ::1"
-.fi
-.TP 10
-\h'5'\fIreverse IPv4 loopback\fR
-Default content:
-.nf
-local\-zone: "127.in\-addr.arpa." static
-local\-data: "127.in\-addr.arpa. 10800 IN NS localhost."
-local\-data: "127.in\-addr.arpa. 10800 IN
- SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
-local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN
- PTR localhost."
-.fi
-.TP 10
-\h'5'\fIreverse IPv6 loopback\fR
-Default content:
-.nf
-local\-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
- 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." static
-local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
- 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
- NS localhost."
-local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
- 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
- SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
-local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
- 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
- PTR localhost."
-.fi
-.TP 10
-\h'5'\fIonion (RFC 7686)\fR
-Default content:
-.nf
-local\-zone: "onion." static
-local\-data: "onion. 10800 IN NS localhost."
-local\-data: "onion. 10800 IN
- SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
-.fi
-.TP 10
-\h'5'\fIreverse RFC1918 local use zones\fR
-Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to
-31.172.in\-addr.arpa, 168.192.in\-addr.arpa.
-The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS
-records are provided.
-.TP 10
-\h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR
-Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa,
-2.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2),
-113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa.
-And from 64.100.in\-addr.arpa to 127.100.in\-addr.arpa (Shared Address Space).
-.TP 10
-\h'5'\fIreverse RFC4291 IP6 unspecified\fR
-Reverse data for zone
-.nf
-0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
-0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
-.fi
-.TP 10
-\h'5'\fIreverse RFC4193 IPv6 Locally Assigned Local Addresses\fR
-Reverse data for zone D.F.ip6.arpa.
-.TP 10
-\h'5'\fIreverse RFC4291 IPv6 Link Local Addresses\fR
-Reverse data for zones 8.E.F.ip6.arpa to B.E.F.ip6.arpa.
-.TP 10
-\h'5'\fIreverse IPv6 Example Prefix\fR
-Reverse data for zone 8.B.D.0.1.0.0.2.ip6.arpa. This zone is used for
-tutorials and examples. You can remove the block on this zone with:
-.nf
- local\-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault
-.fi
-You can also selectively unblock a part of the zone by making that part
-transparent with a local\-zone statement.
-This also works with the other default zones.
-.\" End of local-zone listing.
-.TP 5
-.B local\-data: \fI"<resource record string>"
-Configure local data, which is served in reply to queries for it.
-The query has to match exactly unless you configure the local\-zone as
-redirect. If not matched exactly, the local\-zone type determines
-further processing. If local\-data is configured that is not a subdomain of
-a local\-zone, a transparent local\-zone is configured.
-For record types such as TXT, use single quotes, as in
-local\-data: 'example. TXT "text"'.
-.IP
-If you need more complicated authoritative data, with referrals, wildcards,
-CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for
-it as detailed in the stub zone section below.
-.TP 5
-.B local\-data\-ptr: \fI"IPaddr name"
-Configure local data shorthand for a PTR record with the reversed IPv4 or
-IPv6 address and the host name. For example "192.0.2.4 www.example.com".
-TTL can be inserted like this: "2001:DB8::4 7200 www.example.com"
-.TP 5
-.B local\-zone\-tag: \fI<zone> <"list of tags">
-Assign tags to localzones. Tagged localzones will only be applied when the
-used access-control element has a matching tag. Tags must be defined in
-\fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put spaces between
-tags.
-.TP 5
-.B local\-zone\-override: \fI<zone> <IP netblock> <type>
-Override the localzone type for queries from addresses matching netblock.
-Use this localzone type, regardless the type configured for the local-zone
-(both tagged and untagged) and regardless the type configured using
-access\-control\-tag\-action.
-.TP 5
-.B ratelimit: \fI<number or 0>
-Enable ratelimiting of queries sent to nameserver for performing recursion.
-If 0, the default, it is disabled. This option is experimental at this time.
-The ratelimit is in queries per second that are allowed. More queries are
-turned away with an error (servfail). This stops recursive floods, eg. random
-query names, but not spoofed reflection floods. Cached responses are not
-ratelimited by this setting. The zone of the query is determined by examining
-the nameservers for it, the zone name is used to keep track of the rate.
-For example, 1000 may be a suitable value to stop the server from being
-overloaded with random names, and keeps unbound from sending traffic to the
-nameservers for those zones.
-.TP 5
-.B ratelimit\-size: \fI<memory size>
-Give the size of the data structure in which the current ongoing rates are
-kept track in. Default 4m. In bytes or use m(mega), k(kilo), g(giga).
-The ratelimit structure is small, so this data structure likely does
-not need to be large.
-.TP 5
-.B ratelimit\-slabs: \fI<number>
-Give power of 2 number of slabs, this is used to reduce lock contention
-in the ratelimit tracking data structure. Close to the number of cpus is
-a fairly good setting.
-.TP 5
-.B ratelimit\-factor: \fI<number>
-Set the amount of queries to rate limit when the limit is exceeded.
-If set to 0, all queries are dropped for domains where the limit is
-exceeded. If set to another value, 1 in that number is allowed through
-to complete. Default is 10, allowing 1/10 traffic to flow normally.
-This can make ordinary queries complete (if repeatedly queried for),
-and enter the cache, whilst also mitigating the traffic flow by the
-factor given.
-.TP 5
-.B ratelimit\-for\-domain: \fI<domain> <number qps>
-Override the global ratelimit for an exact match domain name with the listed
-number. You can give this for any number of names. For example, for
-a top\-level\-domain you may want to have a higher limit than other names.
-.TP 5
-.B ratelimit\-below\-domain: \fI<domain> <number qps>
-Override the global ratelimit for a domain name that ends in this name.
-You can give this multiple times, it then describes different settings
-in different parts of the namespace. The closest matching suffix is used
-to determine the qps limit. The rate for the exact matching domain name
-is not changed, use ratelimit\-for\-domain to set that, you might want
-to use different settings for a top\-level\-domain and subdomains.
-.TP 5
-.B ip\-ratelimit: \fI<number or 0>
-Enable global ratelimiting of queries accepted per ip address.
-If 0, the default, it is disabled. This option is experimental at this time.
-The ratelimit is in queries per second that are allowed. More queries are
-completely dropped and will not receive a reply, SERVFAIL or otherwise.
-IP ratelimiting happens before looking in the cache. This may be useful for
-mitigating amplification attacks.
-.TP 5
-.B ip\-ratelimit\-size: \fI<memory size>
-Give the size of the data structure in which the current ongoing rates are
-kept track in. Default 4m. In bytes or use m(mega), k(kilo), g(giga).
-The ip ratelimit structure is small, so this data structure likely does
-not need to be large.
-.TP 5
-.B ip\-ratelimit\-slabs: \fI<number>
-Give power of 2 number of slabs, this is used to reduce lock contention
-in the ip ratelimit tracking data structure. Close to the number of cpus is
-a fairly good setting.
-.TP 5
-.B ip\-ratelimit\-factor: \fI<number>
-Set the amount of queries to rate limit when the limit is exceeded.
-If set to 0, all queries are dropped for addresses where the limit is
-exceeded. If set to another value, 1 in that number is allowed through
-to complete. Default is 10, allowing 1/10 traffic to flow normally.
-This can make ordinary queries complete (if repeatedly queried for),
-and enter the cache, whilst also mitigating the traffic flow by the
-factor given.
-.SS "Remote Control Options"
-In the
-.B remote\-control:
-clause are the declarations for the remote control facility. If this is
-enabled, the \fIunbound\-control\fR(8) utility can be used to send
-commands to the running unbound server. The server uses these clauses
-to setup SSLv3 / TLSv1 security for the connection. The
-\fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR
-section for options. To setup the correct self\-signed certificates use the
-\fIunbound\-control\-setup\fR(8) utility.
-.TP 5
-.B control\-enable: \fI<yes or no>
-The option is used to enable remote control, default is "no".
-If turned off, the server does not listen for control commands.
-.TP 5
-.B control\-interface: \fI<ip address or path>
-Give IPv4 or IPv6 addresses or local socket path to listen on for
-control commands.
-By default localhost (127.0.0.1 and ::1) is listened to.
-Use 0.0.0.0 and ::0 to listen to all interfaces.
-If you change this and permissions have been dropped, you must restart
-the server for the change to take effect.
-.TP 5
-.B control\-port: \fI<port number>
-The port number to listen on for IPv4 or IPv6 control interfaces,
-default is 8953.
-If you change this and permissions have been dropped, you must restart
-the server for the change to take effect.
-.TP 5
-.B control\-use\-cert: \fI<yes or no>
-Whether to require certificate authentication of control connections.
-The default is "yes".
-This should not be changed unless there are other mechanisms in place
-to prevent untrusted users from accessing the remote control
-interface.
-.TP 5
-.B server\-key\-file: \fI<private key file>
-Path to the server private key, by default unbound_server.key.
-This file is generated by the \fIunbound\-control\-setup\fR utility.
-This file is used by the unbound server, but not by \fIunbound\-control\fR.
-.TP 5
-.B server\-cert\-file: \fI<certificate file.pem>
-Path to the server self signed certificate, by default unbound_server.pem.
-This file is generated by the \fIunbound\-control\-setup\fR utility.
-This file is used by the unbound server, and also by \fIunbound\-control\fR.
-.TP 5
-.B control\-key\-file: \fI<private key file>
-Path to the control client private key, by default unbound_control.key.
-This file is generated by the \fIunbound\-control\-setup\fR utility.
-This file is used by \fIunbound\-control\fR.
-.TP 5
-.B control\-cert\-file: \fI<certificate file.pem>
-Path to the control client certificate, by default unbound_control.pem.
-This certificate has to be signed with the server certificate.
-This file is generated by the \fIunbound\-control\-setup\fR utility.
-This file is used by \fIunbound\-control\fR.
-.SS "Stub Zone Options"
-.LP
-There may be multiple
-.B stub\-zone:
-clauses. Each with a name: and zero or more hostnames or IP addresses.
-For the stub zone this list of nameservers is used. Class IN is assumed.
-The servers should be authority servers, not recursors; unbound performs
-the recursive processing itself for stub zones.
-.P
-The stub zone can be used to configure authoritative data to be used
-by the resolver that cannot be accessed using the public internet servers.
-This is useful for company\-local data or private zones. Setup an
-authoritative server on a different host (or different port). Enter a config
-entry for unbound with
-.B stub\-addr:
-<ip address of host[@port]>.
-The unbound resolver can then access the data, without referring to the
-public internet for it.
-.P
-This setup allows DNSSEC signed zones to be served by that
-authoritative server, in which case a trusted key entry with the public key
-can be put in config, so that unbound can validate the data and set the AD
-bit on replies for the private zone (authoritative servers do not set the
-AD bit). This setup makes unbound capable of answering queries for the
-private zone, and can even set the AD bit ('authentic'), but the AA
-('authoritative') bit is not set on these replies.
-.P
-Consider adding \fBserver:\fR statements for \fBdomain\-insecure:\fR and
-for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally
-served zone. The insecure clause stops DNSSEC from invalidating the
-zone. The local zone nodefault (or \fItransparent\fR) clause makes the
-(reverse\-) zone bypass unbound's filtering of RFC1918 zones.
-.TP
-.B name: \fI<domain name>
-Name of the stub zone.
-.TP
-.B stub\-host: \fI<domain name>
-Name of stub zone nameserver. Is itself resolved before it is used.
-.TP
-.B stub\-addr: \fI<IP address>
-IP address of stub zone nameserver. Can be IP 4 or IP 6.
-To use a nondefault port for DNS communication append '@' with the port number.
-.TP
-.B stub\-prime: \fI<yes or no>
-This option is by default off. If enabled it performs NS set priming,
-which is similar to root hints, where it starts using the list of nameservers
-currently published by the zone. Thus, if the hint list is slightly outdated,
-the resolver picks up a correct list online.
-.TP
-.B stub\-first: \fI<yes or no>
-If enabled, a query is attempted without the stub clause if it fails.
-The data could not be retrieved and would have caused SERVFAIL because
-the servers are unreachable, instead it is tried without this clause.
-The default is no.
-.TP
-.B stub\-ssl\-upstream: \fI<yes or no>
-Enabled or disable whether the queries to this stub use SSL for transport.
-Default is no.
-.SS "Forward Zone Options"
-.LP
-There may be multiple
-.B forward\-zone:
-clauses. Each with a \fBname:\fR and zero or more hostnames or IP
-addresses. For the forward zone this list of nameservers is used to
-forward the queries to. The servers listed as \fBforward\-host:\fR and
-\fBforward\-addr:\fR have to handle further recursion for the query. Thus,
-those servers are not authority servers, but are (just like unbound is)
-recursive servers too; unbound does not perform recursion itself for the
-forward zone, it lets the remote server do it. Class IN is assumed.
-A forward\-zone entry with name "." and a forward\-addr target will
-forward all queries to that other server (unless it can answer from
-the cache).
-.TP
-.B name: \fI<domain name>
-Name of the forward zone.
-.TP
-.B forward\-host: \fI<domain name>
-Name of server to forward to. Is itself resolved before it is used.
-.TP
-.B forward\-addr: \fI<IP address>
-IP address of server to forward to. Can be IP 4 or IP 6.
-To use a nondefault port for DNS communication append '@' with the port number.
-.TP
-.B forward\-first: \fI<yes or no>
-If enabled, a query is attempted without the forward clause if it fails.
-The data could not be retrieved and would have caused SERVFAIL because
-the servers are unreachable, instead it is tried without this clause.
-The default is no.
-.TP
-.B forward\-ssl\-upstream: \fI<yes or no>
-Enabled or disable whether the queries to this forwarder use SSL for transport.
-Default is no.
-.SS "View Options"
-.LP
-There may be multiple
-.B view:
-clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and
-\fBlocal\-data\fR elements. View can be mapped to requests by specifying the view
-name in an \fBaccess\-control\-view\fR element. Options from matching views will
-override global options. Global options will be used if no matching view
-is found.
-.TP
-.B name: \fI<view name>
-Name of the view. Must be unique. This name is used in access\-control\-view
-elements.
-.TP
-.B local\-zone: \fI<zone> <type>
-View specific local\-zone elements. Has the same types and behaviour as the
-global local\-zone elements.
-.TP
-.B local\-data: \fI"<resource record string>"
-View specific local\-data elements. Has the same behaviour as the global
-local\-data elements.
-.TP
-.B local\-data\-ptr: \fI"IPaddr name"
-View specific local\-data\-ptr elements. Has the same behaviour as the global
-local\-data\-ptr elements.
-.TP
-.B view\-first: \fI<yes or no>
-If enabled, it attempts to use the global local\-zone and local\-data if there
-is no match in the view specific options.
-The default is no.
-.SS "Python Module Options"
-.LP
-The
-.B python:
-clause gives the settings for the \fIpython\fR(1) script module. This module
-acts like the iterator and validator modules do, on queries and answers.
-To enable the script module it has to be compiled into the daemon,
-and the word "python" has to be put in the \fBmodule\-config:\fR option
-(usually first, or between the validator and iterator).
-.LP
-If the \fBchroot:\fR option is enabled, you should make sure Python's
-library directory structure is bind mounted in the new root environment, see
-\fImount\fR(8). Also the \fBpython\-script:\fR path should be specified as an
-absolute path relative to the new root, or as a relative path to the working
-directory.
-.TP
-.B python\-script: \fI<python file>\fR
-The script file to load.
-.SS "DNS64 Module Options"
-.LP
-The dns64 module must be configured in the \fBmodule\-config:\fR "dns64
-validator iterator" directive and be compiled into the daemon to be
-enabled. These settings go in the \fBserver:\fR section.
-.TP
-.B dns64\-prefix: \fI<IPv6 prefix>\fR
-This sets the DNS64 prefix to use to synthesize AAAA records with.
-It must be /96 or shorter. The default prefix is 64:ff9b::/96.
-.TP
-.B dns64\-synthall: \fI<yes or no>\fR
-Debug option, default no. If enabled, synthesize all AAAA records
-despite the presence of actual AAAA records.
-.SS "DNSCrypt Options"
-.LP
-The
-.B dnscrypt:
-clause give the settings of the dnscrypt channel. While those options are
-available, they are only meaningful if unbound was compiled with
-\fB\-\-enable\-dnscrypt\fR.
-Currently certificate and secret/public keys cannot be generated by unbound.
-You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
-.TP
-.B dnscrypt\-enable: \fI<yes or no>\fR
-Whether or not the \fBdnscrypt\fR config should be enabled. You may define
-configuration but not activate it.
-The default is no.
-.TP
-.B dnscrypt\-port: \fI<port number>
-On which port should \fBdnscrypt\fR should be activated. Note that you should
-have a matching \fBinterface\fR option defined in the \fBserver\fR section for
-this port.
-.TP
-.B dnscrypt\-provider: \fI<provider name>\fR
-The provider name to use to distribute certificates. This is of the form:
-\fB2.dnscrypt-cert.example.com.\fR. The name \fIMUST\fR end with a dot.
-.TP
-.B dnscrypt\-secret\-key: \fI<path to secret key file>\fR
-Path to the time limited secret key file. This option may be specified multiple
-times.
-.TP
-.B dnscrypt\-provider\-cert: \fI<path to cert file>\fR
-Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs. This option
-may be specified multiple times.
-.SS "EDNS Client Subnet Module Options"
-.LP
-The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache
-validator iterator" directive and be compiled into the daemon to be
-enabled. These settings go in the \fBserver:\fR section.
-.LP
-If the destination address is whitelisted with Unbound will add the EDNS0 option
-to the query containing the relevant part of the client's address. When an
-answer contains the ECS option the response and the option are placed in a
-specialized cache. If the authority indicated no support, the response is stored
-in the regular cache.
-.LP
-Additionally, when a client includes the option in its queries, Unbound will
-forward the option to the authority regardless of the authorities presence in
-the whitelist. In this case the lookup in the regular cache is skipped.
-.LP
-The maximum size of the ECS cache is controlled by 'msg-cache-size' in the
-configuration file. On top of that, for each query only 100 different subnets
-are allowed to be stored for each address family. Exceeding that number, older
-entries will be purged from cache.
-.TP
-.B send\-client\-subnet: \fI<IP address>\fR
-Send client source address to this authority. Append /num to indicate a
-classless delegation netblock, for example like 10.2.3.4/24 or 2001::11/64. Can
-be given multiple times. Authorities not listed will not receive edns-subnet
-information.
-.TP
-.B client\-subnet\-always\-forward: \fI<yes or no>\fR
-Specify whether the ECS whitelist check (configured using
-\fBsend\-client\-subnet\fR) is applied for all queries, even if the triggering
-query contains an ECS record, or only for queries for which the ECS record is
-generated using the querier address (and therefore did not contain ECS data in
-the client query). If enabled, the whitelist check is skipped when the client
-query contains an ECS record. Default is no.
-.TP
-.B max\-client\-subnet\-ipv6: \fI<number>\fR
-Specifies the maximum prefix length of the client source address we are willing
-to expose to third parties for IPv6. Defaults to 56.
-.TP
-.B max\-client\-subnet\-ipv4: \fI<number>\fR
-Specifies the maximum prefix length of the client source address we are willing
-to expose to third parties for IPv4. Defaults to 24.
-.SH "MEMORY CONTROL EXAMPLE"
-In the example config settings below memory usage is reduced. Some service
-levels are lower, notable very large data and a high TCP load are no longer
-supported. Very large data and high TCP loads are exceptional for the DNS.
-DNSSEC validation is enabled, just add trust anchors.
-If you do not have to worry about programs using more than 3 Mb of memory,
-the below example is not for you. Use the defaults to receive full service,
-which on BSD\-32bit tops out at 30\-40 Mb after heavy usage.
-.P
-.nf
-# example settings that reduce memory usage
-server:
- num\-threads: 1
- outgoing\-num\-tcp: 1 # this limits TCP service, uses less buffers.
- incoming\-num\-tcp: 1
- outgoing\-range: 60 # uses less memory, but less performance.
- msg\-buffer\-size: 8192 # note this limits service, 'no huge stuff'.
- msg\-cache\-size: 100k
- msg\-cache\-slabs: 1
- rrset\-cache\-size: 100k
- rrset\-cache\-slabs: 1
- infra\-cache\-numhosts: 200
- infra\-cache\-slabs: 1
- key\-cache\-size: 100k
- key\-cache\-slabs: 1
- neg\-cache\-size: 10k
- num\-queries\-per\-thread: 30
- target\-fetch\-policy: "2 1 0 0 0 0"
- harden\-large\-queries: "yes"
- harden\-short\-bufsize: "yes"
-.fi
-.SH "FILES"
-.TP
-.I @UNBOUND_RUN_DIR@
-default unbound working directory.
-.TP
-.I @UNBOUND_CHROOT_DIR@
-default
-\fIchroot\fR(2)
-location.
-.TP
-.I @ub_conf_file@
-unbound configuration file.
-.TP
-.I @UNBOUND_PIDFILE@
-default unbound pidfile with process ID of the running daemon.
-.TP
-.I unbound.log
-unbound log file. default is to log to
-\fIsyslog\fR(3).
-.SH "SEE ALSO"
-\fIunbound\fR(8),
-\fIunbound\-checkconf\fR(8).
-.SH "AUTHORS"
-.B Unbound
-was written by NLnet Labs. Please see CREDITS file
-in the distribution for further details.
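Review bot: Missing documentation for the removal: the hunk ends by deleting the FILES, SEE ALSO and AUTHORS sections of unbound.conf.5.in, and the following file header shows unbound.doxygen being deleted as well, yet nothing in the hunk records where the vendored unbound documentation can now be found or which upstream release these man pages corresponded to. Suggest stating the upstream version and a pointer to the upstream unbound.conf(5) man page (in the commit message or a short README under external/unbound), because security-relevant guidance removed here, such as `.B control\-use\-cert: \fI<yes or no>` with its note `This should not be changed unless there are other mechanisms in place` and the `remote\-control:` certificate setup text, would otherwise no longer be discoverable in-tree.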
diff --git a/external/unbound/doc/unbound.doxygen b/external/unbound/doc/unbound.doxygen
deleted file mode 100644
index fe3987681..000000000
--- a/external/unbound/doc/unbound.doxygen
+++ /dev/null
@@ -1,1650 +0,0 @@
-# Doxyfile 1.7.1
-
-# This file describes the settings to be used by the documentation system
-# doxygen (www.doxygen.org) for a project
-#
-# All text after a hash (#) is considered a comment and will be ignored
-# The format is:
-# TAG = value [value, ...]
-# For lists items can also be appended using:
-# TAG += value [value, ...]
-# Values that contain spaces should be placed between quotes (" ")
-
-#---------------------------------------------------------------------------
-# Project related configuration options
-#---------------------------------------------------------------------------
-
-# This tag specifies the encoding used for all characters in the config file
-# that follow. The default is UTF-8 which is also the encoding used for all
-# text before the first occurrence of this tag. Doxygen uses libiconv (or the
-# iconv built into libc) for the transcoding. See
-# http://www.gnu.org/software/libiconv for the list of possible encodings.
-
-DOXYFILE_ENCODING = UTF-8
-
-# The PROJECT_NAME tag is a single word (or a sequence of words surrounded
-# by quotes) that should identify the project.
-
-PROJECT_NAME = unbound
-
-# The PROJECT_NUMBER tag can be used to enter a project or revision number.
-# This could be handy for archiving the generated documentation or
-# if some version control system is used.
-
-PROJECT_NUMBER = 0.1
-
-# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute)
-# base path where the generated documentation will be put.
-# If a relative path is entered, it will be relative to the location
-# where doxygen was started. If left blank the current directory will be used.
-
-OUTPUT_DIRECTORY = doc
-
-# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create
-# 4096 sub-directories (in 2 levels) under the output directory of each output
-# format and will distribute the generated files over these directories.
-# Enabling this option can be useful when feeding doxygen a huge amount of
-# source files, where putting all generated files in the same directory would
-# otherwise cause performance problems for the file system.
-
-CREATE_SUBDIRS = NO
-
-# The OUTPUT_LANGUAGE tag is used to specify the language in which all
-# documentation generated by doxygen is written. Doxygen will use this
-# information to generate all constant output in the proper language.
-# The default language is English, other supported languages are:
-# Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese-Traditional,
-# Croatian, Czech, Danish, Dutch, Esperanto, Farsi, Finnish, French, German,
-# Greek, Hungarian, Italian, Japanese, Japanese-en (Japanese with English
-# messages), Korean, Korean-en, Lithuanian, Norwegian, Macedonian, Persian,
-# Polish, Portuguese, Romanian, Russian, Serbian, Serbian-Cyrilic, Slovak,
-# Slovene, Spanish, Swedish, Ukrainian, and Vietnamese.
-
-OUTPUT_LANGUAGE = English
-
-# If the BRIEF_MEMBER_DESC tag is set to YES (the default) Doxygen will
-# include brief member descriptions after the members that are listed in
-# the file and class documentation (similar to JavaDoc).
-# Set to NO to disable this.
-
-BRIEF_MEMBER_DESC = YES
-
-# If the REPEAT_BRIEF tag is set to YES (the default) Doxygen will prepend
-# the brief description of a member or function before the detailed description.
-# Note: if both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the
-# brief descriptions will be completely suppressed.
-
-REPEAT_BRIEF = YES
-
-# This tag implements a quasi-intelligent brief description abbreviator
-# that is used to form the text in various listings. Each string
-# in this list, if found as the leading text of the brief description, will be
-# stripped from the text and the result after processing the whole list, is
-# used as the annotated text. Otherwise, the brief description is used as-is.
-# If left blank, the following values are used ("$name" is automatically
-# replaced with the name of the entity): "The $name class" "The $name widget"
-# "The $name file" "is" "provides" "specifies" "contains"
-# "represents" "a" "an" "the"
-
-ABBREVIATE_BRIEF =
-
-# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then
-# Doxygen will generate a detailed section even if there is only a brief
-# description.
-
-ALWAYS_DETAILED_SEC = NO
-
-# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all
-# inherited members of a class in the documentation of that class as if those
-# members were ordinary class members. Constructors, destructors and assignment
-# operators of the base classes will not be shown.
-
-INLINE_INHERITED_MEMB = NO
-
-# If the FULL_PATH_NAMES tag is set to YES then Doxygen will prepend the full
-# path before files name in the file list and in the header files. If set
-# to NO the shortest path that makes the file name unique will be used.
-
-FULL_PATH_NAMES = YES
-
-# If the FULL_PATH_NAMES tag is set to YES then the STRIP_FROM_PATH tag
-# can be used to strip a user-defined part of the path. Stripping is
-# only done if one of the specified strings matches the left-hand part of
-# the path. The tag can be used to show relative paths in the file list.
-# If left blank the directory from which doxygen is run is used as the
-# path to strip.
-
-STRIP_FROM_PATH =
-
-# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of
-# the path mentioned in the documentation of a class, which tells
-# the reader which header file to include in order to use a class.
-# If left blank only the name of the header file containing the class
-# definition is used. Otherwise one should specify the include paths that
-# are normally passed to the compiler using the -I flag.
-
-STRIP_FROM_INC_PATH =
-
-# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter
-# (but less readable) file names. This can be useful is your file systems
-# doesn't support long names like on DOS, Mac, or CD-ROM.
-
-SHORT_NAMES = NO
-
-# If the JAVADOC_AUTOBRIEF tag is set to YES then Doxygen
-# will interpret the first line (until the first dot) of a JavaDoc-style
-# comment as the brief description. If set to NO, the JavaDoc
-# comments will behave just like regular Qt-style comments
-# (thus requiring an explicit @brief command for a brief description.)
-
-JAVADOC_AUTOBRIEF = YES
-
-# If the QT_AUTOBRIEF tag is set to YES then Doxygen will
-# interpret the first line (until the first dot) of a Qt-style
-# comment as the brief description. If set to NO, the comments
-# will behave just like regular Qt-style comments (thus requiring
-# an explicit \brief command for a brief description.)
-
-QT_AUTOBRIEF = NO
-
-# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make Doxygen
-# treat a multi-line C++ special comment block (i.e. a block of //! or ///
-# comments) as a brief description. This used to be the default behaviour.
-# The new default is to treat a multi-line C++ comment block as a detailed
-# description. Set this tag to YES if you prefer the old behaviour instead.
-
-MULTILINE_CPP_IS_BRIEF = NO
-
-# If the INHERIT_DOCS tag is set to YES (the default) then an undocumented
-# member inherits the documentation from any documented member that it
-# re-implements.
-
-INHERIT_DOCS = YES
-
-# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce
-# a new page for each member. If set to NO, the documentation of a member will
-# be part of the file/class/namespace that contains it.
-
-SEPARATE_MEMBER_PAGES = NO
-
-# The TAB_SIZE tag can be used to set the number of spaces in a tab.
-# Doxygen uses this value to replace tabs by spaces in code fragments.
-
-TAB_SIZE = 8
-
-# This tag can be used to specify a number of aliases that acts
-# as commands in the documentation. An alias has the form "name=value".
-# For example adding "sideeffect=\par Side Effects:\n" will allow you to
-# put the command \sideeffect (or @sideeffect) in the documentation, which
-# will result in a user-defined paragraph with heading "Side Effects:".
-# You can put \n's in the value part of an alias to insert newlines.
-
-ALIASES =
-
-# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C
-# sources only. Doxygen will then generate output that is more tailored for C.
-# For instance, some of the names that are used will be different. The list
-# of all members will be omitted, etc.
-
-OPTIMIZE_OUTPUT_FOR_C = YES
-
-# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java
-# sources only. Doxygen will then generate output that is more tailored for
-# Java. For instance, namespaces will be presented as packages, qualified
-# scopes will look different, etc.
-
-OPTIMIZE_OUTPUT_JAVA = NO
-
-# Set the OPTIMIZE_FOR_FORTRAN tag to YES if your project consists of Fortran
-# sources only. Doxygen will then generate output that is more tailored for
-# Fortran.
-
-OPTIMIZE_FOR_FORTRAN = NO
-
-# Set the OPTIMIZE_OUTPUT_VHDL tag to YES if your project consists of VHDL
-# sources. Doxygen will then generate output that is tailored for
-# VHDL.
-
-OPTIMIZE_OUTPUT_VHDL = NO
-
-# Doxygen selects the parser to use depending on the extension of the files it
-# parses. With this tag you can assign which parser to use for a given extension.
-# Doxygen has a built-in mapping, but you can override or extend it using this
-# tag. The format is ext=language, where ext is a file extension, and language
-# is one of the parsers supported by doxygen: IDL, Java, Javascript, CSharp, C,
-# C++, D, PHP, Objective-C, Python, Fortran, VHDL, C, C++. For instance to make
-# doxygen treat .inc files as Fortran files (default is PHP), and .f files as C
-# (default is Fortran), use: inc=Fortran f=C. Note that for custom extensions
-# you also need to set FILE_PATTERNS otherwise the files are not read by doxygen.
-
-EXTENSION_MAPPING =
-
-# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want
-# to include (a tag file for) the STL sources as input, then you should
-# set this tag to YES in order to let doxygen match functions declarations and
-# definitions whose arguments contain STL classes (e.g. func(std::string); v.s.
-# func(std::string) {}). This also make the inheritance and collaboration
-# diagrams that involve STL classes more complete and accurate.
-
-BUILTIN_STL_SUPPORT = NO
-
-# If you use Microsoft's C++/CLI language, you should set this option to YES to
-# enable parsing support.
-
-CPP_CLI_SUPPORT = NO
-
-# Set the SIP_SUPPORT tag to YES if your project consists of sip sources only.
-# Doxygen will parse them like normal C++ but will assume all classes use public
-# instead of private inheritance when no explicit protection keyword is present.
-
-SIP_SUPPORT = NO
-
-# For Microsoft's IDL there are propget and propput attributes to indicate getter
-# and setter methods for a property. Setting this option to YES (the default)
-# will make doxygen to replace the get and set methods by a property in the
-# documentation. This will only work if the methods are indeed getting or
-# setting a simple type. If this is not the case, or you want to show the
-# methods anyway, you should set this option to NO.
-
-IDL_PROPERTY_SUPPORT = YES
-
-# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC
-# tag is set to YES, then doxygen will reuse the documentation of the first
-# member in the group (if any) for the other members of the group. By default
-# all members of a group must be documented explicitly.
-
-DISTRIBUTE_GROUP_DOC = NO
-
-# Set the SUBGROUPING tag to YES (the default) to allow class member groups of
-# the same type (for instance a group of public functions) to be put as a
-# subgroup of that type (e.g. under the Public Functions section). Set it to
-# NO to prevent subgrouping. Alternatively, this can be done per class using
-# the \nosubgrouping command.
-
-SUBGROUPING = YES
-
-# When TYPEDEF_HIDES_STRUCT is enabled, a typedef of a struct, union, or enum
-# is documented as struct, union, or enum with the name of the typedef. So
-# typedef struct TypeS {} TypeT, will appear in the documentation as a struct
-# with name TypeT. When disabled the typedef will appear as a member of a file,
-# namespace, or class. And the struct will be named TypeS. This can typically
-# be useful for C code in case the coding convention dictates that all compound
-# types are typedef'ed and only the typedef is referenced, never the tag name.
-
-TYPEDEF_HIDES_STRUCT = NO
-
-# The SYMBOL_CACHE_SIZE determines the size of the internal cache use to
-# determine which symbols to keep in memory and which to flush to disk.
-# When the cache is full, less often used symbols will be written to disk.
-# For small to medium size projects (<1000 input files) the default value is
-# probably good enough. For larger projects a too small cache size can cause
-# doxygen to be busy swapping symbols to and from disk most of the time
-# causing a significant performance penality.
-# If the system has enough physical memory increasing the cache will improve the
-# performance by keeping more symbols in memory. Note that the value works on
-# a logarithmic scale so increasing the size by one will rougly double the
-# memory usage. The cache size is given by this formula:
-# 2^(16+SYMBOL_CACHE_SIZE). The valid range is 0..9, the default is 0,
-# corresponding to a cache size of 2^16 = 65536 symbols
-
-#SYMBOL_CACHE_SIZE = 0
-
-#---------------------------------------------------------------------------
-# Build related configuration options
-#---------------------------------------------------------------------------
-
-# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in
-# documentation are documented, even if no documentation was available.
-# Private class members and static file members will be hidden unless
-# the EXTRACT_PRIVATE and EXTRACT_STATIC tags are set to YES
-
-EXTRACT_ALL = NO
-
-# If the EXTRACT_PRIVATE tag is set to YES all private members of a class
-# will be included in the documentation.
-
-EXTRACT_PRIVATE = YES
-
-# If the EXTRACT_STATIC tag is set to YES all static members of a file
-# will be included in the documentation.
-
-EXTRACT_STATIC = YES
-
-# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs)
-# defined locally in source files will be included in the documentation.
-# If set to NO only classes defined in header files are included.
-
-EXTRACT_LOCAL_CLASSES = YES
-
-# This flag is only useful for Objective-C code. When set to YES local
-# methods, which are defined in the implementation section but not in
-# the interface are included in the documentation.
-# If set to NO (the default) only methods in the interface are included.
-
-EXTRACT_LOCAL_METHODS = YES
-
-# If this flag is set to YES, the members of anonymous namespaces will be
-# extracted and appear in the documentation as a namespace called
-# 'anonymous_namespace{file}', where file will be replaced with the base
-# name of the file that contains the anonymous namespace. By default
-# anonymous namespace are hidden.
-
-EXTRACT_ANON_NSPACES = NO
-
-# If the HIDE_UNDOC_MEMBERS tag is set to YES, Doxygen will hide all
-# undocumented members of documented classes, files or namespaces.
-# If set to NO (the default) these members will be included in the
-# various overviews, but no documentation section is generated.
-# This option has no effect if EXTRACT_ALL is enabled.
-
-HIDE_UNDOC_MEMBERS = NO
-
-# If the HIDE_UNDOC_CLASSES tag is set to YES, Doxygen will hide all
-# undocumented classes that are normally visible in the class hierarchy.
-# If set to NO (the default) these classes will be included in the various
-# overviews. This option has no effect if EXTRACT_ALL is enabled.
-
-HIDE_UNDOC_CLASSES = NO
-
-# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, Doxygen will hide all
-# friend (class|struct|union) declarations.
-# If set to NO (the default) these declarations will be included in the
-# documentation.
-
-HIDE_FRIEND_COMPOUNDS = NO
-
-# If the HIDE_IN_BODY_DOCS tag is set to YES, Doxygen will hide any
-# documentation blocks found inside the body of a function.
-# If set to NO (the default) these blocks will be appended to the
-# function's detailed documentation block.
-
-HIDE_IN_BODY_DOCS = NO
-
-# The INTERNAL_DOCS tag determines if documentation
-# that is typed after a \internal command is included. If the tag is set
-# to NO (the default) then the documentation will be excluded.
-# Set it to YES to include the internal documentation.
-
-INTERNAL_DOCS = NO
-
-# If the CASE_SENSE_NAMES tag is set to NO then Doxygen will only generate
-# file names in lower-case letters. If set to YES upper-case letters are also
-# allowed. This is useful if you have classes or files whose names only differ
-# in case and if your file system supports case sensitive file names. Windows
-# and Mac users are advised to set this option to NO.
-
-CASE_SENSE_NAMES = YES
-
-# If the HIDE_SCOPE_NAMES tag is set to NO (the default) then Doxygen
-# will show members with their full class and namespace scopes in the
-# documentation. If set to YES the scope will be hidden.
-
-HIDE_SCOPE_NAMES = NO
-
-# If the SHOW_INCLUDE_FILES tag is set to YES (the default) then Doxygen
-# will put a list of the files that are included by a file in the documentation
-# of that file.
-
-SHOW_INCLUDE_FILES = YES
-
-# If the FORCE_LOCAL_INCLUDES tag is set to YES then Doxygen
-# will list include files with double quotes in the documentation
-# rather than with sharp brackets.
-
-FORCE_LOCAL_INCLUDES = NO
-
-# If the INLINE_INFO tag is set to YES (the default) then a tag [inline]
-# is inserted in the documentation for inline members.
-
-INLINE_INFO = YES
-
-# If the SORT_MEMBER_DOCS tag is set to YES (the default) then doxygen
-# will sort the (detailed) documentation of file and class members
-# alphabetically by member name. If set to NO the members will appear in
-# declaration order.
-
-SORT_MEMBER_DOCS = NO
-
-# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the
-# brief documentation of file, namespace and class members alphabetically
-# by member name. If set to NO (the default) the members will appear in
-# declaration order.
-
-SORT_BRIEF_DOCS = NO
-
-# If the SORT_MEMBERS_CTORS_1ST tag is set to YES then doxygen
-# will sort the (brief and detailed) documentation of class members so that
-# constructors and destructors are listed first. If set to NO (the default)
-# the constructors will appear in the respective orders defined by
-# SORT_MEMBER_DOCS and SORT_BRIEF_DOCS.
-# This tag will be ignored for brief docs if SORT_BRIEF_DOCS is set to NO
-# and ignored for detailed docs if SORT_MEMBER_DOCS is set to NO.
-
-SORT_MEMBERS_CTORS_1ST = NO
-
-# If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the
-# hierarchy of group names into alphabetical order. If set to NO (the default)
-# the group names will appear in their defined order.
-
-SORT_GROUP_NAMES = NO
-
-# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be
-# sorted by fully-qualified names, including namespaces. If set to
-# NO (the default), the class list will be sorted only by class name,
-# not including the namespace part.
-# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES.
-# Note: This option applies only to the class list, not to the
-# alphabetical list.
-
-SORT_BY_SCOPE_NAME = NO
-
-# The GENERATE_TODOLIST tag can be used to enable (YES) or
-# disable (NO) the todo list. This list is created by putting \todo
-# commands in the documentation.
-
-GENERATE_TODOLIST = YES
-
-# The GENERATE_TESTLIST tag can be used to enable (YES) or
-# disable (NO) the test list. This list is created by putting \test
-# commands in the documentation.
-
-GENERATE_TESTLIST = YES
-
-# The GENERATE_BUGLIST tag can be used to enable (YES) or
-# disable (NO) the bug list. This list is created by putting \bug
-# commands in the documentation.
-
-GENERATE_BUGLIST = YES
-
-# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or
-# disable (NO) the deprecated list. This list is created by putting
-# \deprecated commands in the documentation.
-
-GENERATE_DEPRECATEDLIST= YES
-
-# The ENABLED_SECTIONS tag can be used to enable conditional
-# documentation sections, marked by \if sectionname ... \endif.
-
-ENABLED_SECTIONS =
-
-# The MAX_INITIALIZER_LINES tag determines the maximum number of lines
-# the initial value of a variable or define consists of for it to appear in
-# the documentation. If the initializer consists of more lines than specified
-# here it will be hidden. Use a value of 0 to hide initializers completely.
-# The appearance of the initializer of individual variables and defines in the
-# documentation can be controlled using \showinitializer or \hideinitializer
-# command in the documentation regardless of this setting.
-
-MAX_INITIALIZER_LINES = 30
-
-# Set the SHOW_USED_FILES tag to NO to disable the list of files generated
-# at the bottom of the documentation of classes and structs. If set to YES the
-# list will mention the files that were used to generate the documentation.
-
-SHOW_USED_FILES = YES
-
-# If the sources in your project are distributed over multiple directories
-# then setting the SHOW_DIRECTORIES tag to YES will show the directory hierarchy
-# in the documentation. The default is NO.
-
-#SHOW_DIRECTORIES = YES
-
-# Set the SHOW_FILES tag to NO to disable the generation of the Files page.
-# This will remove the Files entry from the Quick Index and from the
-# Folder Tree View (if specified). The default is YES.
-
-SHOW_FILES = YES
-
-# Set the SHOW_NAMESPACES tag to NO to disable the generation of the
-# Namespaces page.
-# This will remove the Namespaces entry from the Quick Index
-# and from the Folder Tree View (if specified). The default is YES.
-
-SHOW_NAMESPACES = YES
-
-# The FILE_VERSION_FILTER tag can be used to specify a program or script that
-# doxygen should invoke to get the current version for each file (typically from
-# the version control system). Doxygen will invoke the program by executing (via
-# popen()) the command <command> <input-file>, where <command> is the value of
-# the FILE_VERSION_FILTER tag, and <input-file> is the name of an input file
-# provided by doxygen. Whatever the program writes to standard output
-# is used as the file version. See the manual for examples.
-
-FILE_VERSION_FILTER =
-
-# The LAYOUT_FILE tag can be used to specify a layout file which will be parsed
-# by doxygen. The layout file controls the global structure of the generated
-# output files in an output format independent way. The create the layout file
-# that represents doxygen's defaults, run doxygen with the -l option.
-# You can optionally specify a file name after the option, if omitted
-# DoxygenLayout.xml will be used as the name of the layout file.
-
-LAYOUT_FILE =
-
-#---------------------------------------------------------------------------
-# configuration options related to warning and progress messages
-#---------------------------------------------------------------------------
-
-# The QUIET tag can be used to turn on/off the messages that are generated
-# by doxygen. Possible values are YES and NO. If left blank NO is used.
-
-QUIET = YES
-
-# The WARNINGS tag can be used to turn on/off the warning messages that are
-# generated by doxygen. Possible values are YES and NO. If left blank
-# NO is used.
-
-WARNINGS = YES
-
-# If WARN_IF_UNDOCUMENTED is set to YES, then doxygen will generate warnings
-# for undocumented members. If EXTRACT_ALL is set to YES then this flag will
-# automatically be disabled.
-
-WARN_IF_UNDOCUMENTED = NO
-
-# If WARN_IF_DOC_ERROR is set to YES, doxygen will generate warnings for
-# potential errors in the documentation, such as not documenting some
-# parameters in a documented function, or documenting parameters that
-# don't exist or using markup commands wrongly.
-
-WARN_IF_DOC_ERROR = YES
-
-# This WARN_NO_PARAMDOC option can be abled to get warnings for
-# functions that are documented, but have no documentation for their parameters
-# or return value. If set to NO (the default) doxygen will only warn about
-# wrong or incomplete parameter documentation, but not about the absence of
-# documentation.
-
-WARN_NO_PARAMDOC = YES
-
-# The WARN_FORMAT tag determines the format of the warning messages that
-# doxygen can produce. The string should contain the $file, $line, and $text
-# tags, which will be replaced by the file and line number from which the
-# warning originated and the warning text. Optionally the format may contain
-# $version, which will be replaced by the version of the file (if it could
-# be obtained via FILE_VERSION_FILTER)
-
-WARN_FORMAT = "$file:$line: $text"
-
-# The WARN_LOGFILE tag can be used to specify a file to which warning
-# and error messages should be written. If left blank the output is written
-# to stderr.
-
-WARN_LOGFILE =
-
-#---------------------------------------------------------------------------
-# configuration options related to the input files
-#---------------------------------------------------------------------------
-
-# The INPUT tag can be used to specify the files and/or directories that contain
-# documented source files. You may enter file names like "myfile.cpp" or
-# directories like "/usr/src/myproject". Separate the files or directories
-# with spaces.
-
-INPUT = .
-
-# This tag can be used to specify the character encoding of the source files
-# that doxygen parses. Internally doxygen uses the UTF-8 encoding, which is
-# also the default input encoding. Doxygen uses libiconv (or the iconv built
-# into libc) for the transcoding. See http://www.gnu.org/software/libiconv for
-# the list of possible encodings.
-
-INPUT_ENCODING = UTF-8
-
-# If the value of the INPUT tag contains directories, you can use the
-# FILE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp
-# and *.h) to filter out the source-files in the directories. If left
-# blank the following patterns are tested:
-# *.c *.cc *.cxx *.cpp *.c++ *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh *.hxx
-# *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.py *.f90
-
-FILE_PATTERNS =
-
-# The RECURSIVE tag can be used to turn specify whether or not subdirectories
-# should be searched for input files as well. Possible values are YES and NO.
-# If left blank NO is used.
-
-RECURSIVE = YES
-
-# The EXCLUDE tag can be used to specify files and/or directories that should
-# excluded from the INPUT source files. This way you can easily exclude a
-# subdirectory from a directory tree whose root is specified with the INPUT tag.
-
-EXCLUDE = ./build \
- ./compat \
- util/configparser.c \
- util/configparser.h \
- util/configlexer.c \
- util/locks.h \
- pythonmod/unboundmodule.py \
- pythonmod/interface.h \
- pythonmod/examples/resgen.py \
- pythonmod/examples/resmod.py \
- pythonmod/examples/resip.py \
- libunbound/python/unbound.py \
- libunbound/python/libunbound_wrap.c \
- ./ldns-src \
- doc/control_proto_spec.txt \
- doc/requirements.txt
-
-# The EXCLUDE_SYMLINKS tag can be used select whether or not files or
-# directories that are symbolic links (a Unix filesystem feature) are excluded
-# from the input.
-
-EXCLUDE_SYMLINKS = NO
-
-# If the value of the INPUT tag contains directories, you can use the
-# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude
-# certain files from those directories. Note that the wildcards are matched
-# against the file with absolute path, so to exclude all test directories
-# for example use the pattern */test/*
-
-EXCLUDE_PATTERNS =
-
-# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names
-# (namespaces, classes, functions, etc.) that should be excluded from the
-# output. The symbol name can be a fully qualified name, a word, or if the
-# wildcard * is used, a substring. Examples: ANamespace, AClass,
-# AClass::ANamespace, ANamespace::*Test
-
-EXCLUDE_SYMBOLS =
-
-# The EXAMPLE_PATH tag can be used to specify one or more files or
-# directories that contain example code fragments that are included (see
-# the \include command).
-
-EXAMPLE_PATH =
-
-# If the value of the EXAMPLE_PATH tag contains directories, you can use the
-# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp
-# and *.h) to filter out the source-files in the directories. If left
-# blank all files are included.
-
-EXAMPLE_PATTERNS =
-
-# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be
-# searched for input files to be used with the \include or \dontinclude
-# commands irrespective of the value of the RECURSIVE tag.
-# Possible values are YES and NO. If left blank NO is used.
-
-EXAMPLE_RECURSIVE = NO
-
-# The IMAGE_PATH tag can be used to specify one or more files or
-# directories that contain image that are included in the documentation (see
-# the \image command).
-
-IMAGE_PATH =
-
-# The INPUT_FILTER tag can be used to specify a program that doxygen should
-# invoke to filter for each input file. Doxygen will invoke the filter program
-# by executing (via popen()) the command <filter> <input-file>, where <filter>
-# is the value of the INPUT_FILTER tag, and <input-file> is the name of an
-# input file. Doxygen will then use the output that the filter program writes
-# to standard output.
-# If FILTER_PATTERNS is specified, this tag will be
-# ignored.
-
-INPUT_FILTER =
-
-# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern
-# basis.
-# Doxygen will compare the file name with each pattern and apply the
-# filter if there is a match.
-# The filters are a list of the form:
-# pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further
-# info on how filters are used. If FILTER_PATTERNS is empty, INPUT_FILTER
-# is applied to all files.
-
-FILTER_PATTERNS =
-
-# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using
-# INPUT_FILTER) will be used to filter the input files when producing source
-# files to browse (i.e. when SOURCE_BROWSER is set to YES).
-
-FILTER_SOURCE_FILES = NO
-
-#---------------------------------------------------------------------------
-# configuration options related to source browsing
-#---------------------------------------------------------------------------
-
-# If the SOURCE_BROWSER tag is set to YES then a list of source files will
-# be generated. Documented entities will be cross-referenced with these sources.
-# Note: To get rid of all source code in the generated output, make sure also
-# VERBATIM_HEADERS is set to NO.
-
-SOURCE_BROWSER = NO
-
-# Setting the INLINE_SOURCES tag to YES will include the body
-# of functions and classes directly in the documentation.
-
-INLINE_SOURCES = NO
-
-# Setting the STRIP_CODE_COMMENTS tag to YES (the default) will instruct
-# doxygen to hide any special comment blocks from generated source code
-# fragments. Normal C and C++ comments will always remain visible.
-
-STRIP_CODE_COMMENTS = YES
-
-# If the REFERENCED_BY_RELATION tag is set to YES
-# then for each documented function all documented
-# functions referencing it will be listed.
-
-REFERENCED_BY_RELATION = YES
-
-# If the REFERENCES_RELATION tag is set to YES
-# then for each documented function all documented entities
-# called/used by that function will be listed.
-
-REFERENCES_RELATION = YES
-
-# If the REFERENCES_LINK_SOURCE tag is set to YES (the default)
-# and SOURCE_BROWSER tag is set to YES, then the hyperlinks from
-# functions in REFERENCES_RELATION and REFERENCED_BY_RELATION lists will
-# link to the source code.
-# Otherwise they will link to the documentation.
-
-REFERENCES_LINK_SOURCE = YES
-
-# If the USE_HTAGS tag is set to YES then the references to source code
-# will point to the HTML generated by the htags(1) tool instead of doxygen
-# built-in source browser. The htags tool is part of GNU's global source
-# tagging system (see http://www.gnu.org/software/global/global.html). You
-# will need version 4.8.6 or higher.
-
-USE_HTAGS = NO
-
-# If the VERBATIM_HEADERS tag is set to YES (the default) then Doxygen
-# will generate a verbatim copy of the header file for each class for
-# which an include is specified. Set to NO to disable this.
-
-VERBATIM_HEADERS = NO
-
-#---------------------------------------------------------------------------
-# configuration options related to the alphabetical class index
-#---------------------------------------------------------------------------
-
-# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index
-# of all compounds will be generated. Enable this if the project
-# contains a lot of classes, structs, unions or interfaces.
-
-ALPHABETICAL_INDEX = YES
-
-# If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then
-# the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns
-# in which this list will be split (can be a number in the range [1..20])
-
-COLS_IN_ALPHA_INDEX = 5
-
-# In case all classes in a project start with a common prefix, all
-# classes will be put under the same header in the alphabetical index.
-# The IGNORE_PREFIX tag can be used to specify one or more prefixes that
-# should be ignored while generating the index headers.
-
-IGNORE_PREFIX =
-
-#---------------------------------------------------------------------------
-# configuration options related to the HTML output
-#---------------------------------------------------------------------------
-
-# If the GENERATE_HTML tag is set to YES (the default) Doxygen will
-# generate HTML output.
-
-GENERATE_HTML = YES
-
-# The HTML_OUTPUT tag is used to specify where the HTML docs will be put.
-# If a relative path is entered the value of OUTPUT_DIRECTORY will be
-# put in front of it. If left blank `html' will be used as the default path.
-
-HTML_OUTPUT = html
-
-# The HTML_FILE_EXTENSION tag can be used to specify the file extension for
-# each generated HTML page (for example: .htm,.php,.asp). If it is left blank
-# doxygen will generate files with .html extension.
-
-HTML_FILE_EXTENSION = .html
-
-# The HTML_HEADER tag can be used to specify a personal HTML header for
-# each generated HTML page. If it is left blank doxygen will generate a
-# standard header.
-
-HTML_HEADER =
-
-# The HTML_FOOTER tag can be used to specify a personal HTML footer for
-# each generated HTML page. If it is left blank doxygen will generate a
-# standard footer.
-
-HTML_FOOTER =
-
-# If the HTML_TIMESTAMP tag is set to YES then the generated HTML
-# documentation will contain the timesstamp.
-
-HTML_TIMESTAMP = NO
-
-# The HTML_STYLESHEET tag can be used to specify a user-defined cascading
-# style sheet that is used by each HTML page. It can be used to
-# fine-tune the look of the HTML output. If the tag is left blank doxygen
-# will generate a default style sheet. Note that doxygen will try to copy
-# the style sheet file to the HTML output directory, so don't put your own
-# stylesheet in the HTML output directory as well, or it will be erased!
-
-HTML_STYLESHEET =
-
-# The HTML_COLORSTYLE_HUE tag controls the color of the HTML output.
-# Doxygen will adjust the colors in the stylesheet and background images
-# according to this color. Hue is specified as an angle on a colorwheel,
-# see http://en.wikipedia.org/wiki/Hue for more information.
-# For instance the value 0 represents red, 60 is yellow, 120 is green,
-# 180 is cyan, 240 is blue, 300 purple, and 360 is red again.
-# The allowed range is 0 to 359.
-
-#HTML_COLORSTYLE_HUE = 220
-
-# The HTML_COLORSTYLE_SAT tag controls the purity (or saturation) of
-# the colors in the HTML output. For a value of 0 the output will use
-# grayscales only. A value of 255 will produce the most vivid colors.
-
-#HTML_COLORSTYLE_SAT = 100
-
-# The HTML_COLORSTYLE_GAMMA tag controls the gamma correction applied to
-# the luminance component of the colors in the HTML output. Values below
-# 100 gradually make the output lighter, whereas values above 100 make
-# the output darker. The value divided by 100 is the actual gamma applied,
-# so 80 represents a gamma of 0.8, The value 220 represents a gamma of 2.2,
-# and 100 does not change the gamma.
-
-#HTML_COLORSTYLE_GAMMA = 80
-
-# If the HTML_TIMESTAMP tag is set to YES then the footer of each generated HTML
-# page will contain the date and time when the page was generated. Setting
-# this to NO can help when comparing the output of multiple runs.
-
-HTML_TIMESTAMP = YES
-
-# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes,
-# files or namespaces will be aligned in HTML using tables. If set to
-# NO a bullet list will be used.
-
-#HTML_ALIGN_MEMBERS = YES
-
-# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML
-# documentation will contain sections that can be hidden and shown after the
-# page has loaded. For this to work a browser that supports
-# JavaScript and DHTML is required (for instance Mozilla 1.0+, Firefox
-# Netscape 6.0+, Internet explorer 5.0+, Konqueror, or Safari).
-
-HTML_DYNAMIC_SECTIONS = NO
-
-# If the GENERATE_DOCSET tag is set to YES, additional index files
-# will be generated that can be used as input for Apple's Xcode 3
-# integrated development environment, introduced with OSX 10.5 (Leopard).
-# To create a documentation set, doxygen will generate a Makefile in the
-# HTML output directory. Running make will produce the docset in that
-# directory and running "make install" will install the docset in
-# ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find
-# it at startup.
-# See http://developer.apple.com/tools/creatingdocsetswithdoxygen.html
-# for more information.
-
-GENERATE_DOCSET = NO
-
-# When GENERATE_DOCSET tag is set to YES, this tag determines the name of the
-# feed. A documentation feed provides an umbrella under which multiple
-# documentation sets from a single provider (such as a company or product suite)
-# can be grouped.
-
-DOCSET_FEEDNAME = "Doxygen generated docs"
-
-# When GENERATE_DOCSET tag is set to YES, this tag specifies a string that
-# should uniquely identify the documentation set bundle. This should be a
-# reverse domain-name style string, e.g. com.mycompany.MyDocSet. Doxygen
-# will append .docset to the name.
-
-DOCSET_BUNDLE_ID = org.doxygen.Project
-
-# When GENERATE_PUBLISHER_ID tag specifies a string that should uniquely identify
-# the documentation publisher. This should be a reverse domain-name style
-# string, e.g. com.mycompany.MyDocSet.documentation.
-
-#DOCSET_PUBLISHER_ID = org.doxygen.Publisher
-
-# The GENERATE_PUBLISHER_NAME tag identifies the documentation publisher.
-
-#DOCSET_PUBLISHER_NAME = Publisher
-
-# If the GENERATE_HTMLHELP tag is set to YES, additional index files
-# will be generated that can be used as input for tools like the
-# Microsoft HTML help workshop to generate a compiled HTML help file (.chm)
-# of the generated HTML documentation.
-
-GENERATE_HTMLHELP = NO
-
-# If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can
-# be used to specify the file name of the resulting .chm file. You
-# can add a path in front of the file if the result should not be
-# written to the html output directory.
-
-CHM_FILE =
-
-# If the GENERATE_HTMLHELP tag is set to YES, the HHC_LOCATION tag can
-# be used to specify the location (absolute path including file name) of
-# the HTML help compiler (hhc.exe). If non-empty doxygen will try to run
-# the HTML help compiler on the generated index.hhp.
-
-HHC_LOCATION =
-
-# If the GENERATE_HTMLHELP tag is set to YES, the GENERATE_CHI flag
-# controls if a separate .chi index file is generated (YES) or that
-# it should be included in the master .chm file (NO).
-
-GENERATE_CHI = NO
-
-# If the GENERATE_HTMLHELP tag is set to YES, the CHM_INDEX_ENCODING
-# is used to encode HtmlHelp index (hhk), content (hhc) and project file
-# content.
-
-CHM_INDEX_ENCODING =
-
-# If the GENERATE_HTMLHELP tag is set to YES, the BINARY_TOC flag
-# controls whether a binary table of contents is generated (YES) or a
-# normal table of contents (NO) in the .chm file.
-
-BINARY_TOC = NO
-
-# The TOC_EXPAND flag can be set to YES to add extra items for group members
-# to the contents of the HTML help documentation and to the tree view.
-
-TOC_EXPAND = NO
-
-# If the GENERATE_QHP tag is set to YES and both QHP_NAMESPACE and
-# QHP_VIRTUAL_FOLDER are set, an additional index file will be generated
-# that can be used as input for Qt's qhelpgenerator to generate a
-# Qt Compressed Help (.qch) of the generated HTML documentation.
-
-GENERATE_QHP = NO
-
-# If the QHG_LOCATION tag is specified, the QCH_FILE tag can
-# be used to specify the file name of the resulting .qch file.
-# The path specified is relative to the HTML output folder.
-
-QCH_FILE =
-
-# The QHP_NAMESPACE tag specifies the namespace to use when generating
-# Qt Help Project output. For more information please see
-# http://doc.trolltech.com/qthelpproject.html#namespace
-
-QHP_NAMESPACE = org.doxygen.Project
-
-# The QHP_VIRTUAL_FOLDER tag specifies the namespace to use when generating
-# Qt Help Project output. For more information please see
-# http://doc.trolltech.com/qthelpproject.html#virtual-folders
-
-QHP_VIRTUAL_FOLDER = doc
-
-# If QHP_CUST_FILTER_NAME is set, it specifies the name of a custom filter to
-# add. For more information please see
-# http://doc.trolltech.com/qthelpproject.html#custom-filters
-
-QHP_CUST_FILTER_NAME =
-
-# The QHP_CUST_FILT_ATTRS tag specifies the list of the attributes of the
-# custom filter to add. For more information please see
-# <a href="http://doc.trolltech.com/qthelpproject.html#custom-filters">
-# Qt Help Project / Custom Filters</a>.
-
-QHP_CUST_FILTER_ATTRS =
-
-# The QHP_SECT_FILTER_ATTRS tag specifies the list of the attributes this
-# project's
-# filter section matches.
-# <a href="http://doc.trolltech.com/qthelpproject.html#filter-attributes">
-# Qt Help Project / Filter Attributes</a>.
-
-QHP_SECT_FILTER_ATTRS =
-
-# If the GENERATE_QHP tag is set to YES, the QHG_LOCATION tag can
-# be used to specify the location of Qt's qhelpgenerator.
-# If non-empty doxygen will try to run qhelpgenerator on the generated
-# .qhp file.
-
-QHG_LOCATION =
-
-# If the GENERATE_ECLIPSEHELP tag is set to YES, additional index files
-# will be generated, which together with the HTML files, form an Eclipse help
-# plugin. To install this plugin and make it available under the help contents
-# menu in Eclipse, the contents of the directory containing the HTML and XML
-# files needs to be copied into the plugins directory of eclipse. The name of
-# the directory within the plugins directory should be the same as
-# the ECLIPSE_DOC_ID value. After copying Eclipse needs to be restarted before
-# the help appears.
-
-GENERATE_ECLIPSEHELP = NO
-
-# A unique identifier for the eclipse help plugin. When installing the plugin
-# the directory name containing the HTML and XML files should also have
-# this name.
-
-ECLIPSE_DOC_ID = org.doxygen.Project
-
-# The DISABLE_INDEX tag can be used to turn on/off the condensed index at
-# top of each HTML page. The value NO (the default) enables the index and
-# the value YES disables it.
-
-DISABLE_INDEX = NO
-
-# This tag can be used to set the number of enum values (range [1..20])
-# that doxygen will group on one line in the generated HTML documentation.
-
-ENUM_VALUES_PER_LINE = 4
-
-# The GENERATE_TREEVIEW tag is used to specify whether a tree-like index
-# structure should be generated to display hierarchical information.
-# If the tag value is set to YES, a side panel will be generated
-# containing a tree-like index structure (just like the one that
-# is generated for HTML Help). For this to work a browser that supports
-# JavaScript, DHTML, CSS and frames is required (i.e. any modern browser).
-# Windows users are probably better off using the HTML help feature.
-
-GENERATE_TREEVIEW = NO
-
-# By enabling USE_INLINE_TREES, doxygen will generate the Groups, Directories,
-# and Class Hierarchy pages using a tree view instead of an ordered list.
-
-#USE_INLINE_TREES = NO
-
-# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be
-# used to set the initial width (in pixels) of the frame in which the tree
-# is shown.
-
-TREEVIEW_WIDTH = 250
-
-# When the EXT_LINKS_IN_WINDOW option is set to YES doxygen will open
-# links to external symbols imported via tag files in a separate window.
-
-#EXT_LINKS_IN_WINDOW = NO
-
-# Use this tag to change the font size of Latex formulas included
-# as images in the HTML documentation. The default is 10. Note that
-# when you change the font size after a successful doxygen run you need
-# to manually remove any form_*.png images from the HTML output directory
-# to force them to be regenerated.
-
-FORMULA_FONTSIZE = 10
-
-# Use the FORMULA_TRANPARENT tag to determine whether or not the images
-# generated for formulas are transparent PNGs. Transparent PNGs are
-# not supported properly for IE 6.0, but are supported on all modern browsers.
-# Note that when changing this option you need to delete any form_*.png files
-# in the HTML output before the changes have effect.
-
-#FORMULA_TRANSPARENT = YES
-
-# When the SEARCHENGINE tag is enabled doxygen will generate a search box
-# for the HTML output. The underlying search engine uses javascript
-# and DHTML and should work on any modern browser. Note that when using
-# HTML help (GENERATE_HTMLHELP), Qt help (GENERATE_QHP), or docsets
-# (GENERATE_DOCSET) there is already a search function so this one should
-# typically be disabled. For large projects the javascript based search engine
-# can be slow, then enabling SERVER_BASED_SEARCH may provide a better solution.
-
-SEARCHENGINE = NO
-
-# When the SERVER_BASED_SEARCH tag is enabled the search engine will be
-# implemented using a PHP enabled web server instead of at the web client
-# using Javascript. Doxygen will generate the search PHP script and index
-# file to put on the web server. The advantage of the server
-# based approach is that it scales better to large projects and allows
-# full text search. The disadvances is that it is more difficult to setup
-# and does not have live searching capabilities.
-
-SERVER_BASED_SEARCH = NO
-
-#---------------------------------------------------------------------------
-# configuration options related to the LaTeX output
-#---------------------------------------------------------------------------
-
-# If the GENERATE_LATEX tag is set to YES (the default) Doxygen will
-# generate Latex output.
-
-GENERATE_LATEX = NO
-
-# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put.
-# If a relative path is entered the value of OUTPUT_DIRECTORY will be
-# put in front of it. If left blank `latex' will be used as the default path.
-
-LATEX_OUTPUT = latex
-
-# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be
-# invoked. If left blank `latex' will be used as the default command name.
-# Note that when enabling USE_PDFLATEX this option is only used for
-# generating bitmaps for formulas in the HTML output, but not in the
-# Makefile that is written to the output directory.
-
-LATEX_CMD_NAME = latex
-
-# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to
-# generate index for LaTeX. If left blank `makeindex' will be used as the
-# default command name.
-
-MAKEINDEX_CMD_NAME = makeindex
-
-# If the COMPACT_LATEX tag is set to YES Doxygen generates more compact
-# LaTeX documents. This may be useful for small projects and may help to
-# save some trees in general.
-
-COMPACT_LATEX = NO
-
-# The PAPER_TYPE tag can be used to set the paper type that is used
-# by the printer. Possible values are: a4, a4wide, letter, legal and
-# executive. If left blank a4wide will be used.
-
-PAPER_TYPE = a4wide
-
-# The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX
-# packages that should be included in the LaTeX output.
-
-EXTRA_PACKAGES =
-
-# The LATEX_HEADER tag can be used to specify a personal LaTeX header for
-# the generated latex document. The header should contain everything until
-# the first chapter. If it is left blank doxygen will generate a
-# standard header. Notice: only use this tag if you know what you are doing!
-
-LATEX_HEADER =
-
-# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated
-# is prepared for conversion to pdf (using ps2pdf). The pdf file will
-# contain links (just like the HTML output) instead of page references
-# This makes the output suitable for online browsing using a pdf viewer.
-
-PDF_HYPERLINKS = NO
-
-# If the USE_PDFLATEX tag is set to YES, pdflatex will be used instead of
-# plain latex in the generated Makefile. Set this option to YES to get a
-# higher quality PDF documentation.
-
-USE_PDFLATEX = NO
-
-# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \\batchmode.
-# command to the generated LaTeX files. This will instruct LaTeX to keep
-# running if errors occur, instead of asking the user for help.
-# This option is also used when generating formulas in HTML.
-
-LATEX_BATCHMODE = NO
-
-# If LATEX_HIDE_INDICES is set to YES then doxygen will not
-# include the index chapters (such as File Index, Compound Index, etc.)
-# in the output.
-
-LATEX_HIDE_INDICES = NO
-
-# If LATEX_SOURCE_CODE is set to YES then doxygen will include
-# source code with syntax highlighting in the LaTeX output.
-# Note that which sources are shown also depends on other settings
-# such as SOURCE_BROWSER.
-
-LATEX_SOURCE_CODE = NO
-
-#---------------------------------------------------------------------------
-# configuration options related to the RTF output
-#---------------------------------------------------------------------------
-
-# If the GENERATE_RTF tag is set to YES Doxygen will generate RTF output
-# The RTF output is optimized for Word 97 and may not look very pretty with
-# other RTF readers or editors.
-
-GENERATE_RTF = NO
-
-# The RTF_OUTPUT tag is used to specify where the RTF docs will be put.
-# If a relative path is entered the value of OUTPUT_DIRECTORY will be
-# put in front of it. If left blank `rtf' will be used as the default path.
-
-RTF_OUTPUT = rtf
-
-# If the COMPACT_RTF tag is set to YES Doxygen generates more compact
-# RTF documents. This may be useful for small projects and may help to
-# save some trees in general.
-
-COMPACT_RTF = NO
-
-# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated
-# will contain hyperlink fields. The RTF file will
-# contain links (just like the HTML output) instead of page references.
-# This makes the output suitable for online browsing using WORD or other
-# programs which support those fields.
-# Note: wordpad (write) and others do not support links.
-
-RTF_HYPERLINKS = NO
-
-# Load stylesheet definitions from file. Syntax is similar to doxygen's
-# config file, i.e. a series of assignments. You only have to provide
-# replacements, missing definitions are set to their default value.
-
-RTF_STYLESHEET_FILE =
-
-# Set optional variables used in the generation of an rtf document.
-# Syntax is similar to doxygen's config file.
-
-RTF_EXTENSIONS_FILE =
-
-#---------------------------------------------------------------------------
-# configuration options related to the man page output
-#---------------------------------------------------------------------------
-
-# If the GENERATE_MAN tag is set to YES (the default) Doxygen will
-# generate man pages
-
-GENERATE_MAN = NO
-
-# The MAN_OUTPUT tag is used to specify where the man pages will be put.
-# If a relative path is entered the value of OUTPUT_DIRECTORY will be
-# put in front of it. If left blank `man' will be used as the default path.
-
-MAN_OUTPUT = man
-
-# The MAN_EXTENSION tag determines the extension that is added to
-# the generated man pages (default is the subroutine's section .3)
-
-MAN_EXTENSION = .3
-
-# If the MAN_LINKS tag is set to YES and Doxygen generates man output,
-# then it will generate one additional man file for each entity
-# documented in the real man page(s). These additional files
-# only source the real man page, but without them the man command
-# would be unable to find the correct page. The default is NO.
-
-MAN_LINKS = NO
-
-#---------------------------------------------------------------------------
-# configuration options related to the XML output
-#---------------------------------------------------------------------------
-
-# If the GENERATE_XML tag is set to YES Doxygen will
-# generate an XML file that captures the structure of
-# the code including all documentation.
-
-GENERATE_XML = YES
-
-# The XML_OUTPUT tag is used to specify where the XML pages will be put.
-# If a relative path is entered the value of OUTPUT_DIRECTORY will be
-# put in front of it. If left blank `xml' will be used as the default path.
-
-XML_OUTPUT = xml
-
-# The XML_SCHEMA tag can be used to specify an XML schema,
-# which can be used by a validating XML parser to check the
-# syntax of the XML files.
-
-#XML_SCHEMA =
-
-# The XML_DTD tag can be used to specify an XML DTD,
-# which can be used by a validating XML parser to check the
-# syntax of the XML files.
-
-#XML_DTD =
-
-# If the XML_PROGRAMLISTING tag is set to YES Doxygen will
-# dump the program listings (including syntax highlighting
-# and cross-referencing information) to the XML output. Note that
-# enabling this will significantly increase the size of the XML output.
-
-XML_PROGRAMLISTING = YES
-
-#---------------------------------------------------------------------------
-# configuration options for the AutoGen Definitions output
-#---------------------------------------------------------------------------
-
-# If the GENERATE_AUTOGEN_DEF tag is set to YES Doxygen will
-# generate an AutoGen Definitions (see autogen.sf.net) file
-# that captures the structure of the code including all
-# documentation. Note that this feature is still experimental
-# and incomplete at the moment.
-
-GENERATE_AUTOGEN_DEF = NO
-
-#---------------------------------------------------------------------------
-# configuration options related to the Perl module output
-#---------------------------------------------------------------------------
-
-# If the GENERATE_PERLMOD tag is set to YES Doxygen will
-# generate a Perl module file that captures the structure of
-# the code including all documentation. Note that this
-# feature is still experimental and incomplete at the
-# moment.
-
-GENERATE_PERLMOD = NO
-
-# If the PERLMOD_LATEX tag is set to YES Doxygen will generate
-# the necessary Makefile rules, Perl scripts and LaTeX code to be able
-# to generate PDF and DVI output from the Perl module output.
-
-PERLMOD_LATEX = NO
-
-# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be
-# nicely formatted so it can be parsed by a human reader.
-# This is useful
-# if you want to understand what is going on.
-# On the other hand, if this
-# tag is set to NO the size of the Perl module output will be much smaller
-# and Perl will parse it just the same.
-
-PERLMOD_PRETTY = YES
-
-# The names of the make variables in the generated doxyrules.make file
-# are prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX.
-# This is useful so different doxyrules.make files included by the same
-# Makefile don't overwrite each other's variables.
-
-PERLMOD_MAKEVAR_PREFIX =
-
-#---------------------------------------------------------------------------
-# Configuration options related to the preprocessor
-#---------------------------------------------------------------------------
-
-# If the ENABLE_PREPROCESSING tag is set to YES (the default) Doxygen will
-# evaluate all C-preprocessor directives found in the sources and include
-# files.
-
-ENABLE_PREPROCESSING = YES
-
-# If the MACRO_EXPANSION tag is set to YES Doxygen will expand all macro
-# names in the source code. If set to NO (the default) only conditional
-# compilation will be performed. Macro expansion can be done in a controlled
-# way by setting EXPAND_ONLY_PREDEF to YES.
-
-MACRO_EXPANSION = YES
-
-# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES
-# then the macro expansion is limited to the macros specified with the
-# PREDEFINED and EXPAND_AS_DEFINED tags.
-
-EXPAND_ONLY_PREDEF = YES
-
-# If the SEARCH_INCLUDES tag is set to YES (the default) the includes files
-# in the INCLUDE_PATH (see below) will be search if a #include is found.
-
-SEARCH_INCLUDES = YES
-
-# The INCLUDE_PATH tag can be used to specify one or more directories that
-# contain include files that are not input files but should be processed by
-# the preprocessor.
-
-INCLUDE_PATH =
-
-# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard
-# patterns (like *.h and *.hpp) to filter out the header-files in the
-# directories. If left blank, the patterns specified with FILE_PATTERNS will
-# be used.
-
-INCLUDE_FILE_PATTERNS = *.h
-
-# The PREDEFINED tag can be used to specify one or more macro names that
-# are defined before the preprocessor is started (similar to the -D option of
-# gcc). The argument of the tag is a list of macros of the form: name
-# or name=definition (no spaces). If the definition and the = are
-# omitted =1 is assumed. To prevent a macro definition from being
-# undefined via #undef or recursively expanded use the := operator
-# instead of the = operator.
-
-PREDEFINED = DOXYGEN
-
-# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then
-# this tag can be used to specify a list of macro names that should be expanded.
-# The macro definition that is found in the sources will be used.
-# Use the PREDEFINED tag if you want to use a different macro definition.
-
-EXPAND_AS_DEFINED = ATTR_UNUSED
-
-# If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then
-# doxygen's preprocessor will remove all function-like macros that are alone
-# on a line, have an all uppercase name, and do not end with a semicolon. Such
-# function macros are typically used for boiler-plate code, and will confuse
-# the parser if not removed.
-
-SKIP_FUNCTION_MACROS = YES
-
-#---------------------------------------------------------------------------
-# Configuration::additions related to external references
-#---------------------------------------------------------------------------
-
-# The TAGFILES option can be used to specify one or more tagfiles.
-# Optionally an initial location of the external documentation
-# can be added for each tagfile. The format of a tag file without
-# this location is as follows:
-#
-# TAGFILES = file1 file2 ...
-# Adding location for the tag files is done as follows:
-#
-# TAGFILES = file1=loc1 "file2 = loc2" ...
-# where "loc1" and "loc2" can be relative or absolute paths or
-# URLs. If a location is present for each tag, the installdox tool
-# does not have to be run to correct the links.
-# Note that each tag file must have a unique name
-# (where the name does NOT include the path)
-# If a tag file is not located in the directory in which doxygen
-# is run, you must also specify the path to the tagfile here.
-
-TAGFILES =
-
-# When a file name is specified after GENERATE_TAGFILE, doxygen will create
-# a tag file that is based on the input files it reads.
-
-GENERATE_TAGFILE =
-
-# If the ALLEXTERNALS tag is set to YES all external classes will be listed
-# in the class index. If set to NO only the inherited external classes
-# will be listed.
-
-ALLEXTERNALS = NO
-
-# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed
-# in the modules index. If set to NO, only the current project's groups will
-# be listed.
-
-EXTERNAL_GROUPS = YES
-
-# The PERL_PATH should be the absolute path and name of the perl script
-# interpreter (i.e. the result of `which perl').
-
-PERL_PATH = /usr/bin/perl
-
-#---------------------------------------------------------------------------
-# Configuration options related to the dot tool
-#---------------------------------------------------------------------------
-
-# If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will
-# generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base
-# or super classes. Setting the tag to NO turns the diagrams off. Note that
-# this option is superseded by the HAVE_DOT option below. This is only a
-# fallback. It is recommended to install and use dot, since it yields more
-# powerful graphs.
-
-CLASS_DIAGRAMS = YES
-
-# You can define message sequence charts within doxygen comments using the \msc
-# command. Doxygen will then run the mscgen tool (see
-# http://www.mcternan.me.uk/mscgen/) to produce the chart and insert it in the
-# documentation. The MSCGEN_PATH tag allows you to specify the directory where
-# the mscgen tool resides. If left empty the tool is assumed to be found in the
-# default search path.
-
-MSCGEN_PATH =
-
-# If set to YES, the inheritance and collaboration graphs will hide
-# inheritance and usage relations if the target is undocumented
-# or is not a class.
-
-HIDE_UNDOC_RELATIONS = YES
-
-# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is
-# available from the path. This tool is part of Graphviz, a graph visualization
-# toolkit from AT&T and Lucent Bell Labs. The other options in this section
-# have no effect if this option is set to NO (the default)
-
-HAVE_DOT = NO
-
-# The DOT_NUM_THREADS specifies the number of dot invocations doxygen is
-# allowed to run in parallel. When set to 0 (the default) doxygen will
-# base this on the number of processors available in the system. You can set it
-# explicitly to a value larger than 0 to get control over the balance
-# between CPU load and processing speed.
-
-#DOT_NUM_THREADS = 0
-
-# By default doxygen will write a font called FreeSans.ttf to the output
-# directory and reference it in all dot files that doxygen generates. This
-# font does not include all possible unicode characters however, so when you need
-# these (or just want a differently looking font) you can specify the font name
-# using DOT_FONTNAME. You need need to make sure dot is able to find the font,
-# which can be done by putting it in a standard location or by setting the
-# DOTFONTPATH environment variable or by setting DOT_FONTPATH to the directory
-# containing the font.
-
-#DOT_FONTNAME = FreeSans.ttf
-
-# The DOT_FONTSIZE tag can be used to set the size of the font of dot graphs.
-# The default size is 10pt.
-
-DOT_FONTSIZE = 10
-
-# By default doxygen will tell dot to use the output directory to look for the
-# FreeSans.ttf font (which doxygen will put there itself). If you specify a
-# different font using DOT_FONTNAME you can set the path where dot
-# can find it using this tag.
-
-DOT_FONTPATH =
-
-# If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen
-# will generate a graph for each documented class showing the direct and
-# indirect inheritance relations. Setting this tag to YES will force the
-# the CLASS_DIAGRAMS tag to NO.
-
-CLASS_GRAPH = YES
-
-# If the COLLABORATION_GRAPH and HAVE_DOT tags are set to YES then doxygen
-# will generate a graph for each documented class showing the direct and
-# indirect implementation dependencies (inheritance, containment, and
-# class references variables) of the class with other documented classes.
-
-COLLABORATION_GRAPH = YES
-
-# If the GROUP_GRAPHS and HAVE_DOT tags are set to YES then doxygen
-# will generate a graph for groups, showing the direct groups dependencies
-
-GROUP_GRAPHS = YES
-
-# If the UML_LOOK tag is set to YES doxygen will generate inheritance and
-# collaboration diagrams in a style similar to the OMG's Unified Modeling
-# Language.
-
-UML_LOOK = NO
-
-# If set to YES, the inheritance and collaboration graphs will show the
-# relations between templates and their instances.
-
-TEMPLATE_RELATIONS = NO
-
-# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDE_GRAPH, and HAVE_DOT
-# tags are set to YES then doxygen will generate a graph for each documented
-# file showing the direct and indirect include dependencies of the file with
-# other documented files.
-
-INCLUDE_GRAPH = YES
-
-# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDED_BY_GRAPH, and
-# HAVE_DOT tags are set to YES then doxygen will generate a graph for each
-# documented header file showing the documented files that directly or
-# indirectly include this file.
-
-INCLUDED_BY_GRAPH = YES
-
-# If the CALL_GRAPH and HAVE_DOT options are set to YES then
-# doxygen will generate a call dependency graph for every global function
-# or class method. Note that enabling this option will significantly increase
-# the time of a run. So in most cases it will be better to enable call graphs
-# for selected functions only using the \callgraph command.
-
-CALL_GRAPH = NO
-
-# If the CALLER_GRAPH and HAVE_DOT tags are set to YES then
-# doxygen will generate a caller dependency graph for every global function
-# or class method. Note that enabling this option will significantly increase
-# the time of a run. So in most cases it will be better to enable caller
-# graphs for selected functions only using the \callergraph command.
-
-CALLER_GRAPH = NO
-
-# If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen
-# will graphical hierarchy of all classes instead of a textual one.
-
-GRAPHICAL_HIERARCHY = YES
-
-# If the DIRECTORY_GRAPH, SHOW_DIRECTORIES and HAVE_DOT tags are set to YES
-# then doxygen will show the dependencies a directory has on other directories
-# in a graphical way. The dependency relations are determined by the #include
-# relations between the files in the directories.
-
-DIRECTORY_GRAPH = YES
-
-# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images
-# generated by dot. Possible values are png, jpg, or gif
-# If left blank png will be used.
-
-DOT_IMAGE_FORMAT = png
-
-# The tag DOT_PATH can be used to specify the path where the dot tool can be
-# found. If left blank, it is assumed the dot tool can be found in the path.
-
-DOT_PATH =
-
-# The DOTFILE_DIRS tag can be used to specify one or more directories that
-# contain dot files that are included in the documentation (see the
-# \dotfile command).
-
-DOTFILE_DIRS =
-
-# The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of
-# nodes that will be shown in the graph. If the number of nodes in a graph
-# becomes larger than this value, doxygen will truncate the graph, which is
-# visualized by representing a node as a red box. Note that doxygen if the
-# number of direct children of the root node in a graph is already larger than
-# DOT_GRAPH_MAX_NODES then the graph will not be shown at all. Also note
-# that the size of a graph can be further restricted by MAX_DOT_GRAPH_DEPTH.
-
-DOT_GRAPH_MAX_NODES = 50
-
-# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the
-# graphs generated by dot. A depth value of 3 means that only nodes reachable
-# from the root by following a path via at most 3 edges will be shown. Nodes
-# that lay further from the root node will be omitted. Note that setting this
-# option to 1 or 2 may greatly reduce the computation time needed for large
-# code bases. Also note that the size of a graph can be further restricted by
-# DOT_GRAPH_MAX_NODES. Using a depth of 0 means no depth restriction.
-
-MAX_DOT_GRAPH_DEPTH = 0
-
-# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent
-# background. This is disabled by default, because dot on Windows does not
-# seem to support this out of the box. Warning: Depending on the platform used,
-# enabling this option may lead to badly anti-aliased labels on the edges of
-# a graph (i.e. they become hard to read).
-
-DOT_TRANSPARENT = NO
-
-# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output
-# files in one run (i.e. multiple -o and -T options on the command line). This
-# makes dot run faster, but since only newer versions of dot (>1.8.10)
-# support this, this feature is disabled by default.
-
-DOT_MULTI_TARGETS = NO
-
-# If the GENERATE_LEGEND tag is set to YES (the default) Doxygen will
-# generate a legend page explaining the meaning of the various boxes and
-# arrows in the dot generated graphs.
-
-GENERATE_LEGEND = YES
-
-# If the DOT_CLEANUP tag is set to YES (the default) Doxygen will
-# remove the intermediate dot files that are used to generate
-# the various graphs.
-
-DOT_CLEANUP = YES
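Review bot: dropping these Doxygen graph settings (INCLUDE_GRAPH, CALL_GRAPH, DOT_PATH, DOT_GRAPH_MAX_NODES and the rest) together with the whole configuration file leaves nothing documenting how the vendored Unbound sources are meant to be built into API docs; please state in the commit message where that documentation now comes from, and check that no build or doc target in the tree still invokes doxygen on this file, since such a target would now fail silently or noisily depending on how it is wired. Nothing else in the hunk needs attention.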