Diffstat (limited to '')
22 files changed, 0 insertions, 13361 deletions
diff --git a/external/unbound/doc/CREDITS b/external/unbound/doc/CREDITS deleted file mode 100644 index 805327ad6..000000000 --- a/external/unbound/doc/CREDITS +++ /dev/null @@ -1,23 +0,0 @@ -Unbound was developed at NLnet Labs by Wouter Wijngaards. - -Unbound was architected in January of 2004 by Jakob Schlyter of Kirei -and Roy Arends of Nominet. VeriSign and EP.Net funded development of -the prototype, which was built by David Blacka and Matt Larson of VeriSign. -Late in 2006, NLnet Labs joined the effort, writing an implementation in C -based on the existing prototype and using experience NLnet Labs gained -during the development of NSD, an authoritative DNS server. - -At NLnet Labs, Jelte Jansen, Mark Santcroos and Matthijs Mekking -reviewed the unbound C sources. - -Jakob Schlyter - for advice on secure settings, random numbers and blacklists. -Ondřej Surý - running coverity analysis tool on 0.9 dev version. -Alexander Gall - multihomed, anycast testing of unbound resolver server. -Zdenek Vasicek and Marek Vavrusa - python module. -cz.nic - sponsoring 'summer of code' development by Zdenek and Marek. -Brett Carr - windows beta testing. -Luca Bruno - patch for windows support in libunbound hosts and resolvconf(). -Tom Hendrikx - contributed split-itar.sh a useful script to 5011-track ITAR. -Daisuke HIGASHI - patch for rrset-roundrobin and minimal-responses. -Simon Perrault - DNS64 module. -Robert Edmonds - dnstap code. diff --git a/external/unbound/doc/Changelog b/external/unbound/doc/Changelog deleted file mode 100644 index 8f8d6daea..000000000 --- a/external/unbound/doc/Changelog +++ /dev/null 
@@ -1,7114 +0,0 @@ -13 June 2017: Wouter - - Fix #1280: Unbound fails assert when response from authoritative - contains malformed qname. When 0x20 caps-for-id is enabled, when - assertions are not enabled the malformed qname is handled correctly. - - tag for 1.6.3 - -13 April 2017: Wouter - - Fix #1250: inconsistent indentation in services/listen_dnsport.c. - - tag for 1.6.2rc1 - -12 April 2017: Wouter - - subnet mem value is available in shm, also when not enabled, - to make the struct easier to memmap by other applications, - independent of the configuration of unbound. - -12 April 2017: Ralph - - Fix #1247: unbound does not shorten source prefix length when - forwarding ECS. - - Properly check for allocation failure in local_data_find_tag_datas. - - Fix #1249: unbound doesn't return FORMERR to bogus ECS. - - Set SHM ECS memory usage to 0 when module not loaded. - -11 April 2017: Ralph - - Display ECS module memory usage. - -10 April 2017: Wouter - - harden-algo-downgrade: no also makes unbound more lenient about - digest algorithms in DS records. - -10 April 2017: Ralph - - Remove ECS option after REFUSED answer. - - Fix small memory leak in edns_opt_copy_alloc. - - Respip dereference after NULL check. - - Zero initialize addrtree allocation. - - Use correct identifier for SHM destroy. - -7 April 2017: George - - Fix pythonmod for cb changes. - - Some whitespace fixup. 
- -7 April 2017: Ralph - - Unlock view in respip unit test - -6 April 2017: Ralph - - Generalise inplace callback (de)registration - - (de)register inplace callbacks for module id - - No unbound-control set_option for ECS options - - Deprecated client-subnet-opcode config option - - Introduced client-subnet-always-forward config option - - Changed max-client-subnet-ipv6 default to 56 (as in RFC) - - Removed extern ECS config options - - module_restart_next now calls clear on all following modules - - Also create ECS module qstate on module_event_pass event - - remove malloc from inplace_cb_register - -6 April 2017: Wouter - - Small fixup for documentation. - - iana portlist update - - Fix respip for braces when locks arent used. - - Fix pythonmod for cb changes. - -4 April 2017: Wouter - - Fix #1244: document that use of chroot requires trust anchor file to - be under chroot. - - iana portlist update - -3 April 2017: Ralph - - Do not add current time twice to TTL before ECS cache store. - - Do not touch rrset cache after ECS cache message generation. - - Use LDNS_EDNS_CLIENT_SUBNET as default ECS opcode. - -3 April 2017: Wouter - - Fix #1217: Add metrics to unbound-control interface showing - crypted, cert request, plaintext and malformed queries (from - Manu Bretelle). - - iana portlist update - -27 March 2017: Wouter - - Remove (now unused) event2 include from dnscrypt code. - -24 March 2017: George - - Fix to prevent non-referal query from being cached as referal when the - no_cache_store flag was set. - -23 March 2017: Wouter - - Fix #1239: configure fails to find python distutils if python - prints warning. - -22 March 2017: Wouter - - Fix #1238: segmentation fault when adding through the remote - interface a per-view local zone to a view with no previous - (configured) local zones. - - Fix #1229: Systemd service sandboxing, options in wrong sections. 
- -21 March 2017: Ralph - - Merge EDNS Client subnet implementation from feature branch into main - branch, using new EDNS processing framework. - -21 March 2017: Wouter - - Fix doxygen for dnscrypt files. - -20 March 2017: Wouter - - #1217. DNSCrypt support, with --enable-dnscrypt, libsodium and then - enabled in the config file from Manu Bretelle. - - make depend, autoconf, remove warnings about statement before var. - - lru_demote and lruhash_insert_or_retrieve functions for getdns. - - fixup for lruhash (whitespace and header file comment). - - dnscrypt tests. - -17 March 2017: Wouter - - Patch for view functionality for local-data-ptr from Björn Ketelaars. - - Fix #1237 - Wrong resolving in chain, for norec queries that get - SERVFAIL returned. - -16 March 2017: Wouter - - Fix that SHM is not inited if not enabled. - - Add trustanchor.unbound CH TXT that gets a response with a number - of TXT RRs with a string like "example.com. 2345 1234" with - the trust anchors and their keytags. - - Fix that looped DNAMEs do not cause unbound to spend effort. - - trustanchor tags are sorted. reusable routine to fetch taglist. - -13 March 2017: Wouter - - testbound understands Deckard MATCH rcode question answer commands. - - Fix #1235: Fix too long DNAME expansion produces SERVFAIL instead - of YXDOMAIN + query loop, reported by Petr Spacek. - -10 March 2017: Wouter - - Fix #1234: shortening DNAME loop produces duplicate DNAME records - in ANSWER section. - -9 March 2017: Wouter - - --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and - DS records. NSEC3 is not disabled. - - fake-sha1 test option; print warning if used. To make unit tests. - - unbound-control list local zone and data commands listed in the - help output. - -8 March 2017: Wouter - - make depend for build dependencies. - - swig version 2.0.1 required. 
- - fix enum conversion warnings - -7 March 2017: Wouter - - Fix #1230: swig version 2.0.0 is required for pythonmod, with - 1.3.40 it crashes when running repeatly unbound-control reload. - - Response actions based on IP address from Jinmei Tatuya (Infoblox). - -6 March 2017: Wouter - - Fix #1229: Systemd service sandboxing in contrib/unbound.service. - - iana portlist update - -28 February 2017: Ralph - - Fix testpkts.c, check if DO bit is set, not only if there is an OPT - record. - -28 February 2017: Wouter - - For #1227: if we have sha256, set the cipher list to have no - known vulns. - -27 February 2017: Wouter - - Fix #1227: Fix that Unbound control allows weak ciphersuits. - - Fix #1226: provide official 32bit binary for windows. - -24 February 2017: Wouter - - include sys/time.h for new shm code on NetBSD. - -23 February 2017: Wouter - - Fix doc/CNAME-basedRedirectionDesignNotes.pdf zone static to - redirect. - - Patch from Luiz Fernando Softov for Stats Shared Memory. - - unbound-control stats_shm command prints stats using shared memory, - which uses less cpu. - - make depend, autoconf, doxygen and lint fixed up. - -22 February 2017: Wouter - - Fix #1224: Fix that defaults should not fall back to "Program Files - (x86) if Unbound is 64bit by default on windows. - -21 February 2017: Wouter - - iana portlist update - -16 February 2017: Wouter - - sldns updated for vfixed and buffer resize indication from getdns. - -15 February 2017: Wouter - - sldns has ED25519 and ED448 algorithm number and name for display. - -14 February 2017: Wouter - - tag 1.6.1rc3. -- which became 1.6.1 on 21feb, trunk has 1.6.2 - -13 February 2017: Wouter - - Fix autoconf of systemd check for lack of pkg-config. - -10 February 2017: Wouter - - Fix pythonmod for typedef changes. - - Fix dnstap for warning of set but not used. - - tag 1.6.1rc2. - -9 February 2017: Wouter - - tag 1.6.1rc1. - -8 February 2017: Wouter - - Fix for type name change and fix warning on windows compile. 
- -7 February 2017: Wouter - - Include root trust anchor id 20326 in unbound-anchor. - -6 February 2017: Wouter - - Fix compile on solaris of the fix to use $host detect. - -4 February 2017: Wouter - - fix root_anchor test for updated icannbundle.pem lower certificates. - -26 January 2017: Wouter - - Fix 1211: Fix can't enable interface-automatic if no IPv6 with - more helpful error message. - -20 January 2017: Wouter - - Increase MAX_MODULE to 16. - -19 January 2017: Wouter - - Fix to Rename ub_callback_t to ub_callback_type, because POSIX - reserves _t typedefs. - - Fix to rename internally used types from _t to _type, because _t - type names are reserved by POSIX. - - iana portlist update - -12 January 2017: Wouter - - Fix to also block meta types 128 through to 248 with formerr. - - Fix #1206: Some view-related commands are missing from 'unbound-control -h' - -9 January 2017: Wouter - - Fix #1202: Fix code comment that packed_rrset_data is not always - 'packed'. - -6 January 2017: Wouter - - Fix #1201: Fix missing unlock in answer_from_cache error condition. - -5 January 2017: Wouter - - Fix to return formerr for queries for meta-types, to avoid - packet amplification if this meta-type is sent on to upstream. - - Fix #1184: Log DNS replies. This includes the same logging - information that DNS queries and response code and response size, - patch from Larissa Feng. - - Fix #1185: Source IP rate limiting, patch from Larissa Feng. - -3 January 2017: Wouter - - configure --enable-systemd and lets unbound use systemd sockets if - you enable use-systemd: yes in unbound.conf. - Also there are contrib/unbound.socket and contrib/unbound.service: - systemd files for unbound, install them in /usr/lib/systemd/system. - Contributed by Sami Kerola and Pavel Odintsov. - - Fix reload chdir failure when also chrooted to that directory. - -2 January 2017: Wouter - - Fix #1194: Cross build fails when $host isn't `uname` for getentropy. 
- -23 December 2016: Ralph - - Fix #1190: Do not echo back EDNS options in local-zone error response. - - iana portlist update - -21 December 2016: Ralph - - Fix #1188: Unresolved symbol 'fake_dsa' in libunbound.so when built - with Nettle - -19 December 2016: Ralph - - Fix #1191: remove comment about view deletion. - -15 December 2016: Wouter - - iana portlist update - - 64bit is default for windows builds. - - Fix inet_ntop and inet_pton warnings in windows compile. - -14 December 2016: Wouter - - Fix #1178: attempt to fix setup error at end, pop result values - at end of install. - -13 December 2016: Wouter - - Fix #1182: Fix Resource leak (socket), at startup. - - Fix unbound-control and ipv6 only. - -9 December 2016: Wouter - - Fix #1176: stack size too small for Alpine Linux. - -8 December 2016: Wouter - - Fix downcast warnings from visual studio in sldns code. - - tag 1.6.0rc1 which became 1.6.0 on 15 dec, and trunk is 1.6.1. - -7 December 2016: Ralph - - Add DSA support for OpenSSL 1.1.0 - - Fix remote control without cert for LibreSSL - -6 December 2016: George - - Added generic EDNS code for registering known EDNS option codes, - bypassing the cache response stage and uniquifying mesh states. Four EDNS - option lists were added to module_qstate (module_qstate.edns_opts_*) to - store EDNS options from/to front/back side. - - Added two flags to module_qstate (no_cache_lookup, no_cache_store) that - control the modules' cache interactions. - - Added code for registering inplace callback functions. The registered - functions can be called just before replying with local data or Chaos, - replying from cache, replying with SERVFAIL, replying with a resolved - query, sending a query to a nameserver. The functions can inspect the - available data and maybe change response/query related data (i.e. append - EDNS options). - - Updated Python module for the above. - - Updated Python documentation. 
- -5 December 2016: Ralph - - Fix #1173: differ local-zone type deny from unset - tag_actions element. - -5 December 2016: Wouter - - Fix #1170: document that 'inform' local-zone uses local-data. - -1 December 2016: Ralph - - hyphen as minus fix, by Andreas Schulze - -30 November 2016: Ralph - - Added local-zones and local-data bulk addition and removal - functionality in unbound-control (local_zones, local_zones_remove, - local_datas and local_datas_remove). - - iana portlist update - -29 November 2016: Wouter - - version 1.6.0 is in the development branch. - - braces in view.c around lock statements. - -28 November 2016: Wouter - - new install-sh. - -25 November 2016: Wouter - - Fix that with openssl 1.1 control-use-cert: no uses less cpu, by - using no encryption over the unix socket. - -22 Novenber 2016: Ralph - - Make access-control-tag-data RDATA absolute. This makes the RDATA - origin consistent between local-data and access-control-tag-data. - - Fix NSEC ENT wildcard check. Matching wildcard does not have to be a - subdomain of the NSEC owner. - - QNAME minimisation uses QTYPE=A, therefore always check cache for - this type in harden-below-nxdomain functionality. - - Added unit test for QNAME minimisation + harden below nxdomain - synergy. - -22 November 2016: Wouter - - iana portlist update. - - Fix unit tests for DS hash processing for fake-dsa test option. - - patch from Dag-Erling Smorgrav that removes code that relies - on sbrk(). - -21 November 2016: Wouter - - Fix #1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing - Underneath" for the harden-below-nxdomain option. - -10 November 2016: Ralph - - Fix #1155: test status code of unbound-control in 04-checkconf, - not the status code from the tee command. - -4 November 2016: Ralph - - Added stub-ssl-upstream and forward-ssl-upstream options. - -4 November 2016: Wouter - - configure detects ssl security level API function in the autoconf - manner. 
Every function on its own, so that other libraries (eg. - LibreSSL) can develop their API without hindrance. - - Fix #1154: segfault when reading config with duplicate zones. - - Note that for harden-below-nxdomain the nxdomain must be secure, - this means nsec3 with optout is insufficient. - -3 November 2016: Ralph - - Set OpenSSL security level to 0 when using aNULL ciphers. - -3 November 2016: Wouter - - .gitattributes line for githubs code language display. - - log-identity: config option to set sys log identity, patch from - "Robin H. Johnson" <robbat2@gentoo.org> - -2 November 2016: Wouter - - iana portlist update. - -31 October 2016: Wouter - - Fix failure to build on arm64 with no sbrk. - - iana portlist update. - -28 October 2016: Wouter - - Patch for server.num.zero_ttl stats for count of expired replies, - from Pavel Odintsov. - -26 October 2016: Wouter - - Fix unit tests for openssl 1.1, with no DSA, by faking DSA, enabled - with the undocumented switch 'fake-dsa'. It logs a warning. - -25 October 2016: Wouter - - Fix #1134: unbound-control set_option -- val-override-date: -1 works - immediately to ignore datetime, or back to 0 to enable it again. - The -- is to ignore the '-1' as an option flag. - -24 October 2016: Wouter - - serve-expired config option: serve expired responses with TTL 0. - - g.root-servers.net has AAAA address. - -21 October 2016: Wouter - - Ported tests for local_cname unit test to testbound framework. - -20 October 2016: Wouter - - suppress compile warning in lex files. - - init lzt variable, for older gcc compiler warnings. - - fix --enable-dsa to work, instead of copying ecdsa enable. - - Fix DNSSEC validation of query type ANY with DNAME answers. - - Fixup query_info local_alias init. - -19 October 2016: Wouter - - Fix #1130: whitespace in example.conf.in more consistent. 
- -18 October 2016: Wouter - - Patch that resolves CNAMEs entered in local-data conf statements that - point to data on the internet, from Jinmei Tatuya (Infoblox). - - Removed patch comments from acllist.c and msgencode.c - - Added documentation doc/CNAME-basedRedirectionDesignNotes.pdf, - from Jinmei Tatuya (Infoblox). - - Fix #1125: unbound could reuse an answer packet incorrectly for - clients with different EDNS parameters, from Jinmei Tatuya. - - Fix #1118: libunbound.pc sets strange Libs, Libs.private values. - - Added Requires line to libunbound.pc - - Please doxygen by modifying mesh.h - -17 October 2016: Wouter - - Re-fix #839 from view commit overwrite. - - Fixup const void cast warning. - -12 October 2016: Ralph - - Free view config elements. - -11 October 2016: Ralph - - Added qname-minimisation-strict config option. - - iana portlist update. - - fix memoryleak logfile when in debug mode. - -5 October 2016: Ralph - - Added views functionality. - - Fix #1117: spelling errors, from Robert Edmonds. - -30 September 2016: Wouter - - Fix Nits for 1.5.10 reported by Dag-Erling Smorgrav. - -29 September 2016: Wouter - - Fix #838: 1.5.10 cannot be built on Solaris, undefined PATH_MAX. - - Fix #839: Memory grows unexpectedly with large RPZ files. - - Fix #840: infinite loop in unbound_munin_ plugin on unowned lockfile. - - Fix #841: big local-zone's make it consume large amounts of memory. - -27 September 2016: Wouter - - tag for 1.5.10 release - - trunk contains 1.5.11 in development. - - Fix dnstap relaying "random" messages instead of resolver/forwarder - responses, from Nikolay Edigaryev. - - Fix #836: unbound could echo back EDNS options in an error response. - -20 September 2016: Wouter - - iana portlist update. - - Fix #835: fix --disable-dsa with nettle verify. - - tag for 1.5.10rc1 release. - -15 September 2016: Wouter - - Fix 883: error for duplicate local zone entry. - - Test for openssl init_crypto and init_ssl functions. 
- -15 September 2016: Ralph - - fix potential memory leak in daemon/remote.c and nullpointer - dereference in validator/autotrust. - - iana portlist update. - -13 September 2016: Wouter - - Silenced flex-generated sign-unsigned warning print with gcc - diagnostic pragma. - - Fix for new splint on FreeBSD. Fix cast for sockaddr_un.sun_len. - -9 September 2016: Wouter - - Fix #831: workaround for spurious fread_chk warning against petal.c - -5 September 2016: Ralph - - Take configured minimum TTL into consideration when reducing TTL - to original TTL from RRSIG. - -5 September 2016: Wouter - - Fix #829: doc of sldns_wire2str_rdata_buf() return value has an - off-by-one typo, from Jinmei Tatuya (Infoblox). - - Fix incomplete prototypes reported by Dag-Erling Smørgrav. - - Fix #828: missing type in access-control-tag-action redirect results - in NXDOMAIN. - -2 September 2016: Wouter - - Fix compile with openssl 1.1.0 with api=1.1.0. - -1 September 2016: Wouter - - RFC 7958 is now out, updated docs for unbound-anchor. - - Fix for compile without warnings with openssl 1.1.0. - - Fix #826: Fix refuse_non_local could result in a broken response. - - iana portlist update. - -29 August 2016: Wouter - - Fix #777: OpenSSL 1.1.0 compatibility, patch from Sebastian A. - Siewior. - - Add default root hints for IPv6 E.ROOT-SERVERS.NET, 2001:500:a8::e. - -25 August 2016: Ralph - - Clarify local-zone-override entry in unbound.conf.5 - -25 August 2016: Wouter - - 64bit build option for makedist windows compile, -w64. - -24 August 2016: Ralph - - Fix #820: set sldns_str2wire_rr_buf() dual meaning len parameter - in each iteration in find_tag_datas(). - - unbound.conf.5 entries for define-tag, access-control-tag, - access-control-tag-action, access-control-tag-data, local-zone-tag, - and local-zone-override. - -23 August 2016: Wouter - - Fix #804: unbound stops responding after outage. Fixes queries - that attempt to wait for an empty list of subqueries. 
- - Fix #804: lower num_target_queries for iterator also for failed - lookups. - -8 August 2016: Wouter - - Note that OPENPGPKEY type is RFC 7929. - -4 August 2016: Wouter - - Fix #807: workaround for possible some "unused" function parameters - in test code, from Jinmei Tatuya. - -3 August 2016: Wouter - - use sendmsg instead of sendto for TFO. - -28 July 2016: Wouter - - Fix #806: wrong comment removed. - -26 July 2016: Wouter - - nicer ratelimit-below-domain explanation. - -22 July 2016: Wouter - - Fix #801: missing error condition handling in - daemon_create_workers(). - - Fix #802: workaround for function parameters that are "unused" - without log_assert. - - Fix #803: confusing (and incorrect) code comment in daemon_cleanup(). - -20 July 2016: Wouter - - Fix typo in unbound.conf. - -18 July 2016: Wouter - - Fix #798: Client-side TCP fast open fails (Linux). - -14 July 2016: Wouter - - TCP Fast open patch from Sara Dickinson. - - Fixed unbound.doxygen for 1.8.11. - -7 July 2016: Wouter - - access-control-tag-data implemented. verbose(4) prints tag debug. - -5 July 2016: Wouter - - Fix dynamic link of anchor-update.exe on windows. - - Fix detect of mingw for MXE package build. - - Fixes for 64bit windows compile. - - Fix #788 for nettle 3.0: Failed to build with Nettle >= 3.0 and - --with-libunbound-only --with-nettle. - -4 July 2016: Wouter - - For #787: prefer-ip6 option for unbound.conf prefers to send - upstream queries to ipv6 servers. - - Fix #787: outgoing-interface netblock/64 ipv6 option to use linux - freebind to use 64bits of entropy for every query with random local - part. - -30 June 2016: Wouter - - Document always_transparent, always_refuse, always_nxdomain types. - -29 June 2016: Wouter - - Fix static compile on windows missing gdi32. - -28 June 2016: Wouter - - Create a pkg-config file for libunbound in contrib. - -27 June 2016: Wouter - - Fix #784: Build configure assumess that having getpwnam means there - is endpwent function available. 
- - Updated repository with newer flex and bison output. - -24 June 2016: Ralph - - Possibility to specify local-zone type for an acl/tag pair - - Possibility to specify (override) local-zone type for a source address - block -16 June 2016: Ralph - - Decrease dp attempts at each QNAME minimisation iteration - -16 June 2016: Wouter - - Fix tcp timeouts in tv.usec. - -15 June 2016: Wouter - - TCP_TIMEOUT is specified in milliseconds. - - If more than half of tcp connections are in use, a shorter timeout - is used (200 msec, vs 2 minutes) to pressure tcp for new connects. - -14 June 2016: Ralph - - QNAME minimisation unit test for dropped QTYPE=A queries. - -14 June 2016: Wouter - - Fix 775: unbound-host and unbound-anchor crash on windows, ignore - null delete for wsaevent. - - Fix spelling in freebind option man page text. - - Fix windows link of ssl with crypt32. - - Fix 779: Union casting is non-portable. - - Fix 780: MAP_ANON not defined in HP-UX 11.31. - - Fix 781: prealloc() is an HP-UX system library call. - -13 June 2016: Ralph - - Use QTYPE=A for QNAME minimisation. - - Keep track of number of time-outs when performing QNAME minimisation. - Stop minimising when number of time-outs for a QNAME/QTYPE pair is - more than three. - -13 June 2016: Wouter - - Fix #778: unbound 1.5.9: -h segfault (null deref). - - Fix directory: fix for unbound-checkconf, it restores cwd. - -10 June 2016: Wouter - - And delete service.conf.shipped on uninstall. - - In unbound.conf directory: dir immediately changes to that directory, - so that include: file below that is relative to that directory. - With chroot, make the directory an absolute path inside chroot. - - keep debug symbols in windows build. - - do not delete service.conf on windows uninstall. - - document directory immediate fix and allow EXECUTABLE syntax in it - on windows. - -9 June 2016: Wouter - - Trunk is called 1.5.10 (with previous fixes already in there to 2 - june). 
- - Revert fix for NetworkService account on windows due to breakage - it causes. - - Fix that windows install will not overwrite existing service.conf - file (and ignore gui config choices if it exists). - -7 June 2016: Ralph - - Lookup localzones by taglist from acl. - - Possibility to lookup local_zone, regardless the taglist. - - Added local_zone/taglist/acl unit test. - -7 June 2016: Wouter - - Fix #773: Non-standard Python location build failure with pyunbound. - - Improve threadsafety for openssl 0.9.8 ecdsa dnssec signatures. - -6 June 2016: Wouter - - Better help text from -h (from Ray Griffith). - - access-control-tag config directive. - - local-zone-override config directive. - - access-control-tag-action and access-control-tag-data config - directives. - - free acl-tags, acltag-action and acltag-data config lists during - initialisation to free up memory for more entries. - -3 June 2016: Wouter - - Fix to not ignore return value of chown() in daemon startup. - -2 June 2016: Wouter - - Fix libubound for edns optlist feature. - - Fix distinction between free and CRYPTO_free in dsa and ecdsa alloc. - - Fix #752: retry resource temporarily unavailable on control pipe. - - un-document localzone tags. - - tag for release 1.5.9rc1. - And this also became release 1.5.9. - - Fix (for 1.5.10): Fix unbound-anchor.exe file location defaults to - Program Files with (x86) appended. - - re-documented localzone tags in example.conf. - -31 May 2016: Wouter - - Fix windows service to be created run with limited rights, as a - network service account, from Mario Turschmann. - - compat strsep implementation. - - generic edns option parse and store code. - - and also generic edns options for upstream messages (and replies). - after parse use edns_opt_find(edns.opt_list, LDNS_EDNS_NSID), - to insert use edns_opt_append(edns, region, code, len, bindata) on - the opt_list passed to send_query, or in edns_opt_inplace_reply. 
- -30 May 2016: Wouter - - Fix time in case answer comes from cache in ub_resolve_event(). - - Attempted fix for #765: _unboundmodule missing for python3. - -27 May 2016: Wouter - - Fix #770: Small subgroup attack on DH used in unix pipe on localhost - if unbound control uses a unix local named pipe. - - Document write permission to directory of trust anchor needed. - - Fix #768: Unbound Service Sometimes Can Not Shutdown - Completely, WER Report Shown Up. Close handle before closing WSA. - -26 May 2016: Wouter - - Updated patch from Charles Walker. - -24 May 2016: Wouter - - disable-dnssec-lame-check config option from Charles Walker. - - remove memory leak from lame-check patch. - - iana portlist update. - -23 May 2016: Wouter - - Fix #767: Reference to an expired Internet-Draft in - harden-below-nxdomain documentation. - -20 May 2016: Ralph - - No QNAME minimisation fall-back for NXDOMAIN answers from DNSSEC - signed zones. - - iana portlist update. - -19 May 2016: Wouter - - Fix #766: dns64 should synthesize results on timeout/errors. - -18 May 2016: Wouter - - Fix #761: DNSSEC LAME false positive resolving nic.club. - -17 May 2016: Wouter - - trunk updated with output of flex 2.6.0. - -6 May 2016: Wouter - - Fix memory leak in out-of-memory conditions of local zone add. - -29 April 2016: Wouter - - Fix sldns with static checking fixes copied from getdns. - -28 April 2016: Wouter - - Fix #759: 0x20 capsforid no longer checks type PTR, for - compatibility with cisco dns guard. This lowers false positives. - -18 April 2016: Wouter - - Fix some malformed reponses to edns queries get fallback to nonedns. - -15 April 2016: Wouter - - cachedb module event handling design. - -14 April 2016: Wouter - - cachedb module framework (empty). - - iana portlist update. - -12 April 2016: Wouter - - Fix #753: document dump_requestlist is for first thread. - -24 March 2016: Wouter - - Document permit-small-holddown for 5011 debug. 
- - Fix #749: unbound-checkconf gets SIGSEGV when use against a - malformatted conf file. - -23 March 2016: Wouter - - OpenSSL 1.1.0 portability, --disable-dsa configure option. - -21 March 2016: Wouter - - Fix compile of getentropy_linux for SLES11 servicepack 4. - - Fix dnstap-log-resolver-response-messages, from Nikolay Edigaryev. - - Fix test for openssl to use HMAC_Update for 1.1.0. - - acx_nlnetlabs.m4 to v33, with HMAC_Update. - - acx_nlnetlabs.m4 to v34, with -ldl -pthread test for libcrypto. - - ERR_remove_state deprecated since openssl 1.0.0. - - OPENSSL_config is deprecated, removing. - -18 March 2016: Ralph - - Validate QNAME minimised NXDOMAIN responses. - - If QNAME minimisation is enabled, do cache lookup for QTYPE NS in - harden-below-nxdomain. - -17 March 2016: Ralph - - Limit number of QNAME minimisation iterations. - -17 March 2016: Wouter - - Fix #746: Fix unbound sets CD bit on all forwards. - If no trust anchors, it'll not set CD bit when forwarding to another - server. If a trust anchor, no CD bit on the first attempt to a - forwarder, but CD bit thereafter on repeated attempts to get DNSSEC. - - iana portlist update. - -16 March 2016: Wouter - - Fix ip-transparent for ipv6 on FreeBSD, thanks to Nick Hibma. - - Fix ip-transparent for tcp on freebsd. - -15 March 2016: Wouter - - ip_freebind: yesno option in unbound.conf sets IP_FREEBIND for - binding to an IP address while the interface or address is down. - -14 March 2016: Wouter - - Fix warnings in ifdef corner case, older or unknown libevent. - - Fix compile for ub_event code with older libev. - -11 March 2016: Wouter - - Remove warning about unused parameter in event_pluggable.c. - - Fix libev usage of dispatch return value. - - No side effects in tolower() call, in case it is a macro. - - For test put free in pluggable api in parenthesis. - -10 March 2016: Wouter - - Fixup backend2str for libev. 
- -09 March 2016: Willem - - User defined pluggable event API for libunbound - - Fixup of compile fix for pluggable event API from P.Y. Adi - Prasaja. - -09 March 2016: Wouter - - Updated configure and ltmain.sh. - - Updated L root IPv6 address. - -07 March 2016: Wouter - - Fix #747: assert in outnet_serviced_query_stop. - - iana ports fetched via https. - - iana portlist update. - -03 March 2016: Wouter - - configure tests for the weak attribute support by the compiler. - -02 March 2016: Wouter - - 1.5.8 release tag - - trunk contains 1.5.9 in development. - - iana portlist update. - - Fix #745: unbound.py - idn2dname throws UnicodeError when idnname - contains trailing dot. - -24 February 2016: Wouter - - Fix OpenBSD asynclook lock free that gets used later (fix test code). - - Fix that NSEC3 negative cache is used when there is no salt. - -23 February 2016: Wouter - - ub_ctx_set_stub() function for libunbound to config stub zones. - - sorted ubsyms.def file with exported libunbound functions. - -19 February 2016: Wouter - - Print understandable debug log when unusable DS record is seen. - - load gost algorithm if digest is seen before key algorithm. - - iana portlist update. - -17 February 2016: Wouter - - Fix that "make install" fails due to "text file busy" error. - -16 February 2016: Wouter - - Set IPPROTO_IP6 for ipv6 sockets otherwise invalid argument error. - -15 February 2016: Wouter - - ip-transparent option for FreeBSD with IP_BINDANY socket option. - - wait for sendto to drain socket buffers when they are full. - -9 February 2016: Wouter - - Test for type OPENPGPKEY. - - insecure-lan-zones: yesno config option, patch from Dag-Erling - Smørgrav. - -8 February 2016: Wouter - - Fix patch typo in prevuous commit for 734 from Adi Prasaja. - - RR Type CSYNC support RFC 7477, in debug printout and config input. - - RR Type OPENPGPKEY support (draft-ietf-dane-openpgpkey-07). 
- -29 January 2016: Wouter - - Neater cmdline_verbose increment patch from Edgar Pettijohn. - -27 January 2016: Wouter - - Made netbsd sendmsg test nonfatal, in case of false positives. - - Fix #741: log message for dnstap socket connection is more clear. - -26 January 2016: Wouter - - Fix #734: chown the pidfile if it resides inside the chroot. - - Use arc4random instead of random in tests (because it is - available, possibly as compat, anyway). - - Fix cmsg alignment for argument to sendmsg on NetBSD. - - Fix that unbound complains about unimplemented IP_PKTINFO for - sendmsg on NetBSD (for interface-automatic). - -25 January 2016: Wouter - - Fix #738: Swig should not be invoked with CPPFLAGS. - -19 January 2016: Wouter - - Squelch 'cannot assign requested address' log messages unless - verbosity is high, it was spammed after network down. - -14 January 2016: Wouter - - Fix to simplify empty string checking from Michael McConville. - - iana portlist update. - -12 January 2016: Wouter - - Fix #734: Do not log an error when the PID file cannot be chown'ed. - Patch from Simon Deziel. - -11 January 2016: Wouter - - Fix test if -pthreads unused to use better grep for portability. - -06 January 2016: Wouter - - Fix mingw crosscompile for recent mingw. - - Update aclocal, autoconf output with new versions (1.15, 2.4.6). - -05 January 2016: Wouter - - #731: tcp-mss, outgoing-tcp-mss options for unbound.conf, patch - from Daisuke Higashi. - - Support RFC7686: handle ".onion" Special-Use Domain. It is blocked - by default, and can be unblocked with "nodefault" localzone config. - -04 January 2016: Wouter - - Define DEFAULT_SOURCE together with BSD_SOURCE when that is defined, - for Linux glibc 2.20. - - Fixup contrib/aaaa-filter-iterator.patch for moved contents in the - source code, so it applies cleanly again. Removed unused variable - warnings. 
- -15 December 2015: Ralph - - Fix #729: omit use of escape sequences in echo since they are not - portable (unbound-control-setup). - -11 December 2015: Wouter - - remove NULL-checks before free, patch from Michael McConville. - - updated ax_pthread.m4 to version 21 with clang support, this - removes a warning from compilation. - - OSX portability, detect if sbrk is deprecated. - - OSX clang, stop -pthread unused during link stage warnings. - - OSX clang new flto check. - -10 December 2015: Wouter - - 1.5.7 release - - trunk has 1.5.8 in development. - -8 December 2015: Wouter - - Fixup 724 for unbound-control. - -7 December 2015: Ralph - - Do not minimise forwarded requests. - -4 December 2015: Wouter - - Removed unneeded whitespace from example.conf. - -3 December 2015: Ralph - - (after rc1 tag) - - Committed fix to qname minimisation and unit test case for it. - -3 December 2015: Wouter - - iana portlist update. - - 1.5.7rc1 prerelease tag. - -2 December 2015: Wouter - - Fixup 724: Fix PCA prompt for unbound-service-install.exe. - re-enable stdout printout. - - For 724: Add Changelog to windows binary dist. - -1 December 2015: Ralph - - Qname minimisation review fixes - -1 December 2015: Wouter - - Fixup 724 fix for fname_after_chroot() calls. - - Remove stdout printout for unbound-service-install.exe - - .gitignore for git users. - -30 November 2015: Ralph - - Implemented qname minimisation - -30 November 2015: Wouter - - Fix for #724: conf syntax to read files from run dir (on Windows). - -25 November 2015: Wouter - - Fix for #720, fix unbound-control-setup windows batch file. - -24 November 2015: Wouter - - Fix #720: add windows scripts to zip bundle. - - iana portlist update. - -20 November 2015: Wouter - - Added assert on rrset cache correctness. - - Fix that malformed EDNS query gets a response without malformed EDNS. - -18 November 2015: Wouter - - newer acx_nlnetlabs.m4. - - spelling fixes from Igor Sobrado Delgado. 
- -17 November 2015: Wouter - - Fix #594. libunbound: optionally use libnettle for crypto. - Contributed by Luca Bruno. Added --with-nettle for use with - --with-libunbound-only. - - refactor nsec3 hash implementation to be more library-portable. - - iana portlist update. - - Fixup DER encoded DSA signatures for libnettle. - -16 November 2015: Wouter - - Fix for lenient accept of reverse order DNAME and CNAME. - -6 November 2015: Wouter - - Change example.conf: ftp.internic.net to https://www.internic.net - -5 November 2015: Wouter - - ACX_SSL_CHECKS no longer adds -ldl needlessly. - -3 November 2015: Wouter - - Fix #718: Fix unbound-control-setup with support for env - without HEREDOC bash support. - -29 October 2015: Wouter - - patch from Doug Hogan for SSL_OP_NO_SSLvx options. - - Fix #716: nodata proof with empty non-terminals and wildcards. - -28 October 2015: Wouter - - Fix checklock testcode for linux threads on exit. - -27 October 2015: Wouter - - isblank() compat implementation. - - detect libexpat without xml_StopParser function. - - portability fixes. - - portability, replace snprintf if return value broken. - -23 October 2015: Wouter - - Fix #714: Document config to block private-address for IPv4 - mapped IPv6 addresses. - -22 October 2015: Wouter - - Fix #712: unbound-anchor appears to not fsync root.key. - -20 October 2015: Wouter - - 1.5.6 release. - - trunk tracks development of 1.5.7. - -15 October 2015: Wouter - - Fix segfault in the dns64 module in the formaterror error path. - - Fix sldns_wire2str_rdata_scan for malformed RRs. - - tag for 1.5.6rc1 release. - -14 October 2015: Wouter - - ANY responses include DNAME records if present, as per Evan Hunt's - remark in dnsop. - - Fix manpage to suggest using SIGTERM to terminate the server. - -9 October 2015: Wouter - - Default for ssl-port is port 853, the temporary port assignment - for secure domain name system traffic. 
- If you used to rely on the older default of port 443, you have - to put a clause in unbound.conf for that. The new value is likely - going to be the standardised port number for this traffic. - - iana portlist update. - -6 October 2015: Wouter - - 1.5.5 release. - - trunk tracks the development of 1.5.6. - -28 September 2015: Wouter - - MAX_TARGET_COUNT increased to 64, to fix up sporadic resolution - failures. - - tag for 1.5.5rc1 release. - - makedist.sh: pgp sig echo commands. - -25 September 2015: Wouter - - Fix unbound-control flush that does not succeed in removing data. - -22 September 2015: Wouter - - Fix config globbed include chroot treatment, this fixes reload of - globs (patch from Dag-Erling Smørgrav). - - iana portlist update. - - Fix #702: New IPs for for h.root-servers.net. - - Remove confusion comment from canonical_compare() function. - - Fix #705: ub_ctx_set_fwd() return value mishandled on windows. - - testbound selftest also works in non-debug mode. - - Fix minor error in unbound.conf.5.in - - Fix unbound.conf(5) access-control description for precedence - and default. - -31 August 2015: Wouter - - changed windows setup compression to be more transparent. - -28 August 2015: Wouter - - Fix #697: Get PY_MAJOR_VERSION failure at configure for python - 2.4 to 2.6. - - Feature #699: --enable-pie option to that builds PIE binary. - - Feature #700: --enable-relro-now option that enables full read-only - relocation. - -24 August 2015: Wouter - - Fix deadlock for local data add and zone add when unbound-control - list_local_data printout is interrupted. - - iana portlist update. - - Change default of harden-algo-downgrade to off. This is lenient - for algorithm rollover. - -13 August 2015: Wouter - - 5011 implementation does not insist on all algorithms, when - harden-algo-downgrade is turned off. - - Reap the child process that libunbound spawns. 
- -11 August 2015: Wouter - - Fix #694: configure script does not detect LibreSSL 2.2.2 - -4 August 2015: Wouter - - Document that local-zone nodefault matches exactly and transparent - can be used to release a subzone. - -3 August 2015: Wouter - - Document in the manual more text about configuring locally served - zones. - - Fix 5011 anchor update timer after reload. - - Fix mktime in unbound-anchor not using UTC. - -30 July 2015: Wouter - - please afl-gcc (llvm) for uninitialised variable warning. - - Added permit-small-holddown config to debug fast 5011 rollover. - -24 July 2015: Wouter - - Fix #690: Reload fails when so-reuseport is yes after changing - num-threads. - - iana portlist update. - -21 July 2015: Wouter - - Fix configure to detect SSL_CTX_set_ecdh_auto. - - iana portlist update. - -20 July 2015: Wouter - - Enable ECDHE for servers. Where available, use - SSL_CTX_set_ecdh_auto() for TLS-wrapped server configurations to - enable ECDHE. Otherwise, manually offer curve p256. - Client connections should automatically use ECDHE when available. - (thanks Daniel Kahn Gillmor) - -18 July 2015: Willem - - Allow certificate chain files to allow for intermediate certificates. - (thanks Daniel Kahn Gillmor) - -13 July 2015: Wouter - - makedist produces sha1 and sha256 files for created binaries too. - -9 July 2015: Wouter - - 1.5.4 release tag - - trunk has 1.5.5 in development. - - Fix #681: Setting forwarders with unbound-control forward - implicitly turns on forward-first. - -29 June 2015: Wouter - - iana portlist update. - - Fix alloc with log for allocation size checks. - -26 June 2015: Wouter - - Fix #677 Fix DNAME responses from cache that failed internal chain - test. - - iana portlist update. - -22 June 2015: Wouter - - Fix #677 Fix CNAME corresponding to a DNAME was checked incorrectly - and was therefore always synthesized (thanks to Valentin Dietrich). - -4 June 2015: Wouter - - RFC 7553 RR type URI support, is now enabled by default. 
- -2 June 2015: Wouter - - Fix #674: Do not free pointers given by getenv. - -29 May 2015: Wouter - - Fix that unparseable error responses are ratelimited. - - SOA negative TTL is capped at minimumttl in its rdata section. - - cache-max-negative-ttl config option, default 3600. - -26 May 2015: Wouter - - Document that ratelimit works with unbound-control set_option. - -21 May 2015: Wouter - - iana portlist update. - - documentation proposes ratelimit of 1000 (closer to what upstream - servers expect from us). - -20 May 2015: Wouter - - DLV is going to be decommissioned. Advice to stop using it, and - put text in the example configuration and man page to that effect. - -10 May 2015: Wouter - - Change syntax of particular validator error to be easier for - machine parse, swap rrset and ip adres info so it looks like: - validation failure <www.example.nl. TXT IN>: signature crypto - failed from 2001:DB8:7:bba4::53 for <*.example.nl. NSEC IN> - -1 May 2015: Wouter - - caps-whitelist in unbound.conf allows whitelist of loadbalancers - that cannot work with caps-for-id or its fallback. - -30 April 2015: Wouter - - Unit test for type ANY synthesis. - -22 April 2015: Wouter - - Removed contrib/unbound_unixsock.diff, because it has been - integrated, use control-interface: /path in unbound.conf. - - iana portlist update. - -17 April 2015: Wouter - - Synthesize ANY responses from cache. Does not search exhaustively, - but MX,A,AAAA,SOA,NS also CNAME. - - Fix leaked dns64prefix configuration string. - -16 April 2015: Wouter - - Add local-zone type inform_deny, that logs query and drops answer. - - Ratelimit does not apply to prefetched queries, and ratelimit-factor - is default 10. Repeated normal queries get resolved and with - prefetch stay in the cache. - - Fix bug#664: libunbound python3 related fixes (from Tomas Hozza) - Use print_function also for Python2. - libunbound examples: produce sorted output. - libunbound-Python: libldns is not used anymore. 
- Fix issue with Python 3 mapping of FILE* using file_py3.i from ldns. - -10 April 2015: Wouter - - unbound-control ratelimit_list lists high rate domains. - - ratelimit feature, ratelimit: 100, or some sensible qps, can be - used to turn it on. It ratelimits recursion effort per zone. - For particular names you can configure exceptions in unbound.conf. - - Fix that get_option for cache-sizes does not print double newline. - - Fix#663: ssl handshake fails when using unix socket because dh size - is too small. - -8 April 2015: Wouter - - Fix crash in dnstap: Do not try to log TCP responses after timeout. - -7 April 2015: Wouter - - Libunbound skips dos-line-endings from etc/hosts. - - Unbound exits with a fatal error when the auto-trust-anchor-file - fails to be writable. This is seconds after startup. You can - load a readonly auto-trust-anchor-file with trust-anchor-file. - The file has to be writable to notice the trust anchor change, - without it, a trust anchor change will be unnoticed and the system - will then become inoperable. - - unbound-control list_insecure command shows the negative trust - anchors currently configured, patch from Jelte Jansen. - -2 April 2015: Wouter - - Fix #660: Fix interface-automatic broken in the presence of - asymmetric routing. - -26 March 2015: Wouter - - remote.c probedelay line is easier to read. - - rename ldns subdirectory to sldns to avoid name collision. - -25 March 2015: Wouter - - Fix #657: libunbound(3) recommends deprecated - CRYPTO_set_id_callback. - - If unknown trust anchor algorithm, and libressl is used, error - message encourages upgrade of the libressl package. - -23 March 2015: Wouter - - Fix segfault on user not found at startup (from Maciej Soltysiak). - -20 March 2015: Wouter - - Fixed to add integer overflow checks on allocation (defense in depth). - -19 March 2015: Wouter - - Add ip-transparent config option for bind to non-local addresses. 
- -17 March 2015: Wouter - - Use reallocarray for integer overflow protection, patch submitted - by Loganaden Velvindron. - -16 March 2015: Wouter - - Fixup compile on cygwin, more portable openssl thread id. - -12 March 2015: Wouter - - Updated default keylength in unbound-control-setup to 3k. - -10 March 2015: Wouter - - Fix lintian warning in unbound-checkconf man page (from Andreas - Schulze). - - print svnroot when building windows dist. - - iana portlist update. - - Fix warning on sign compare in getentropy_linux. - -9 March 2015: Wouter - - Fix #644: harden-algo-downgrade option, if turned off, fixes the - reported excessive validation failure when multiple algorithms - are present. It allows the weakest algorithm to validate the zone. - - iana portlist update. - -5 March 2015: Wouter - - contrib/unbound_smf22.tar.gz: Solaris SMF installation/removal - scripts. Contributed by Yuri Voinov. - - Document that incoming-num-tcp increase is good for large servers. - - stats reports tcp usage, of incoming-num-tcp buffers. - -4 March 2015: Wouter - - Patch from Brad Smith that syncs compat/getentropy_linux with - OpenBSD's version (2015-03-04). - - 0x20 fallback improved: servfail responses do not count as missing - comparisons (except if all responses are errors), - inability to find nameservers does not fail equality comparisons, - many nameservers does not try to compare more than max-sent-count, - parse failures start 0x20 fallback procedure. - - store caps_response with best response in case downgrade response - happens to be the last one. - - Document windows 8 tests. - -3 March 2015: Wouter - - tag 1.5.3rc1 - [ This became 1.5.3 on 10 March, trunk is 1.5.4 in development ] - -2 March 2015: Wouter - - iana portlist update. - -20 February 2015: Wouter - - Use the getrandom syscall introduced in Linux 3.17 (from Heiner - Kallweit). - - Fix #645 Portability to Solaris 10, use AF_LOCAL. - - Fix #646 Portability to Solaris, -lrt for getentropy_solaris. 
- - Fix #647 crash in 1.5.2 because pwd.db no longer accessible after - reload. - -19 February 2015: Wouter - - 1.5.2 release tag. - - svn trunk contains 1.5.3 under development. - -13 February 2015: Wouter - - Fix #643: doc/example.conf.in: unnecessary whitespace. - -12 February 2015: Wouter - - tag 1.5.2rc1 - -11 February 2015: Wouter - - iana portlist update. - -10 February 2015: Wouter - - Fix scrubber with harden-glue turned off to reject NS (and other - not-address) records. - -9 February 2015: Wouter - - Fix validation failure in case upstream forwarder (ISC BIND) does - not have the same trust anchors and decides to insert unsigned NS - record in authority section. - -2 February 2015: Wouter - - infra-cache-min-rtt patch from Florian Riehm, for expected long - uplink roundtrip times. - -30 January 2015: Wouter - - Fix 0x20 capsforid fallback to omit gratuitous NS and additional - section changes. - - Portability fix for Solaris ('sun' is not usable for a variable). - -29 January 2015: Wouter - - Fix pyunbound byte string representation for python3. - -26 January 2015: Wouter - - Fix unintended use of gcc extension for incomplete enum types, - compile with pedantic c99 compliance (from Daniel Dickman). - -23 January 2015: Wouter - - windows port fixes, no AF_LOCAL, no chown, no chmod(grp). - -16 January 2015: Wouter - - unit test for local unix connection. Documentation and log_addr - does not inspect port for AF_LOCAL. - - unbound-checkconf -f prints chroot with pidfile path. - -13 January 2015: Wouter - - iana portlist update. - -12 January 2015: Wouter - - Cast sun_len sizeof to socklen_t. - - Fix pyunbound ord call, portable for python 2 and 3. - -7 January 2015: Wouter - - Fix warnings in pythonmod changes. - -6 January 2015: Wouter - - iana portlist update. - - patch for remote control over local sockets, from Dag-Erling - Smorgrav, Ilya Bakulin. Use control-interface: /path/sock and - control-use-cert: no. 
- - Fixup that patch and uid lookup (only for daemon). - - coded the default of control-use-cert, to yes. - -5 January 2015: Wouter - - getauxval test for ppc64 linux compatibility. - - make strip works for unbound-host and unbound-anchor. - - patch from Stephane Lapie that adds to the python API, that - exposes struct delegpt, and adds the find_delegation function. - - print query name when max target count is exceeded. - - patch from Stuart Henderson that fixes DESTDIR in - unbound-control-setup for installs where config is not in - the prefix location. - - Fix #634: fix fail to start on Linux LTS 3.14.X, ignores missing - IP_MTU_DISCOVER OMIT option (fix from Remi Gacogne). - - Updated contrib warmup.cmd/sh to support two modes - load - from pre-defined list of domains or (with filename as argument) - load from user-specified list of domains, and updated contrib - unbound_cache.sh/cmd to support loading/save/reload cache to/from - default path or (with secondary argument) arbitrary path/filename, - from Yuri Voinov. - - Patch from Philip Paeps to contrib/unbound_munin_ that uses - type ABSOLUTE. Allows munin.conf: [idleserver.example.net] - unbound_munin_hits.graph_period minute - -9 December 2014: Wouter - - svn trunk has 1.5.2 in development. - - config.guess and config.sub update from libtoolize. - - local-zone: example.com inform makes unbound log a message with - client IP for queries in that zone. Eg. for finding infected hosts. - -8 December 2014: Wouter - - Fix CVE-2014-8602: denial of service by making resolver chase - endless series of delegations. - -1 December 2014: Wouter - - Fix bug#632: unbound fails to build on AArch64, protects - getentropy compat code from calling sysctl if it is has been removed. - -29 November 2014: Wouter - - Add include to getentropy_linux.c, hopefully fixing debian build. - -28 November 2014: Wouter - - Fix makefile for build from noexec source tree. 
- -26 November 2014: Wouter - - Fix libunbound undefined symbol errors for main. - Referencing main does not seem to be possible for libunbound. - -24 November 2014: Wouter - - Fix log at high verbosity and memory allocation failure. - - iana portlist update. - -21 November 2014: Wouter - - Fix crash on multiple thread random usage on systems without - arc4random. - -20 November 2014: Wouter - - fix compat/getentropy_win.c check if CryptGenRandom works and no - immediate exit on windows. - -19 November 2014: Wouter - - Fix cdflag dns64 processing. - -18 November 2014: Wouter - - Fix that CD flag disables DNS64 processing, returning the DNSSEC - signed AAAA denial. - - iana portlist update. - -17 November 2014: Wouter - - Fix #627: SSL_CTX_load_verify_locations return code not properly - checked. - -14 November 2014: Wouter - - parser with bison 2.7 - -13 November 2014: Wouter - - Patch from Stephane Lapie for ASAHI Net that implements aaaa-filter, - added to contrib/aaaa-filter-iterator.patch. - -12 November 2014: Wouter - - trunk has 1.5.1 in development. - - Patch from Robert Edmonds to build pyunbound python module - differently. No versioninfo, with -shared and without $(LIBS). - - Patch from Robert Edmonds fixes hyphens in unbound-anchor man page. - - Removed 'increased limit open files' log message that is written - to console. It is only written on verbosity 4 and higher. - This keeps system bootup console cleaner. - - Patch from James Raftery, always print stats for rcodes 0..5. - -11 November 2014: Wouter - - iana portlist update. - - Fix bug where forward or stub addresses with same address but - different port number were not tried. - - version number in svn trunk is 1.5.0 - - tag 1.5.0rc1 - - review fix from Ralph. 
- -7 November 2014: Wouter - - dnstap fixes by Robert Edmonds: - dnstap/dnstap.m4: cosmetic fixes - dnstap/: Remove compiled protoc-c output files - dnstap/dnstap.m4: Error out if required libraries are not found - dnstap: Fix ProtobufCBufferSimple usage that is incorrect as of - protobuf-c 1.0.0 - dnstap/: Adapt to API changes in latest libfstrm (>= 0.2.0) - -4 November 2014: Wouter - - Add ub_ctx_add_ta_autr function to add a RFC5011 automatically - tracked trust anchor to libunbound. - - Redefine internal minievent symbols to unique symbols that helps - linking on platforms where the linker leaks names across modules. - -27 October 2014: Wouter - - Disabled use of SSLv3 in remote-control and ssl-upstream. - - iana portlist update. - -16 October 2014: Wouter - - Documented dns64 configuration in unbound.conf man page. - -13 October 2014: Wouter - - Fix #617: in ldns in unbound, lowercase WKS services. - - Fix ctype invocation casts. - -10 October 2014: Wouter - - Fix unbound-checkconf check for module config with dns64 module. - - Fix unbound capsforid fallback, it ignores TTLs in comparison. - -6 October 2014: Wouter - - Fix #614: man page variable substitution bug. -6 October 2014: Willem - - Whitespaces after $ORIGIN are not part of the origin dname (ldns). - - $TTL's value starts at position 5 (ldns). - -1 October 2014: Wouter - - fix #613: Allow tab ws in var length last rdfs (in ldns str2wire). - -29 September 2014: Wouter - - Fix #612: create service with service.conf in present directory and - auto load it. - - Fix for mingw compile openssl ranlib. - -25 September 2014: Wouter - - updated configure and aclocal with newer autoconf 1.13. - -22 September 2014: Wouter - - Fix swig and python examples for Python 3.x. - - Fix for mingw compile with openssl-1.0.1i. - -19 September 2014: Wouter - - improve python configuration detection to build on Fedora 22. - -18 September 2014: Wouter - - patches to also build with Python 3.x (from Pavel Simerda). 
- -16 September 2014: Wouter - - Fix tcp timer waiting list removal code. - - iana portlist update. - - Updated the TCP_BACLOG from 5 to 256, so that the tcp accept queue - is longer and more tcp connections can be handled. - -15 September 2014: Wouter - - Fix unit test for CDS typecode. - -5 September 2014: Wouter - - type CDS and CDNSKEY types in sldns. - -25 August 2014: Wouter - - Fixup checklock code for log lock and its mutual initialization - dependency. - - iana portlist update. - - Removed necessity for pkg-config from the dnstap.m4, new are - the --with-libfstrm and --with-protobuf-c configure options. - -19 August 2014: Wouter - - Update unbound manpage with more explanation (from Florian Obser). - -18 August 2014: Wouter - - Fix #603: unbound-checkconf -o <option> should skip verification - checks. - - iana portlist update. - - Fixup doc/unbound.doxygen to remove obsolete 1.8.7 settings. - -5 August 2014: Wouter - - dnstap support, with a patch from Farsight Security, written by - Robert Edmonds. The --enable-dnstap needs libfstrm and protobuf-c. - It is BSD licensed (see dnstap/dnstap.c). - Building with --enable-dnstap needs pkg-config with this patch. - - Noted dnstap in doc/README and doc/CREDITS. - - Changes to the dnstap patch. - - lint fixes. - - dnstap/dnstap_config.h should not have been added to the repo, - because is it generated. - -1 August 2014: Wouter - - Patch add msg, rrset, infra and key cache sizes to stats command - from Maciej Soltysiak. - - iana portlist update. - -31 July 2014: Wouter - - DNS64 from Viagenie (BSD Licensed), written by Simon Perrault. - Initial commit of the patch from the FreeBSD base (with its fixes). - This adds a module (for module-config in unbound.conf) dns64 that - performs DNS64 processing, see README.DNS64. - - Changes from DNS64: - strcpy changed to memmove. - arraybound check fixed from prefix_net/8/4 to prefix_net/8+4. - allocation of result consistently in the correct region. 
- time_t is now used for ttl in unbound (since the patch's version). - - testdata/dns64_lookup.rpl for unit test for dns64 functionality. - -29 July 2014: Wouter - - Patch from Dag-Erling Smorgrav that implements feature, unbound -dd - does not fork in the background and also logs to stderr. - -21 July 2014: Wouter - - Fix endian.h include for OpenBSD. - -16 July 2014: Wouter - - And Fix#596: Bail out of unbound-control dump_infra when ssl - write fails. - -15 July 2014: Wouter - - Fix #596: Bail out of unbound-control list_local_zones when ssl - write fails. - - iana portlist update. - -13 July 2014: Wouter - - Configure tests if main can be linked to from getentropy compat. - -12 July 2014: Wouter - - Fix getentropy compat code, function refs were not portable. - - Fix to check openssl version number only for OpenSSL. - - LibreSSL provides compat items, check for that in configure. - - Fix bug in fix for log locks that caused deadlock in signal handler. - - update compat/getentropy and arc4random to the most recent ones from OpenBSD. - -11 July 2014: Matthijs - - fake-rfc2553 patch (thanks Benjamin Baier). - -11 July 2014: Wouter - - arc4random in compat/ and getentropy, explicit_bzero, chacha for - dependencies, from OpenBSD. arc4_lock and sha512 in compat. - This makes arc4random available on all platforms, except when - compiled with LIBNSS (it uses libNSS crypto random). - - fix strptime implicit declaration error on OpenBSD. - - arc4random, getentropy and explicit_bzero compat for Windows. - -4 July 2014: Wouter - - Fix #593: segfault or crash upon rotating logfile. - -3 July 2014: Wouter - - DLV tests added. - - signit tool fixup for compile with libldns library. - - iana portlist updated. - -27 June 2014: Wouter - - so-reuseport is available on BSDs(such as FreeBSD 10) and OS/X. - -26 June 2014: Wouter - - unbound-control status reports if so-reuseport was successful. - - iana portlist updated. 
- -24 June 2014: Wouter - - Fix caps-for-id fallback, and added fallback attempt when servers - drop 0x20 perturbed queries. - - Fixup testsetup for VM tests (run testcode/run_vm.sh). - -17 June 2014: Wouter - - iana portlist updated. - -3 June 2014: Wouter - - Add AAAA for B root server to default root hints. - -2 June 2014: Wouter - - Remove unused define from iterator.h - -30 May 2014: Wouter - - Fixup sldns_enum_edns_option typedef definition. - -28 May 2014: Wouter - - Code cleanup patch from Dag-Erling Smorgrav, with compiler issue - fixes from FreeBSD's copy of Unbound, he notes: - Generate unbound-control-setup.sh at build time so it respects - prefix and sysconfdir from the configure script. Also fix the - umask to match the comment, and the comment to match the umask. - Add const and static where needed. Use unions instead of - playing pointer poker. Move declarations that are needed in - multiple source files into a shared header. Move sldns_bgetc() - from parse.c to buffer.c where it belongs. Introduce a new - header file, worker.h, which declares the callbacks that - all workers must define. Remove those declarations from - libworker.h. Include the correct headers in the correct places. - Fix a few dummy callbacks that don't match their prototype. - Fix some casts. Hide the sbrk madness behind #ifdef HAVE_SBRK. - Remove a useless printf which breaks reproducible builds. - Get rid of CONFIGURE_{TARGET,DATE,BUILD_WITH} now that they're - no longer used. Add unbound-control-setup.sh to the list of - generated files. The prototype for libworker_event_done_cb() - needs to be moved from libunbound/libworker.h to - libunbound/worker.h. - - Fixup out-of-directory compile with unbound-control-setup.sh.in. - - make depend. - -23 May 2014: Wouter - - unbound-host -D enabled dnssec and reads root trust anchor from - the default root key file that was compiled in. 
- -20 May 2014: Wouter - - Feature, unblock-lan-zones: yesno that you can use to make unbound - perform 10.0.0.0/8 and other reverse lookups normally, for use if - unbound is running service for localhost on localhost. - -16 May 2014: Wouter - - Updated create_unbound_ad_servers and unbound_cache scripts from - Yuri Voinov in the source/contrib directory. Added - warmup.cmd (and .sh): warm up the DNS cache with your MRU domains. - -9 May 2014: Wouter - - Implement draft-ietf-dnsop-rfc6598-rfc6303-01. - - iana portlist updated. - -8 May 2014: Wouter - - Contrib windows scripts from Yuri Voinov added to src/contrib: - create_unbound_ad_servers.cmd: enters anti-ad server lists. - unbound_cache.cmd: saves and loads the cache. - - Added unbound-control-setup.cmd from Yuri Voinov to the windows - unbound distribution set. It requires openssl installed in %PATH%. - -6 May 2014: Wouter - - Change MAX_SENT_COUNT from 16 to 32 to resolve some cases easier. - -5 May 2014: Wouter - - More #567: remove : from output of stub and forward lists, this is - easier to parse. - -29 April 2014: Wouter - - iana portlist updated. - - Add unbound-control flush_negative that flushed nxdomains, nodata, - and errors from the cache. For dnssec-trigger and NetworkManager, - fixes cases where network changes have localdata that was already - negatively cached from the previous network. - -23 April 2014: Wouter - - Patch from Jeremie Courreges-Anglas to use arc4random_uniform - if available on the OS, it gets entropy from the OS. - -15 April 2014: Wouter - - Fix compile with libevent2 on FreeBSD. - -11 April 2014: Wouter - - Fix #502: explain that do-ip6 disable does not stop AAAA lookups, - but it stops the use of the ipv6 transport layer for DNS traffic. - - iana portlist updated. - -10 April 2014: Wouter - - iana portlist updated. - - Patch from Hannes Frederic Sowa for Linux 3.15 fragmentation - option for DNS fragmentation defense. 
- - Document that dump_requestlist only prints queries from thread 0. - - unbound-control stats prints num.query.tcpout with number of TCP - outgoing queries made in the previous statistics interval. - - Fix #567: unbound lists if forward zone is secure or insecure with - +i annotation in output of list_forwards, also for list_stubs - (for NetworkManager integration.) - - Fix #554: use unsigned long to print 64bit statistics counters on - 64bit systems. - - Fix #558: failed prefetch lookup does not remove cached response - but delays next prefetch (in lieu of caching a SERVFAIL). - - Fix #545: improved logging, the ip address of the error is printed - on the same log-line as the error. - -8 April 2014: Wouter - - Fix #574: make test fails on Ubuntu 14.04. Disabled remote-control - in testbound scripts. - - iana portlist updated. - -7 April 2014: Wouter - - C.ROOT-SERVERS.NET has an IPv6 address, and we updated the root - hints (patch from Anand Buddhdev). - - Fix #572: Fix unit test failure for systems with different - /etc/services. - -28 March 2014: Wouter - - Fix #569: do_tcp is do-tcp in unbound.conf man page. - -25 March 2014: Wouter - - Patch from Stuart Henderson to build unbound-host man from .1.in. - -24 March 2014: Wouter - - Fix print filename of encompassing config file on read failure. - -12 March 2014: Wouter - - tag 1.4.22 - - trunk has 1.4.23 in development. - -10 March 2014: Wouter - - Fix bug#561: contrib/cacti plugin did not report SERVFAIL rcodes - because of spelling. Patch from Chris Coates. - -27 February 2014: Wouter - - tag 1.4.22rc1 - -21 February 2014: Wouter - - iana portlist updated. - -20 February 2014: Matthijs - - Be lenient when a NSEC NameError response with RCODE=NXDOMAIN is - received. This is okay according 4035, but not after revising - existence in 4592. NSEC empty non-terminals exist and thus the - RCODE should have been NOERROR. 
If this occurs, and the RRsets - are secure, we set the RCODE to NOERROR and the security status - of the response is also considered secure. - -14 February 2014: Wouter - - Works on Minix (3.2.1). - -11 February 2014: Wouter - - Fix parse of #553(NSD) string in sldns, quotes without spaces. - -7 February 2014: Wouter - - iana portlist updated. - - add body to ifstatement if locks disabled. - - add TXT string"string" test case to unit test. - - Fix #551: License change "Regents" to "Copyright holder", matching - the BSD license on opensource.org. - -6 February 2014: Wouter - - sldns has type HIP. - - code documentation on the module interface. - -5 February 2014: Wouter - - Fix sldns parse tests on osx. - -3 February 2014: Wouter - - Detect libevent2 install automatically by configure. - - Fixup link with lib/event2 subdir. - - Fix parse in sldns of quoted parenthesized text strings. - -31 January 2014: Wouter - - unit test for ldns wire to str and back with zones, root, nlnetlabs - and types.sidnlabs. - - Fix for hex to string in unknown, atma and nsap. - - fixup nss compile (no ldns in it). - - fixup warning in unitldns - - fixup WKS and rdata type service to print unsigned because strings - are not portable; they cannot be read (for sure) on other computers. - - fixup type EUI48 and EUI64, type APL and type IPSECKEY in string - parse sldns. - -30 January 2014: Wouter - - delay-close does not act if there are udp-wait queries, so that - it does not make a socketdrain DoS easier. - -28 January 2014: Wouter - - iana portlist updated. - - iana portlist test updated so it does not touch the source - if there are no changes. - - delay-close: msec option that delays closing ports for which - the UDP reply has timed out. Keeps the port open, only accepts - the correct reply. This correct reply is not used, but the port - is open so that no port-denied ICMPs are generated. - -27 January 2014: Wouter - - reuseport is attempted, then fallback to without on failure. 
- -24 January 2014: Wouter - - Change unbound-event.h to use void* buffer, length idiom. - - iana portlist updated. - - unbound-event.h is installed if you configure --enable-event-api. - - speed up unbound (reports say it could be up to 10%), by reducing - lock contention on localzones.lock. It is changed to an rwlock. - - so-reuseport: yesno option to distribute queries evenly over - threads on Linux (Thanks Robert Edmonds). - - made lint clean. - -21 January 2014: Wouter - - Fix #547: no trustanchor written if filesystem full, fclose checked. - -17 January 2014: Wouter - - Fix isprint() portability in sldns, uses unsigned int. - - iana portlist updated. - -16 January 2014: Wouter - - fix #544: Fixed +i causes segfault when running with module conf - "iterator". - - Windows port, adjust %lld to %I64d, and warning in win_event.c. - -14 January 2014: Wouter - - iana portlist updated. - -5 Dec 2013: Wouter - - Fix bug in cachedump that uses sldns. - - update pythonmod for ldns_ to sldns_ name change. - -3 Dec 2013: Wouter - - Fix sldns to use sldns_ prefix for all ldns_ variables. - - Fix windows compile to compile with sldns. - -30 Nov 2013: Wouter - - Fix sldns to make globals use sldns_ prefix. This fixes - linking with libldns that uses global variables ldns_ . - -13 Nov 2013: Wouter - - Fix bug#537: compile python plugin without ldns library. - -12 Nov 2013: Wouter - - Fix bug#536: acl_deny_non_local and refuse_non_local added. - -5 Nov 2013: Wouter - - Patch from Neel Goyal to fix async id assignment if callback - is called by libunbound in the mesh attach. - - Accept ip-address: as an alternative for interface: for - consistency with nsd.conf syntax. - -4 Nov 2013: Wouter - - Patch from Neel Goyal to fix callback in libunbound. - -3 Nov 2013: Wouter - - if configured --with-libunbound-only fix make install. 
- -31 Oct 2013: Wouter - - Fix #531: Set SO_REUSEADDR so that the wildcard interface and a - more specific interface port 53 can be used at the same time, and - one of the daemons is unbound. - - iana portlist update. - - separate ldns into core ldns inside ldns/ subdirectory. No more - --with-ldns is needed and unbound does not rely on libldns. - - portability fixes for new USE_SLDNS ldns subdir codebase. - -22 Oct 2013: Wouter - - Patch from Neel Goyal: Add an API call to set an event base on an - existing ub_ctx. This basically just destroys the current worker and - sets the event base to the current. And fix a deadlock in - ub_resolve_event – the cfglock is held when libworker_create is - called. This ends up trying to acquire the lock again in - context_obtain_alloc in the call chain. - - Fix #528: if very high logging (4 or more) segfault on allow_snoop. - -26 Sep 2013: Wouter - - unbound-event.h is installed if configured --with-libevent. It - contains low-level library calls, that use libevent's event_base - and an ldns_buffer for the wire return packet to perform async - resolution in the client's eventloop. - -19 Sep 2013: Wouter - - 1.4.21 tag created. - - trunk has 1.4.22 number inside it. - - iana portlist updated. - - acx_nlnetlabs.m4 to 26; improve FLTO help text. - -16 Sep 2013: Wouter - - Fix#524: max-udp-size not effective to non-EDNS0 queries, from - Daisuke HIGASHI. - -10 Sep 2013: Wouter - - MIN_TTL and MAX_TTL also in time_t. - - tag 1.4.21rc1 made again. - -26 Aug 2013: Wouter - - More fixes for bug#519: for the threaded case test if the bg - thread has been killed, on ub_ctx_delete, to avoid hangs. - -22 Aug 2013: Wouter - - more fixes that I overlooked. - - review fixes from Willem. - -21 Aug 2013: Wouter - - Fix#520: Errors found by static analysis from Tomas Hozza(redhat). - -20 Aug 2013: Wouter - - Fix for 2038, with time_t instead of uint32_t. - -19 Aug 2013: Wouter - - Fix#519 ub_ctx_delete may hang in some scenarios (libunbound). 
- -14 Aug 2013: Wouter - - Fix uninit variable in fix#516. - -8 Aug 2013: Wouter - - Fix#516 dnssec lameness detection for answers that are improper. - -30 Jun 2013: Wouter - - tag 1.4.21rc1 - -29 Jun 2013: Wouter - - Fix#512 memleak in testcode for testbound (if it fails). - - Fix#512 NSS returned arrays out of setup function to be statics. - -26 Jun 2013: Wouter - - max include of 100.000 files (depth and globbed at one time). - This is to preserve system memory in bug cases, or endless cases. - - iana portlist updated. - -19 Jun 2013: Wouter - - streamtcp man page, contributed by Tomas Hozza. - - iana portlist updated. - - libunbound documentation on how to avoid openssl race conditions. - -25 Jun 2013: Wouter - - Squelch sendto-permission denied errors when the network is - not connected, to avoid spamming syslog. - - configure --disable-flto option (from Robert Edmonds). - -18 Jun 2013: Wouter - - Fix for const string literals in C++ for libunbound, from Karel - Slany. - - iana portlist updated. - -17 Jun 2013: Wouter - - Fixup manpage syntax. - -14 Jun 2013: Wouter - - get_option and set_option support for log-time-ascii, python-script - val-sig-skew-min and val-sig-skew-max. log-time-ascii takes effect - immediately. The others are mostly useful for libunbound users. - -13 Jun 2013: Wouter - - get_option, set_option, unbound-checkconf -o and libunbound - getoption and setoption support cache-min-ttl and cache-max-ttl. - -10 Jun 2013: Wouter - - Fix#501: forward-first does not recurse, when forward name is ".". - - iana portlist update. - - Max include depth is unlimited. - -27 May 2013: Wouter - - Update acx_pthreads.m4 to ax_pthreads.4 (2013-03-29), and apply - patch to it to not fail when -Werror is also specified, from the - autoconf-archives. - - iana portlist update. - -21 May 2013: Wouter - - Explain bogus and secure flags in libunbound more. - -16 May 2013: Wouter - - Fix#499 use-after-free in out-of-memory handling code (thanks Jake - Montgomery). 
- - Fix#500 use on non-initialised values on socket bind failures. - -15 May 2013: Wouter - - Fix round-robin doesn't work with some Windows clients (from Ilya - Bakulin). - -3 May 2013: Wouter - - update acx_nlnetlabs.m4 to v23, sleep w32 fix. - -26 April 2013: Wouter - - add unbound-control insecure_add and insecure_remove for the - administration of negative trust anchors. - -25 April 2013: Wouter - - Implement max-udp-size config option, default 4096 (thanks - Daisuke Higashi). - - Robust checks on dname validity from rdata for dname compare. - - updated iana portlist. - -19 April 2013: Wouter - - Fixup snprintf return value usage, fixed libunbound_get_option. - -18 April 2013: Wouter - - fix bug #491: pick program name (0th argument) as syslog identity. - - own implementation of compat/snprintf.c. - -15 April 2013: Wouter - - Fix so that for a configuration line of include: "*.conf" it is not - an error if there are no files matching the glob pattern. - - unbound-anchor review: BIO_write can return 0 successfully if it - has successfully appended a zero length string. - -11 April 2013: Wouter - - Fix queries leaking up for stubs and forwards, if the configured - nameservers all fail to answer. - -10 April 2013: Wouter - - code improve for minimal responses, small speed increase. - -9 April 2013: Wouter - - updated iana portlist. - - Fix crash in previous private address fixup of 22 March. - -28 March 2013: Wouter - - Make reverse zones easier by documenting the nodefault statements - commented-out in the example config file. - -26 March 2013: Wouter - - more fixes to lookup3.c endianness detection. - -25 March 2013: Wouter - - #492: Fix endianness detection, revert to older lookup3.c detection - and put new detect lines after previous tests, to avoid regressions - but allow new detections to succeed. - And add detection for machine/endian.h to it. - -22 March 2013: Wouter - - Fix resolve of names that use a mix of public and private addresses. 
- - iana portlist update. - - Fix makedist for new svn for -d option. - - unbound.h header file has UNBOUND_VERSION_MAJOR define. - - Fix windows RSRC version for long version numbers. - -21 March 2013: Wouter - - release 1.4.20 - - trunk has 1.4.21 - - committed libunbound version 4:1:2 for binary API updated in 1.4.20 - - install copy of unbound-control.8 man page for unbound-control-setup - -14 March 2013: Wouter - - iana portlist update. - - tag 1.4.20rc1 - -12 March 2013: Wouter - - Fixup makedist.sh for windows compile. - -11 March 2013: Wouter - - iana portlist update. - - testcode/ldns-testpkts.c check for makedist is informational. - -15 February 2013: Wouter - - fix defines in lookup3 for bigendian bsd alpha - -11 February 2013: Wouter - - Fixup openssl_thread init code to only run if compiled with SSL. - -7 February 2013: Wouter - - detect endianness in lookup3 on BSD. - - add libunbound.ttl at end of result structure, version bump for - libunbound and binary backwards compatible, but 1.4.19 is not - forward compatible with 1.4.20. - - update iana port list. - -30 January 2013: Wouter - - includes and have_ssl fixes for nss. - -29 January 2013: Wouter - - printout name of zone with duplicate fwd and hint errors. - -28 January 2013: Wouter - - updated fwd_zero for newer nc. Updated common.sh for newer netstat. - -17 January 2013: Wouter - - unbound-anchors checks the emailAddress of the signer of the - root.xml file, default is dnssec@iana.org. It also checks that - the signer has the correct key usage for a digital signature. - - update iana port list. - -3 January 2013: Wouter - - Test that unbound-control checks client credentials. - - Test that unbound can handle a CNAME at an intermediate node in - the chain of trust (where it seeks a DS record). - - Check the commonName of the signer of the root.xml file in - unbound-anchor, default is dnssec@iana.org. - -2 January 2013: Wouter - - Fix openssl lock free on exit (reported by Robert Fleischman). 
- - iana portlist updated. - - Tested that unbound implements the RFC5155 Technical Errata id 3441. - Unbound already implements insecure classification of an empty - nonterminal in NSEC3 optout zone. - -20 December 2012: Wouter - - Fix unbound-anchor xml parse of entity declarations for safety. - -19 December 2012: Wouter - - iana portlist updated. - -18 December 2012: Wouter - - iana portlist updated. - -14 December 2012: Wouter - - Change of D.ROOT-SERVERS.NET A address in default root hints. - -12 December 2012: Wouter - - 1.4.19 release. - - trunk has 1.4.20 under development. - -5 December 2012: Wouter - - note support for AAAA RR type RFC. - -4 December 2012: Wouter - - 1.4.19rc1 tag. - -30 November 2012: Wouter - - bug 481: fix python example0. - - iana portlist updated. - -27 November 2012: Wouter - - iana portlist updated. - -9 November 2012: Wouter - - Fix unbound-control forward disables configured stubs below it. - -7 November 2012: Wouter - - Fixup ldns-testpkts, identical to ldns/examples. - - iana portlist updated. - -30 October 2012: Wouter - - Fix bug #477: unbound-anchor segfaults if EDNS is blocked. - -29 October 2012: Matthijs - - Fix validation for responses with both CNAME and wildcard - expanded CNAME records in answer section. - -8 October 2012: Wouter - - update ldns-testpkts.c to ldns 1.6.14 version. - - fix build of pythonmod in objdir, for unbound.py. - - make clean and makerealclean remove generated python and docs. - -5 October 2012: Wouter - - fix build of pythonmod in objdir (thanks Jakob Schlyter). - -3 October 2012: Wouter - - fix text in unbound-anchor man page. - -1 October 2012: Wouter - - ignore trusted-keys globs that have no files (from Paul Wouters). - -27 September 2012: Wouter - - include: directive in config file accepts wildcards. Patch from - Paul Wouters. Suggested use: include: "/etc/unbound.d/conf.d/*" - - unbound-control -q option is quiet, patch from Mariano Absatz. - - iana portlist updated. 
- - updated contrib/unbound.spec, patch from Valentin Bud. - -21 September 2012: Wouter - - chdir to / after chroot call (suggested by Camiel Dobbelaar). - -17 September 2012: Wouter - - patch_rsamd5_enable.diff: this patch enables RSAMD5 validation - otherwise it is treated as insecure. The RSAMD5 algorithm is - deprecated (RFC6725). The MD5 hash is considered weak for some - purposes, if you want to sign your zone, then RSASHA256 is an - uncontested hash. - -30 August 2012: Wouter - - RFC6725 deprecates RSAMD5: this DNSKEY algorithm is disabled. - - iana portlist updated. - -29 August 2012: Wouter - - Nicer comments outgoing-port-avoid, thanks Stu (bug #465). - -22 August 2012: Wouter - - Fallback to 1472 and 1232, one fragment size without headers. - -21 August 2012: Wouter - - Fix timeouts so that when a server has been offline for a while - and is probed to see it works, it becomes fully available for - server selection again. - -17 August 2012: Wouter - - Add documentation to libunbound for default nonuse of resolv.conf. - -2 August 2012: Wouter - - trunk has 1.4.19 under development (fixes from 1 aug and 31 july - are for 1.4.19). - - iana portlist updated. - -1 August 2012: Wouter - - Fix openssl race condition, initializes openssl locks, reported - by Einar Lonn and Patrik Wallstrom. - -31 July 2012: Wouter - - Improved forward-first and stub-first documentation. - - Fix that enables modules to register twice for the same - serviced_query, without race conditions or administration issues. - This should not happen with the current codebase, but it is robust. - - Fix forward-first option where it sets the RD flag wrongly. - - added manpage links for libunbound calls (Thanks Paul Wouters). - -30 July 2012: Wouter - - tag 1.4.18rc2 (became 1.4.18 release at 2 august 2012). - -27 July 2012: Wouter - - unbound-host works with libNSS - - fix bogus nodata cname chain not reported as bogus by validator, - (Thanks Peter van Dijk). 
- -26 July 2012: Wouter - - iana portlist updated. - - tag 1.4.18rc1. - -25 July 2012: Wouter - - review fix for libnss, check hash prefix allocation size. - -23 July 2012: Wouter - - fix missing break for GOST DS hash function. - - implemented forward_first for the root. - -20 July 2012: Wouter - - Fix bug#452 and another assertion failure in mesh.c, makes - assertions in mesh.c resist duplicates. Fixes DS NS search to - not generate duplicate sub queries. - -19 July 2012: Willem - - Fix bug#454: Remove ACX_CHECK_COMPILER_FLAG from configure.ac, - if CFLAGS is specified at configure time then '-g -O2' is not - appended to CFLAGS, so that the user can override them. - -18 July 2012: Willem - - Fix libunbound report of errors when in background mode. - -11 July 2012: Willem - - updated iana ports list. - -9 July 2012: Willem - - Add flush_bogus option for unbound-control - -6 July 2012: Wouter - - Fix validation of qtype DS queries that result in no data for - non-optout NSEC3 zones. - -4 July 2012: Wouter - - compile libunbound with libnss on Suse, passes regression tests. - -3 July 2012: Wouter - - FIPS_mode openssl does not use arc4random but RAND_pseudo_bytes. - -2 July 2012: Wouter - - updated iana ports list. - -29 June 2012: Wouter - - patch for unbound_munin_ script to handle arbitrary thread count by - Sven Ulland. - -28 June 2012: Wouter - - detect if openssl has FIPS_mode. - - code review: return value of cache_store can be ignored for better - performance in out of memory conditions. - - fix edns-buffer-size and msg-buffer-size manpage documentation. - - updated iana ports list. - -25 June 2012: Wouter - - disable RSAMD5 if in FIPS mode (for openssl and for libnss). - -22 June 2012: Wouter - - implement DS records, NSEC3 and ECDSA for compile with libnss. - -21 June 2012: Wouter - - fix error handling of alloc failure during rrsig verification. - - nss check for verification failure. - - nss crypto works for RSA and DSA. 
- -20 June 2012: Wouter - - work on --with-nss build option (for now, --with-libunbound-only). - -19 June 2012: Wouter - - --with-libunbound-only build option, only builds the library and - not the daemon and other tools. - -18 June 2012: Wouter - - code review. - -15 June 2012: Wouter - - implement log-time-ascii on windows. - - The key-cache bad key ttl is now 60 seconds. - - updated iana ports list. - - code review. - -11 June 2012: Wouter - - bug #452: fix crash on assert in mesh_state_attachment. - -30 May 2012: Wouter - - silence warning from swig-generated code (md set but not used in - swig initmodule, due to ifdefs in swig-generated code). - -27 May 2012: Wouter - - Fix debian-bugs-658021: Please enable hardened build flags. - -25 May 2012: Wouter - - updated iana ports list. - -24 May 2012: Wouter - - tag for 1.4.17 release. - - trunk is 1.4.18 in development. - -18 May 2012: Wouter - - Review comments, removed duplicate memset to zero in delegpt. - -16 May 2012: Wouter - - Updated doc/FEATURES with RFCs that are implemented but not listed. - - Protect if statements in val_anchor for compile without locks. - - tag for 1.4.17rc1. - -15 May 2012: Wouter - - fix configure ECDSA support in ldns detection for windows compile. - - fix possible uninitialised variable in windows pipe implementation. - -9 May 2012: Wouter - - Fix alignment problem in util/random on sparc64/freebsd. - -8 May 2012: Wouter - - Fix for accept spinning reported by OpenBSD. - - iana portlist updated. - -2 May 2012: Wouter - - Fix validation of nodata for DS query in NSEC zones, reported by - Ondrej Mikle. - -13 April 2012: Wouter - - ECDSA support (RFC 6605) by default. Use --disable-ecdsa for older - openssl. - -10 April 2012: Wouter - - Applied patch from Daisuke HIGASHI for rrset-roundrobin and - minimal-responses features. - - iana portlist updated. - -5 April 2012: Wouter - - fix bug #443: --with-chroot-dir not honoured by configure. 
- - fix bug #444: setusercontext was called too late (thanks Bjorn - Ketelaars). - -27 March 2012: Wouter - - fix bug #442: Fix that Makefile depends on pythonmod headers - even using --without-pythonmodule. - -22 March 2012: Wouter - - contrib/validation-reporter follows rotated log file (patch from - Augie Schwer). - -21 March 2012: Wouter - - new approach to NS fetches for DS lookup that works with - cornercases, and is more robust and considers forwarders. - -19 March 2012: Wouter - - iana portlist updated. - - fix to locate nameservers for DS lookup with NS fetches. - -16 March 2012: Wouter - - Patch for access to full DNS packet data in unbound python module - from Ondrej Mikle. - -9 March 2012: Wouter - - Applied line-buffer patch from Augie Schwer to validation.reporter.sh. - -2 March 2012: Wouter - - flush_infra cleans timeouted servers from the cache too. - - removed warning from --enable-ecdsa. - -1 March 2012: Wouter - - forward-first option. Tries without forward if a query fails. - Also stub-first option that is similar. - -28 February 2012: Wouter - - Fix from code review, if EINPROGRESS not defined chain if statement - differently. - -27 February 2012: Wouter - - Fix bug#434: on windows check registry for config file location - for unbound-control.exe, and unbound-checkconf.exe. - -23 February 2012: Wouter - - Fix to squelch 'network unreachable' errors from tcp connect in - logs, high verbosity will show them. - -16 February 2012: Wouter - - iter_hints is now thread-owned in module env, and thus threadsafe. - - Fix prefetch and sticky NS, now the prefetch works. It picks - nameservers that 'would be valid in the future', and if this makes - the NS timeout, it updates that NS by asking delegation from the - parent again. If child NS has longer TTL, that TTL does not get - refreshed from the lookup to the child nameserver. - -15 February 2012: Wouter - - Fix forward-zone memory, uses malloc and frees original root dp. 
- - iter hints (stubs) uses malloc inside for more dynamicity. - - unbound-control forward_add, forward_remove, stub_add, stub_remove - can modify stubs and forwards for running unbound (on mobile computer) - they can also add and remove domain-insecure for the zone. - -14 February 2012: Wouter - - Fix sticky NS (ghost domain problem) if prefetch is yes. - - iter forwards uses malloc inside for more dynamicity. - -13 February 2012: Wouter - - RT#2955. Fix for cygwin compilation. - - iana portlist updated. - -10 February 2012: Wouter - - Slightly smaller critical region in one case in infra cache. - - Fix timeouts to keep track of query type, A, AAAA and other, if - another has caused timeout blacklist, different type can still probe. - - unit test fix for nomem_cnametopos.rpl race condition. - -9 February 2012: Wouter - - Fix AHX_BROKEN_MEMCMP for autoheader mess up of #undef in config.h. - -8 February 2012: Wouter - - implement draft-ietf-dnsext-ecdsa-04; which is in IETF LC; This - implementation is experimental at this time and not recommended - for use on the public internet (the protocol numbers have not - been assigned). Needs recent ldns with --enable-ecdsa. - - fix memory leak in errorcase for DSA signatures. - - iana portlist updated. - - workaround for openssl 0.9.8 ecdsa sha2 and evp problem. - -3 February 2012: Wouter - - fix for windows, rename() is not posix compliant on windows. - -2 February 2012: Wouter - - 1.4.16 release tag. - - svn trunk is 1.4.17 in development. - - iana portlist updated. - -1 February 2012: Wouter - - Fix validation failures (like: validation failure xx: no NSEC3 - closest encloser from yy for DS zz. while building chain of trust, - because of a bug in the TTL-fix in 1.4.15, it picked the wrong rdata - for an NSEC3. Now it does not change rdata, and fixes TTL. - -30 January 2012: Wouter - - Fix version-number in libtool to be version-info so it produces - libunbound.so.2 like it should. 
- -26 January 2012: Wouter - - Tag 1.4.15 (same as 1.4.15rc1), for 1.4.15 release. - - trunk 1.4.16; includes changes memset testcode, #424 openindiana, - and keyfile write fixup. - - applied patch to support outgoing-interface with ub_ctx_set_option. - -23 January 2012: Wouter - - Fix memset in test code. - -20 January 2012: Wouter - - Fix bug #424: compile on OpenIndiana OS with gcc 4.6.2. - -19 January 2012: Wouter - - Fix to write key files completely to a temporary file, and if that - succeeds, replace the real key file. So failures leave a useful file. - -18 January 2012: Wouter - - tag 1.4.15rc1 created - - updated libunbound/ubsyms.def and remade tag 1.4.15rc1. - -17 January 2012: Wouter - - Fix bug where canonical_compare of RRSIG did not downcase the - signer-name. This is mostly harmless because RRSIGs do not have - to be sorted in canonical order, usually. - -12 January 2012: Wouter - - bug#428: add ub_version() call to libunbound. API version increase, - with (binary) backwards compatibility for the previous version. - -10 January 2012: Wouter - - Fix bug #425: unbound reports wrong TTL in reply, it reports a TTL - that would be permissible by the RFCs but it is not the TTL in the - cache. - - iana portlist updated. - - uninitialised variable in reprobe for rtt blocked domains fixed. - - lintfix and new flex output. - -2 January 2012: Wouter - - Fix to randomize hash function, based on 28c3 congress, reported - by Peter van Dijk. - -24 December 2011: Wouter - - Fix for memory leak (about 20 bytes when a tcp or udp send operation - towards authority servers failed, takes about 50.000 such failures to - leak one Mb, such failures are also usually logged), reported by - Robert Fleischmann. - - iana portlist updated. 
- -19 December 2011: Wouter - - Fix for VU#209659 CVE-2011-4528: Unbound denial of service - vulnerabilities from nonstandard redirection and denial of existence - http://www.unbound.net/downloads/CVE-2011-4528.txt - - robust checks for next-closer NSEC3s. - - tag 1.4.14 created. - - trunk has 1.4.15 in development. - -15 December 2011: Wouter - - remove uninit warning from cachedump code. - - Fix parse error on negative SOA RRSIGs if badly ordered in the packet. - -13 December 2011: Wouter - - iana portlist updated. - - svn tag 1.4.14rc1 - - fix infra cache comparison. - - Fix to constrain signer_name to be a parent of the lookupname. - -5 December 2011: Wouter - - Fix getaddrinfowithincludes on windows with fedora16 mingw32-gcc. - - Fix warnings with gcc 4.6 in compat/inet_ntop.c. - - Fix warning unused in compat/strptime.c. - - Fix malloc detection and double definition. - -2 December 2011: Wouter - - configure generated with autoconf 2.68. - -30 November 2011: Wouter - - Fix for tcp-upstream and ssl-upstream for if a laptop sleeps, causes - SERVFAILs. Also fixed for UDP (but less likely). - -28 November 2011: Wouter - - Fix quartile time estimate, it was too low, (thanks Jan Komissar). - - iana ports updated. - -11 November 2011: Wouter - - Makefile compat with SunOS make, BSD make and GNU make. - - iana ports updated. - -10 November 2011: Wouter - - Makefile changed for BSD make compatibility. - -9 November 2011: Wouter - - added unit test for SSL service and SSL-upstream. - -8 November 2011: Wouter - - can configure ssl service to one port number, and not on others. - - fixup windows compile with ssl support. - - Fix double free in unbound-host, reported by Steve Grubb. - - iana portlist updated. - -1 November 2011: Wouter - - dns over ssl support as a client, ssl-upstream yes turns it on. - It performs an SSL transaction for every DNS query (250 msec). - - documentation for new options: ssl-upstream, ssl-service-key and - ssl-service.pem. 
- - iana portlist updated. - - fix -flto detection on Lion for llvm-gcc. - -31 October 2011: Wouter - - dns over ssl support, ssl-service-pem and ssl-service-key files - can be given and then TCP queries are serviced wrapped in SSL. - -27 October 2011: Wouter - - lame-ttl and lame-size options no longer exist, it is integrated - with the host info. They are ignored (with verbose warning) if - encountered to keep the config file backwards compatible. - - fix iana-update for changing gzip compression of results. - - fix export-all-symbols on OSX. - -26 October 2011: Wouter - - iana portlist updated. - - Infra cache stores information about ping and lameness per IP, zone. - This fixes bug #416. - - fix iana_update target for gzipped file on iana site. - -24 October 2011: Wouter - - Fix resolve of partners.extranet.microsoft.com with a fix for the - server selection for choosing out of a (particular) list of bad - choices. (bug#415) - - Fix make_new_space function so that the incoming query is not - overwritten if a jostled out query causes a waiting query to be - resumed that then fails and sends an error message. (Thanks to - Matthew Lee). - -21 October 2011: Wouter - - fix --enable-allsymbols, fptr wlist is disabled on windows with this - option enabled because of memory layout exe vs dll. - -19 October 2011: Wouter - - fix unbound-anchor for broken strptime on OSX lion, detected - in configure. - - Detect if GOST really works, openssl1.0 on OSX fails. - - Implement ipv6%interface notation for scope_id usage. - -17 October 2011: Wouter - - better documentation for inform_super (Thanks Yang Zhe). - -14 October 2011: Wouter - - Fix for out-of-memory condition in libunbound (thanks - Robert Fleischman). - -13 October 2011: Wouter - - Fix --enable-allsymbols, it depended on link specifics of the - target platform, or fptr_wlist assertion failures could occur. 
- -12 October 2011: Wouter - - updated contrib/unbound_munin_ to family=auto so that it works with - munin-node-configure automatically (if installed as - /usr/local/share/munin/plugins/unbound_munin_ ). - -27 September 2011: Wouter - - unbound.exe -w windows option for start and stop service. - -23 September 2011: Wouter - - TCP-upstream calculates tcp-ping so server selection works if there - are alternatives. - -20 September 2011: Wouter - - Fix classification of NS set in answer section, where there is a - parent-child server, and the answer has the AA flag for dir.slb.com. - Thanks to Amanda Constant from Secure64. - -16 September 2011: Wouter - - fix bug #408: accept patch from Steve Snyder that comments out - unused functions in lookup3.c. - - iana portlist updated. - - fix EDNS1480 change memleak and TCP fallback. - - fix various compiler warnings (reported by Paul Wouters). - - max sent count. EDNS1480 only for rtt < 5000. No promiscuous - fetch if sentcount > 3, stop query if sentcount > 16. Count is - reset when referral or CNAME happens. This makes unbound better - at managing large NS sets, they are explored when there is continued - interest (in the form of queries). - -15 September 2011: Wouter - - release 1.4.13. - - trunk contains 1.4.14 in development. - - Unbound probes at EDNS1480 if there an EDNS0 timeout. - -12 September 2011: Wouter - - Reverted dns EDNS backoff fix, it did not help and needs - fragmentation fixes instead. - - tag 1.4.13rc2 - -7 September 2011: Wouter - - Fix operation in ipv6 only (do-ip4: no) mode. - -6 September 2011: Wouter - - fedora specfile updated. - -5 September 2011: Wouter - - tag 1.4.13rc1 - -2 September 2011: Wouter - - iana portlist updated. - -26 August 2011: Wouter - - Fix num-threads 0 does not segfault, reported by Simon Deziel. 
- - Fix validation failures due to EDNS backoff retries, the retry - for fetch of data has want_dnssec because the iter_indicate_dnssec - function returns true when validation failure retry happens, and - then the serviced query code does not fallback to noEDNS, even if - the cache says it has this. This helps for DLV deployment when - the DNSSEC status is not known for sure before the lookup concludes. - -24 August 2011: Wouter - - Applied patch from Karel Slany that fixes a memory leak in the - unbound python module, in string conversions. - -22 August 2011: Wouter - - Fix validation of qtype ANY responses with CNAMEs (thanks Cathy - Zhang and Luo Ce). Unbound responds with the RR types that are - available at the name for qtype ANY and validates those RR types. - It does not test for completeness (i.e. with NSEC or NSEC3 query), - and it does not follow the CNAME or DNAME to another name (with - even more data for the already large response). - - Fix that internally, CNAMEs with NXDOMAIN have that as rcode. - - Documented the options that work with control set_option command. - - tcp-upstream yes/no option (works with set_option) for tunnels. - -18 August 2011: Wouter - - fix autoconf call in makedist crosscompile to RC or snapshot. - -17 August 2011: Wouter - - Fix validation of . DS query. - - new xml format at IANA, new awk for iana_update. - - iana portlist updated. - -10 August 2011: Wouter - - Fix python site-packages path to /usr/lib64. - - updated patch from Tom. - - fix memory and fd leak after out-of-memory condition. - -9 August 2011: Wouter - - patch from Tom Hendrikx fixes load of python modules. - -8 August 2011: Wouter - - make clean had ldns-src reference, removed. - -1 August 2011: Wouter - - Fix autoconf 2.68 warnings - -14 July 2011: Wouter - - Unbound implements RFC6303 (since version 1.4.7). - - tag 1.4.12rc1 is released as 1.4.12 (without the other fixes in the - meantime, those are for 1.4.13). - - iana portlist updated. 
- -13 July 2011: Wouter - - Quick fix for contrib/unbound.spec example, no ldns-builtin any more. - -11 July 2011: Wouter - - Fix wildcard expansion no-data reply under an optout NSEC3 zone is - validated as insecure, reported by Jia Li (lijia@cnnic.cn). - -4 July 2011: Wouter - - 1.4.12rc1 tag created. - -1 July 2011: Wouter - - version number in example config file. - - fix that --enable-static-exe does not complain about it unknown. - -30 June 2011: Wouter - - tag relase 1.4.11, trunk is 1.4.12 development. - - iana portlist updated. - - fix bug#395: id bits of other query may leak out under conditions - - fix replyaddr count wrong after jostled queries, which leads to - eventual starvation where the daemon has no replyaddrs left to use. - - fix comment about rndc port, that referred to the old port number. - - fix that the listening socket is not closed when too many remote - control connections are made at the same time. - - removed ldns-src tarball inside the unbound tarball. - -23 June 2011: Wouter - - Changed -flto check to support clang compiler. - - tag 1.4.11rc3 created. - -17 June 2011: Wouter - - tag 1.4.11rc1 created. - - remove warning about signed/unsigned from flex (other flex version). - - updated aclocal.m4 and libtool to match. - - tag 1.4.11rc2 created. - -16 June 2011: Wouter - - log-queries: yesno option, default is no, prints querylog. - - version is 1.4.11. - -14 June 2011: Wouter - - Use -flto compiler flag for link time optimization, if supported. - - iana portlist updated. - -12 June 2011: Wouter - - IPv6 service address for d.root-servers.net (2001:500:2D::D). - -10 June 2011: Wouter - - unbound-control has version number in the header, - UBCT[version]_space_ is the header sent by the client now. - - Unbound control port number is registered with IANA: - ub-dns-control 8953/tcp unbound dns nameserver control - This is the new default for the control-port config setting. 
- - statistics-interval prints the number of jostled queries to log. - -30 May 2011: Wouter - - Fix Makefile for U in environment, since wrong U is more common than - deansification necessity. - - iana portlist updated. - - updated ldns tarball to 1.6.10rc2 snapshot of today. - -25 May 2011: Wouter - - Fix assertion failure when unbound generates an empty error reply - in response to a query, CVE-2011-1922 VU#531342. - - This fix is in tag 1.4.10. - - defense in depth against the above bug, an error is printed to log - instead of an assertion failure. - -10 May 2011: Wouter - - bug#386: --enable-allsymbols option links all binaries to libunbound - and reduces install size significantly. - - feature, ignore-cd-flag: yesno to provide dnssec to legacy servers. - - iana portlist updated. - - Fix TTL of SOA so negative TTL is separately cached from normal TTL. - -14 April 2011: Wouter - - configure created with newer autoconf 2.66. - -12 April 2011: Wouter - - bug#378: Fix that configure checks for ldns_get_random presence. - -8 April 2011: Wouter - - iana portlist updated. - - queries with CD flag set cause DNSSEC validation, but the answer is - not withheld if it is bogus. Thus, unbound will retry if it is bad - and curb the TTL if it is bad, thus protecting the cache for use by - downstream validators. - - val-override-date: -1 ignores dates entirely, for NTP usage. - -29 March 2011: Wouter - - harden-below-nxdomain: changed so that it activates when the - cached nxdomain is dnssec secure. This avoids backwards - incompatibility because those old servers do not have dnssec. - -24 March 2011: Wouter - - iana portlist updated. - - release 1.4.9. - - trunk is 1.5.0 - -17 March 2011: Wouter - - bug#370: new unbound.spec for CentOS 5.x from Harold Jones. - Applied but did not do the --disable-gost. - -10 March 2011: Wouter - - tag 1.4.9 release candidate 1 created. - -3 March 2011: Wouter - - updated ldns to today. 
- -1 March 2011: Wouter - - Fix no ADflag for NXDOMAIN in NSEC3 optout. And wildcard in optout. - - give config parse error for multiple names on a stub or forward zone. - - updated ldns tarball to 1.6.9(todays snapshot). - -24 February 2011: Wouter - - bug #361: Fix, time.elapsed variable not reset with stats_noreset. - -23 February 2011: Wouter - - iana portlist updated. - - common.sh to version 3. - -18 February 2011: Wouter - - common.sh in testdata updated to version 2. - -15 February 2011: Wouter - - Added explicit note on unbound-anchor usage: - Please note usage of unbound-anchor root anchor is at your own risk - and under the terms of our LICENSE (see that file in the source). - -11 February 2011: Wouter - - iana portlist updated. - - tpkg updated with common.sh for common functionality. - -7 February 2011: Wouter - - Added regression test for addition of a .net DS to the root, and - cache effects with different TTL for glue and DNSKEY. - - iana portlist updated. - -28 January 2011: Wouter - - Fix remove private address does not throw away entire response. - -24 January 2011: Wouter - - release 1.4.8 - -19 January 2011: Wouter - - fix bug#349: no -L/usr for ldns. - -18 January 2011: Wouter - - ldns 1.6.8 tarball included. - - release 1.4.8rc1. - -17 January 2011: Wouter - - add get and set option for harden-below-nxdomain feature. - - iana portlist updated. - -14 January 2011: Wouter - - Fix so a changed NS RRset does not get moved name stuck on old - server, for type NS the TTL is not increased. - -13 January 2011: Wouter - - Fix prefetch so it does not get stuck on old server for moved names. - -12 January 2011: Wouter - - iana portlist updated. - -11 January 2011: Wouter - - Fix insecure CNAME sequence marked as secure, reported by Bert - Hubert. - -10 January 2011: Wouter - - faster lruhash get_mem routine. - -4 January 2011: Wouter - - bug#346: remove ITAR scripts from contrib, the service is discontinued, use the root. - - iana portlist updated. 
- -23 December 2010: Wouter - - Fix in infra cache that could cause rto larger than TOP_TIMEOUT kept. - -21 December 2010: Wouter - - algorithm compromise protection using the algorithms signalled in - the DS record. Also, trust anchors, DLV, and RFC5011 receive this, - and thus, if you have multiple algorithms in your trust-anchor-file - then it will now behave different than before. Also, 5011 rollover - for algorithms needs to be double-signature until the old algorithm - is revoked. - It is not an option, because I see no use to turn the security off. - - iana portlist updated. - -17 December 2010: Wouter - - squelch 'tcp connect: bla' in logfile, (set verbosity 2 to see them). - - fix validation in this case: CNAME to nodata for co-hosted opt-in - NSEC3 insecure delegation, was bogus, fixed to be insecure. - -16 December 2010: Wouter - - Fix our 'BDS' license (typo reported by Xavier Belanger). - -10 December 2010: Wouter - - iana portlist updated. - - review changes for unbound-anchor. - -2 December 2010: Wouter - - feature typetransparent localzone, does not block other RR types. - -1 December 2010: Wouter - - Fix bug#338: print address when socket creation fails. - -30 November 2010: Wouter - - Fix storage of EDNS failures in the infra cache. - - iana portlist updated. - -18 November 2010: Wouter - - harden-below-nxdomain option, default off (because very old - software may be incompatible). We could enable it by default in - the future. - -17 November 2010: Wouter - - implement draft-vixie-dnsext-resimprove-00, we stop on NXDOMAIN. - - make test output nicer. - -15 November 2010: Wouter - - silence 'tcp connect: broken pipe' and 'net down' at low verbosity. - - iana portlist updated. - - so-sndbuf option for very busy servers, a bit like so-rcvbuf. - -9 November 2010: Wouter - - unbound-anchor compiles with openssl 0.9.7. - -8 November 2010: Wouter - - release tag 1.4.7. - - trunk is version 1.4.8. 
- - Be lenient and accept imgw.pl malformed packet (like BIND). - -5 November 2010: Wouter - - do not synthesize a CNAME message from cache for qtype DS. - -4 November 2010: Wouter - - Use central entropy to seed threads. - -3 November 2010: Wouter - - Change the rtt used to probe EDNS-timeout hosts to 1000 msec. - -2 November 2010: Wouter - - tag 1.4.7rc1. - - code review. - -1 November 2010: Wouter - - GOST code enabled by default (RFC 5933). - -27 October 2010: Wouter - - Fix uninit value in dump_infra print. - - Fix validation failure for parent and child on same server with an - insecure childzone and a CNAME from parent to child. - - Configure detects libev-4.00. - -26 October 2010: Wouter - - dump_infra and flush_infra commands for unbound-control. - - no timeout backoff if meanwhile a query succeeded. - - Change of timeout code. No more lost and backoff in blockage. - At 12sec timeout (and at least 2x lost before) one probe per IP - is allowed only. At 120sec, the IP is blocked. After 15min, a - 120sec entry has a single retry packet. - -25 October 2010: Wouter - - Configure errors if ldns is not found. - -22 October 2010: Wouter - - Windows 7 fix for the installer. - -21 October 2010: Wouter - - Fix bug where fallback_tcp causes wrong roundtrip and edns - observation to be noted in cache. Fix bug where EDNSprobe halted - exponential backoff if EDNS status unknown. - - new unresponsive host method, exponentially increasing block backoff. - - iana portlist updated. - -20 October 2010: Wouter - - interface automatic works for some people with ip6 disabled. - Therefore the error check is removed, so they can use the option. - -19 October 2010: Wouter - - Fix for request list growth, if a server has long timeout but the - lost counter is low, then its effective rtt is the one without - exponential backoff applied. Because the backoff is not working. 
- The lost counter can then increase and the server is blacklisted, - or the lost counter does not increase and the server is working - for some queries. - -18 October 2010: Wouter - - iana portlist updated. - -13 October 2010: Wouter - - Fix TCP so it uses a random outgoing-interface. - - unbound-anchor handles ADDPEND keystate. - -11 October 2010: Wouter - - Fix bug when DLV below a trust-anchor that uses NSEC3 optout where - the zone has a secure delegation hosted on the same server did not - verify as secure (it was insecure by mistake). - - iana portlist updated. - - ldns tarball updated (for reading cachedumps with bad RR data). - -1 October 2010: Wouter - - test for unbound-anchor. fix for reading certs. - - Fix alloc_reg_release for longer uptime in out of memory conditions. - -28 September 2010: Wouter - - unbound-anchor working, it creates or updates a root.key file. - Use it before you start the validator (e.g. at system boot time). - -27 September 2010: Wouter - - iana portlist updated. - -24 September 2010: Wouter - - bug#329: in example.conf show correct ipv4 link-local 169.254/16. - -23 September 2010: Wouter - - unbound-anchor app, unbound requires libexpat (xml parser library). - -22 September 2010: Wouter - - compliance with draft-ietf-dnsop-default-local-zones-14, removed - reverse ipv6 orchid prefix from builtin list. - - iana portlist updated. - -17 September 2010: Wouter - - DLV has downgrade protection again, because the RFC says so. - - iana portlist updated. - -16 September 2010: Wouter - - Algorithm rollover operational reality intrudes, for trust-anchor, - 5011-store, and DLV-anchor if one key matches it's good enough. - - iana portlist updated. - - Fix reported validation error in out of memory condition. - -15 September 2010: Wouter - - Abide RFC5155 section 9.2: no AD flag for replies with NSEC3 optout. 
- -14 September 2010: Wouter - - increased mesh-max-activation from 1000 to 3000 for crazy domains - like _tcp.slb.com with 262 servers. - - iana portlist updated. - -13 September 2010: Wouter - - bug#327: Fix for cannot access stub zones until the root is primed. - -9 September 2010: Wouter - - unresponsive servers are not completely blacklisted (because of - firewalls), but also not probed all the time (because of the request - list size it generates). The probe rate is 1%. - - iana portlist updated. - -20 August 2010: Wouter - - openbsd-lint fixes: acl_list_get_mem used if debug-alloc enabled. - iterator get_mem includes priv_get_mem. delegpt nodup removed. - listen_pushback, query_info_allocqname, write_socket, send_packet, - comm_point_set_cb_arg and listen_resume removed. - -19 August 2010: Wouter - - Fix bug#321: resolution of rs.ripe.net artifacts with 0x20. - Delegpt structures checked for duplicates always. - No more nameserver lookups generated when depth is full anyway. - - example.conf notes how to do DNSSEC validation and track the root. - - iana portlist updated. - -18 August 2010: Wouter - - Fix bug#322: configure does not respect CFLAGS on Solaris. - Pass CFLAGS="-xO4 -xtarget=generic" on the configure command line - if use sun-cc, but some systems need different flags. - -16 August 2010: Wouter - - Fix acx_nlnetlabs.m4 configure output for autoconf-2.66 AS_TR_CPP - changes, uses m4_bpatsubst now. - - make test (or make check) should be more portable and run the unit - test and testbound scripts. (make longtest has special requirements). - -13 August 2010: Wouter - - More pleasant remote control command parsing. - - documentation added for return values reported by doxygen 1.7.1. - - iana portlist updated. - -9 August 2010: Wouter - - Fix name of rrset printed that failed validation. - -5 August 2010: Wouter - - Return NXDOMAIN after chain of CNAMEs ends at name-not-found. 
- -4 August 2010: Wouter - - Fix validation in case a trust anchor enters into a zone with - unsupported algorithms. - -3 August 2010: Wouter - - updated ldns tarball with bugfixes. - - release tag 1.4.6. - - trunk becomes 1.4.7 develop. - - iana portlist updated. - -22 July 2010: Wouter - - more error details on failed remote control connection. - -15 July 2010: Wouter - - rlimit adjustments for select and ulimit can happen at the same time. - -14 July 2010: Wouter - - Donation text added to README. - - Fix integer underflow in prefetch ttl creation from cache. This - fixes a potential negative prefetch ttl. - -12 July 2010: Wouter - - Changed the defaults for num-queries-per-thread/outgoing-range. - For builtin-select: 512/960, for libevent 1024/4096 and for - windows 24/48 (because of win api). This makes the ratio this way - to improve resilience under heavy load. For high performance, use - libevent and possibly higher numbers. - -10 July 2010: Wouter - - GOST enabled if SSL is recent and ldns has GOST enabled too. - - ldns tarball updated. - -9 July 2010: Wouter - - iana portlist updated. - - Fix validation of qtype DNSKEY when a key-cache entry exists but - no rr-cache entry is used (it expired or prefetch), it then goes - back up to the DS or trust-anchor to validate the DNSKEY. - -7 July 2010: Wouter - - Neat function prototypes, unshadowed local declarations. - -6 July 2010: Wouter - - failure to chown the pidfile is not fatal any more. - - testbound uses UTC timezone. - - ldns tarball updated (ports and works on Minix 3.1.7). On Minix, add - /usr/gnu/bin to PATH, use ./configure AR=/usr/gnu/bin/gar and gmake. - -5 July 2010: Wouter - - log if a server is skipped because it is on the donotquery list, - at verbosity 4, to enable diagnosis why no queries to 127.0.0.1. - - added feature to print configure date, target and options with -h. - - added feature to print event backend system details with -h. 
- - wdiff is not actually required by make test, updated requirements. - -1 July 2010: Wouter - - Fix RFC4035 compliance with 2.2 statement that the DNSKEY at apex - must be signed with all algorithms from the DS rrset at the parent. - This is now checked and becomes bogus if not. - -28 June 2010: Wouter - - Fix jostle list bug found by Vince (luoce@cnnic), it caused the qps - in overload situations to be about 5 qps for the class of shortly - serviced queries. - The capacity of the resolver is then about (numqueriesperthread / 2) - / (average time for such long queries) qps for long queries. - And about (numqueriesperthread / 2)/(jostletimeout in whole seconds) - qps for short queries, per thread. - - Fix the max number of reply-address count to be applied for duplicate - queries, and not for new query list entries. This raises the memory - usage to a max of (16+1)*numqueriesperthread reply addresses. - -25 June 2010: Wouter - - Fix handling of corner case reply from lame server, follows rfc2308. - It could lead to a nodata reply getting into the cache if the search - for a non-lame server turned up other misconfigured servers. - - unbound.h has extern "C" statement for easier include in c++. - -23 June 2010: Wouter - - iana portlist updated. - - makedist upgraded cross compile openssl option, like this: - ./makedist.sh -s -wssl openssl-1.0.0a.tar.gz -w --enable-gost - -22 June 2010: Wouter - - Unbound reports libev or libevent correctly in logs in verbose mode. - - Fix to unload gost dynamic library module for leak testing. - -18 June 2010: Wouter - - iana portlist updated. - -17 June 2010: Wouter - - Add AAAA to root hints for I.ROOT-SERVERS.NET. - -16 June 2010: Wouter - - Fix assertion failure reported by Kai Storbeck from XS4ALL, the - assertion was wrong. - - updated ldns tarball. - -15 June 2010: Wouter - - tag 1.4.5 created. - - trunk contains 1.4.6 in development. - - Fix TCPreply on systems with no writev, if just 1 byte could be sent. 
- - Fix to use one pointer less for iterator query state store_parent_NS. - - makedist crosscompile to windows uses builtin ldns not host ldns. - - Max referral count from 30 to 130, because 128 one character domains - is valid DNS. - - added documentation for the histogram printout to syslog. - -11 June 2010: Wouter - - When retry to parent the retrycount is not wiped, so failed - nameservers are not tried again. - - iana portlist updated. - -10 June 2010: Wouter - - Fix bug where a long loop could be entered, now cycle detection - has a loop-counter and maximum search amount. - -4 June 2010: Wouter - - iana portlist updated. - - 1.4.5rc1 tag created. - -3 June 2010: Wouter - - ldns tarball updated, 1.6.5. - - review comments, split dependency cycle tracking for parentside - last resort lookups for A and AAAA so there are more lookup options. - -2 June 2010: Wouter - - Fix compile warning if compiled without threads. - - updated ldns-tarball with current ldns svn (pre 1.6.5). - - GOST disabled-by-default, the algorithm number is allocated but the - RFC is still has to pass AUTH48 at the IETF. - -1 June 2010: Wouter - - Ignore Z flag in incoming messages too. - - Fix storage of negative parent glue if that last resort fails. - - libtoolize 2.2.6b, autoconf 2.65 applied to configure. - - new splint flags for newer splint install. - -31 May 2010: Wouter - - Fix AD flag handling, it could in some cases mistakenly copy the AD - flag from upstream servers. - - alloc_special_obtain out of memory is not a fatal error any more, - enabling unbound to continue longer in out of memory conditions. - - parentside names are dispreferred but not said to be dnssec-lame. - - parentside check for cached newname glue. - - fix parentside and querytargets modulestate, for dump_requestlist. - - unbound-control-setup makes keys -rw-r--- so not all users permitted. - - fix parentside from cache to be marked dispreferred for bad names. - -28 May 2010: Wouter - - iana portlist updated. 
- - parent-child disagreement approach altered. Older fixes are - removed in place of a more exhaustive search for misconfigured data - available via the parent of a delegation. - This is designed to be throttled by cache entries, with TTL from the - parent if possible. Additionally the loop-counter is used. - It also tests for NS RRset differences between parent and child. - The fetch of misconfigured data should be more reliable and thorough. - It should work reliably even with no or only partial data in cache. - Data received from the child (as always) is deemed more - authoritative than information received from the delegation parent. - The search for misconfigured data is not performed normally. - -26 May 2010: Wouter - - Contribution from Migiel de Vos (Surfnet): nagios patch for - unbound-host, in contrib/ (in the source tarball). Makes - unbound-host suitable for monitoring dnssec(-chain) status. - -21 May 2010: Wouter - - EDNS timeout code will not fire if EDNS status already known. - - EDNS failure not stored if EDNS status known to work. - -19 May 2010: Wouter - - Fix resolution for domains like safesvc.com.cn. If the iterator - can not recurse further and it finds the delegation in a state - where it would otherwise have rejected it outhand if so received - from a cache lookup, then it can try to ask higherup (with loop - protection). - - Fix comments in iter_utils:dp_is_useless. - -18 May 2010: Wouter - - Fix various compiler warnings from the clang llvm compiler. - - iana portlist updated. - -6 May 2010: Wouter - - Fix bug#308: spelling error in variable name in parser and lexer. - -4 May 2010: Wouter - - Fix dnssec-missing detection that was turned off by server selection. - - Conforms to draft-ietf-dnsop-default-local-zones-13. Added default - reverse lookup blocks for IPv4 test nets 100.51.198.in-addr.arpa, - 113.0.203.in-addr.arpa and Orchid prefix 0.1.1.0.0.2.ip6.arpa. 
- -29 April 2010: Wouter - - Fix for dnssec lameness detection to use the key cache. - - infra cache entries that are expired are wiped clean. Previously - it was possible to not expire host data (if accessed often). - -28 April 2010: Wouter - - ldns tarball updated and GOST support is detected and then enabled. - - iana portlist updated. - - Fix detection of gost support in ldns (reported by Chris Smith). - -27 April 2010: Wouter - - unbound-control get_option domain-insecure shows config file items. - - fix retry sequence if prime hints are recursion-lame. - - autotrust anchor file can be initialized with a ZSK key as well. - - harden-referral-path does not result in failures due to max-depth. - You can increase the max-depth by adding numbers (' 0') after the - target-fetch-policy, this increases the depth to which is checked. - -26 April 2010: Wouter - - Compile fix using Sun Studio 12 compiler on Solaris 5.9, use - CPPFLAGS during configure process. - - if libev is installed on the base system (not libevent), detect - it from the event.h header file and link with -lev. - - configlexer.lex gets config.h, and configyyrename.h added by make, - no more double include. - - More strict scrubber (Thanks to George Barwood for the idea): - NS set must be pertinent to the query (qname subdomain nsname). - - Fix bug#307: In 0x20 backoff fix fallback so the number of - outstanding queries does not become -1 and block the request. - Fixed handling of recursion-lame in combination with 0x20 fallback. - Fix so RRsets are compared canonicalized and sorted if the immediate - comparison fails, this makes it work around round-robin sites. - -23 April 2010: Wouter - - Squelch log message: sendto failed permission denied for - 255.255.255.255, it is visible in VERB_DETAIL (verbosity 2). - - Fix to fetch data as last resort more tenaciously. 
When cycle - targets cause the server selection to believe there are more options - when they really are not there, the server selection is reinitiated. - - Fix fetch from blacklisted dnssec lame servers as last resort. The - server's IP address is then given in validator errors as well. - - Fix local-zone type redirect that did not use the query name for - the answer rrset. - -22 April 2010: Wouter - - tag 1.4.4. - - trunk contains 1.4.5 in development. - - Fix validation failure for qtype ANY caused by a RRSIG parse failure. - The validator error message was 'no signatures from ...'. - -16 April 2010: Wouter - - more portability defines for CMSG_SPACE, CMSG_ALIGN, CMSG_LEN. - - tag 1.4.4rc1. - -15 April 2010: Wouter - - ECC-GOST algorithm number 12 that is assigned by IANA. New test - example key and signatures for GOST. GOST requires openssl-1.0.0. - GOST is still disabled by default. - -9 April 2010: Wouter - - Fix bug#305: pkt_dname_tolower could read beyond end of buffer or - get into an endless loop, if 0x20 was enabled, and buffers are small - or particular broken packets are received. - - Fix chain of trust with CNAME at an intermediate step, for the DS - processing proof. - -8 April 2010: Wouter - - Fix validation of queries with wildcard names (*.example). - -6 April 2010: Wouter - - Fix EDNS probe for .de DNSSEC testbed failure, where the infra - cache timeout coincided with a server update, the current EDNS - backoff is less sensitive, and does not cache the backoff unless - the backoff actually works and the domain is not expecting DNSSEC. - - GOST support with correct algorithm numbers. - -1 April 2010: Wouter - - iana portlist updated. - -24 March 2010: Wouter - - unbound control flushed items are not counted when flushed again. - -23 March 2010: Wouter - - iana portlist updated. - -22 March 2010: Wouter - - unbound-host disables use-syslog from config file so that the - config file for the main server can be used more easily. 
- - fix bug#301: unbound-checkconf could not parse interface - '0.0.0.0@5353', even though unbound itself worked fine. - -19 March 2010: Wouter - - fix fwd_ancil test to pass if the socket options are not supported. - -18 March 2010: Wouter - - Fixed random numbers for port, interface and server selection. - Removed very small bias. - - Refer to the listing in unbound-control man page in the extended - statistics entry in the unbound.conf man page. - -16 March 2010: Wouter - - Fix interface-automatic for OpenBSD: msg.controllen was too small, - also assertions on ancillary data buffer. - - check for IP_SENDSRCADDR for interface-automatic or IP_PKTINFO. - - for NSEC3 check if signatures are cached. - -15 March 2010: Wouter - - unit test for util/regional.c. - -12 March 2010: Wouter - - Reordered configure checks so fork and -lnsl -lsocket checks are - earlier, and thus later checks benefit from and do not hinder them. - - iana portlist updated. - - ldns tarball updated. - - Fix python use when multithreaded. - - Fix solaris python compile. - - Include less in config.h and include per code file for ldns, ssl. - -11 March 2010: Wouter - - another memory allocation option: --enable-alloc-nonregional. - exposes the regional allocations to other memory purifiers. - - fix for memory alignment in struct sock_list allocation. - - Fix for MacPorts ldns without ssl default, unbound checks if ldns - has dnssec functionality and uses the builtin if not. - - Fix daemonize on Solaris 10, it did not detach from terminal. - - tag 1.4.3 created. - - trunk is 1.4.4 in development. - - spelling fix in validation error involving cnames. - -10 March 2010: Wouter - - --enable-alloc-lite works with test set. - - portability in the testset: printf format conversions, prototypes. - -9 March 2010: Wouter - - tag 1.4.2 created. - - trunk is 1.4.3 in development. - - --enable-alloc-lite debug option. - -8 March 2010: Wouter - - iana portlist updated. 
- -4 March 2010: Wouter - - Fix crash in control channel code. - -3 March 2010: Wouter - - better casts in pipe code, brackets placed wrongly. - - iana portlist updated. - -1 March 2010: Wouter - - make install depends on make all. - - Fix 5011 auto-trust-anchor-file initial read to skip RRSIGs. - - --enable-checking: enables assertions but does not look nonproduction. - - nicer VERB_DETAIL (verbosity 2, unbound-host -d) output, with - nxdomain and nodata distinguished. - - ldns tarball updated. - - --disable-rpath fixed for libtool not found errors. - - new fedora specfile from Fedora13 in contrib from Paul Wouters. - -26 February 2010: Wouter - - Fixup prototype for lexer cleanup in daemon code. - - unbound-control list_stubs, list_forwards, list_local_zones and - list_local_data. - -24 February 2010: Wouter - - Fix scrubber bug that potentially let NS records through. Reported - by Amanda Constant. - - Also delete potential poison references from additional. - - Fix: no classification of a forwarder as lame, throw away instead. - -23 February 2010: Wouter - - libunbound ub_ctx_get_option() added. - - unbound-control set_option and get_option commands. - - iana portlist updated. - -18 February 2010: Wouter - - A little more strict DS scrubbing. - - No more blacklisting of unresponsive servers, a 2 minute timeout - is backed off to. - - RD flag not enabled for dnssec-blacklisted tries, unless necessary. - - pickup ldns compile fix, libdl for libcrypto. - - log 'tcp connect: connection timed out' only in high verbosity. - - unbound-control log_reopen command. - - moved get_option code from unbound-checkconf to util/config_file.c - -17 February 2010: Wouter - - Disregard DNSKEY from authority section for chain of trust. - DS records that are irrelevant to a referral scrubbed. Anti-poison. - - iana portlist updated. - -16 February 2010: Wouter - - Check for 'no space left on device' (or other errors) when - writing updated autotrust anchors and print errno to log. 
- -15 February 2010: Wouter - - Fixed the requery protection, the TTL was 0, it is now 900 seconds, - hardcoded. We made the choice to send out more conservatively, - protecting against an aggregate effect more than protecting a - single user (from their own folly, perhaps in case of misconfig). - -12 February 2010: Wouter - - Re-query pattern changed on validation failure. To protect troubled - authority servers, unbound caches a failure for the DNSKEY or DS - records for the entire zone, and only retries that 900 seconds later. - This implies that only a handful of packets are sent extra to the - authority if the zone fails. - -11 February 2010: Wouter - - ldns tarball update for long label length syntax error fix. - - iana portlist updated. - -9 February 2010: Wouter - - Fixup in compat snprintf routine, %f 1.02 and %g support. - - include math.h for testbound test compile portability. - -2 February 2010: Wouter - - Updated url of IANA itar, interim trust anchor repository, in script. - -1 February 2010: Wouter - - iana portlist updated. - - configure test for memcmp portability. - -27 January 2010: Wouter - - removed warning on format string in validator error log statement. - - iana portlist updated. - -22 January 2010: Wouter - - libtool finish the install of unbound python dynamic library. - -21 January 2010: Wouter - - acx_nlnetlabs.m4 synchronised with nsd's version. - -20 January 2010: Wouter - - Fixup lookup trouble for parent-child domains on the first query. - -14 January 2010: Wouter - - Fixup ldns detection to also check for header files. - -13 January 2010: Wouter - - prefetch-key option that performs DNSKEY queries earlier in the - validation process, and that could halve the latency on DNSSEC - queries. It takes some extra processing (CPU, a cache is needed). - -12 January 2010: Wouter - - Fix unbound-checkconf for auto-trust-anchor-file present checks. 
- -8 January 2010: Wouter - - Fix for parent-child disagreement code which could have trouble - when (a) ipv6 was disabled and (b) the TTL for parent and child - were different. There were two bugs, the parent-side information - is fixed to no longer block lookup of child side information and - the iterator is fixed to no longer attempt to get ipv6 when it is - not enabled and then give up in failure. - - test and fixes to make prefetch actually store the answer in the - cache. Considers some rrsets 'already expired' but does not allow - overwriting of rrsets considered more secure. - -7 January 2010: Wouter - - Fixup python documentation (thanks Leo Vandewoestijne). - - Work on cache prefetch feature. - - Stats for prefetch, in log print stats, unbound-control stats - and in unbound_munin plugin. - -6 January 2010: Wouter - - iana portlist updated. - - bug#291: DNS wireformat max is 255. dname_valid allowed 256 length. - - verbose output includes parent-side-address notion for lameness. - - documented val-log-level: 2 setting in example.conf and man page. - - change unbound-control-setup from 1024(sha1) to 1536(sha256). - -1 January 2010: Wouter - - iana portlist updated. - -22 December 2009: Wouter - - configure with newer libtool 2.2.6b. - -17 December 2009: Wouter - - review comments. - - tag 1.4.1. - - trunk to version 1.4.2. - -15 December 2009: Wouter - - Answer to qclass=ANY queries, with class IN contents. - Test that validation also works. - - updated ldns snapshot tarball with latest fixes (parsing records). - -11 December 2009: Wouter - - on IPv4 UDP turn off DF flag. - -10 December 2009: Wouter - - requirements.txt updated with design choice explanations. - - Reading fixes: fix to set unlame when child confirms parent glue, - and fix to avoid duplicate addresses in delegation point. - - verify_rrsig routine checks expiration last. 
- -9 December 2009: Wouter - - Fix Bug#287(reopened): update of ldns tarball with fix for parse - errors generated for domain names like '.example.com'. - - Fix SOA excluded from negative DS responses. Reported by Hauke - Lampe. The negative cache did not include proper SOA records for - negative qtype DS responses which makes BIND barf on it, such - responses are now only used internally. - - Fix negative cache lookup of closestencloser check of DS type bit. - -8 December 2009: Wouter - - Fix for lookup of parent-child disagreement domains, where the - parent-side glue works but it does not provide proper NS, A or AAAA - for itself, fixing domains such as motorcaravanners.eu. - - Feature: you can specify a port number in the interface: line, so - you can bind the same interface multiple times at different ports. - -7 December 2009: Wouter - - Bug#287: Fix segfault when unbound-control remove nonexistent local - data. Added check to tests. - -1 December 2009: Wouter - - Fix crash with module-config "iterator". - - Added unit test that has "iterator" module-config. - -30 November 2009: Wouter - - bug#284: fix parse of # without end-of-line at end-of-file. - -26 November 2009: Wouter - - updated ldns with release candidate for version 1.6.3. - - tag for 1.4.0 release. - - 1.4.1 version in trunk. - - Fixup major libtool version to 2 because of why_bogus change. - It was 1:5:0 but should have been 2:0:0. - -23 November 2009: Wouter - - Patch from David Hubbard for libunbound manual page. - - Fixup endless spinning in unbound-control stats reported by - Attila Nagy. Probably caused by clock reversal. - -20 November 2009: Wouter - - contrib/split-itar.sh contributed by Tom Hendrikx. - -19 November 2009: Wouter - - better argument help for unbound-control. - - iana portlist updated. - -17 November 2009: Wouter - - noted multiple entries for multiple domain names in example.conf. - - iana portlist updated. 
- -16 November 2009: Wouter - - Fixed signer detection of CNAME responses without signatures. - - Fix#282 libunbound memleak on error condition by Eric Sesterhenn. - - Tests for CNAMEs to deeper trust anchors, secure and bogus. - - svn tag 1.4.0rc1 made. - -13 November 2009: Wouter - - Fixed validation failure for CNAME to optout NSEC3 nodata answer. - - unbound-host does not fail on type ANY. - - Fixed wireparse failure to put RRSIGs together with data in some - long ANY mix cases, which fixes validation failures. - -12 November 2009: Wouter - - iana portlist updated. - - fix manpage errors reported by debian lintian. - - review comments. - - fixup very long vallog2 level error strings. - -11 November 2009: Wouter - - ldns tarball updated (to 1.6.2). - - review comments. - -10 November 2009: Wouter - - Thanks to Surfnet found bug in new dnssec-retry code that failed - to combine well when combined with DLV and a particular failure. - - Fixed unbound-control -h output about argument optionality. - - review comments. - -5 November 2009: Wouter - - lint fixes and portability tests. - - better error text for multiple domain keys in one autotrust file. - -2 November 2009: Wouter - - Fix bug where autotrust does not work when started with a DS. - - Updated GOST unit tests for unofficial algorithm number 249 - and DNSKEY-format changes in draft version -01. - -29 October 2009: Wouter - - iana portlist updated. - - edns-buffer-size option, default 4096. - - fixed do-udp: no. - -28 October 2009: Wouter - - removed abort on prealloc failure, error still printed but softfail. - - iana portlist updated. - - RFC 5702: RSASHA256 and RSASHA512 support enabled by default. - - ldns tarball updated (which also enables rsasha256 support). - -27 October 2009: Wouter - - iana portlist updated. - -8 October 2009: Wouter - - please doxygen - - add val-log-level print to corner case (nameserver.epost.bg). - - more detail to errors from insecure delegation checks. 
- - Fix double time subtraction in negative cache reported by - Amanda Constant and Hugh Mahon. - - Made new validator error string available from libunbound for - applications. It is in result->why_bogus, a zero-terminated string. - unbound-host prints it by default if a result is bogus. - Also the errinf is public in module_qstate (for other modules). - -7 October 2009: Wouter - - retry for validation failure in DS and prime results. Less mem use. - unit test. Provisioning in other tests for requeries. - - retry for validation failure in DNSKEY in middle of chain of trust. - unit test. - - retry for empty non terminals in chain of trust and unit test. - - Fixed security bug where the signatures for NSEC3 records were not - checked when checking for absence of DS records. This could have - enabled the substitution of an insecure delegation. - - moved version number to 1.4.0 because of 1.3.4 release with only - the NSEC3 patch from the entry above. - - val-log-level: 2 shows extended error information for validation - failures, but still one (longish) line per failure. For example: - validation failure <example.com. DNSKEY IN>: signature expired from - 192.0.2.4 for trust anchor example.com. while building chain of trust - validation failure <www.example.com. A IN>: no signatures from - 192.0.2.6 for key example.com. while building chain of trust - -6 October 2009: Wouter - - Test set updated to provide additional ns lookup result. - The retry would attempt to fetch the data from other nameservers - for bogus data, and this needed to be provisioned in the tests. - -5 October 2009: Wouter - - first validation failure retry code. Retries for data failures. - And unit test. - -2 October 2009: Wouter - - improve 5011 modularization. - - fix unbound-host so -d can be given before -C. - - iana portlist updated. - -28 September 2009: Wouter - - autotrust-anchor-file can read multiline input and $ORIGIN. - - prevent integer overflow in holddown calculation. review fixes. 
- - fixed race condition in trust point revocation. review fix. - - review fixes to comments, removed unused code. - -25 September 2009: Wouter - - so-rcvbuf: 4m option added. Set this on large busy servers to not - drop the occasional packet in spikes due to full socket buffers. - netstat -su keeps a counter of UDP dropped due to full buffers. - - review of validator/autotrust.c, small fixes and comments. - -23 September 2009: Wouter - - 5011 query failed counts verification failures, not lookup failures. - - 5011 probe failure handling fixup. - - test unbound reading of original autotrust data. - The metadata per-key, such as key state (PENDING, MISSING, VALID) is - picked up, otherwise performs initial probe like usual. - -22 September 2009: Wouter - - autotrust test with algorithm rollover, new ordering of checks - assists in orderly rollover. - - autotrust test with algorithm rollover to unknown algorithm. - checks if new keys are supported before adding them. - - autotrust test with trust point revocation, becomes unsigned. - - fix DNSSEC-missing-signature detection for minimal responses - for qtype DNSKEY (assumes DNSKEY occurs at zone apex). - -18 September 2009: Wouter - - autotrust tests, fix trustpoint timer deletion code. - fix count of valid anchors during missing remove. - - autotrust: pick up REVOKE even if not signed with known other keys. - -17 September 2009: Wouter - - fix compile of unbound-host when --enable-alloc-checks. - - Fix lookup problem reported by Koh-ichi Ito and Jaap Akkerhuis. - - Manual page fixes reported by Tony Finch. - -16 September 2009: Wouter - - Fix memory leak reported by Tao Ma. - - Fix memstats test tool for log-time-ascii log format. - -15 September 2009: Wouter - - iana portlist updated. - -10 September 2009: Wouter - - increased MAXSYSLOGLEN so .bg key can be printed in debug output. 
- - use linebuffering for log-file: output, this can be significantly - faster than the previous fflush method and enable some class of - resolvers to use high verbosity (for short periods). - Not on windows, because line buffering does not work there. - -9 September 2009: Wouter - - Fix bug where DNSSEC-bogus messages were marked with too high TTL. - The RRsets would still expire at the normal time, but this would - keep messages bogus in the cache for too long. - - regression test for that bug. - - documented that load_cache is meant for debugging. - -8 September 2009: Wouter - - fixup printing errors when load_cache, they were printed to the - SSL connection which broke, now to the log. - - new ldns - with fixed parse of large SOA values. - -7 September 2009: Wouter - - autotrust testbound scenarios. - - autotrust fix that failure count is written to file. - - autotrust fix that keys may become valid after add holddown time - alone, before the probe returns. - -4 September 2009: Wouter - - Changes to make unbound work with libevent-2.0.3 alpha. (in - configure detection due to new ssl dependency in libevent) - - do not call sphinx for documentation when python is disabled. - - remove EV_PERSIST from libevent timeout code to make the code - compatible with the libevent-2.0. Works with older libevent too. - - fix memory leak in python code. - -3 September 2009: Wouter - - Got a patch from Luca Bruno for libunbound support on windows to - pick up the system resolvconf nameservers and hosts there. - - included ldns updated (enum warning fixed). - - makefile fix for parallel makes. - - Patch from Zdenek Vasicek and Attila Nagy for using the source IP - from python scripts. See pythonmod/examples/resip.py. - - doxygen comment fixes. - -2 September 2009: Wouter - - TRAFFIC keyword for testbound. Simplifies test generation. - ${range lower val upper} to check probe timeout values. - - test with 5011-prepublish rollover and revocation. 
- - fix revocation of RR for autotrust, stray exclamation mark. - -1 September 2009: Wouter - - testbound variable arithmetic. - - autotrust probe time is randomised. - - autotrust: the probe is active and does not fetch from cache. - -31 August 2009: Wouter - - testbound variable processing. - -28 August 2009: Wouter - - fixup unbound-control lookup to print forward and stub servers. - -27 August 2009: Wouter - - autotrust: mesh answer callback is empty. - -26 August 2009: Wouter - - autotrust probing. - - iana portlist updated. - -25 August 2009: Wouter - - fixup memleak in trust anchor unsupported algorithm check. - - iana portlist updated. - - autotrust options: add-holddown, del-holddown, keep-missing. - - autotrust store revoked status of trust points. - - ctime_r compat definition. - - detect yylex_destroy() in configure. - - detect SSL_get_compression_methods declaration in configure. - - fixup DS lookup at anchor point with unsigned parent. - - fixup DLV lookup for DS queries to unsigned domains. - -24 August 2009: Wouter - - cleaner memory allocation on exit. autotrust test routines. - - free all memory on program exit, fix for ssl and flex. - -21 August 2009: Wouter - - autotrust: debug routines. Read,write and conversions work. - -20 August 2009: Wouter - - autotrust: save and read trustpoint variables. - -19 August 2009: Wouter - - autotrust: state table updates. - - iana portlist updated. - -17 August 2009: Wouter - - autotrust: process events. - -17 August 2009: Wouter - - Fix so that servers are only blacklisted if they fail to reply - to 16 queries in a row and the timeout gets above 2 minutes. - - autotrust work, split up DS verification of DNSKEYs. - -14 August 2009: Wouter - - unbound-control lookup prints out infra cache information, like RTT. - - Fix bug in DLV lookup reported by Amanda from Secure64. - It could sometimes wrongly classify a domain as unsigned, which - does not give the AD bit on replies. 
- -13 August 2009: Wouter - - autotrust read anchor files. locked trust anchors. - -12 August 2009: Wouter - - autotrust import work. - -11 August 2009: Wouter - - Check for openssl compatible with gost if enabled. - - updated unit test for GOST=211 code. - Nicer naming of test files. - - iana portlist updated. - -7 August 2009: Wouter - - call OPENSSL_config() in unbound and unit test so that the - operator can use openssl.cnf for configuration options. - - removed small memory leak from config file reader. - -6 August 2009: Wouter - - configure --enable-gost for GOST support, experimental - implementation of draft-dolmatov-dnsext-dnssec-gost-01. - - iana portlist updated. - - ldns tarball updated (with GOST support). - -5 August 2009: Wouter - - trunk moved to 1.3.4. - -4 August 2009: Wouter - - Added test that the examples from draft rsasha256-14 verify. - - iana portlist updated. - - tagged 1.3.3 - -3 August 2009: Wouter - - nicer warning when algorithm not supported, tells you to upgrade. - - iana portlist updated. - -27 July 2009: Wouter - - Updated unbound-cacti contribution from Dmitriy Demidov, with - the queue statistics displayed in its own graph. - - iana portlist updated. - -22 July 2009: Wouter - - Fix bug found by Michael Tokarev where unbound would try to - prime the root servers even though forwarders are configured for - the root. - - tagged 1.3.3rc1 - -21 July 2009: Wouter - - Fix server selection, so that it waits for open target queries when - faced with lameness. - -20 July 2009: Wouter - - Ignore transient sendto errors, no route to host, and host, net down. - - contrib/update-anchor.sh has -r option for root-hints. - - feature val-log-level: 1 prints validation failures so you can - keep track of them during dnssec deployment. - -16 July 2009: Wouter - - fix replacement malloc code. Used in crosscompile. - - makedist -w creates crosscompiled setup.exe on fedora11. - -15 July 2009: Wouter - - dependencies for compat items, for crosscompile. 
- - mingw32 crosscompile changes, dependencies and zipfile creation. - and with System.dll from the windows NSIS you can make setup.exe. - - package libgcc_s_sjlj exception handler for NSISdl.dll. - -14 July 2009: Wouter - - updated ldns tarball for solaris x64 compile assistance. - - no need to define RAND_MAX from config.h. - - iana portlist updated. - - configure changes and ldns update for mingw32 crosscompile. - -13 July 2009: Wouter - - Fix for crash at start on windows. - - tag for release 1.3.2. - - trunk has version 1.3.3. - - Fix for ID bits on windows to use all 16. RAND_MAX was not - defined like you'd expect on mingw. Reported by Mees de Roo. - -9 July 2009: Wouter - - tag for release 1.3.1. - - trunk has version 1.3.2. - -7 July 2009: Wouter - - iana portlist updated. - -6 July 2009: Wouter - - prettier error handling in SSL setup. - - makedist.sh uname fix (same as ldns). - - updated fedora spec file. - -3 July 2009: Wouter - - fixup linking when ldnsdir is "". - -30 June 2009: Wouter - - more lenient truncation checks. - -29 June 2009: Wouter - - ldns trunk r2959 imported as tarball, because of solaris cc compile - support for c99. r2960 for better configure. - - better wrongly_truncated check. - - On Linux, fragment IPv6 datagrams to the IPv6 minimum MTU, to - avoid dropped packets at routers. - -26 June 2009: Wouter - - Fix EDNS fallback when EDNS works for short answers but long answers - are dropped. - -22 June 2009: Wouter - - fixup iter priv strict aliasing while preserving size of sockaddr. - - iana portlist updated. (one less port allocated, one more fraction - of a bit for security!) - - updated fedora specfile in contrib from Paul Wouters. - -19 June 2009: Wouter - - Fixup strict aliasing warning in iter priv code. - and config_file code. - - iana portlist updated. - - harden-referral-path: handle cases where NS is in answer section. 
- -18 June 2009: Wouter - - Fix of message parse bug where (specifically) an NSEC and RRSIG - in the wrong order would be parsed, but put wrongly into internal - structures so that later validation would fail. - - Extreme lenience for wrongly truncated replies where a positive - reply has an NS in the authority but no signatures. They are - turned into minimal responses with only the (secure) answer. - - autoconf 2.63 for configure. - - python warnings suppress. Keep python API away from header files. - -17 June 2009: Wouter - - CREDITS entry for cz.nic, sponsoring a 'summer of code' that was - used for the python code in unbound. (http://www.nic.cz/vip/ in cz). - -16 June 2009: Wouter - - Fixup opportunistic target query generation to it does not - generate queries that are known to fail. - - Touchup on munin total memory report. - - messages picked out of the cache by the iterator are checked - if their cname chain is still correct and if validation status - has to be reexamined. - -15 June 2009: Wouter - - iana portlist updated. - -14 June 2009: Wouter - - Fixed bug where cached responses would lose their security - status on second validation, which especially impacted dlv - lookups. Reported by Hauke Lampe. - -13 June 2009: Wouter - - bug #254. removed random whitespace from example.conf. - -12 June 2009: Wouter - - Fixup potential wrong NSEC picked out of the cache. - - If unfulfilled callbacks are deleted they are called with an error. - - fptr wlist checks for mesh callbacks. - - fwd above stub in configuration works. - -11 June 2009: Wouter - - Fix queries for type DS when forward or stub zones are there. - They are performed to higherup domains, and thus treated as if - going to higher zones when looking up the right forward or stub - server. This makes a stub pointing to a local server that has - a local view of example.com signed with the same keys as are - publicly used work. Reported by Johan Ihren. 
- - Added build-unbound-localzone-from-hosts.pl to contrib, from - Dennis DeDonatis. It converts /etc/hosts into config statements. - - same thing fixed for forward-zone and DS, chain of trust from - public internet into the forward-zone works now. Added unit test. - -9 June 2009: Wouter - - openssl key files are opened apache-style, when user is root and - before chrooting. This makes permissions on remote-control key - files easier to set up. Fixes bug #251. - - flush_type and flush_name remove msg cache entries. - - codereview - dp copy bogus setting fix. - -8 June 2009: Wouter - - Removed RFC5011 REVOKE flag support. Partial 5011 support may cause - inadvertant behaviour. - - 1.3.0 tarball for release created. - - 1.3.1 development in svn trunk. - - iana portlist updated. - - fix lint from complaining on ldns/sha.h. - - help compiler figure out aliasing in priv_rrset_bad() routine. - - fail to configure with python if swig is not found. - - unbound_munin_ in contrib uses ps to show rss if sbrk does not work. - -3 June 2009: Wouter - - fixup bad free() when wrongly encoded DSA signature is seen. - Reported by Paul Wouters. - - review comments from Matthijs. - -2 June 2009: Wouter - - --enable-sha2 option. The draft rsasha256 changed its algorithm - numbers too often. Therefore it is more prudent to disable the - RSASHA256 and RSASHA512 support by default. - - ldns trunk included as new tarball. - - recreated the 1.3.0 tag in svn. rc1 tarball generated at this point. - -29 May 2009: Wouter - - fixup doc bug in README reported by Matthew Dempsky. - -28 May 2009: Wouter - - update iana port list - - update ldns lib tarball - -27 May 2009: Wouter - - detect lack of IPv6 support on XP (with a different error code). - - Fixup a crash-on-exit which was triggered by a very long queue. - Unbound would try to re-use ports that came free, but this is - of course not really possible because everything is deleted. 
- Most easily triggered on XP (not Vista), maybe because of the - network stack encouraging large messages backlogs. - - change in debug statements. - - Fixed bug that could cause a crash if root prime failed when there - were message backlogs. - -26 May 2009: Wouter - - Thanks again to Brett Carr, found an assertion that was not true. - Assertion checked if recursion parent query still existed. - -29 April 2009: Wouter - - Thanks to Brett Carr, caught windows resource leak, use - closesocket() and not close() on sockets or else the network stack - starts to leak handles. - - Removed usage of windows Mutex because windows cannot handle enough - mutexes open. Provide own mutex implementation using primitives. - -28 April 2009: Wouter - - created svn tag for 1.3.0. - -27 April 2009: Wouter - - optimised cname from cache. - - ifdef windows functions in testbound. - -23 April 2009: Wouter - - fix for threadsafety in solaris thr_key_create() in tests. - - iana portlist updated. - - fix pylib test for Darwin. - - fix pymod test for Darwin and a python threading bug in pymod init. - - check python >= 2.4 in configure. - - -ldl check for libcrypto 1.0.0beta. - -21 April 2009: Wouter - - fix for build outside sourcedir. - - fix for configure script swig detection. - -17 April 2009: Wouter - - Fix reentrant in minievent handler for unix. Could have resulted - in spurious event callbacks. - - timers do not take up a fd slot for winsock handler. - - faster fix for winsock reentrant check. - - fix rsasha512 unit test for new (interim) algorithm number. - - fix test:ldns doesn't like DOS line endings in keyfiles on unix. - - fix compile warning on ubuntu (configlexer fwrite return value). - - move python include directives into CPPFLAGS instead of CFLAGS. - -16 April 2009: Wouter - - winsock event handler exit very quickly on signal, even if - under heavy load. - - iana portlist updated. - - fixup windows winsock handler reentrant problem. 
- -14 April 2009: Wouter - - bug #245: fix munin plugin, perform cleanup of stale lockfiles. - - makedist.sh; better help text. - - cache-min-ttl option and tests. - - mingw detect error condition on TCP sockets (NOTCONN). - -9 April 2009: Wouter - - Fix for removal of RSASHA256_NSEC3 protonumber from ldns. - - ldns tarball updated. - - iana portlist update. - - detect GOST support in openssl-1.0.0-beta1, and fix compile problem - because that openssl defines the name STRING for itself. - -6 April 2009: Wouter - - windows compile fix. - - Detect FreeBSD jail without ipv6 addresses assigned. - - python libunbound wrapper unit test. - - installs the following files. Default is to not build them. - from configure --with-pythonmodule: - /usr/lib/python2.x/site-packages/unboundmodule.py - from configure --with-pyunbound: - /usr/lib/python2.x/site-packages/unbound.py - /usr/lib/python2.x/site-packages/_unbound.so* - The example python scripts (pythonmod/examples and - libunbound/python/examples) are not installed. - - python invalidate routine respects packed rrset ids and locks. - - clock skew checks in unbound, config statements. - - nxdomain ttl considerations in requirements.txt - -3 April 2009: Wouter - - Fixed a bug that caused messages to be stored in the cache too - long. Hard to trigger, but NXDOMAINs for nameservers or CNAME - targets have been more vulnerable to the TTL miscalculation bug. - - documentation test fixed for python addition. - -2 April 2009: Wouter - - pyunbound (libunbound python plugin) compiles using libtool. - - documentation for pythonmod and pyunbound is generated in doc/html. - - iana portlist updated. - - fixed bug in unbound-control flush_zone where it would not flush - every message in the target domain. This especially impacted - NXDOMAIN messages which could remain in the cache regardless. - - python module test package. 
- -1 April 2009: Wouter - - suppress errors when trying to contact authority servers that gave - ipv6 AAAA records for their nameservers with ipv4 mapped contents. - Still tries to do so, could work when deployed in intranet. - Higher verbosity shows the error. - - new libunbound calls documented. - - pyunbound in libunbound/python. Removed compile warnings. - Makefile to make it. - -30 March 2009: Wouter - - Fixup LDFLAGS from libevent sourcedir compile configure restore. - - Fixup so no non-absolute rpaths are added. - - Fixup validation of RRSIG queries, they are let through. - - read /dev/random before chroot - - checkconf fix no python checks when no python module enabled. - - fix configure, pthread first, so other libs do not change outcome. - -27 March 2009: Wouter - - nicer -h output. report linked libraries and modules. - - prints modules in intuitive order (config file friendly). - - python compiles easily on BSD. - -26 March 2009: Wouter - - ignore swig varargs warnings with gcc. - - remove duplicate example.conf text from python example configs. - - outofdir compile fix for python. - - pyunbound works. - - print modules compiled in on -h. manpage. - -25 March 2009: Wouter - - initial import of the python contribution from Zdenek Vasicek and - Marek Vavrusa. - - pythonmod in Makefile; changes to remove warnings/errors for 1.3.0. - -24 March 2009: Wouter - - more neat configure.ac. Removed duplicate config.h includes. - - neater config.h.in. - - iana portlist updated. - - fix util/configlexer.c and solaris -std=c99 flag. - - fix postcommit aclocal errors. - - spaces stripped. Makefile cleaner, /usr omitted from -I, -L, -R. - - swap order of host detect and libtool generation. - -23 March 2009: Wouter - - added launchd plist example file for MacOSX to contrib. - - deprecation test for daemon(3). - - moved common configure actions to m4 include, prettier Makefile. - -20 March 2009: Wouter - - bug #239: module-config entries order is important. Documented. 
- - build fix for test asynclook. - -19 March 2009: Wouter - - winrc/README.txt dos-format text file. - - iana portlist updated. - - use _beginthreadex() when available (performs stack alignment). - - defaults for windows baked into configure.ac (used if on mingw). - -18 March 2009: Wouter - - Added tests, unknown algorithms become insecure. fallback works. - - Fix for and test for unknown algorithms in a trust anchor - definition. Trust anchors with no supported algos are ignored. - This means a (higher)DS or DLV entry for them could succeed, and - otherwise they are treated as insecure. - - domain-insecure: "example.com" statement added. Sets domain - insecure regardless of chain of trust DSs or DLVs. The inverse - of a trust-anchor. - -17 March 2009: Wouter - - unit test for unsupported algorithm in anchor warning. - - fixed so queries do not fail on opportunistic target queries. - -16 March 2009: Wouter - - fixup diff error printout in contrib/update-itar.sh. - - added contrib/unbound_cacti for statistics support in cacti, - contributed by Dmitriy Demidov. - -13 March 2009: Wouter - - doxygen and lex/yacc on linux. - - strip update-anchor on makedist -w. - - fix testbound on windows. - - default log to syslog for windows. - - uninstaller can stop unbound - changed text on it to reflect that. - - remove debugging from windows 'cron' actions. - -12 March 2009: Wouter - - log to App.logs on windows prints executable identity. - - fixup tests. - - munin plugin fix benign locking error printout. - - anchor-update for windows, called every 24 hours; unbound reloads. - -11 March 2009: Wouter - - winsock event handler resets WSAevents after signalled. - - winsock event handler tests if signals are really signalled. - - install and service with log to file works on XP and Vista on - default install location. - - on windows logging to the Application logbook works (as a service). - - fix RUN_DIR on windows compile setting in makedist. 
- - windows registry has Software\Unbound\ConfigFile element. - If does not exist, the default is used. The -c switch overrides it. - - fix makedist version cleanup function. - -10 March 2009: Wouter - - makedist -w strips out old rc.. and snapshot info from version. - - setup.exe starts and stops unbound after install, before uninstall. - - unbound-checkconf recognizes absolute pathnames on windows (C:...). - -9 March 2009: Wouter - - Nullsoft NSIS installer creation script. - -5 March 2009: Wouter - - fixup memory leak introduced on 18feb in mesh reentrant fix. - -3 March 2009: Wouter - - combined icon with 16x16(4) 32x32(4) 48x48(8) 64x64(8). - - service works on xp/vista, no config necessary (using defaults). - - windows registry settings. - -2 March 2009: Wouter - - fixup --export-symbols to be -export-symbls for libtool. - This should fix extraneous symbols exported from libunbound. - Thanks to Ondrej Sury and Robert Edmonds for finding it. - - iana portlist updated. - - document FAQ entry on stub/forward zones and default blocking. - - fix asynclook test app for libunbound not exporting symbols. - - service install and remove utils that work with vista UAC. - -27 February 2009: Wouter - - Fixup lexer, to not give warnings about fwrite. Appeared in - new lexer features. - - makedistro functionality for mingw. Has RC support. - - support spaces and backslashes in configured defaults paths. - - register, deregister in service control manager. - -25 February 2009: Wouter - - windres usage for application resources. - -24 February 2009: Wouter - - isc moved their dlv key download location. - - fixup warning on vista/mingw. - - makedist -w for window zip distribution first version. - -20 February 2009: Wouter - - Fixup contrib/update-itar.sh, the exit codes 1 and 0 were swapped. - Nicer script layout. Added url to site in -h output. - -19 February 2009: Wouter - - unbound-checkconf and unbound print warnings when trust anchors - have unsupported algorithms. 
- - added contrib/update-itar.sh This script is similar to - update-anchor.sh, and updates from the IANA ITAR repository. - You can provide your own PGP key and trust repo, or can use the - builtin. The program uses wget and gpg to work. - - iana portlist updated. - - update-itar.sh: using ftp:// urls because https godaddy certificate - is not available everywhere and then gives fatal errors. The - security is provided by pgp signature. - -18 February 2009: Wouter - - more cycle detection. Also for target queries. - - fixup bug where during deletion of the mesh queries the callbacks - that were reentrant caused assertion failures. Keep the mesh in - a reentrant safe state. Affects libunbound, reload of server, - on quit and flush_requestlist. - - iana portlist updated. - -13 February 2009: Wouter - - forwarder information now per-thread duplicated. - This keeps it read only for speed, with no locking necessary. - - forward command for unbound control to change forwarders to use - on the fly. - - document that unbound-host reads no config file by default. - - updated iana portlist. - -12 February 2009: Wouter - - call setusercontext if available (on BSD). - - small refactor of stats clearing. - - #227: flush_stats feature for unbound-control. - - stats_noreset feature for unbound-control. - - flush_requestlist feature for unbound-control. - - libunbound version upped API (was changed 5 feb). - - unbound-control status shows if root forwarding is in use. - - slightly nicer memory management in iter-fwd code. - -10 February 2009: Wouter - - keys with rfc5011 REVOKE flag are skipped and not considered when - validating data. - - iana portlist updated - - #226: dump_requestlist feature for unbound-control. - -6 February 2009: Wouter - - contrib contains specfile for fedora 1.2.1 (from Paul Wouters). - - iana portlist updated. - - fixup EOL in include directive (reported by Paul Wouters). - You can no longer specify newlines in the names of included files. 
- - config parser changed. Gives some syntax errors closer to where they - occurred. Does not enforce a space after keyword anymore. - Does not allow literal newlines inside quoted strings anymore. - - verbosity level 5 logs customer IP for new requestlist entries. - - test fix, lexer and cancel test. - - new option log-time-ascii: yes if you enable it prints timestamps - in the log file as Feb 06 13:45:26 (like syslog does). - - detect event_base_new in libevent-1.4.1 and later and use it. - - #231 unbound-checkconf -o option prints that value from config file. - Useful for scripting in management scripts and the like. - -5 February 2009: Wouter - - ldns 1.5.0 rc as tarball included. - - 1.3.0 development continues: - change in libunbound API: ub_cancel can return an error, that - the async_id did not exist, or that it was already delivered. - The result could have been delivered just before the cancel - routine managed to acquire the lock, so a caller may get the - result at the same time they call cancel. For this case, - ub_cancel tries to return an error code. - Fixes race condition in ub_cancel() libunbound function. - - MacOSX Leopard cleaner text output from configure. - - initgroups(3) is called to drop secondary group permissions, if - applicable. - - configure option --with-ldns-builtin forces the use of the - inluded ldns package with the unbound source. The -I include - is put before the others, so it avoids bad include files from - an older ldns install. - - daemon(3) posix call is used when available. - - testbound test for older fix added. - -4 February 2009: Wouter - - tag for release 1.2.1. - - trunk setup for 1.3.0 development. - -3 February 2009: Wouter - - noted feature requests in doc/TODO. - - printout more detailed errors on ssl certificate loading failures. - - updated IANA portlist. - -16 January 2009: Wouter - - more quiet about ipv6 network failures, i.e. when ipv6 is not - available (network unreachable). 
Debug still printed on high - verbosity. - - unbound-host -4 and -6 options. Stops annoying ipv6 errors when - debugging with unbound-host -4 -d ... - - more cycle detection for NS-check, addr-check, root-prime and - stub-prime queries in the iterator. Avoids possible deadlock - when priming fails. - -15 January 2009: Wouter - - bug #229: fixup configure checks for compilation with Solaris - Sun cc compiler, ./configure CC=/opt/SUNWspro/bin/cc - - fixup suncc warnings. - - fix bug where unbound could crash using libevent 1.3 and older. - - update testset for recent retry change. - -14 January 2009: Wouter - - 1.2.1 feature: negative caching for failed queries. - Queries that failed are cached for 5 seconds (NORR_TTL). - If the failure is local, like out of memory, it is not cached. - - the TTL comparison for the cache used different comparisons, - causing many cache responses that used the iterator and validator - state machines unnecessarily. - - retry from 4 to 5 so that EDNS drop retry is part of the first - query resolve attempt, and cached error does not stop EDNS fallback. - - remove debug prints that protect against bad referrals. - - honor QUIET=no on make commandline (or QUIET=yes ). - -13 January 2009: Wouter - - fixed bug in lameness marking, removed printouts. - - find NS rrset more cleanly for qtype NS. - - Moved changes to 1.2.0 for release. Thanks to Mark Zealey for - reporting and logs. - - 1.2.1 feature: stops resolving AAAAs promiscuously when they - are in the negative cache. - -12 January 2009: Wouter - - fixed bug in infrastructure lameness cache, did not lowercase - name of zone to hash when setting lame. - - lameness debugging printouts. - -9 January 2009: Wouter - - created svn tag for 1.2.0 release. - - svn trunk contains 1.2.1 version number. - - iana portlist updated for todays list. - - removed debug print. 
- -8 January 2009: Wouter - - new version of ldns-trunk (today) included as tarball, fixed - bug #224, building with -j race condition. - - remove possible race condition in the test for race conditions. - -7 January 2009: Wouter - - version 1.2.0 in preparation. - - feature to allow wildcards (*, ?, [], {}. ~) in trusted-keys-file - statements. (Adapted from patch by Paul Wouters). - - typo fix and iana portlist updated. - - porting testsuite; unused var warning, and type fixup. - -6 January 2009: Wouter - - fixup packet-of-death when compiled with --enable-debug. - A malformed packet could cause an internal assertion failure. - - added test for HINFO canonicalisation behaviour. - - fixup reported problem with transparent local-zone data where - queries with different type could get nxdomain. Now queries - with a different name get resolved normally, with different type - get a correct NOERROR/NODATA answer. - - HINFO no longer downcased for validation, making unbound compatible - with bind and ldns. - - fix reading included config files when chrooted. - Give full path names for include files. - Relative path names work if the start dir equals the working dir. - - fix libunbound message transport when no packet buffer is available. - -5 January 2009: Wouter - - fixup getaddrinfo failure handling for remote control port. - - added L.ROOT-SERVERS.NET. AAAA 2001:500:3::42 to builtin root hints. - - fixup so it works with libev-3.51 from http://dist.schmorp.de/libev/ - - comm_timer_set performs base_set operation after event_add. - -18 December 2008: Wouter - - fixed bug reported by Duane Wessels: error in DLV lookup, would make - some zones that had correct DLV keys as insecure. - - follows -rc makedist from ldns changes (no _rc). - - ldns tarball updated with 1.4.1rc for DLV unit test. - - verbose prints about recursion lame detection and server selection. - - fixup BSD port for infra host storage. It hashed wrongly. - - fixup makedist snapshot name generation. 
- - do not reopen syslog to avoid dev/log dependency. - -17 December 2008: Wouter - - follows ldns makedist.sh. -rc option. autom4te dir removed. - - unbound-control status command. - - extended statistics has a number of ipv6 queries counter. - contrib/unbound_munin_ was updated to draw ipv6 in the hits graph. - -16 December 2008: Wouter - - follow makedist improvements from ldns, for maintainers prereleases. - - snapshot version uses _ not - to help rpm distinguish the - version number. - -11 December 2008: Wouter - - better fix for bug #219: use LOG_NDELAY with openlog() call. - Thanks to Tamas Tevesz. - -9 December 2008: Wouter - - bug #221 fixed: unbound checkconf checks if key files exist if - remote control is enabled. Also fixed NULL printf when not chrooted. - - iana portlist updated. - -3 December 2008: Wouter - - Fix problem reported by Jaco Engelbrecht where unbound-control stats - freezes up unbound if this was compiled without threading, and - was using multiple processes. - - iana portlist updated. - - test for remote control with interprocess communication. - - created command distribution mechanism so that remote control - commands other than 'stats' work on all processes in a nonthreaded - compiled version. dump/load cache work, on the first process. - - fixup remote control local_data addition memory corruption bug. - -1 December 2008: Wouter - - SElinux policy files in contrib/selinux for the unbound daemon, - by Paul Wouters and Adam Tkac. - -25 November 2008: Wouter - - configure complains when --without-ssl is given (bug #220). - - skip unsupported feature tests on vista/mingw. - - fixup testcode/streamtcp to work on vista/mingw. - - root-hints test checks version of dig required. - - blacklisted servers are polled at a low rate (1%) to see if they - come back up. But not if there is some other working server. 
- -24 November 2008: Wouter - - document that the user of the server daemon needs read privileges - on the keys and certificates generated by unbound-control-setup. - This is different per system or distribution, usually, running the - script under the same username as the server uses suffices. - i.e. sudo -u unbound unbound-control-setup - - testset port to vista/mingw. - - tcp_sigpipe to freebsd port. - -21 November 2008: Wouter - - fixed tcp accept, errors were printed when they should not. - - unbound-control-setup.sh removes read/write permissions other - from the keys it creates (as suggested by Dmitriy Demidov). - -20 November 2008: Wouter - - fixup fatal error due to faulty error checking after tcp accept. - - add check in rlimit to avoid integer underflow. - - rlimit check with new formula; better estimate for number interfaces - - nicer comments in rlimit check. - - tag 1.1.1 created in svn. - - trunk label is 1.1.2 - -19 November 2008: Wouter - - bug #219: fixed so that syslog which delays opening until the first - log line is written, gets a log line while not chroot'ed yet. - -18 November 2008: Wouter - - iana portlist updated. - - removed cast in unit test debug print that was not 64bit safe. - - trunk back to 1.1.0; copied to tags 1.1.0 release. - - trunk to has version number 1.1.1 again. - - in 1.1.1; make clean nicer. grammar in manpage. - -17 November 2008: Wouter - - theoretical fix for problems reported on mailing list. - If a delegation point has no A but only AAAA and do-ip6 is no, - resolution would fail. Fixed to ask for the A and AAAA records. - It has to ask for both always, so that it can fail quietly, from - TLD perspective, when a zone is only reachable on one transport. - - test for above, only AAAA and doip6 is no. Fix causes A record - for nameserver to be fetched. - - fixup address duplication on cache fillup for delegation points. - - testset updated for new query answer requirements. 
- -14 November 2008: Wouter - - created 1.1.0 release tag in svn. - - trunk moved to 1.1.1 - - fixup unittest-neg for locking. - -13 November 2008: Wouter - - added fedora init and specfile to contrib (by Paul Wouters). - - added configure check for ldns 1.4.0 (using its compat funcs). - - neater comments in worker.h. - - removed doc/plan and updated doc/TODO. - - silenced EHOSTDOWN (verbosity 2 or higher to see it). - - review comments from Jelte, Matthijs. Neater code. - -12 November 2008: Wouter - - add unbound-control manpage to makedist replace list. - -11 November 2008: Wouter - - unit test for negative cache, stress tests the refcounting. - - fix for refcounting error that could cause fptr_wlist fatal exit - in the negative cache rbtree (upcoming 1.1 feature). (Thanks to - Attila Nagy for testing). - - nicer comments in cachedump about failed RR to string conversion. - - fix 32bit wrap around when printing large (4G and more) mem usage - for extended statistics. - -10 November 2008: Wouter - - fixup the getaddrinfo compat code rename. - -8 November 2008: Wouter - - added configure check for eee build warning. - -7 November 2008: Wouter - - fix bug 217: fixed, setreuid and setregid do not work on MacOSX10.4. - - detect nonblocking problems in network stack in configure script. - -6 November 2008: Wouter - - dname_priv must decompress the name before comparison. - - iana portlist updated. - -5 November 2008: Wouter - - fixed possible memory leak in key_entry_key deletion. - Would leak a couple bytes when trust anchors were replaced. - - if query and reply qname overlap, the bytes are skipped not copied. - - fixed file descriptor leak when messages were jostled out that - had outstanding (TCP) replies. - - DNAMEs used from cache have their synthesized CNAMEs initialized - properly. - - fixed file descriptor leak for localzone type deny (for TCP). - - fixed memleak at exit for nsec3 negative cached zones. 
- - fixed memleak for the keyword 'nodefault' when reading config. - - made verbosity of 'edns incapable peer' warning higher, so you - do not get spammed by it. - - caught elusive Bad file descriptor error bug, that would print the - error while unnecessarily try to listen to a closed fd. Fixed. - -4 November 2008: Wouter - - fixed -Wwrite-strings warnings that result in better code. - -3 November 2008: Wouter - - fixup build process for Mac OSX linker, use ldns b32 compat funcs. - - generated configure with autoconf-2.61. - - iana portlist updated. - - detect if libssl needs libdl. For static linking with libssl. - - changed to use new algorithm identifiers for sha256/sha512 - from ldns 1.4.0 (need very latest version). - - updated the included ldns tarball. - - proper detection of SHA256 and SHA512 functions (not just sizes). - -23 October 2008: Wouter - - a little more debug info for failure on signer names. prints names. - -22 October 2008: Wouter - - CFLAGS are picked up by configure from the environment. - - iana portlist updated. - - updated ldns to use 1.4.0-pre20081022 so it picks up CFLAGS too. - - new stub-prime: yesno option. Default is off, so it does not prime. - can be turned on to get same behaviour as previous unbound release. - - made automated test that checks if builtin root hints are uptodate. - - finished draft-wijngaards-dnsext-resolver-side-mitigation - implementation. The unwanted-reply-threshold can be set. - - fixup so fptr_whitelist test in alloc.c works. - -21 October 2008: Wouter - - fix update-anchors.sh, so it does not report different RR order - as an update. Sorts the keys in the file. Updated copyright. - - fixup testbound on windows, the command control pipe doesn't exist. - - skip 08hostlib test on windows, no fork() available. - - made unbound-remote work on windows. - -20 October 2008: Wouter - - quench a log message that is debug only. - - iana portlist updated. - - do not query bogus nameservers. 
It is like nameservers that have - the NS or A or AAAA record bogus are listed as donotquery. - - if server selection is faced with only bad choices, it will - attempt to get more options to be fetched. - - changed bogus-ttl default value from 900 to 60 seconds. - In anticipation that operator caused failures are more likely than - actual attacks at this time. And thus repeated validation helps - the operators get the problem fixed sooner. It makes validation - failures go away sooner (60 seconds after the zone is fixed). - Also it is likely to try different nameserver targets every minute, - so that if a zone is bad on one server but not another, it is - likely to pick up the 'correct' one after a couple minutes, - and if the TTL is big enough that solves validation for the zone. - - fixup unbound-control compilation on windows. - -17 October 2008: Wouter - - port Leopard/G5: fixup type conversion size_t/uint32. - please ranlib, stop file without symbols warning. - - harden referral path now also validates the root after priming. - It looks up the root NS authoritatively as well as the root servers - and attemps to validate the entries. - -16 October 2008: Wouter - - Fixup negative TTL values appearing (reported by Attila Nagy). - -15 October 2008: Wouter - - better documentation for 0x20; remove fallback TODO, it is done. - - harden-referral-path feature includes A, AAAA queries for glue, - as well as very careful NS caching (only when doing NS query). - A, AAAA use the delegation from the NS-query. - -14 October 2008: Wouter - - fwd_three.tpkg test was flaky. If the three requests hit the - wrong threads by chance (or bad OS) then the test would fail. - Made less flaky by increasing number of retries. - - stub_udp.tpkg changed to work, give root hints. fixed ldns_dname_abs. - - ldns tarball is snapshot of ldns r2759 (1.4.0-pre-20081014). - Which includes the ldns_dname_absolute fix. 
- - fwd_three test remains flaky now that unbound does not stop - listening when full. Thus, removed timeout problem. - It may be serviced by three threads, or maybe by one. - Mostly only useful for lock-check testing now. - -13 October 2008: Wouter - - fixed recursion servers deployed as authoritative detection, so - that as a last resort, a +RD query is sent there to get the - correct answer. - - iana port list update. - - ldns tarball is snapshot of ldns r2759 (1.4.0-pre-20081013). - -10 October 2008: Wouter - - fixup tests - the negative cache contained the correct NSEC3s for - two tests that are supposed to fail to validate. - -9 October 2008: Wouter - - negative cache caps max iterations of NSEC3 done. - - NSEC3 negative cache for qtype DS works. - -8 October 2008: Wouter - - NSEC negative cache for DS. - -6 October 2008: Wouter - - jostle-timeout option, so you can config for slow links. - - 0x20 fallback code. Tries 3xnumber of nameserver addresses - queries that must all be the same. Sent to random nameservers. - - documented choices for DoS, EDNS, 0x20. - -2 October 2008: Wouter - - fixup unlink of pidfile. - - fixup SHA256 algorithm collation code. - - contrib/update-anchor.sh does not overwrite anchors if not needed. - exits 0 when a restart is needed, other values if not. - so, update-anchor.sh -d mydir && /etc/rc.d/unbound restart - can restart unbound exactly when needed. - -30 September 2008: Wouter - - fixup SHA256 DS downgrade, no longer possible to downgrade to SHA1. - - tests for sha256 support and downgrade resistance. - - RSASHA256 and RSASHA512 support (using the draft in dnsext), - using the drafted protocol numbers. - - when using stub on localhost (127.0.0.1@10053) unbound works. - Like when running NSD to host a local zone, on the same machine. - The noprime feature. manpages more explanation. Added a test for it. 
- - shorthand for reverse PTR, local-data-ptr: "1.2.3.4 www.ex.com" - -29 September 2008: Wouter - - EDNS lameness detection, if EDNS packets are dropped this is - detected, eventually. - - multiple query timeout rtt backoff does not backoff too much. - -26 September 2008: Wouter - - tests for remote-control. - - small memory leak in exception during remote control fixed. - - fixup for lock checking but not unchecking in remote control. - - iana portlist updated. - -23 September 2008: Wouter - - Msg cache is loaded. A cache load enables cache responses. - - unbound-control flush [name], flush_type and flush_zone. - -22 September 2008: Wouter - - dump_cache and load_cache statements in unbound-control. - RRsets are dumped and loaded correctly. - Msg cache is dumped. - -19 September 2008: Wouter - - locking on the localdata structure. - - add and remove local zone and data with unbound-control. - - ldns trunk snapshot updated, make tests work again. - -18 September 2008: Wouter - - fixup error in time calculation. - - munin plugin improvements. - - nicer abbreviations for high query types values (ixfr, axfr, any...) - - documented the statistics output in unbound-control man page. - - extended statistics prints out histogram, over unbound-control. - -17 September 2008: Wouter - - locking for threadsafe bogus rrset counter. - - ldns trunk no longer exports b32 functions, provide compat. - - ldns tarball updated. - - testcode/ldns-testpkts.c const fixups. - - fixed rcode stat printout. - - munin plugin in contrib. - - stats always printout uptime, because stats plugins need it. - -16 September 2008: Wouter - - extended-statistics: yesno config option. - - unwanted replies spoof nearmiss detector. - - iana portlist updated. - -15 September 2008: Wouter - - working start, stop, reload commands for unbound-control. - - test for unbound-control working; better exit value for control. - - verbosity control via unbound-control. - - unbound-control stats. 
- -12 September 2008: Wouter - - removed browser control mentions. Proto speccy. - -11 September 2008: Wouter - - set nonblocking on new TCP streams, because linux does not inherit - the socket options to the accepted socket. - - fix TCP timeouts. - - SSL protected connection between server and unbound-control. - -10 September 2008: Wouter - - remove memleak in privacy addresses on reloads and quits. - - remote control work. - -9 September 2008: Wouter - - smallapp/unbound-control-setup.sh script to set up certificates. - -4 September 2008: Wouter - - scrubber scrubs away private addresses. - - test for private addresses. man page entry. - - code refactored for name and address tree lookups. - -3 September 2008: Wouter - - options for 'DNS Rebinding' protection: private-address and - private-domain. - - dnstree for reuse of routines that help with domain, addr lookups. - - private-address and private-domain config option read, stored. - -2 September 2008: Wouter - - DoS protection features. Queries are jostled out to make room. - - testbound can pass time, increasing the internal timer. - - do not mark unsigned additionals bogus, leave unchecked, which - is removed too. - -1 September 2008: Wouter - - disallow nonrecursive queries for cache snooping by default. - You can allow is using access-control: <subnet> allow_snoop. - The defaults do allow access no authoritative data without RD bit. - - two tests for it and fixups of tests for nonrec refused. - -29 August 2008: Wouter - - version 1.1 number in trunk. - - harden-referral-path option for query for NS records. - Default turns off expensive, experimental option. - -28 August 2008: Wouter - - fixup logfile handling; it is created with correct permissions - again. (from bugfix#199). - Some errors are not written to logfile (pidfile writing, forking), - and these are only visible by using the -d commandline flag. - -27 August 2008: Wouter - - daemon(3) is causing problems for people. Reverting the patch. 
- bug#200, and 199 and 203 contain sideline discussion on it. - - bug#199 fixed: pidfile can be outside chroot. openlog is done before - chroot and drop permissions. - - config option to set size of aggressive negative cache, - neg-cache-size. - - bug#203 fixed: dlv has been implemented. - -26 August 2008: Wouter - - test for insecure zone when DLV is in use, also does negative cache. - - test for trustanchor when DLV is in use (the anchor works). - - test for DLV used for a zone below a trustanchor. - - added scrub filter for overreaching NSEC records and unit test. - - iana portlist update - - use of setresuid or setreuid when available. - - use daemon(3) if available. - -25 August 2008: Wouter - - realclean patch from Robert Edmonds. - -22 August 2008: Wouter - - nicer debuglogging of DLV. - - test with secure delegation inside the DLV repository. - -21 August 2008: Wouter - - negative cache code linked into validator, for DLV use. - negative cache works for DLV. - - iana portlist update. - - dlv-anchor option for unit tests. - - fixup NSEC_AT_APEX classification for short typemaps. - - ldns-testns has subdomain checks, for unit tests. - -20 August 2008: Wouter - - negative cache code, reviewed. - -18 August 2008: Wouter - - changes info: in logfile to notice: info: or debug: depending on - the verbosity of the statements. Better logfile message - classification. - - bug #208: extra rc.d unbound flexibility for freebsd/nanobsd. - -15 August 2008: Wouter - - DLV nsec code fixed for better detection of closest existing - enclosers from NSEC responses. - - DLV works, straight to the dlv repository, so not for production. - - Iana port update. - -14 August 2008: Wouter - - synthesize DLV messages from the rrset cache, like done for DS. - -13 August 2008: Wouter - - bug #203: nicer do-auto log message when user sets incompatible - options. - - bug #204: variable name ameliorated in log.c. - - bug #206: in iana_update, no egrep, but awk use. 
- - ldns snapshot r2699 taken (includes DLV type). - - DLV work, config file element, trust anchor read in. - -12 August 2008: Wouter - - finished adjusting testset to provide qtype NS answers. - -11 August 2008: Wouter - - Fixup rrset security updates overwriting 2181 trust status. - This makes validated to be insecure data just as worthless as - nonvalidated data, and 2181 rules prevent cache overwrites to them. - - Fix assertion fail on bogus key handling. - - dnssec lameness detection works on first query at trust apex. - - NS queries get proper cache and dnssec lameness treatment. - - fixup compilation without pthreads on linux. - -8 August 2008: Wouter - - NS queries are done after every referral. - validator is used on those NS records (if anchors enabled). - -7 August 2008: Wouter - - Scrubber more strict. CNAME chains, DNAMEs from cache, other - irrelevant rrsets removed. - - 1.0.2 released from 1.0 support branch. - - fixup update-anchor.sh to work both in BSD shell and bash. - -5 August 2008: Wouter - - fixup DS test so apex nodata works again. - -4 August 2008: Wouter - - iana port update. - - TODO update. - - fix bug 201: null ptr deref on cleanup while udp pkts wait for port. - - added explanatory text for outgoing-port-permit in manpage. - -30 July 2008: Wouter - - fixup bug qtype DS for unsigned zone and signed parent validation. - -25 July 2008: Wouter - - added original copyright statement of OpenBSD arc4random code. - - created tube signaling solution on windows, as a pipe replacement. - this makes background asynchronous resolution work on windows. - - removed very insecure socketpair compat code. It also did not - work with event_waiting. Solved by pipe replacement. - - unbound -h prints openssl version number as well. - -22 July 2008: Wouter - - moved pipe actions to util/tube.c. easier porting and shared code. - - check _raw() commpoint callbacks with fptr_wlist. - - iana port update. 
- -21 July 2008: Wouter - - #198: nicer entropy warning message. manpage OS hints. - -19 July 2008: Wouter - - #198: fixup man page to suggest chroot entropy fix. - -18 July 2008: Wouter - - branch for 1.0 support. - - trunk work on tube.c. - -17 July 2008: Wouter - - fix bug #196, compile outside source tree. - - fix bug #195, add --with-username=user configure option. - - print error and exit if started with config that requires more - fds than the builtin minievent can handle. - -16 July 2008: Wouter - - made svn tag 1.0.1, trunk now 1.0.2 - - sha256 checksums enabled in makedist.sh - -15 July 2008: Wouter - - Follow draft-ietf-dnsop-default-local-zones-06 added reverse - IPv6 example prefix to AS112 default blocklist. - - fixup lookup of DS records by client with trustanchor for same. - - libunbound ub_resolve, fix handling of error condition during setup. - - lowered log_hex blocksize to fit through BSD syslog linesize. - - no useless initialisation if getpwnam not available. - - iana, ldns snapshot updated. - -3 July 2008: Wouter - - Matthijs fixed memory leaks in root hints file reading. - -26 June 2008: Wouter - - fixup streamtcp bounds setting for udp mode, in the test framework. - - contrib item for updating trust anchors. - -25 June 2008: Wouter - - fixup fwd_ancil test typos. - - Fix for newegg lameness : ok for qtype=A, but lame for others. - - fixup unit test for infra cache, test lame merging. - - porting to mingw, bind, listen, getsockopt and setsockopt error - handling. - -24 June 2008: Wouter - - removed testcode/checklocks from production code compilation path. - - streamtcp can use UDP mode (connected UDP socket), for testing IPv6 - on windows. - - fwd_ancil test fails if platform support is lacking. - -23 June 2008: Wouter - - fixup minitpkg to cleanup on windows with its file locking troubles. - - minitpkg shows skipped tests in report. - - skip ipv6 tests on ipv4 only hosts (requires only ipv6 localhost not - ipv6 connectivity). 
- - winsock event handler keeps track of sticky TCP events, that have - not been fully handled yet. when interest in the event(s) resumes, - they are sent again. When WOULDBLOCK is returned events are cleared. - - skip tests that need signals when testing on mingw. - -18 June 2008: Wouter - - open testbound replay files in binary mode, because fseek/ftell - do not work in ascii-mode on windows. The b does nothing on unix. - unittest and testbound tests work on windows (xp too). - - ioctlsocket prints nicer error message. - - fixed up some TCP porting for winsock. - - lack of IPv6 gives a warning, no fatal error. - - use WSAGetLastError() on windows instead of errno for some errors. - -17 June 2008: Wouter - - outgoing num fds 32 by default on windows ; it supports less - fds for waiting on than unixes. - - winsock_event minievent handler for windows. (you could also - attempt to link with libevent/libev ports for windows). - - neater crypto check and gdi32 detection. - - unbound.exe works to resolve and validate www.nlnetlabs.nl on vista. - -16 June 2008: Wouter - - on windows, use windows threads, mutex and thread-local-storage(Tls). - - detect if openssl needs gdi32. - - if no threading, THREADS_DISABLED is defined for use in the code. - - sets USE_WINSOCK if using ws2_32 on windows. - - wsa_strerror() function for more readable errors. - - WSA Startup and Cleanup called in unbound.exe. - -13 June 2008: Wouter - - port mingw32, more signal ifdefs, detect sleep, usleep, - random, srandom (used inside the tests). - - signed or unsigned FD_SET is cast. - -10 June 2008: Wouter - - fixup warnings compiling on eeepc xandros linux. - -9 June 2008: Wouter - - in iteration response type code - * first check for SOA record (negative answer) before NS record - and lameness. - * check if no AA bit for non-forwarder, and thus lame zone. - In response to error report by Richard Doty for mail.opusnet.com. - - fixup unput warning from lexer on freeBSD. - - bug#183. 
pidfile, rundir, and chroot configure options. Also the - example.conf and manual pages get the configured defaults. - You can use: (or accept the defaults to /usr/local/etc/unbound/) - --with-conf-file=filename - --with-pidfile=filename - --with-run-dir=path - --with-chroot-dir=path - -8 June 2008: Wouter - - if multiple CNAMEs, use the first one. Fixup akamai CNAME bug. - Reported by Robert Edmonds. - - iana port updated. - -4 June 2008: Wouter - - updated libtool files with newer version. - - iana portlist updated. - -3 June 2008: Wouter - - fixup local-zone: "30.172.in-addr.arpa." nodefault, so that the - trailing dot is not used during comparison. - -2 June 2008: Wouter - - Jelte fixed bugs in my absence - - bug 178: fixed unportable shell usage in configure (relied on - bash shell). - - bug 180: fixed buffer overflow in unbound-checkconf use of strncat. - - bug 181: fixed buffer overflow in ldns (called by unbound to parse - config file parts). - - fixes by Wouter - - bug 177: fixed compilation failure on opensuse, the - --disable-static configure flag caused problems. (Patch from - Klaus Singvogel) - - bug 179: same fix as 177. - - bug 185: --disable-shared not passed along to ldns included with - unbound. Fixed so that configure parameters are passed to the - subdir configure script. - fixed that ./libtool is used always, you can still override - manually with ./configure libtool=mylibtool or set $libtool in - the environment. - - update of the ldns tarball to current ldns svn version (fix 181). - - bug 184: -r option for unbound-host, read resolv.conf for - forwarder. (Note that forwarder must support DNSSEC for validation - to succeed). - -23 May 2008: Wouter - - mingw32 porting. - - test for sys/wait.h - - WSAEWOULDBLOCK test after nonblocking TCP connect. - - write_iov_buffer removed: unused and no struct iov on windows. - - signed/unsigned warning fixup mini_event. - - use ioctlsocket to set nonblocking I/O if fnctl is unavailable. 
- - skip signals that are not defined - - detect pwd.h. - - detect getpwnam, getrlimit, setsid, sbrk, chroot. - - default config has no chroot if chroot() unavailable. - - if no kill() then no pidfile is read or written. - - gmtime_r is replaced by nonthreadsafe alternative if unavail. - used in rrsig time validation errors. - -22 May 2008: Wouter - - contrib unbound.spec from Patrick Vande Walle. - - fixup bug#175: call tzset before chroot to have correct timestamps - in system log. - - do not generate lex input and lex unput functions. - - mingw port. replacement functions labelled _unbound. - - fix bug 174 - check for tcp_sigpipe that ldns-testns is installed. - -19 May 2008: Wouter - - fedora 9, check in6_pktinfo define in configure. - - CREDITS fixup of history. - - ignore ldns-1.2.2 if installed, use builtin 1.3.0-pre alternative. - -16 May 2008: Wouter - - fixup for MacOSX hosts file reading (reported by John Dickinson). - - created 1.0.0 svn tag. - - trunk version 1.0.1. - -14 May 2008: Wouter - - accepted patch from Ondrej Sury for library version libtool option. - - configure --disable-rpath fixes up libtool for rpath trouble. - Adapted from debian package patch file. - -13 May 2008: Wouter - - Added root ipv6 addresses to builtin root hints. - - TODO modified for post 1.0 plans. - - trunk version set to 1.0.0. - - no unnecessary linking with librt (only when libevent/libev used). - -7 May 2008: Wouter - - fixup no-ip4 problem with error callback in outside network. - -25 April 2008: Wouter - - DESTDIR is honored by the Makefile for rpms. - - contrib files unbound.spec and unbound.init, builds working RPM - on FC7 Linux, a chrooted caching resolver, and libunbound. - - iana ports update. - -24 April 2008: Wouter - - chroot checks improved. working directory relative to chroot. - checks if config file path is inside chroot. Documentation on it. - - nicer example.conf text. - - created 0.11 tag. 
- -23 April 2008: Wouter - - parseunbound.pl contrib update from Kai Storbeck for threads. - - iana ports update - -22 April 2008: Wouter - - ignore SIGPIPE. - - unit test for SIGPIPE ignore. - -21 April 2008: Wouter - - FEATURES document. - - fixup reread of config file if it was given as a full path - and chroot was used. - -16 April 2008: Wouter - - requirements doc, updated clean query returns. - - parseunbound.pl update from Kai Storbeck. - - sunos4 porting changes. - -15 April 2008: Wouter - - fixup default rc.d pidfile location to /usr/local/etc. - - iana ports updated. - - copyright updated in ldns-testpkts to keep same as in ldns. - - fixup checkconf chroot tests a bit more, chdir must be inside - chroot dir. - - documented 'gcc: unrecognized -KPIC option' errors on Solaris. - - example.conf values changed to /usr/local/etc/unbound - - DSA test work. - - DSA signatures: unbound is compatible with both encodings found. - It will detect and convert when necessary. - -14 April 2008: Wouter - - got update for parseunbound.pl statistics script from Kai Storbeck. - - tpkg tests for udp wait list. - - documented 0x20 status. - - fixup chroot and checkconf, it is much smarter now. - - fixup DSA EVP signature decoding. Solution that Jelte found copied. - - and check first sig byte for the encoding type. - -11 April 2008: Wouter - - random port selection out of the configged ports. - - fixup threadsafety for libevent-1.4.3+ (event_base_get_method). - - removed base_port. - - created 256-port ephemeral space for the OS, 59802 available. - - fixup consistency of port_if out array during heavy use. - -10 April 2008: Wouter - - --with-libevent works with latest libevent 1.4.99-trunk. - - added log file statistics perl script to contrib. - - automatic iana ports update from makefile. 60058 available. 
- -9 April 2008: Wouter - - configure can detect libev(from its build directory) when passed - --with-libevent=/home/wouter/libev-3.2 - libev-3.2 is a little faster than libevent-1.4.3-stable (about 5%). - - unused commpoints not listed in epoll list. - - statistics-cumulative option so that the values are not reset. - - config creates array of available ports, 61841 available, - it excludes <1024 and iana assigned numbers. - config statements to modify the available port numbers. - -8 April 2008: Wouter - - unbound tries to set the ulimit fds when started as server. - if that does not work, it will scale back its requirements. - -27 March 2008: Wouter - - documented /dev/random symlink from chrootdir as FAQ entry. - -26 March 2008: Wouter - - implemented AD bit signaling. If a query sets AD bit (but not DO) - then the AD bit is set in the reply if the answer validated. - Without including DNSSEC signatures. Useful if you have a trusted - path from the client to the resolver. Follows dnssec-updates draft. - -25 March 2008: Wouter - - implemented check that for NXDOMAIN and NOERROR answers a query - section must be present in the reply (by the scrubber). And it must - be equal to the question sent, at least lowercase folded. - Previously this feature happened because the cache code refused - to store such messages. However blocking by the scrubber makes - sure nothing gets into the RRset cache. Also, this looks like a - timeout (instead of an allocation failure) and this retries are - done (which is useful in a spoofing situation). - - RTT banding. Band size 400 msec, this makes band around zero (fast) - include unknown servers. This makes unbound explore unknown servers. - -7 March 2008: Wouter - - -C config feature for harvest program. - - harvest handles CNAMEs too. - -5 March 2008: Wouter - - patch from Hugo Koji Kobayashi for iterator logs spelling. 
- -4 March 2008: Wouter - - From report by Jinmei Tatuya, rfc2181 trust value for remainder - of a cname trust chain is lower; not full answer_AA. - - test for this fix. - - default config file location is /usr/local/etc/unbound. - Thus prefix is used to determine the location. This is also the - chroot and pidfile default location. - -3 March 2008: Wouter - - Create 0.10 svn tag. - - 0.11 version in trunk. - - indentation nicer. - -29 February 2008: Wouter - - documentation update. - - fixup port to Solaris of perf test tool. - - updated ldns-tarball with decl-after-statement fixes. - -28 February 2008: Wouter - - fixed memory leaks in libunbound (during cancellation and wait). - - libunbound returns the answer packet in full. - - snprintf compat update. - - harvest performs lookup. - - ldns-tarball update with fix for ldns_dname_label. - - installs to sbin by default. - - install all manual pages (unbound-host and libunbound too). - -27 February 2008: Wouter - - option to use caps for id randomness. - - config file option use-caps-for-id: yes - - harvest debug tool - -26 February 2008: Wouter - - delay utility delays TCP as well. If the server that is forwarded - to has a TCP error, the delay utility closes the connection. - - delay does REUSE_ADDR, and can handle a server that closes its end. - - answers use casing from query. - -25 February 2008: Wouter - - delay utility works. Gets decent thoughput too (>20000). - -22 February 2008: Wouter - - +2% for recursions, if identical queries (except for destination - and query ID) in the reply list, avoid re-encoding the answer. - - removed TODO items for optimizations that do not show up in - profile reports. - - default is now minievent - not libevent. As its faster and - not needed for regular installs, only for very large port ranges. - - loop check different speedup pkt-dname-reading, 1% faster for - nocache-recursion check. - - less hashing during msg parse, 4% for recursion. 
- - small speed fix for dname_count_size_labels, +1 or +2% recursion. - - some speed results noted: - optimization resulted in +40% for recursion (cache miss) and - +70 to +80 for cache hits, and +96% for version.bind. - zone nsec3 example, 100 NXDOMAIN queries, NSD 35182.8 Ub 36048.4 - www.nlnetlabs.nl from cache: BIND 8987.99 Ub 31218.3 - www with DO bit set : BIND 8269.31 Ub 28735.6 qps. - So, unbound can be about equal qps to NSD in cache hits. - And about 3.4x faster than BIND in cache performance. - - delay utility for testing. - -21 February 2008: Wouter - - speedup of root-delegation message encoding by 15%. - - minor speedup of compress tree_lookup, maybe 1%. - - speedup of dname_lab_cmp and memlowercmp - the top functions in - profiler output, maybe a couple percent when it matters. - -20 February 2008: Wouter - - setup speec_cache for need-ldns-testns in dotests. - - check number of queued replies on incoming queries to avoid overload - on that account. - - fptr whitelist checks are not disabled in optimize mode. - - do-daemonize config file option. - - minievent time share initializes time at start. - - updated testdata for nsec3 new algorithm numbers (6, 7). - - small performance test of packet encoding (root delegation). - -19 February 2008: Wouter - - applied patch to unbound-host man page from Jan-Piet Mens. - - fix donotquery-localhost: yes default (it erroneously was switched - to default 'no'). - - time is only gotten once and the value is shared across unbound. - - unittest cleans up crypto, so that it has no memory leaks. - - mini_event shares the time value with unbound this results in - +3% speed for cache responses and +9% for recursions. - - ldns tarball update with new NSEC3 sign code numbers. - - perform several reads per UDP operation. This improves performance - in DoS conditions, and costs very little in normal conditions. - improves cache response +50%, and recursions +10%. - - modified asynclook test. 
because the callback from async is not - in any sort of lock (and thus can use all library functions freely), - this causes a tiny race condition window when the last lock is - released for a callback and a new cancel() for that callback. - The only way to remove this is by putting callbacks into some - lock window. I'd rather have the small possibility of a callback - for a cancelled function then no use of library functions in - callbacks. Could be possible to only outlaw process(), wait(), - cancel() from callbacks, by adding another lock, but I'd rather not. - -18 February 2008: Wouter - - patch to unbound-host from Jan-Piet Mens. - - unbound host prints errors if fails to configure context. - - fixup perf to resend faster, so that long waiting requests do - not hold up the queue, they become lost packets or SERVFAILs, - or can be sent a little while later (i.e. processing time may - take long, but throughput has to be high). - - fixup iterator operating in no cache conditions (RD flag unset - after a CNAME). - - streamlined code for RD flag setting. - - profiled code and changed dname compares to be faster. - The speedup is about +3% to +8% (depending on the test). - - minievent tests for eintr and eagain. - -15 February 2008: Wouter - - added FreeBSD rc.d script to contrib. - - --prefix option for configure also changes directory: pidfile: - and chroot: defaults in config file. - - added cache speed test, for cache size OK and cache too small. - -14 February 2008: Wouter - - start without a config file (will complain, but start with - defaults). - - perf test program works. - -13 February 2008: Wouter - - 0.9 released. - - 1.0 development. Printout ldns version on unbound -h. - - start of perf tool. - - bugfix to read empty lines from /etc/hosts. - -12 February 2008: Wouter - - fixup problem with configure calling itself if ldns-src tarball - is not present. - -11 February 2008: Wouter - - changed library to use ub_ instead of ub_val_ as prefix. 
- - statistics output text nice. - - etc/hosts handling. - - library function to put logging to a stream. - - set any option interface. - -8 February 2008: Wouter - - test program for multiple queries over a TCP channel. - - tpkg test for stream tcp queries. - - unbound replies to multiple TCP queries on a TCP channel. - - fixup misclassification of root referral with NS in answer - when validating a nonrec query. - - tag 0.9 - - layout of manpages, spelling fix in header, manpages process by - makedist, list asynclook and tcpstream tests as ldns-testns - required. - -7 February 2008: Wouter - - moved up all current level 2 to be level 3. And 3 to 4. - to make room for new debug level 2 for detailed information - for operators. - - verbosity level 2. Describes recursion and validation. - - cleaner configure script and fixes for libevent solaris. - - signedness for log output memory sizes in high verbosity. - -6 February 2008: Wouter - - clearer explanation of threading configure options. - - fixup asynclook test for nothreading (it creates only one process - to do the extended test). - - changed name of ub_val_result_free to ub_val_resolve_free. - - removes warning message during library linking, renamed - libunbound/unbound.c -> libunbound.c and worker to libworker. - - fallback without EDNS if result is NOTIMPL as well as on FORMERR. - -5 February 2008: Wouter - - statistics-interval: seconds option added. - - test for statistics option - - ignore errors making directories, these can occur in parallel builds - - fixup Makefile strip command and libunbound docs typo. - -31 January 2008: Wouter - - bg thread/process reads and writes the pipe nonblocking all the time - so that even if the pipe is buffered or so, the bg thread does not - block, and services both pipes and queries. - -30 January 2008: Wouter - - check trailing / on chrootdir in checkconf. - - check if root hints and anchor files are in chrootdir. - - no route to host tcp error is verbosity level 2. 
- - removed unused send_reply_iov. and its configure check. - - added prints of 'remote address is 1.2.3.4 port 53' to errors - from netevent; the basic socket errors. - -28 January 2008: Wouter - - fixup uninit use of buffer by libunbound (query id, flags) for - local_zone answers. - - fixup uninit warning from random.c; also seems to fix sporadic - sigFPE coming out of openssl. - - made openssl entropy warning more silent for library use. Needs - verbosity 1 now. - - fixup forgotten locks for rbtree_searches on ctx->query tree. - - random generator cleanup - RND_STATE_SIZE removed, and instead - a super-rnd can be passed at init to chain init random states. - - test also does lock checks if available. - - protect config access in libworker_setup(). - - libevent doesn't like comm_base_exit outside of runloop. - - close fds after removing commpoints only (for epoll, kqueue). - -25 January 2008: Wouter - - added tpkg for asynclook and library use. - - allows localhost to be queried when as a library. - - fixup race condition between cancel and answer (in case of - really fast answers that beat the cancel). - - please doxygen, put doxygen comment in one place. - - asynclook -b blocking mode and test. - - refactor asynclook, nicer code. - - fixup race problems from opensll in rand init from library, with - a mutex around the rand init. - - fix pass async_id=NULL to _async resolve(). - - rewrote _wait() routine, so that it is threadsafe. - - cancelation is threadsafe. - - asynclook extended test in tpkg. - - fixed two races where forked bg process waits for (somehow shared?) - locks, so does not service the query pipe on the bg side. - Now those locks are only held for fg_threads and for bg_as_a_thread. - -24 January 2008: Wouter - - tested the cancel() function. - - asynclook -c (cancel) feature. - - fix fail to allocate context actions. - - make pipe nonblocking at start. - - update plane for retry mode with caution to limit bandwidth. 
- - fix Makefile for concurrent make of unbound-host. - - renamed ub_val_ctx_wait/poll/process/fd to ub_val*. - - new calls to set forwarding added to header and docs. - -23 January 2008: Wouter - - removed debug prints from if-auto, verb-algo enables some. - - libunbound QUIT setup, remove memory leaks, when using threads - will share memory for passing results instead of writing it over - the pipe, only writes ID number over the pipe (towards the handler - thread that does process() ). - -22 January 2008: Wouter - - library code for async in libunbound/unbound.c. - - fix link testbound. - - fixup exit bug in mini_event. - - background worker query enter and result functions. - - bg query test application asynclook, it looks up multiple - hostaddresses (A records) at the same time. - -21 January 2008: Wouter - - libworker work, netevent raw commpoints, write_msg, serialize. - -18 January 2008: Wouter - - touch up of manpage for libunbound. - - support for IP_RECVDSTADDR (for *BSD ip4). - - fix for BSD, do not use ip4to6 mapping, make two sockets, once - ip6 and once ip4, uses socket options. - - goodbye ip4to6 mapping. - - update ldns-testpkts with latest version from ldns-trunk. - - updated makedist for relative ldns pathnames. - - library API with more information inside the result structure. - - work on background resolves. - -17 January 2008: Wouter - - fixup configure in case -lldns is installed. - - fixup a couple of doxygen warnings, about enum variables. - - interface-automatic now copies the interface address from the - PKT_INFO structure as well. - - manual page with library API, all on one page 'man libunbound'. - - rewrite of PKTINFO structure, it also captures IP4 PKTINFO. - -16 January 2008: Wouter - - incoming queries to the server with TC bit on are replied FORMERR. - - interface-automatic replied the wrong source address on localhost - queries. Seems to be due to ifnum=0 in recvmsg PKTINFO. 
Trying - to use ifnum=-1 to mean 'no interface, use kernel route'. - -15 January 2008: Wouter - - interface-automatic feature. experimental. Nice for anycast. - - tpkg test for ip6 ancillary data. - - removed debug prints. - - porting experience, define for Solaris, test refined for BSD - compatibility. The feature probably will not work on OpenBSD. - - makedist fixup for ldns-src in build-dir. - -14 January 2008: Wouter - - in no debug sets NDEBUG to remove asserts. - - configure --enable-debug is needed for dependency generation - for assertions and for compiler warnings. - - ldns.tgz updated with ldns-trunk (where buffer.h is updated). - - fix lint, unit test in optimize mode. - - default access control allows ::ffff:127.0.0.1 v6mapped localhost. - -11 January 2008: Wouter - - man page, warning removed. - - added text describing the use of stub zones for private zones. - - checkconf tests for bad hostnames (IP address), and for doubled - interface lines. - - memory sizes can be given with 'k', 'Kb', or M or G appended. - -10 January 2008: Wouter - - typo in example.conf. - - made using ldns-src that is included the package more portable - by linking with .lo instead of .o files in the ldns package. - - nicer do-ip6: yes/no documentation. - - nicer linking of libevent .o files. - - man pages render correctly on solaris. - -9 January 2008: Wouter - - fixup openssl RAND problem, when the system is not configured to - give entropy, and the rng needs to be seeded. - -8 January 2008: Wouter - - print median and quartiles with extensive logging. - -4 January 2008: Wouter - - document misconfiguration in private network. - -2 January 2008: Wouter - - fixup typo in requirements. - - document that 'refused' is a better choice than 'drop' for - the access control list, as refused will stop retries. - -7 December 2007: Wouter - - unbound-host has a -d option to show what happens. This can help - with debugging (why do I get this answer). 
- - fixup CNAME handling, on nodata, sets and display canonname. - - dot removed from CNAME display. - - respect -v for NXDOMAINs. - - updated ldns-src.tar.gz with ldns-trunk today (1.2.2 fixes). - - size_t to int for portability of the header file. - - fixup bogus handling. - - dependencies and lint for unbound-host. - -6 December 2007: Wouter - - library resolution works in foreground mode, unbound-host app - receives data. - - unbound-host prints rdata using ldns. - - unbound-host accepts trust anchors, and prints validation - information when you give -v. - -5 December 2007: Wouter - - locking in context_new() inside the function. - - setup of libworker. - -4 December 2007: Wouter - - minor Makefile fixup. - - moved module-stack code out of daemon/daemon into services/modstack, - preparing for code-reuse. - - move context into own header file. - - context query structure. - - removed unused variable pwd from checkconf. - - removed unused assignment from outside netw. - - check timeval length of string. - - fixup error in val_utils getsigner. - - fixup same (*var) error in netblocktostr. - - fixup memleak on parse error in localzone. - - fixup memleak on packet parse error. - - put ; after union in parser.y. - - small hardening in iter_operate against iq==NULL. - - hardening, if error reply with rcode=0 (noerror) send servfail. - - fixup same (*var) error in find_rrset in msgparse, was harmless. - - check return value of evtimer_add(). - - fixup lockorder in lruhash_reclaim(), building up a list of locked - entries one at a time. Instead they are removed and unlocked. - - fptr_wlist for markdelfunc. - - removed is_locked param from lruhash delkeyfunc. - - moved bin_unlock during bin_split purely to please. - -3 December 2007: Wouter - - changed checkconf/ to smallapp/ to make room for more support tools. - (such as unbound-host). - - install dirs created with -m 755 because they need to be accessible. - - library extensive featurelist added to TODO. 
- - please doxygen, lint. - - library test application, with basic functionality. - - fix for building in a subdirectory. - - link lib fix for Leopard. - -30 November 2007: Wouter - - makefile that creates libunbound.la, basic file or libunbound.a - when creating static executables (no libtool). - - more API setup. - -29 November 2007: Wouter - - 0.9 public API start. - -28 November 2007: Wouter - - Changeup plan for 0.8 - no complication needed, a simple solution - has been chosen for authoritative features. - - you can use single quotes in the config file, so it is possible - to specify TXT records in local data. - - fixup small memory problem in implicit transparent zone creation. - - test for implicit zone creation and multiple RR RRsets local data. - - local-zone nodefault test. - - show testbound testlist on commit. - - iterator normalizer changes CNAME chains ending in NXDOMAIN where - the packet got rcode NXDOMAIN into rcode NOERROR. (since the initial - domain exists). - - nicer verbosity: 0 and 1 levels. - - lower nonRDquery chance of eliciting wrongly typed validation - requiring message from the cache. - - fix for nonRDquery validation typing; nodata is detected when - SOA record in auth section (all validation-requiring nodata messages - have a SOA record in authority, so this is OK for the validator), - and NS record is needed to be a referral. - - duplicate checking when adding NSECs for a CNAME, and test. - - created svn tag 0.8, after completing testbed tests. - -27 November 2007: Wouter - - per suggestion in rfc2308, replaced default max-ttl value with 1 day. - - set size of msgparse lookup table to 32, from 1024, so that its size - is below the 2048 regional large size threshold, and does not cause - a call to malloc when a message is parsed. - - update of memstats tool to print number of allocation calls. - This is what is taking time (not space) and indicates the avg size - of the allocations as well. region_alloc stat is removed. 
- -22 November 2007: Wouter - - noted EDNS in-the-middle dropping trouble as a TODO. - At this point theoretical, no user trouble has been reported. - - added all default AS112 zones. - - answers from local zone content. - * positive answer, the rrset in question - * nodata answer (exist, but not that type). - * nxdomain answer (domain does not exist). - * empty-nonterminal answer. - * But not: wildcard, nsec, referral, rrsig, cname/dname, - or additional section processing, NS put in auth. - - test for correct working of static and transparent and couple - of important defaults (localhost, as112, reverses). - Also checks deny and refuse settings. - - fixup implicit zone generation and AA bit for NXDOMAIN on localdata. - -21 November 2007: Wouter - - local zone internal data setup. - -20 November 2007: Wouter - - 0.8 - str2list config support for double string config options. - - local-zone and local-data options, config storage and documentation. - -19 November 2007: Wouter - - do not downcase NSEC and RRSIG for verification. Follows - draft-ietf-dnsext-dnssec-bis-updates-06.txt. - - fixup leaking unbound daemons at end of tests. - - README file updated. - - nice libevent not found error. - - README talks about gnu make. - - 0.8: unit test for addr_mask and fixups for it. - and unit test for addr_in_common(). - - 0.8: access-control config file element. - and unit test rpl replay file. - - 0.8: fixup address reporting from netevent. - -16 November 2007: Wouter - - privilege separation is not needed in unbound at this time. - TODO item marked as such. - - created beta-0.7 branch for support. - - tagged 0.7 for beta release. - - moved trunk to 0.8 for 0.8(auth features) development. - - 0.8: access control list setup. - -15 November 2007: Wouter - - review fixups from Jelte. - -14 November 2007: Wouter - - testbed script does not recreate configure, since its in svn now. - - fixup checkconf test so that it does not test - /etc/unbound/unbound.conf. - - tag 0.6. 
- -13 November 2007: Wouter - - remove debug print. - - fixup testbound exit when LIBEVENT_SIGNAL_PROBLEM exists. - -12 November 2007: Wouter - - fixup signal handling where SIGTERM could be ignored if a SIGHUP - arrives later on. - - bugreports to unbound-bugs@nlnetlabs.nl - - fixup testbound so it exits cleanly. - - cleanup the caches on a reload, so that rrsetID numbers won't clash. - -9 November 2007: Wouter - - took ldns snapshot in repo. - - default config file is /etc/unbound/unbound.conf. - If it doesn't exist, it is installed with the doc/example.conf file. - The file is not deleted on uninstall. - - default listening is not all, but localhost interfaces. - -8 November 2007: Wouter - - Fixup chroot and drop user privileges. - - new L root ip address in default hints. - -1 November 2007: Wouter - - Fixup of crash on reload, due to anchors in env not NULLed after - dealloc during deinit. - - Fixup of chroot call. Happens after privileges are dropped, so - that checking the passwd entry still works. - - minor touch up of clear() hashtable function. - - VERB_DETAIL prints out what chdir, username, chroot is being done. - - when id numbers run out, caches are cleared, as in design notes. - Tested with a mock setup with very few bits in id, it worked. - - harden-dnssec-stripped: yes is now default. It insists on dnssec - data for trust anchors. Included tests for the feature. - -31 October 2007: Wouter - - cache-max-ttl config option. - - building outside sourcedir works again. - - defaults more secure: - username: "unbound" - chroot: "/etc/unbound" - The operator can override them to be less secure ("") if necessary. - - fix horrible oversight in sorting rrset references in a message, - sort per reference key pointer, not on referencepointer itself. - - pidfile: "/etc/unbound/unbound.pid" is now the default. - - tests changed to reflect the updated default. - - created hashtable clear() function that respects locks. 
- -30 October 2007: Wouter - - fixup assertion failure that relied on compressed names to be - smaller than uncompressed names. A packet from comrite.com was seen - to be compressed to a larger size. Added it as unit test. - - quieter logging at low verbosity level for common tcp messages. - - no greedy TTL update. - -23 October 2007: Wouter - - fixup (grand-)parent problem for dnssec-lameness detection. - - fixup tests to do additional section processing for lame replies, - since the detection needs that. - - no longer trust in query section in reply during dnssec lame detect. - - dnssec lameness does not make the server never ever queried, but - non-preferred. If no other servers exist or answer, the dnssec lame - server is used; the fastest dnssec lame server is chosen. - - added test then when trust anchor cannot be primed (nodata), the - insecure mode from unbound works. - - Fixup max queries per thread, any more are dropped. - -22 October 2007: Wouter - - added donotquerylocalhost config option. Can be turned off for - out test cases. - - ISO C compat changes. - - detect RA-no-AA lameness, as LAME. - - DNSSEC-lameness detection, as LAME. - See notes in requirements.txt for choices made. - - tests for lameness detection. - - added all to make test target; need unbound for fwd tests. - - testbound does not pollute /etc/unbound. - -19 October 2007: Wouter - - added configure (and its files) to svn, so that the trunk is easier - to use. ./configure, config.guess, config.sub, ltmain.sh, - and config.h.in. - - added yacc/lex generated files, util/configlexer.c, - util/configparser.c util/configparser.h, to svn. - - without lex no attempt to use it. - - unsecure response validation collated into one block. - - remove warning about const cast of cfgfile name. - - outgoing-interfaces can be different from service interfaces. 
- - ldns-src configure is done during unbound configure and - ldns-src make is done during unbound make, and so inherits the - make arguments from the unbound make invocation. - - nicer error when libevent problem causes instant exit on signal. - - read root hints from a root hint file (like BIND does). - -18 October 2007: Wouter - - addresses are logged with errors. - - fixup testcode fake event to remove pending before callback - since the callback may create new pending items. - - tests updated because retries are now in iterator module. - - ldns-testpkts code is checked for differences between unbound - and ldns by makedist.sh. - - ldns trunk from today added in svn repo for fallback in case - no ldns is installed on the system. - make download_ldns refreshes the tarball with ldns svn trunk. - - ldns-src.tar.gz is used if no ldns is found on the system, and - statically linked into unbound. - - start of regional allocator code. - - regional uses less memory and variables, simplified code. - - remove of region-allocator. - - alloc cache keeps a cache of recently released regional blocks, - up to a maximum. - - make unit test cleanly free memory. - -17 October 2007: Wouter - - fixup another cycle detect and ns-addr timeout resolution bug. - This time by refusing delegations from the cache without addresses - when resolving a mandatory-glue nameserver-address for that zone. - We're going to have to ask a TLD server anyway; might as well be - the TLD server for this name. And this resolves a lot of cases where - the other nameserver names lead to cycles or are not available. - - changed random generator from random(3) clone to arc4random wrapped - for thread safety. The random generator is initialised with - entropy from the system. - - fix crash where failure to prime DNSKEY tried to print null pointer - in the log message. - - removed some debug prints, only verb_algo (4) enables them. 
- - fixup test; new random generator took new paths; such as one - where no scripted answer was available. - - mark insecure RRs as insecure. - - fixup removal of nonsecure items from the additional. - - reduced timeout values to more realistic, 376 msec (262 msec has - 90% of roundtrip times, 512 msec has 99% of roundtrip times.) - - server selection failover to next server after timeout (376 msec). - -16 October 2007: Wouter - - no malloc in log_hex. - - assertions around system calls. - - protect against gethostname without ending zero. - - ntop output is null terminated by unbound. - - pidfile content null termination - - various snprintf use sizeof(stringbuf) instead of fixed constant. - - changed loopdetect % 8 with & 0x7 since % can become negative for - weird negative input and particular interpretation of integer math. - - dname_pkt_copy checks length of result, to protect result buffers. - prints an error, this should not happen. Bad strings should have - been rejected earlier in the program. - - remove a size_t underflow from msgreply size func. - -15 October 2007: Wouter - - nicer warning. - - fix IP6 TCP, wrong definition check. With test package. - - fixup the fact that the query section was not compressed to, - the code was there but was called by value instead of by reference. - And test for the case, uses xxd and nc. - - more portable ip6 check for sockaddr types. - -8 October 2007: Wouter - - --disable-rpath option in configure for 64bit systems with - several dynamic lib dirs. - -7 October 2007: Wouter - - fixup tests for no AD bit in non-DO queries. - - test that makes sure AD bit is not set on non-DO query. - -6 October 2007: Wouter - - removed logfile open early. It did not have the proper permissions; - it was opened as root instead of the user. And we cannot change user - id yet, since chroot and bind ports need to be done. - - callback checks for event callbacks done from mini_event. Because - of deletions cannot do this from netevent. 
This means when using - libevent the protection does not work on event-callbacks. - - fixup too small reply (did not zero counts). - - fixup reply no longer AD bit when query without DO bit. - -5 October 2007: Wouter - - function pointer whitelist. - -4 October 2007: Wouter - - overwrite sensitive random seed value after use. - - switch to logfile very soon if not -d (console attached). - - error messages do not reveal the trustanchor contents. - - start work on function pointer whitelists. - -3 October 2007: Wouter - - fix for multiple empty nonterminals, after multiple DSes in the - chain of trust. - - mesh checks if modules are looping, and stops them. - - refetch with CNAMEd nameserver address regression test added. - - fixup line count bug in testcode, so testbound prints correct line - number with parse errors. - - unit test for multiple ENT case. - - fix for cname out of validated unsec zone. - - fixup nasty id=0 reuse. Also added assertions to detect its - return (the assertion catches in the existing test cases). - -1 October 2007: Wouter - - skip F77, CXX, objC tests in configure step. - - fixup crash in refetch glue after a CNAME. - and protection against similar failures (with error print). - -28 September 2007: Wouter - - test case for unbound-checkconf, fixed so it also checks the - interface: statements. - -26 September 2007: Wouter - - SIGHUP will reopen the log file. - - Option to log to syslog. - - please lint, fixup tests (that went to syslog on open, oops). - - config check program. - -25 September 2007: Wouter - - tests for NSEC3. Fixup bitmap checks for NSEC3. - - positive ANY response needs to check if wildcard expansion, and - check that original data did not exist. - - tests for NSEC3 that wrong use of OPTOUT is bad. For insecure - delegation, for abuse of child zone apex nsec3. - - create 0.5 release tag. - -24 September 2007: Wouter - - do not make test programs by default. - - But 'make test' will perform all of the tests. 
- - Advertise builtin select libevent alternative when no libevent - is found. - - signit can generate NSEC3 hashes, for generating tests. - - multiple nsec3 parameters in message test. - - too high nsec3 iterations becomes insecure test. - -21 September 2007: Wouter - - fixup empty_DS_name allocated in wrong region (port DEC Alpha). - - fixup testcode lock safety (port FreeBSD). - - removes subscript has type char warnings (port Solaris 9). - - fixup of field with format type to int (port MacOS/X intel). - - added test for infinite loop case in nonRD answer validation. - It was a more general problem, but hard to reproduce. When an - unsigned rrset is being validated and the key fetched, the DS - sequence is followed, but if the final name has no DS, then no - proof is possible - the signature has been stripped off. - -20 September 2007: Wouter - - fixup and test for NSEC wildcard with empty nonterminals. - - makedist.sh fixup for svn info. - - acl features request in plan. - - improved DS empty nonterminal handling. - - compat with ANS nxdomain for empty nonterminals. Attempts the nodata - proof anyway, which succeeds in ANS failure case. - - striplab protection in case it becomes -1. - - plans for static and blacklist config. - -19 September 2007: Wouter - - comments about non-packed usage. - - plan for overload support in 0.6. - - added testbound tests for a failed resolution from the logs - and for failed prime when missing glue. - - fixup so useless delegation points are not returned from the - cache. Also the safety belt is used if priming fails to complete. - - fixup NSEC rdata not to be lowercased, bind compat. - -18 September 2007: Wouter - - wildcard nsec3 testcases, and fixup to get correct wildcard name. - - validator prints subtype classification for debug. - -17 September 2007: Wouter - - NSEC3 hash cache unit test. - - validator nsec3 nameerror test. - -14 September 2007: Wouter - - nsec3 nodata proof, nods proof, wildcard proof. 
- - nsec3 support for cname chain ending in noerror or nodata. - - validator calls nsec3 proof routines if no NSECs prove anything. - - fixup iterator bug where it stored the answer to a cname under - the wrong qname into the cache. When prepending the cnames, the - qname has to be reset to the original qname. - -13 September 2007: Wouter - - nsec3 find matching and covering, ce proof, prove namerror msg. - -12 September 2007: Wouter - - fixup of manual page warnings, like for NSD bugreport. - - nsec3 work, config, max iterations, filter, and hash cache. - -6 September 2007: Wouter - - fixup to find libevent on mac port install. - - fixup size_t vs unsigned portability in validator/sigcrypt. - - please compiler on different platforms, for unreachable code. - - val_nsec3 file. - - pthread_rwlock type is optional, in case of old pthread libs. - -5 September 2007: Wouter - - cname, name error validator tests. - - logging of qtype ANY works. - - ANY type answers get RRSIG in answer section of replies (but not - in other sections, unless DO bit is on). - - testbound can replay a TCP query (set MATCH TCP in the QUERY). - - DS and noDS referral validation test. - - if you configure many trust anchors, parent trust anchors can - securely deny existence of child trust anchors, if validated. - - not all *.name NSECs are present because a wildcard was matched, - and *.name NSECs can prove nodata for empty nonterminals. - Also, for wildcard name NSECs, check they are not from the parent - zone (for wildcarded zone cuts), and check absence of CNAME bit, - for a nodata proof. - - configure option for memory allocation debugging. - - port configure option for memory allocation to solaris10. - -4 September 2007: Wouter - - fixup of Leakage warning when serviced queries processed multiple - callbacks for the same query from the same server. - - testbound removes config file from /tmp on failed exit. - - fixup for referral cleanup of the additional section. 
- - tests for cname, referral validation. - - neater testbound tpkg output. - - DNAMEs no longer match their apex when synthesized from the cache. - - find correct signer name for DNAME responses. - - wildcarded DNAME test and fixup code to detect. - - prepend NSEC and NSEC3 rrsets in the iterator while chasing CNAMEs. - So that wildcarded CNAMEs get their NSEC with them to the answer. - - test for a CNAME to a DNAME to a CNAME to an answer, all from - different domains, for key fetching and signature checking of - CNAME'd messages. - -3 September 2007: Wouter - - Fixed error in iterator that would cause assertion failure in - validator. CNAME to a NXDOMAIN response was collated into a response - with both a CNAME and the NXDOMAIN rcode. Added a test that the - rcode is changed to NOERROR (because of the CNAME). - - timeout on tcp does not lead to spurious leakage detect. - - account memory for name of lame zones, so that memory leakages does - not show lame cache growth as a leakage growth. - - config setting for lameness cache expressed in bytes, instead of - number of entries. - - tool too summarize allocations per code line. - -31 August 2007: Wouter - - can read bind trusted-keys { ... }; files, in a compatibility mode. - - iterator should not detach target queries that it still could need. - the protection against multiple outstanding queries is moved to a - current_query num check. - - validator nodata, positive, referral tests. - - dname print can print '*' wildcard. - -30 August 2007: Wouter - - fixup override date config option. - - config options to control memory usage. - - caught bad free of un-alloced data in worker_send error case. - - memory accounting for key cache (trust anchors and temporary cache). - - memory accounting fixup for outside network tcp pending waits. - - memory accounting fixup for outside network tcp callbacks. - - memory accounting for iterator fixed storage. - - key cache size and slabs config options. 
- - lib crypto cleanups at exit. - -29 August 2007: Wouter - - test tool to sign rrsets for testing validator with. - - added RSA and DSA test keys, public and private pairs, 512 bits. - - default configuration is with validation enabled. - Only a trust-anchor needs to be configured for DNSSEC to work. - - do not convert to DER for DSA signature verification. - - validator replay test file, for a DS to DNSKEY DSA key prime and - positive response. - -28 August 2007: Wouter - - removed double use for udp buffers, that could fail, - instead performs a malloc to do the backup. - - validator validates referral messages, by validating all the rrsets - and stores the rrsets in the cache. Further referral (nonRD queries) - replies are made from the rrset cache directly. Unless unchecked - rrsets are encountered, there are then validated. - - enforce that signing is done by a parent domain (or same domain). - - adjust TTL downwards if rrset TTL bigger than signature allows. - - permissive mode feature, sets AD bit for secure, but bogus does - not give servfail (bogus is changed into indeterminate). - - optimization of rrset verification. rr canonical sorting is reused, - for the same rrset. canonical rrset image in buffer is reused for - the same signature. - - if the rrset is too big (64k exactly + large owner name) the - canonicalization routine will fail if it does not fit in buffer. - - faster verification for large sigsets. - - verb_detail mode reports validation failures, but not the entire - algorithm for validation. Key prime failures are reported as - verb_ops level. - -27 August 2007: Wouter - - do not garble the edns if a cache answer fails. - - answer norecursive from cache if possible. - - honor clean_additional setting when returning secure non-recursive - referrals. - - do not store referral in msg cache for nonRD queries. - - store verification status in the rrset cache to speed up future - verification. 
- - mark rrsets indeterminate and insecure if they are found to be so. - and store this in the cache. - -24 August 2007: Wouter - - message is bogus if unsecure authority rrsets are present. - - val-clean-additional option, so you can turn it off. - - move rrset verification out of the specific proof types into one - routine. This makes the proof routines prettier. - - fixup cname handling in validator, cname-to-positive and cname-to- - nodata work. - - Do not synthesize DNSKEY and DS responses from the rrset cache if - the rrset is from the additional section. Signatures may have - fallen off the packet, and cause validation failure. - - more verbose signature date errors (with the date attached). - - increased default infrastructure cache size. It is important for - performance, and 1000 entries are only 212k (or a 400 k total cache - size). To 10000 entries (for 2M entries, 4M cache size). - -23 August 2007: Wouter - - CNAME handling - move needs_validation to before val_new(). - val_new() setups the chase-reply to be an edited copy of the msg. - new classification, and find signer can find for it. - removal of unsigned crap from additional, and query restart for - cname. - - refuse to follow wildcarded DNAMEs when validating. - But you can query for qtype ANY, or qtype DNAME and validate that. - -22 August 2007: Wouter - - bogus TTL. - - review - use val_error(). - -21 August 2007: Wouter - - ANY response validation. - - store security status in cache. - - check cache security status and either send the query to be - validated, return the query to client, or send servfail to client. - Sets AD bit on validated replies. - - do not examine security status on an error reply in mesh_done. - - construct DS, DNSKEY messages from rrset cache. - - manual page entry for override-date. - -20 August 2007: Wouter - - validate and positive validation, positive wildcard NSEC validation. - - nodata validation, nxdomain validation. 
- -18 August 2007: Wouter - - process DNSKEY response in FINDKEY state. - -17 August 2007: Wouter - - work on DS2KE routine. - - val_nsec.c for validator NSEC proofs. - - unit test for NSEC bitmap reading. - - dname iswild and canonical_compare with unit tests. - -16 August 2007: Wouter - - DS sig unit test. - - latest release libevent 1.3c and 1.3d have threading fixed. - - key entry fixup data pointer and ttl absolute. - - This makes a key-prime succeed in validator, with DS or DNSKEY as - trust-anchor. - - fixup canonical compare byfield routine, fix bug and also neater. - - fixed iterator response type classification for queries of type - ANY and NS. - dig ANY gives sometimes NS rrset in AN and NS section, and parser - removes the NS section duplicate. dig NS gives sometimes the NS - in the answer section, as referral. - - validator FINDKEY state. - -15 August 2007: Wouter - - crypto calls to verify signatures. - - unit test for rrsig verification. - -14 August 2007: Wouter - - default outgoing ports changed to avoid port 2049 by default. - This port is widely blocked by firewalls. - - count infra lameness cache in memory size. - - accounting of memory improved - - outbound entries are allocated in the query region they are for. - - extensive debugging for memory allocations. - - --enable-lock-checks can be used to enable lock checking. - - protect undefs in config.h from autoheaders ministrations. - - print all received udp packets. log hex will print on multiple - lines if needed. - - fixed error in parser with backwards rrsig references. - - mark cycle targets for iterator did not have CD flag so failed - its task. - -13 August 2007: Wouter - - fixup makefile, if lexer is missing give nice error and do not - mess up the dependencies. - - canonical compare routine updated. - - canonical hinfo compare. - - printout list of the queries that the mesh is working on. - -10 August 2007: Wouter - - malloc and free overrides that track total allocation and frees. 
- for memory debugging. - - work on canonical sort. - -9 August 2007: Wouter - - canonicalization, signature checks - - dname signature label count and unit test. - - added debug heap size print to memory printout. - - typo fixup in worker.c - - -R needed on solaris. - - validator override option for date check testing. - -8 August 2007: Wouter - - ldns _raw routines created (in ldns trunk). - - sigcrypt DS digest routines - - val_utils uses sigcrypt to perform signature cryptography. - - sigcrypt keyset processing - -7 August 2007: Wouter - - security status type. - - security status is copied when rdata is equal for rrsets. - - rrset id is updated to invalidate all the message cache entries - that refer to NSEC, NSEC3, DNAME rrsets that have changed. - - val_util work - - val_sigcrypt file for validator signature checks. - -6 August 2007: Wouter - - key cache for validator. - - moved isroot and dellabel to own dname routines, with unit test. - -3 August 2007: Wouter - - replanning. - - scrubber check section of lame NS set. - - trust anchors can be in config file or read from zone file, - DS and DNSKEY entries. - - unit test trust anchor storage. - - trust anchors converted to packed rrsets. - - key entry definition. - -2 August 2007: Wouter - - configure change for latest libevent trunk version (needs -lrt). - - query_done and walk_supers are moved out of module interface. - - fixup delegation point duplicates. - - fixup iterator scrubber; lame NS set is let through the scrubber - so that the classification is lame. - - validator module exists, and does nothing but pass through, - with calling of next module and return. - - validator work. - -1 August 2007: Wouter - - set version to 0.5 - - module work for module to module interconnections. - - config of modules. - - detect cycle takes flags. - -31 July 2007: Wouter - - updated plan - - release 0.4 tag. 
- -30 July 2007: Wouter - - changed random state init, so that sequential process IDs are not - cancelled out by sequential thread-ids in the random number seed. - - the fwd_three test, which sends three queries to unbound, and - unbound is kept waiting by ldns-testns for 3 seconds, failed - because the retry timeout for default by unbound is 3 seconds too, - it would hit that timeout and fail the test. Changed so that unbound - is kept waiting for 2 seconds instead. - -27 July 2007: Wouter - - removed useless -C debug option. It did not work. - - text edit of documentation. - - added doc/CREDITS file, referred to by the manpages. - - updated planning. - -26 July 2007: Wouter - - cycle detection, for query state dependencies. Will attempt to - circumvent the cycle, but if no other targets available fails. - - unit test for AXFR, IXFR response. - - test for cycle detection. - -25 July 2007: Wouter - - testbound read ADDRESS and check it. - - test for version.bind and friends. - - test for iterator chaining through several referrals. - - test and fixup for refetch for glue. Refetch fails if glue - is still not provided. - -24 July 2007: Wouter - - Example section in config manual. - - Addr stored for range and moment in replay. - -20 July 2007: Wouter - - Check CNAME chain before returning cache entry with CNAMEs. - - Option harden-glue, default is on. It will discard out of zone - data. If disabled, performance is faster, but spoofing attempts - become a possibility. Note that still normalize scrubbing is done, - and that the potentially spoofed data is used for infrastructure - and not returned to the client. - - if glue times out, refetch by asking parent of delegation again. - Much like asking for DS at the parent side. - - TODO items from forgery-resilience draft. - and on memory handling improvements. - - renamed module_event_timeout to module_event_noreply. 
- - memory reporting code; reports on memory usage after handling - a network packet (not on cache replies). - -19 July 2007: Wouter - - shuffle NS selection when getting nameserver target addresses. - - fixup of deadlock warnings, yield cpu in checklock code so that - freebsd scheduler selects correct process to run. - - added identity and version config options and replies. - - store cname messages complete answers. - -18 July 2007: Wouter - - do not query addresses, 127.0.0.1, and ::1 by default. - -17 July 2007: Wouter - - forward zone options in config file. - - forward per zone in iterator. takes precedence over stubs. - - fixup commithooks. - - removed forward-to and forward-to-port features, subsumed by - new forward zones. - - fix parser to handle absent server: clause. - - change untrusted rrset test to account for scrubber that is now - applied during the test (which removes the poison, by the way). - - feature, addresses can be specified with @portnumber, like nsd.conf. - - test config files changed over to new forwarder syntax. - -27 June 2007: Wouter - - delete of mesh does a postorder traverse of the tree. - - found and fixed a memory leak. For TTL=0 messages, that would - not be cached, instead the msg-replyinfo structure was leaked. - - changed server selection so it will filter out hosts that are - unresponsive. This is defined as a host with the maximum rto value. - This means that unbound tried the host for retries up to 120 secs. - The rto value will time out after host-ttl seconds from the cache. - This keeps such unresolvable queries from taking up resources. - - utility for keeping histogram. - -26 June 2007: Wouter - - mesh is called by worker, and iterator uses it. - This removes the hierarchical code. - QueryTargets state and Finished state are merged for iterator. - - forwarder mode no longer sets AA bit on first reply. - - rcode in walk_supers is not needed. - -25 June 2007: Wouter - - more mesh work. - - error encode routine for ease. 
- -22 June 2007: Wouter - - removed unused _node iterator value from rbtree_t. Takes up space. - - iterator can handle querytargets state without a delegation point - set, so that a priming(stub) subquery error can be handled. - - iterator stores if it is priming or not. - - log_query_info() neater logging. - - changed iterator so that it does not alter module_qstate.qinfo - but keeps a chase query info. Also query_flags are not altered, - the iterator uses chase_flags. - - fixup crash in case no ports for the family exist. - -21 June 2007: Wouter - - Fixup secondary buffer in case of error callback. - - cleanup slumber list of runnable states. - - module_subreq_depth fails to work in slumber list. - - fixup query release for cached results to sub targets. - - neater error for tcp connection failure, shows addr in verbose. - - rbtree_init so that it can be used with preallocated memory. - -20 June 2007: Wouter - - new -C option to enable coredumps after forking away. - - doc update. - - fixup CNAME generation by scrubber, and memory allocation of it. - - fixup deletion of serviced queries when all callbacks delete too. - - set num target queries to 0 when you move them to slumber list. - - typo in check caused subquery errors to be ignored, fixed. - - make lint happy about rlim_t. - - freeup of modules after freeup of module-states. - - duplicate replies work, this uses secondary udp buffer in outnet. - -19 June 2007: Wouter - - nicer layout in stats.c, review 0.3 change. - - spelling improvement, review 0.3 change. - - uncapped timeout for server selection, so that very fast or slow - servers will stand out from the rest. - - target-fetch-policy: "3 2 1 0 0" config setting. - - fixup queries answered without RD bit (for root prime results). - - refuse AXFR and IXFR requests. - - fixup RD flag in error reply from iterator. fixup RA flag from - worker error reply. - - fixup encoding of very short edns buffer sizes, now sets TC bit. 
- - config options harden-short-bufsize and harden-large-queries. - -18 June 2007: Wouter - - same, move subqueries to slumber list when first has resolved. - - fixup last fix for duplicate callbacks. - - another offbyone in targetcounter. Also in Java prototype by the way. - -15 June 2007: Wouter - - if a query asks to be notified of the same serviced query result - multiple times, this will succeed. Only one callback will happen; - multiple outbound-list entries result (but the double cleanup of it - will not matter). - - when iterator moves on due to CNAME or referral, it will remove - the subqueries (for other targets). These are put on the slumber - list. - - state module wait subq is OK with no new subqs, an old one may have - stopped, with an error, and it is still waiting for other ones. - - if a query loops, halt entire query (easy way to clean up properly). - -14 June 2007: Wouter - - num query targets was > 0 , not >= 0 compared, so that fetch - policy of 0 did nothing. - -13 June 2007: Wouter - - debug option: configure --enable-static-exe for compile where - ldns and libevent are linked statically. Default is off. - - make install and make uninstall. Works with static-exe and without. - installation of unbound binary and manual pages. - - alignment problem fix on solaris 64. - - fixup address in case of TCP error. - -12 June 2007: Wouter - - num target queries was set to 0 at a bad time. Default it to 0 and - increase as target queries are done. - - synthesize CNAME and DNAME responses from the cache. - - Updated doxygen config for doxygen 1.5. - - aclocal newer version. - - doxygen 1.5 fixes for comments (for the strict check on docs). - -11 June 2007: Wouter - - replies on TCP queries have the address field set in replyinfo, - for serviced queries, because the initiator does not know that - a TCP fallback has occured. 
- - omit DNSSEC types from nonDO replies, except if qtype is ANY or - if qtype directly queries for the type (and then only show that - 'unknown type' in the answer section). - - fixed message parsing where rrsigs on their own would be put - in the signature list over the rrsig type. - -7 June 2007: Wouter - - fixup error in double linked list insertion for subqueries and - for outbound list of serviced queries for iterator module. - - nicer printout of outgoing port selection. - - fixup cname target readout. - - nicer debug output. - - fixup rrset counts when prepending CNAMEs to the answer. - - fixup rrset TTL for prepended CNAMEs. - - process better check for looping modules, and which submodule to - run next. - - subreq insertion code fixup for slumber list. - - VERB_DETAIL, verbosity: 2 level gives short but readable output. - VERB_ALGO, verbosity: 3 gives extensive output. - - fixup RA bit in cached replies. - - fixup CNAME responses from the cache no longer partial response. - - error in network send handled without leakage. - - enable ip6 from config, and try ip6 addresses if available, - if ip6 is not connected, skips to next server. - -5 June 2007: Wouter - - iterator state finished. - - subrequests without parent store in cache and stop. - - worker slumber list for ongoing promiscuous queries. - - subrequest error handling. - - priming failure returns SERVFAIL. - - priming gives LAME result, returns SERVFAIL. - - debug routine to print dns_msg as handled by iterator. - - memleak in config file stubs fixup. - - more small bugs, in scrubber, query compare no ID for lookup, - in dname validation for NS targets. - - sets entry.key for new special allocs. - - lognametypeclass can display unknown types and classes. - -4 June 2007: Wouter - - random selection of equally preferred nameserver targets. - - reply info copy routine. Reuses existing code. - - cache lameness in response handling. 
- - do not touch qstate after worker_process_query because it may have - been deleted by that routine. - - Prime response state. - - Process target response state. - - some memcmp changed to dname_compare for case preservation. - -1 June 2007: Wouter - - normalize incoming messages. Like unbound-java, with CNAME chain - checked, DNAME checked, CNAME's synthesized, glue checked. - - sanitize incoming messages. - - split msgreply encode functions into own file msgencode.c. - - msg_parse to queryinfo/replyinfo conversion more versatile. - - process_response, classify response, delegpt_from_message. - -31 May 2007: Wouter - - querytargets state. - - dname_subdomain_c() routine. - - server selection, based on RTT. ip6 is filtered out if not available, - and lameness is checked too. - - delegation point copy routine. - -30 May 2007: Wouter - - removed FLAG_CD from message and rrset caches. This was useful for - an agnostic forwarder, but not for a sophisticated (trust value per - rrset enabled) cache. - - iterator response typing. - - iterator cname handle. - - iterator prime start. - - subquery work. - - processInitRequest and processInitRequest2. - - cache synthesizes referral messages, with DS and NSEC. - - processInitRequest3. - - if a request creates multiple subrequests these are all activated. - -29 May 2007: Wouter - - routines to lock and unlock array of rrsets moved to cache/rrset. - - lookup message from msg cache (and copy to region). - - fixed cast error in dns msg lookup. - - message with duplicate rrset does not increase its TTLs twice. - - 'qnamesize' changed to 'qname_len' for similar naming scheme. - -25 May 2007: Wouter - - Acknowledge use of unbound-java code in iterator. Nicer readme. - - services/cache/dns.c DNS Cache. Hybrid cache uses msgcache and - rrset cache from module environment. - - packed rrset key has type and class as easily accessible struct - members. They are still kept in network format for fast msg encode. 
- - dns cache find_delegation routine. - - iterator main functions setup. - - dns cache lookup setup. - -24 May 2007: Wouter - - small changes to prepare for subqueries. - - iterator forwarder feature separated out. - - iterator hints stub code, config file stub code, so that first - testing can proceed locally. - - replay tests now have config option to enable forwarding mode. - -23 May 2007: Wouter - - outside network does precise timers for roundtrip estimates for rtt - and for setting timeout for UDP. Pending_udp takes milliseconds. - - cleaner iterator sockaddr conversion of forwarder address. - - iterator/iter_utils and iter_delegpt setup. - - root hints. - -22 May 2007: Wouter - - outbound query list for modules and support to callback with the - outbound entry to the module. - - testbound support for new serviced queries. - - test for retry to TCP cannot use testbound any longer. - - testns test for EDNS fallback, test for TCP fallback already exists. - - fixes for no-locking compile. - - mini_event timer precision and fix for change in timeouts during - timeout callback. Fix for fwd_three tests, performed nonexit query. - -21 May 2007: Wouter - - small comment on hash table locking. - - outside network serviced queries, contain edns and tcp fallback, - and udp retries and rtt timing. - -16 May 2007: Wouter - - lruhash_touch() would cause locking order problems. Fixup in - lock-verify in case locking cycle is found. - - services/cache/rrset.c for rrset cache code. - - special rrset_cache LRU updating function that uses the rrset id. - - no dependencies calculation when make clean is called. - - config settings for infra cache. - - daemon code slightly cleaner, only creates caches once. - -15 May 2007: Wouter - - host cache code. - - unit test for host cache. - -14 May 2007: Wouter - - Port to OS/X and Dec Alpha. Printf format and alignment fixes. - - extensive lock debug report on join timeout. - - proper RTT calculation, in utility code. 
- - setup of services/cache/infra, host cache. - -11 May 2007: Wouter - - iterator/iterator.c module. - - fixup to pass reply_info in testcode and in netevent. - -10 May 2007: Wouter - - created release-0.3 svn tag. - - util/module.h - - fixed compression - no longer compresses root name. - -9 May 2007: Wouter - - outside network cleans up waiting tcp queries on exit. - - fallback to TCP. - - testbound replay with retry in TCP mode. - - tpkg test for retry in TCP mode, against ldns-testns server. - - daemon checks max number of open files and complains if not enough. - - test where data expires in the cache. - - compiletests: fixed empty body ifstatements in alloc.c, in case - locks are disabled. - -8 May 2007: Wouter - - outgoing network keeps list of available tcp buffers for outgoing - tcp queries. - - outgoing-num-tcp config option. - - outgoing network keeps waiting list of queries waiting for buffer. - - netevent supports outgoing tcp commpoints, nonblocking connects. - -7 May 2007: Wouter - - EDNS read from query, used to make reply smaller. - - advertised edns value constants. - - EDNS BADVERS response, if asked for too high edns version. - - EDNS extended error responses once the EDNS record from the query - has successfully been parsed. - -4 May 2007: Wouter - - msgreply sizefunc is more accurate. - - config settings for rrset cache size and slabs. - - hashtable insert takes argument so that a thread can use its own - alloc cache to store released keys. - - alloc cache special_release() locks if necessary. - - rrset trustworthiness type added. - - thread keeps a scratchpad region for handling messages. - - writev used in netevent to write tcp length and data after another. - This saves a roundtrip on tcp replies. - - test for one rrset updated in the cache. - - test for one rrset which is not updated, as it is not deemed - trustworthy enough. - - test for TTL refreshed in rrset. - -3 May 2007: Wouter - - fill refs. 
Use new parse and encode to answer queries. - - stores rrsets in cache. - - uses new msgreply format in cache. - -2 May 2007: Wouter - - dname unit tests in own file and spread out neatly in functions. - - more dname unit tests. - - message encoding creates truncated TC flagged messages if they do - not fit, and will leave out (whole)rrsets from additional if needed. - -1 May 2007: Wouter - - decompress query section, extremely lenient acceptance. - But only for answers from other servers, not for plain queries. - - compression and decompression test cases. - - some stats added. - - example.conf interface: line is changed from 127.0.0.1 which leads - to problems if used (restricting communication to the localhost), - to a documentation and test address. - -27 April 2007: Wouter - - removed iov usage, it is not good for dns message encoding. - - owner name compression more optimal. - - rrsig owner name compression. - - rdata domain name compression. - -26 April 2007: Wouter - - floating point exception fix in lock-verify. - - lint uses make dependency - - fixup lint in dname owner domain name compression code. - - define for offset range that can be compressed to. - -25 April 2007: Wouter - - prettier code; parse_rrset->type kept in host byte order. - - datatype used for hashvalue of converted rrsig structure. - - unit test compares edns section data too. - -24 April 2007: Wouter - - ttl per RR, for RRSIG rrsets and others. - - dname_print debug function. - - if type is not known, size calc will skip DNAME decompression. - - RRSIG parsing and storing and putting in messages. - - dnssec enabled unit tests (from nlnetlabs.nl and se queries). - - EDNS extraction routine. - -20 April 2007: Wouter - - code comes through all of the unit tests now. - - disabled warning about spurious extra data. - - documented the RRSIG parse plan in msgparse.h. - - rrsig reading and outputting. - -19 April 2007: Wouter - - fix unit test to actually to tests. 
- - fix write iov helper, and fakevent code. - - extra builtin testcase (small packet). - - ttl converted to network format in packets. - - flags converted correctly - - rdatalen off by 2 error fixup. - - uses less iov space for header. - -18 April 2007: Wouter - - review of msgparse code. - - smaller test cases. - -17 April 2007: Wouter - - copy and decompress dnames. - - store calculated hash value too. - - routine to create message out of stored information. - - util/data/msgparse.c for message parsing code. - - unit test, and first fixes because of test. - * forgot rrset_count addition. - * did & of ptr on stack for memory position calculation. - * dname_pkt_copy forgot to read next label length. - - test from file and fixes - * double frees fixed in error conditions. - * types with less than full rdata allowed by parser. - Some dynamic update packets seem to use it. - -16 April 2007: Wouter - - following a small change in LDNS, parsing code calculates the - memory size to allocate for rrs. - - code to handle ID creation. - -13 April 2007: Wouter - - parse routines. Code that parses rrsets, rrs. - -12 April 2007: Wouter - - dname compare routine that preserves case, with unit tests. - -11 April 2007: Wouter - - parse work - dname packet parse, msgparse, querysection parse, - start of sectionparse. - -10 April 2007: Wouter - - Improved alignment of reply_info packet, nice for 32 and 64 bit. - - Put RRset counts in reply_info, because the number of RRs can change - due to RRset updates. - - import of region-allocator code from nsd. - - set alloc special type to ub_packed_rrset_key. - Uses lruhash entry overflow chain next pointer in alloc cache. - - doxygen documentation for region-allocator. - - setup for parse scratch data. - -5 April 2007: Wouter - - discussed packed rrset with Jelte. - -4 April 2007: Wouter - - moved to version 0.3. - - added util/data/dname.c - - layout of memory for rrsets. 
- -3 April 2007: Wouter - - detect sign of msghdr.msg_iovlen so that the cast to that type - in netevent (which is there to please lint) can be correct. - The type on several OSes ranges from int, int32, uint32, size_t. - Detects unsigned or signed using math trick. - - constants for DNS flags. - - compilation without locks fixup. - - removed include of unportable header from lookup3.c. - - more portable use of struct msghdr. - - casts for printf warning portability. - - tweaks to tests to port them to the testbed. - - 0.2 tag created. - -2 April 2007: Wouter - - check sizes of udp received messages, not too short. - - review changes. Some memmoves can be memcpys: 4byte aligned. - set id correctly on cached answers. - - review changes msgreply.c, memleak on error condition. AA flag - clear on cached reply. Lowercase queries on hashing. - unit test on lowercasing. Test AA bit not set on cached reply. - Note that no TTLs are managed. - -29 March 2007: Wouter - - writev or sendmsg used when answering from cache. - This avoids a copy of the data. - - do not do useless byteswap on query id. Store reply flags in uint16 - for easier access (and no repeated byteswapping). - - reviewed code. - - configure detects and config.h includes sys/uio.h for writev decl. - -28 March 2007: Wouter - - new config option: num-queries-per-thread. - - added tpkg test for answering three queries at the same time - using one thread (from the query service list). - -27 March 2007: Wouter - - added test for cache and not cached answers, in testbound replays. - - testbound can give config file and commandline options from the - replay file to unbound. - - created test that checks if items drop out of the cache. - - added word 'partitioned hash table' to documentation on slab hash. - A slab hash is a partitioned hash table. - - worker can handle multiple queries at a time. - -26 March 2007: Wouter - - config settings for slab hash message cache. - - test for cached answer. 
- - Fixup deleting fake answer from testbound list. - -23 March 2007: Wouter - - review of yesterday's commits. - - covered up memory leak of the entry locks. - - answers from the cache correctly. Copies flags correctly. - - sanity check for incoming query replies. - - slabbed hash table. Much nicer contention, need dual cpu to see. - -22 March 2007: Wouter - - AIX configure check. - - lock-verify can handle references to locks that are created - in files it has not yet read in. - - threaded hash table test. - - unit test runs lock-verify afterwards and checks result. - - need writelock to update data on hash_insert. - - message cache code, msgreply code. - -21 March 2007: Wouter - - unit test of hash table, fixup locking problem in table_grow(). - - fixup accounting of sizes for removing items from hashtable. - - unit test for hash table, single threaded test of integrity. - - lock-verify reports errors nicely. More quiet in operation. - -16 March 2007: Wouter - - lock-verifier, checks consistent order of locking. - -14 March 2007: Wouter - - hash table insert (and subroutines) and lookup implemented. - - hash table remove. - - unit tests for hash internal bin, lru functions. - -13 March 2007: Wouter - - lock_unprotect in checklocks. - - util/storage/lruhash.h for LRU hash table structure. - -12 March 2007: Wouter - - configure.ac moved to 0.2. - - query_info and replymsg util/data structure. - -9 March 2007: Wouter - - added rwlock writelock checking. - So it will keep track of the writelock, and readlocks are enforced - to not change protected memory areas. - - log_hex function to dump hex strings to the logfile. - - checklocks zeroes its destroyed lock after checking memory areas. - - unit test for alloc. - - identifier for union in checklocks to please older compilers. - - created 0.1 tag. - -8 March 2007: Wouter - - Reviewed checklock code. 
- -7 March 2007: Wouter - - created a wrapper around thread calls that performs some basic - checking for data race and deadlock, and basic performance - contention measurement. - -6 March 2007: Wouter - - Testbed works with threading (different machines, different options). - - alloc work, does the special type. - -2 March 2007: Wouter - - do not compile fork funcs unless needed. Otherwise will give - type errors as their typedefs have not been enabled. - - log shows thread numbers much more nicely (and portably). - - even on systems with nonthreadsafe libevent signal handling, - unbound will exit if given a signal. - Reloads will not work, and exit is not graceful. - - start of alloc framework layout. - -1 March 2007: Wouter - - Signals, libevent and threads work well, with libevent patch and - changes to code (close after event_del). - - set ipc pipes nonblocking. - -27 February 2007: Wouter - - ub_thread_join portable definition. - - forking is used if no threading is available. - Tested, it works, since pipes work across processes as well. - Thread_join is replaced with waitpid. - - During reloads the daemon will temporarily handle signals, - so that they do not result in problems. - - Also randomize the outgoing port range for tests. - - If query list is full, will stop selecting listening ports for read. - This makes all threads service incoming requests, instead of one. - No memory is leaking during reloads, service of queries, etc. - - test that uses ldns-testns -f to test threading. Have to answer - three queries at the same time. - - with verbose=0 operates quietly. - -26 February 2007: Wouter - - ub_random code used to select ID and port. - - log code prints thread id. - - unbound can thread itself, with reload(HUP) and quit working - correctly. - - don't open pipes for #0, doesn't need it. - - listens to SIGTERM, SIGQUIT, SIGINT (all quit) and SIGHUP (reload). - -23 February 2007: Wouter - - Can do reloads on sigHUP. 
Everything is stopped, and freed, - except the listening ports. Then the config file is reread. - And everything is started again (and listening ports if needed). - - Ports for queries are shared. - - config file added interface:, chroot: and username:. - - config file: directory, logfile, pidfile. And they work too. - - will daemonize by default now. Use -d to stay in the foreground. - - got BSD random[256 state] code, made it threadsafe. util/random. - -22 February 2007: Wouter - - Have a config file. Removed commandline options, moved to config. - - tests use config file. - -21 February 2007: Wouter - - put -c option in man page. - - minievent fd array capped by FD_SETSIZE. - -20 February 2007: Wouter - - Added locks code and pthread spinlock detection. - - can use no locks, or solaris native thread library. - - added yacc and lex configure, and config file parsing code. - also makedist.sh, and manpage. - - put include errno.h in config.h - -19 February 2007: Wouter - - Created 0.0 svn tag. - - added acx_pthread.m4 autoconf check for pthreads from - the autoconf archive. It is GPL-with-autoconf-exception Licensed. - You can specify --with-pthreads, or --without-pthreads to configure. - -16 February 2007: Wouter - - Updated testbed script, works better by using make on remote end. - - removed check decls, we can compile without them. - - makefile supports LIBOBJ replacements. - - docs checks ignore compat code. - - added util/mini-event.c and .h, a select based alternative used with - ./configure --with-libevent=no - It is limited to 1024 file descriptors, and has less features. - - will not create ip6 sockets if ip6 not on the machine. - -15 February 2007: Wouter - - port to FreeBSD 4.11 Dec Alpha. Also works on Solaris 10 sparc64, - Solaris 9, FreeBSD 6, Linux i386 and OSX powerpc. - - malloc rndstate, so that it is aligned for access. - - fixed rbtree cleanup with postorder traverse. - - fixed pending messages are deleted when handled. 
- - You can control verbosity; default is not verbose, every -v - adds more verbosity. - -14 February 2007: Wouter - - Included configure.ac changes from ldns. - - detect (some) headers before the standards check. - - do not use isblank to test c99, since its not available on solaris9. - - review of testcode. - * entries in a RANGE are no longer reversed. - * print name of file with replay entry parse errors. - - port to OSX: cast to int for some prints of sizet. - - Makefile copies ldnstestpkts.c before doing dependencies on it. - -13 February 2007: Wouter - - work on fake events, first fwd replay works. - - events can do timeouts and errors on queries to servers. - - test package that runs replay scenarios. - -12 February 2007: Wouter - - work on fake events. - -9 February 2007: Wouter - - replay file reading. - - fake event setup, it creates fake structures, and teardowns, - added signal callbacks to reply to be able to fake those, - and main structure of event replay routines. - -8 February 2007: Wouter - - added tcp test. - - replay storage. - - testcode/fake_event work. - -7 February 2007: Wouter - - return answer with the same ID as query was sent with. - - created udp forwarder test. I've done some effort to make it perform - quickly. After servers are created, no big sleep statements but - it checks the logfiles to see if servers have come up. Takes 0.14s. - - set addrlen value when calling recvfrom. - - comparison of addrs more portable. - - LIBEVENT option for testbed to set libevent directory. - - work on tcp input. - -6 February 2007: Wouter - - reviewed code and improved in places. - -5 February 2007: Wouter - - Picked up stdc99 and other define tests from ldns. Improved - POSIX define test to include getaddrinfo. - - defined constants for netevent callback error code. - - unit test for strisip6. - -2 February 2007: Wouter - - Created udp4 and udp6 port arrays to provide service for both - address families. 
- - uses IPV6_USE_MIN_MTU for udp6 ,IPV6_V6ONLY to make ip6 sockets. - - listens on both ip4 and ip6 ports to provide correct return address. - - worker fwder address filled correctly. - - fixup timer code. - - forwards udp queries and sends answer. - -1 February 2007: Wouter - - outside network more UDP work. - - moved * closer to type. - - comm_timer object and events. - -31 January 2007: Wouter - - Added makedist.sh script to make release tarball. - - Removed listen callback layer, did not add anything. - - Added UDP recv to netevent, worker callback for udp. - - netevent communication reply storage structure. - - minimal query header sanity checking for worker. - - copied over rbtree implementation from NSD (BSD licensed too). - - outgoing network query service work. - -30 January 2007: Wouter - - links in example/ldns-testpkts.c and .h for premade packet support. - - added callback argument to listen_dnsport and daemon/worker. - -29 January 2007: Wouter - - unbound.8 a short manpage. - -26 January 2007: Wouter - - fixed memleak. - - make lint works on BSD and Linux (openssl defines). - - make tags works. - - testbound program start. - -25 January 2007: Wouter - - fixed lint so it may work on BSD. - - put license into header of every file. - - created verbosity flag. - - fixed libevent configure flag. - - detects event_base_free() in new libevent 1.2 version. - - getopt in daemon. fatal_exit() and verbose() logging funcs. - - created log_assert, that throws assertions to the logfile. - - listen_dnsport service. Binds ports. - -24 January 2007: Wouter - - cleaned up configure.ac. - -23 January 2007: Wouter - - added libevent to configure to link with. - - util/netevent setup work. - - configure searches for libevent. - - search for libs at end of configure (when other headers and types - have been found). - - doxygen works with ATTR_UNUSED(). - - util/netevent implementation. - -22 January 2007: Wouter - - Designed header file for network communication. 
- -16 January 2007: Wouter - - added readme.svn and readme.tests. - -4 January 2007: Wouter - - Testbed script (run on multiple platforms the test set). - Works on Sunos9, Sunos10, FreeBSD 6.1, Fedora core 5. - - added unit test tpkg. - -3 January 2007: Wouter - - committed first set of files into subversion repository. - svn co svn+ssh://unbound.net/svn/unbound - You need a ssh login. There is no https access yet. - - Added LICENSE, the BSD license. - - Added doc/README with compile help. - - main program stub and quiet makefile. - - minimal logging service (to stderr). - - added postcommit hook that serves emails. - - added first test 00-lint. postcommit also checks if build succeeds. - - 01-doc: doxygen doc target added for html docs. And stringent test - on documented files, functions and parameters. - -15 December 2006: Wouter - - Created Makefile.in and configure.ac. diff --git a/external/unbound/doc/FEATURES b/external/unbound/doc/FEATURES deleted file mode 100644 index 076988ea9..000000000 --- a/external/unbound/doc/FEATURES +++ /dev/null 
@@ -1,103 +0,0 @@ -Unbound Features - -(C) Copyright 2008, Wouter Wijngaards, NLnet Labs. - - -This document describes the features and RFCs that unbound -adheres to, and which ones are decided to be out of scope. - - -Big Features ------------- -Recursive service. -Caching service. -Forwarding and stub zones. -Very limited authoritative service. -DNSSEC Validation options. -EDNS0, NSEC3, IPv6, DNAME, Unknown-RR-types. -RSASHA256, GOST, ECDSA, SHA384 DNSSEC algorithms. - -Details -------- -Processing support -RFC 1034-1035: as a recursive, caching server. Not authoritative. - including CNAMEs, referrals, wildcards, classes, ... - AAAA type, and IP6 dual stack support. - type ANY queries are supported, class ANY queries are supported. -RFC 1123, 6.1 Requirements for DNS of internet hosts. -RFC 4033-4035: as a validating caching server (unbound daemon). - as a validating stub (libunbound). -RFC 1918. -RFC 1995, 1996, 2136: not authoritative, so no AXFR, IXFR, NOTIFY or - dynamic update services are appropriate. -RFC 2181: completely, including the trust model, keeping rrsets together. -RFC 2308: TTL directive, and the rest of the RFC too. -RFC 2671: EDNS0 support, default advertisement 4Kb size. -RFC 2672: DNAME support. -RFC 3597: Unknown RR type support. -RFC 4343: case insensitive handling of domain names. -RFC 4509: SHA256 DS hash. -RFC 4592: wildcards. -RFC 4697: No DNS Resolution Misbehavior. -RFC 5011: update of trust anchors with timers. -RFC 5155: NSEC3, NSEC3PARAM types -RFC 5358: reflectors-are-evil: access control list for recursive - service. In fact for all DNS service so cache snooping is halted. -RFC 5452: forgery resilience. all recommendations followed. -RFC 5702: RSASHA256 signature algorithm. -RFC 5933: GOST signature algorithm. -RFC 6303: default local zones. - It is possible to block zones or return an address for localhost. - This is a very limited authoritative service. Defaults as in draft. -RFC 6604: xNAME RCODE and status bits. 
-RFC 6605: ECDSA signature algorithm, SHA384 DS hash. - -chroot and drop-root-privileges support, default enabled in config file. - -AD bit in query can be used to request AD bit in response (w/o using DO bit). -CD bit in query can be used to request bogus data. -UDP and TCP service is provided downstream. -UDP and TCP are used to request from upstream servers. -SSL wrapped TCP service can be used upstream and provided downstream. -Multiple queries can be made over a TCP stream. - -No TSIG support at this time. -No SIG0 support at this time. -No dTLS support at this time. -This is not a DNS statistics package, but some operationally useful -values are provided via unbound-control stats. -TXT RRs from the Chaos class (id.server, hostname.bind, ...) are supported. - -draft-0x20: implemented, use caps-for-id option to enable use. - Also implements bitwise echo of the query to support downstream 0x20. -draft-ietf-dnsop-resolver-priming(-00): can prime and can fallback to - a safety belt list. -draft-ietf-dnsop-dnssec-trust-anchor(-01): DS records can be configured - as trust anchors. Also DNSKEYs are allowed, by the way. -draft-ietf-dnsext-dnssec-bis-updates: supported. - -Record type syntax support, extensive, from lib ldns. -For these types only syntax and parsing support is needed. -RFC 1034-1035: basic RR types. -RFC 1183: RP, AFSDB, X25, ISDN, RT -RFC 1706: NSAP -RFC 2535: KEY, SIG, NXT: treated as unknown data, syntax is parsed (obsolete). -2163: PX -AAAA type -1876: LOC type -2782: SRV type -2915: NAPTR type. -2230: KX type. -2538: CERT type. -2672: DNAME type. -OPT type -3123: APL -3596: AAAA -SSHFP type -4025: IPSECKEY -4033-4035: DS, RRSIG, NSEC, DNSKEY -4701: DHCID -5155: NSEC3, NSEC3PARAM -4408: SPF -6944: DNSKEY algorithm status - diff --git a/external/unbound/doc/LICENSE b/external/unbound/doc/LICENSE deleted file mode 100644 index 1859c095a..000000000 --- a/external/unbound/doc/LICENSE +++ /dev/null 
@@ -1,30 +0,0 @@ -Copyright (c) 2007, NLnet Labs. All rights reserved. - -This software is open source. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions -are met: - -Redistributions of source code must retain the above copyright notice, -this list of conditions and the following disclaimer. - -Redistributions in binary form must reproduce the above copyright notice, -this list of conditions and the following disclaimer in the documentation -and/or other materials provided with the distribution. - -Neither the name of the NLNET LABS nor the names of its contributors may -be used to endorse or promote products derived from this software without -specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED -TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR -PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF -LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING -NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/external/unbound/doc/README b/external/unbound/doc/README deleted file mode 100644 index 558a48071..000000000 --- a/external/unbound/doc/README +++ /dev/null 
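Review bot: Deleting doc/LICENSE is only safe if no other part of external/unbound (sources or a built libunbound) remains in this repository, because the text being removed states that "Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer" and the binary-form clause requires the same in accompanying documentation; if anything from unbound is still shipped, keep this file or carry the notice elsewhere, since the README hunk that follows also points here ("This software is under BSD license, see LICENSE for details").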
@@ -1,149 +0,0 @@ -README for Unbound 1.6.3 -Copyright 2007 NLnet Labs -http://unbound.net - -This software is under BSD license, see LICENSE for details. -The DNS64 module has BSD license in dns64/dns64.c. -The DNSTAP code has BSD license in dnstap/dnstap.c. - -* Download the latest release version of this software from - http://unbound.net - or get a beta version from the svn repository at - http://unbound.net/svn/ - -* Uses the following libraries; - * libevent http://www.monkey.org/~provos/libevent/ (BSD license) - (optional) can use builtin alternative instead. - * libexpat (for the unbound-anchor helper program) (MIT license) - -* Make and install: ./configure; make; make install - * --with-libevent=/path/to/libevent - Can be set to either the system install or the build directory. - --with-libevent=no (default) gives a builtin alternative - implementation. libevent is useful when having many (thousands) - of outgoing ports. This improves randomization and spoof - resistance. For the default of 16 ports the builtin alternative - works well and is a little faster. - * --with-libexpat=/path/to/libexpat - Can be set to the install directory of libexpat. - * --without-pthreads - This disables pthreads. Without this option the pthreads library - is detected automatically. Use this option to disable threading - altogether, or, on Solaris, also use --with(out)-solaris-threads. - * --enable-checking - This enables assertions in the code that guard against a variety of - programming errors, among which buffer overflows. The program exits - with an error if an assertion fails (but the buffer did not overflow). - * --enable-static-exe - This enables a debug option to statically link against the - libevent library. - * --enable-lock-checks - This enables a debug option to check lock and unlock calls. It needs - a recent pthreads library to work. - * --enable-alloc-checks - This enables a debug option to check malloc (calloc, realloc, free). 
- The server periodically checks if the amount of memory used fits with - the amount of memory it thinks it should be using, and reports - memory usage in detail. - * --with-conf-file=filename - Set default location of config file, - the default is /usr/local/etc/unbound/unbound.conf. - * --with-pidfile=filename - Set default location of pidfile, - the default is /usr/local/etc/unbound/unbound.pid. - * --with-run-dir=path - Set default working directory, - the default is /usr/local/etc/unbound. - * --with-chroot-dir=path - Set default chroot directory, - the default is /usr/local/etc/unbound. - * --with-rootkey-file=path - Set the default root.key path. This file is read and written. - the default is /usr/local/etc/unbound/root.key - * --with-rootcert-file=path - Set the default root update certificate path. A builtin certificate - is used if this file is empty or does not exist. - the default is /usr/local/etc/unbound/icannbundle.pem - * --with-username=user - Set default user name to change to, - the default is the "unbound" user. - * --with-pyunbound - Create libunbound wrapper usable from python. - Needs python-devel and swig development tools. - * --with-pythonmodule - Compile the python module that processes responses in the server. - * --disable-sha2 - Disable support for RSASHA256 and RSASHA512 crypto. - * --disable-gost - Disable support for GOST crypto, RFC 5933. - -* 'make test' runs a series of self checks. - -Known issues ------------- -o If there are no replies for a forward or stub zone, for a reverse zone, - you may need to add a local-zone: name transparent or nodefault to the - server: section of the config file to unblock the reverse zone. - Only happens for (sub)zones that are blocked by default; e.g. 10.in-addr.arpa -o If libevent is older (before 1.3c), unbound will exit instead of reload - on sighup. On a restart 'did not exit gracefully last time' warning is - printed. 
Perform ./configure --with-libevent=no or update libevent, rerun - configure and recompile unbound to make sighup work correctly. - It is strongly suggested to use a recent version of libevent. -o If you are not receiving the correct source IP address on replies (e.g. - you are running a multihomed, anycast server), the interface-automatic - option can be enabled to set socket options to achieve the correct - source IP address on UDP replies. Listing all IP addresses explicitly in - the config file is an alternative. The interface-automatic option uses - non portable socket options, Linux and FreeBSD should work fine. -o The warning 'openssl has no entropy, seeding with time', with chroot - enabled, may be solved with a symbolic link to /dev/random from <chrootdir>. -o On Solaris 5.10 some libtool packages from repositories do not work with - gcc, showing errors gcc: unrecognized option `-KPIC' - To solve this do ./configure libtool=./libtool [your options...]. - On Solaris you may pass CFLAGS="-xO4 -xtarget=generic" if you use sun-cc. -o If unbound-control (or munin graphs) do not work, this can often be because - the unbound-control-setup script creates the keys with restricted - permissions, and the files need to be made readable or ownered by both the - unbound daemon and unbound-control. -o Crosscompile seems to hang. You tried to install unbound under wine. - wine regedit and remove all the unbound entries from the registry or - delete .wine/drive_c. - -Acknowledgements ----------------- -o Unbound was written in portable C by Wouter Wijngaards (NLnet Labs). -o Thanks to David Blacka and Matt Larson (Verisign) for the unbound-java - prototype. Design and code from that prototype has been used to create - this program. Such as the iterator state machine and the cache design. -o Other code origins are from the NSD (NLnet Labs) and LDNS (NLnet Labs) - projects. Such as buffer, region-allocator and red-black tree code. -o See Credits file for contributors. 
- - -Your Support ------------- -NLnet Labs offers all of its software products as open source, most are -published under a BSD license. You can download them, not only from the -NLnet Labs website but also through the various OS distributions for -which NSD, ldns, and Unbound are packaged. We therefore have little idea -who uses our software in production environments and have no direct ties -with 'our customers'. - -Therefore, we ask you to contact us at users@NLnetLabs.nl and tell us -whether you use one of our products in your production environment, -what that environment looks like, and maybe even share some praise. -We would like to refer to the fact that your organization is using our -products. We will only do that if you explicitly allow us. In all other -cases we will keep the information you share with us to ourselves. - -In addition to the moral support you can also support us -financially. NLnet Labs is a recognized not-for-profit charity foundation -that is chartered to develop open-source software and open-standards -for the Internet. If you use our software to satisfaction please express -that by giving us a donation. For small donations PayPal can be used. For -larger and regular donations please contact us at users@NLnetLabs.nl. Also -see http://www.nlnetlabs.nl/labs/contributors/. - - -* mailto:unbound-bugs@nlnetlabs.nl diff --git a/external/unbound/doc/README.DNS64 b/external/unbound/doc/README.DNS64 deleted file mode 100644 index 49446ac57..000000000 --- a/external/unbound/doc/README.DNS64 +++ /dev/null 
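Review bot: Once "README for Unbound 1.6.3" and the build notes in this hunk are gone, nothing visible in the tree records which upstream version was vendored or which configure options (--with-libevent, --enable-checking, --with-pthreads, --with-rootkey-file and so on) the in-tree build depended on; if the dependency now comes from the system or a submodule, state the required version and those options in the commit message or build documentation so that the known issues listed here (sighup with libevent before 1.3c, interface-automatic on multihomed hosts, unbound-control key permissions) can still be checked against the version actually used.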
@@ -1,30 +0,0 @@ -The DNS64 code was written by Viagenie, 2009, by Simon Perrault as part -of the Ecdysis project. The code is copyright by them, and has the BSD -license (see the dns64/dns64.c file). - -To enable DNS64 functionality in Unbound, two directives in unbound.conf must -be edited: - -1. The "module-config" directive must start with "dns64". For example: - - module-config: "dns64 validator iterator" - -If you're not using DNSSEC then you may remove "validator". - -2. The "dns64-prefix" directive indicates your DNS64 prefix. For example: - - dns64-prefix: 64:FF9B::/96 - -The prefix must be a /96 or shorter. - -To test that things are working right, perform a query against Unbound for a -domain name for which no AAAA record exists. You should see a AAAA record in -the answer section. The corresponding IPv6 address will be inside the DNS64 -prefix. For example: - - $ unbound -c unbound.conf - $ dig @localhost jazz-v4.viagenie.ca aaaa - [...] - ;; ANSWER SECTION: - jazz-v4.viagenie.ca. 86400 IN AAAA 64:ff9b::ce7b:1f02 - diff --git a/external/unbound/doc/README.svn b/external/unbound/doc/README.svn deleted file mode 100644 index b887e308c..000000000 --- a/external/unbound/doc/README.svn +++ /dev/null @@ -1,17 +0,0 @@ -README.svn - -For a svn checkout: -* configure script, aclocal.m4, as well as yacc/lex output files are - committed to the repository. -* use --enable-debug flag for configure to enable dependency tracking and - assertions, otherwise, use make clean; make after svn update. - -* Note changes in the Changelog. -* Every check-in a postcommit hook is run - (the postcommit hook is in the svn/unbound/hooks directory). - * generates commit email with your changes and comment. - * compiles and runs the tests (with testcode/do-tests.sh). - * If build errors or test errors happen - * Please fix your errors and commit again. - -* Use gnu make to compile, make or 'gmake'. 
diff --git a/external/unbound/doc/README.tests b/external/unbound/doc/README.tests deleted file mode 100644 index 5385e2b22..000000000 --- a/external/unbound/doc/README.tests +++ /dev/null @@ -1,24 +0,0 @@ -README unbound tests - -For a quick test that runs unit tests and state machine tests, use - make test - -There is a long test setup for unbound that needs tools installed. Use - make longtest -To make and run the long tests. The results are summarized at the end. - -You need to have the following programs installed and in your PATH. -* dig - from the bind-tools package. Used to send DNS queries. -* splint (optional) - for lint test -* doxygen (optional) - for doc completeness test -* ldns-testns - from ldns examples. Used as DNS auth server. -* xxd and nc (optional) - for (malformed) packet transmission. -The optional programs are detected and can be omitted. - -testdata/ contains the data for tests. -testcode/ contains scripts and c code for the tests. - -do-tests.sh : runs all the tests in the testdata directory. -testbed.sh : compiles on a set of (user specific) hosts and runs do-tests. - -Tests are run using testcode/mini_tpkg.sh. diff --git a/external/unbound/doc/TODO b/external/unbound/doc/TODO deleted file mode 100644 index bfeef4aa4..000000000 --- a/external/unbound/doc/TODO +++ /dev/null 
@@ -1,76 +0,0 @@ -TODO items. These are interesting todo items. -o understand synthesized DNAMEs, so those TTL=0 packets are cached properly. -o NSEC/NSEC3 aggressive negative caching, so that updates to NSEC/NSEC3 - will result in proper negative responses. -o (option) where port 53 is used for send and receive, no other ports are used. -o (option) to not send replies to clients after a timeout of (say 5 secs) has - passed, but keep task active for later retries by client. -o (option) private TTL feature (always report TTL x in answers). -o (option) pretend-dnssec-unaware, and pretend-edns-unaware modes for workshops. -o delegpt use rbtree for ns-list, to avoid slowdown for very large NS sets. -o (option) reprime and refresh oft used data before timeout. -o (option) retain prime results in a overlaid roothints file. -o (option) store primed key data in a overlaid keyhints file (sort of like drafttimers). -o windows version, auto update feature, a query to check for the version. -o command the server with TSIG inband. get-config, clearcache, - get stats, get memstats, get ..., reload, clear one zone from cache -o NSID rfc 5001 support. -o timers rfc 5011 support. -o Treat YXDOMAIN from a DNAME properly, in iterator (not throwaway), validator. -o make timeout backoffs randomized (a couple percent random) to spread traffic. -o inspect date on executable, then warn user in log if its more than 1 year. -o (option) proactively prime root, stubs and trust anchors, feature. - early failure, faster on first query, but more traffic. -o library add convenience functions for A, AAAA, PTR, getaddrinfo, libresolve. -o library add function to validate input from app that is signed. -o add dynamic-update requests (making a dynupd request) to libunbound api. -o SIG(0) and TSIG. -o support OPT record placement on recv anywhere in the additional section. -o add local-file: config with authority features. 
-o (option) to make local-data answers be secure for libunbound (default=no) -o (option) to make chroot: copy all needed files into jail (or make jail) - perhaps also print reminder to link /dev/random and sysloghack. -o overhaul outside-network servicedquery to merge with udpwait and tcpwait, - to make timers in servicedquery independent of udpwait queues. -o check into rebinding ports for efficiency, configure time test. -o EVP hardware crypto support. -o option to ignore all inception and expiration dates for rrsigs. -o cleaner code; return and func statements on newline. -o memcached module that sits before validator module; checks for memcached - data (on local lan), stores recursion lookup. Provides one cache for multiple resolver machines, coherent reply content in anycast setup. -o no openssl_add_all_algorithms, but only the ones necessary, less space. -o listen to NOTIFY messages for zones and flush the cache for that zone - if received. Useful when also having a stub to that auth server. - Needs proper protection, TSIG, in place. -o winevent - do not go more than 64 fds (by polling with select one by - one), win95/98 have 100fd limit in the kernel, so this ruins w9x portability. - -*** Features features, for later -* dTLS, TLS, look to need special port numbers, cert storage, recent libssl. -* aggressive negative caching for NSEC, NSEC3. -* multiple queries per question, server exploration, server selection. -* support TSIG on queries, for validating resolver deployment. -* retry-mode, where a bogus result triggers a retry-mode query, where a list - of responses over a time interval is collected, and each is validated. - or try in TCP mode. Do not 'try all servers several times', since we must - not create packet storms with operator errors. -o on windows version, implement that OS ancillary data capabilities for - interface-automatic. IPPKTINFO, IP6PKTINFO for WSARecvMsg, WSASendMsg. 
-o local-zone directive with authority service, full authority server - is a non-goal. -o infra and lame cache: easier size config (in Mb), show usage in graphs. -- store time of dump in cachedumps, so that on a load the ttls can be - compared to the absolute time, and now-expired items can be dealt with. - -later -- selective verbosity; ubcontrol trace example.com -- cache fork-dump, pre-load -- for fwds, send queries to N servers in fwd-list, use first reply. - document high scalable, high available unbound setup onepager. -- prefetch DNSKEY when DS in delegation seen (nonCD, underTA). -- use libevent if available on system by default(?), default outgoing 256to1024 - -[1] BIND-like query logging to see who's looking up what and when -[2] more logging about stuff like SERVFAIL and REFUSED responses -[3] a Makefile that works without gnumake - diff --git a/external/unbound/doc/control_proto_spec.txt b/external/unbound/doc/control_proto_spec.txt deleted file mode 100644 index d26258f1e..000000000 --- a/external/unbound/doc/control_proto_spec.txt +++ /dev/null 
@@ -1,70 +0,0 @@ - -Specification for the unbound-control protocol. - -Server listens on 8953 TCP (localhost by default). Client connects, -SSLv3 or TLSv1 connection setup (server selfsigned certificate, -client has cert signed by server certificate). - -Port 8953 is registered with IANA as: -ub-dns-control 8953/tcp unbound dns nameserver control -# Wouter Wijngaards <wouter&nlnetlabs.nl> 10 May 2011 -On may 11 2011, ticket [IANA #442315]. - -Query and Response ------------------- -Client sends - UBCT[version] [commandline] \n - fixed string UBCT1 (for version 1), then an ascii text line, - with a command, some whitespace allowed. Line ends with '\n'. - -Server executes command. And sends reply in ascii text over channel, -closes the channel when done. - in case of error the first line of the response is: - error <descriptive text possible> \n - or the remainder is data of the response, for many commands the - response is 'ok\n'. - -Queries and responses ---------------------- -stop - stops the server. -reload - reloads the config file, and flushes the cache. -verbosity <new value> - Change logging verbosity to new value. -stats - output is a list of [name]=[value] lines. - clears the counters. -dump_cache - output is a text representation of the cache contents. - data ends with a line 'EOF' before connection close. -load_cache - client sends cache contents (like from dump_cache), which is stored - in the cache. end of data indicated with a line with 'EOF' on it. - The data is sent after the query line. -flush <name> - flushes some information regarding the name from the cache. - removes the A, AAAA, NS, SOA, CNAME, DNAME, MX, PTR, SRV, NAPTR types. - Does not remove other types. -flush_type <name> <RR type> - removes rrtype entry from the cache. -flush_zone <name> - removes name and everything below that name from the cache. - has to search through the cache item by item, so this is slow. 
-lookup <name> - see what servers would be queried for a lookup of the given name. -local_zone_remove <name of local-zone entry> - the local-zone entry is removed. - All data from the local zone is also deleted. - If it did not exist, nothing happens. -local_zone <name of local zone> <type> - As the config file entry. Adds new local zone or updates - existing zone type. -local_data_remove <name> - Removes local-data (all types) name. -local_data <resource record string> - Add new local data record (on the rest of the line). - local_data_add www.example.com. IN A 192.0.2.2 - if no local_zone exists for it; a transparent zone with the same - name as the data is created. -Other commands in the unbound-control manual page. diff --git a/external/unbound/doc/example.conf.in b/external/unbound/doc/example.conf.in deleted file mode 100644 index 3411d7edb..000000000 --- a/external/unbound/doc/example.conf.in +++ /dev/null 
@@ -1,809 +0,0 @@ -# -# Example configuration file. -# -# See unbound.conf(5) man page, version 1.6.3. -# -# this is a comment. - -#Use this to include other text into the file. -#include: "otherfile.conf" - -# The server clause sets the main parameters. -server: - # whitespace is not necessary, but looks cleaner. - - # verbosity number, 0 is least verbose. 1 is default. - verbosity: 1 - - # print statistics to the log (for every thread) every N seconds. - # Set to "" or 0 to disable. Default is disabled. - # statistics-interval: 0 - - # enable shm for stats, default no. if you enable also enable - # statistics-interval, every time it also writes stats to the - # shared memory segment keyed with shm-key. - # shm-enable: no - - # shm for stats uses this key, and key+1 for the shared mem segment. - # shm-key: 11777 - - # enable cumulative statistics, without clearing them after printing. - # statistics-cumulative: no - - # enable extended statistics (query types, answer codes, status) - # printed from unbound-control. default off, because of speed. - # extended-statistics: no - - # number of threads to create. 1 disables threading. - # num-threads: 1 - - # specify the interfaces to answer queries from by ip-address. - # The default is to listen to localhost (127.0.0.1 and ::1). - # specify 0.0.0.0 and ::0 to bind to all available interfaces. - # specify every interface[@port] on a new 'interface:' labelled line. - # The listen interfaces are not changed on reload, only on restart. - # interface: 192.0.2.153 - # interface: 192.0.2.154 - # interface: 192.0.2.154@5003 - # interface: 2001:DB8::5 - - # enable this feature to copy the source address of queries to reply. - # Socket options are not supported on all platforms. experimental. - # interface-automatic: no - - # port to answer queries from - # port: 53 - - # specify the interfaces to send outgoing queries to authoritative - # server from by ip-address. If none, the default (all) interface - # is used. 
Specify every interface on a 'outgoing-interface:' line. - # outgoing-interface: 192.0.2.153 - # outgoing-interface: 2001:DB8::5 - # outgoing-interface: 2001:DB8::6 - - # Specify a netblock to use remainder 64 bits as random bits for - # upstream queries. Uses freebind option (Linux). - # outgoing-interface: 2001:DB8::/64 - # Also (Linux:) ip -6 addr add 2001:db8::/64 dev lo - # And: ip -6 route add local 2001:db8::/64 dev lo - # And set prefer-ip6: yes to use the ip6 randomness from a netblock. - # Set this to yes to prefer ipv6 upstream servers over ipv4. - # prefer-ip6: no - - # number of ports to allocate per thread, determines the size of the - # port range that can be open simultaneously. About double the - # num-queries-per-thread, or, use as many as the OS will allow you. - # outgoing-range: 4096 - - # permit unbound to use this port number or port range for - # making outgoing queries, using an outgoing interface. - # outgoing-port-permit: 32768 - - # deny unbound the use this of port number or port range for - # making outgoing queries, using an outgoing interface. - # Use this to make sure unbound does not grab a UDP port that some - # other server on this computer needs. The default is to avoid - # IANA-assigned port numbers. - # If multiple outgoing-port-permit and outgoing-port-avoid options - # are present, they are processed in order. - # outgoing-port-avoid: "3200-3208" - - # number of outgoing simultaneous tcp buffers to hold per thread. - # outgoing-num-tcp: 10 - - # number of incoming simultaneous tcp buffers to hold per thread. - # incoming-num-tcp: 10 - - # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). - # 0 is system default. Use 4m to catch query spikes for busy servers. - # so-rcvbuf: 0 - - # buffer size for UDP port 53 outgoing (SO_SNDBUF socket option). - # 0 is system default. Use 4m to handle spikes on very busy servers. - # so-sndbuf: 0 - - # use SO_REUSEPORT to distribute queries over threads. 
- # so-reuseport: no - - # use IP_TRANSPARENT so the interface: addresses can be non-local - # and you can config non-existing IPs that are going to work later on - # (uses IP_BINDANY on FreeBSD). - # ip-transparent: no - - # use IP_FREEBIND so the interface: addresses can be non-local - # and you can bind to nonexisting IPs and interfaces that are down. - # Linux only. On Linux you also have ip-transparent that is similar. - # ip-freebind: no - - # EDNS reassembly buffer to advertise to UDP peers (the actual buffer - # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts). - # edns-buffer-size: 4096 - - # Maximum UDP response size (not applied to TCP response). - # Suggested values are 512 to 4096. Default is 4096. 65536 disables it. - # max-udp-size: 4096 - - # buffer size for handling DNS data. No messages larger than this - # size can be sent or received, by UDP or TCP. In bytes. - # msg-buffer-size: 65552 - - # the amount of memory to use for the message cache. - # plain value in bytes or you can append k, m or G. default is "4Mb". - # msg-cache-size: 4m - - # the number of slabs to use for the message cache. - # the number of slabs must be a power of 2. - # more slabs reduce lock contention, but fragment memory usage. - # msg-cache-slabs: 4 - - # the number of queries that a thread gets to service. - # num-queries-per-thread: 1024 - - # if very busy, 50% queries run to completion, 50% get timeout in msec - # jostle-timeout: 200 - - # msec to wait before close of port on timeout UDP. 0 disables. - # delay-close: 0 - - # the amount of memory to use for the RRset cache. - # plain value in bytes or you can append k, m or G. default is "4Mb". - # rrset-cache-size: 4m - - # the number of slabs to use for the RRset cache. - # the number of slabs must be a power of 2. - # more slabs reduce lock contention, but fragment memory usage. - # rrset-cache-slabs: 4 - - # the time to live (TTL) value lower bound, in seconds. Default 0. 
- # If more than an hour could easily give trouble due to stale data. - # cache-min-ttl: 0 - - # the time to live (TTL) value cap for RRsets and messages in the - # cache. Items are not cached for longer. In seconds. - # cache-max-ttl: 86400 - - # the time to live (TTL) value cap for negative responses in the cache - # cache-max-negative-ttl: 3600 - - # the time to live (TTL) value for cached roundtrip times, lameness and - # EDNS version information for hosts. In seconds. - # infra-host-ttl: 900 - - # minimum wait time for responses, increase if uplink is long. In msec. - # infra-cache-min-rtt: 50 - - # the number of slabs to use for the Infrastructure cache. - # the number of slabs must be a power of 2. - # more slabs reduce lock contention, but fragment memory usage. - # infra-cache-slabs: 4 - - # the maximum number of hosts that are cached (roundtrip, EDNS, lame). - # infra-cache-numhosts: 10000 - - # define a number of tags here, use with local-zone, access-control. - # repeat the define-tag statement to add additional tags. - # define-tag: "tag1 tag2 tag3" - - # Enable IPv4, "yes" or "no". - # do-ip4: yes - - # Enable IPv6, "yes" or "no". - # do-ip6: yes - - # Enable UDP, "yes" or "no". - # do-udp: yes - - # Enable TCP, "yes" or "no". - # do-tcp: yes - - # upstream connections use TCP only (and no UDP), "yes" or "no" - # useful for tunneling scenarios, default no. - # tcp-upstream: no - - # Maximum segment size (MSS) of TCP socket on which the server - # responds to queries. Default is 0, system default MSS. - # tcp-mss: 0 - - # Maximum segment size (MSS) of TCP socket for outgoing queries. - # Default is 0, system default MSS. - # outgoing-tcp-mss: 0 - - # Use systemd socket activation for UDP, TCP, and control sockets. - # use-systemd: no - - # Detach from the terminal, run in background, "yes" or "no". - # Set the value to "no" when unbound runs as systemd service. 
- # do-daemonize: yes - - # control which clients are allowed to make (recursive) queries - # to this server. Specify classless netblocks with /size and action. - # By default everything is refused, except for localhost. - # Choose deny (drop message), refuse (polite error reply), - # allow (recursive ok), allow_snoop (recursive and nonrecursive ok) - # deny_non_local (drop queries unless can be answered from local-data) - # refuse_non_local (like deny_non_local but polite error reply). - # access-control: 0.0.0.0/0 refuse - # access-control: 127.0.0.0/8 allow - # access-control: ::0/0 refuse - # access-control: ::1 allow - # access-control: ::ffff:127.0.0.1 allow - - # tag access-control with list of tags (in "" with spaces between) - # Clients using this access control element use localzones that - # are tagged with one of these tags. - # access-control-tag: 192.0.2.0/24 "tag2 tag3" - - # set action for particular tag for given access control element - # if you have multiple tag values, the tag used to lookup the action - # is the first tag match between access-control-tag and local-zone-tag - # where "first" comes from the order of the define-tag values. - # access-control-tag-action: 192.0.2.0/24 tag3 refuse - - # set redirect data for particular tag for access control element - # access-control-tag-data: 192.0.2.0/24 tag2 "A 127.0.0.1" - - # Set view for access control element - # access-control-view: 192.0.2.0/24 viewname - - # if given, a chroot(2) is done to the given directory. - # i.e. you can chroot to the working directory, for example, - # for extra security, but make sure all files are in that directory. - # - # If chroot is enabled, you should pass the configfile (from the - # commandline) as a full path from the original root. After the - # chroot has been performed the now defunct portion of the config - # file path is removed to be able to reread the config after a reload. 
- # - # All other file paths (working dir, logfile, roothints, and - # key files) can be specified in several ways: - # o as an absolute path relative to the new root. - # o as a relative path to the working directory. - # o as an absolute path relative to the original root. - # In the last case the path is adjusted to remove the unused portion. - # - # The pid file can be absolute and outside of the chroot, it is - # written just prior to performing the chroot and dropping permissions. - # - # Additionally, unbound may need to access /dev/random (for entropy). - # How to do this is specific to your OS. - # - # If you give "" no chroot is performed. The path must not end in a /. - # chroot: "@UNBOUND_CHROOT_DIR@" - - # if given, user privileges are dropped (after binding port), - # and the given username is assumed. Default is user "unbound". - # If you give "" no privileges are dropped. - # username: "@UNBOUND_USERNAME@" - - # the working directory. The relative files in this config are - # relative to this directory. If you give "" the working directory - # is not changed. - # If you give a server: directory: dir before include: file statements - # then those includes can be relative to the working directory. - # directory: "@UNBOUND_RUN_DIR@" - - # the log file, "" means log to stderr. - # Use of this option sets use-syslog to "no". - # logfile: "" - - # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to - # log to. If yes, it overrides the logfile. - # use-syslog: yes - - # Log identity to report. if empty, defaults to the name of argv[0] - # (usually "unbound"). - # log-identity: "" - - # print UTC timestamp in ascii to logfile, default is epoch in seconds. - # log-time-ascii: no - - # print one line with time, IP, name, type, class for every query. - # log-queries: no - - # print one line per reply, with time, IP, name, type, class, rcode, - # timetoresolve, fromcache and responsesize. - # log-replies: no - - # the pid file. 
Can be an absolute path outside of chroot/work dir. - # pidfile: "@UNBOUND_PIDFILE@" - - # file to read root hints from. - # get one from https://www.internic.net/domain/named.cache - # root-hints: "" - - # enable to not answer id.server and hostname.bind queries. - # hide-identity: no - - # enable to not answer version.server and version.bind queries. - # hide-version: no - - # enable to not answer trustanchor.unbound queries. - # hide-trustanchor: no - - # the identity to report. Leave "" or default to return hostname. - # identity: "" - - # the version to report. Leave "" or default to return package version. - # version: "" - - # the target fetch policy. - # series of integers describing the policy per dependency depth. - # The number of values in the list determines the maximum dependency - # depth the recursor will pursue before giving up. Each integer means: - # -1 : fetch all targets opportunistically, - # 0: fetch on demand, - # positive value: fetch that many targets opportunistically. - # Enclose the list of numbers between quotes (""). - # target-fetch-policy: "3 2 1 0 0" - - # Harden against very small EDNS buffer sizes. - # harden-short-bufsize: no - - # Harden against unseemly large queries. - # harden-large-queries: no - - # Harden against out of zone rrsets, to avoid spoofing attempts. - # harden-glue: yes - - # Harden against receiving dnssec-stripped data. If you turn it - # off, failing to validate dnskey data for a trustanchor will - # trigger insecure mode for that zone (like without a trustanchor). - # Default on, which insists on dnssec data for trust-anchored zones. - # harden-dnssec-stripped: yes - - # Harden against queries that fall under dnssec-signed nxdomain names. - # harden-below-nxdomain: no - - # Harden the referral path by performing additional queries for - # infrastructure data. Validates the replies (if possible). - # Default off, because the lookups burden the server. 
Experimental - # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. - # harden-referral-path: no - - # Harden against algorithm downgrade when multiple algorithms are - # advertised in the DS record. If no, allows the weakest algorithm - # to validate the zone. - # harden-algo-downgrade: no - - # Sent minimum amount of information to upstream servers to enhance - # privacy. Only sent minimum required labels of the QNAME and set QTYPE - # to NS when possible. - # qname-minimisation: no - - # QNAME minimisation in strict mode. Do not fall-back to sending full - # QNAME to potentially broken nameservers. A lot of domains will not be - # resolvable when this option in enabled. - # This option only has effect when qname-minimisation is enabled. - # qname-minimisation-strict: no - - # Use 0x20-encoded random bits in the query to foil spoof attempts. - # This feature is an experimental implementation of draft dns-0x20. - # use-caps-for-id: no - - # Domains (and domains in them) without support for dns-0x20 and - # the fallback fails because they keep sending different answers. - # caps-whitelist: "licdn.com" - # caps-whitelist: "senderbase.org" - - # Enforce privacy of these addresses. Strips them away from answers. - # It may cause DNSSEC validation to additionally mark it as bogus. - # Protects against 'DNS Rebinding' (uses browser as network proxy). - # Only 'private-domain' and 'local-data' names are allowed to have - # these private addresses. No default. - # private-address: 10.0.0.0/8 - # private-address: 172.16.0.0/12 - # private-address: 192.168.0.0/16 - # private-address: 169.254.0.0/16 - # private-address: fd00::/8 - # private-address: fe80::/10 - # private-address: ::ffff:0:0/96 - - # Allow the domain (and its subdomains) to contain private addresses. - # local-data statements are allowed to contain private addresses too. 
- # private-domain: "example.com" - - # If nonzero, unwanted replies are not only reported in statistics, - # but also a running total is kept per thread. If it reaches the - # threshold, a warning is printed and a defensive action is taken, - # the cache is cleared to flush potential poison out of it. - # A suggested value is 10000000, the default is 0 (turned off). - # unwanted-reply-threshold: 0 - - # Do not query the following addresses. No DNS queries are sent there. - # List one address per entry. List classless netblocks with /size, - # do-not-query-address: 127.0.0.1/8 - # do-not-query-address: ::1 - - # if yes, the above default do-not-query-address entries are present. - # if no, localhost can be queried (for testing and debugging). - # do-not-query-localhost: yes - - # if yes, perform prefetching of almost expired message cache entries. - # prefetch: no - - # if yes, perform key lookups adjacent to normal lookups. - # prefetch-key: no - - # if yes, Unbound rotates RRSet order in response. - # rrset-roundrobin: no - - # if yes, Unbound doesn't insert authority/additional sections - # into response messages when those sections are not required. - # minimal-responses: no - - # true to disable DNSSEC lameness check in iterator. - # disable-dnssec-lame-check: no - - # module configuration of the server. A string with identifiers - # separated by spaces. Syntax: "[dns64] [validator] iterator" - # module-config: "validator iterator" - - # File with trusted keys, kept uptodate using RFC5011 probes, - # initial file like trust-anchor-file, then it stores metadata. - # Use several entries, one per domain name, to track multiple zones. - # - # If you want to perform DNSSEC validation, run unbound-anchor before - # you start unbound (i.e. in the system boot scripts). And enable: - # Please note usage of unbound-anchor root anchor is at your own risk - # and under the terms of our LICENSE (see that file in the source). 
- # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" - - # File with DLV trusted keys. Same format as trust-anchor-file. - # There can be only one DLV configured, it is trusted from root down. - # DLV is going to be decommissioned. Please do not use it any more. - # dlv-anchor-file: "dlv.isc.org.key" - - # File with trusted keys for validation. Specify more than one file - # with several entries, one file per entry. - # Zone file format, with DS and DNSKEY entries. - # Note this gets out of date, use auto-trust-anchor-file please. - # trust-anchor-file: "" - - # Trusted key for validation. DS or DNSKEY. specify the RR on a - # single line, surrounded by "". TTL is ignored. class is IN default. - # Note this gets out of date, use auto-trust-anchor-file please. - # (These examples are from August 2007 and may not be valid anymore). - # trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ==" - # trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A" - - # File with trusted keys for validation. Specify more than one file - # with several entries, one file per entry. Like trust-anchor-file - # but has a different file format. Format is BIND-9 style format, - # the trusted-keys { name flag proto algo "key"; }; clauses are read. - # you need external update procedures to track changes in keys. - # trusted-keys-file: "" - - # Ignore chain of trust. Domain is treated as insecure. - # domain-insecure: "example.com" - - # Override the date for validation with a specific fixed date. - # Do not set this unless you are debugging signature inception - # and expiration. "" or "0" turns the feature off. -1 ignores date. - # val-override-date: "" - - # The time to live for bogus data, rrsets and messages. This avoids - # some of the revalidation, until the time interval expires. 
in secs. - # val-bogus-ttl: 60 - - # The signature inception and expiration dates are allowed to be off - # by 10% of the signature lifetime (expir-incep) from our local clock. - # This leeway is capped with a minimum and a maximum. In seconds. - # val-sig-skew-min: 3600 - # val-sig-skew-max: 86400 - - # Should additional section of secure message also be kept clean of - # unsecure data. Useful to shield the users of this validator from - # potential bogus data in the additional section. All unsigned data - # in the additional section is removed from secure messages. - # val-clean-additional: yes - - # Turn permissive mode on to permit bogus messages. Thus, messages - # for which security checks failed will be returned to clients, - # instead of SERVFAIL. It still performs the security checks, which - # result in interesting log files and possibly the AD bit in - # replies if the message is found secure. The default is off. - # val-permissive-mode: no - - # Ignore the CD flag in incoming queries and refuse them bogus data. - # Enable it if the only clients of unbound are legacy servers (w2008) - # that set CD but cannot validate themselves. - # ignore-cd-flag: no - - # Serve expired reponses from cache, with TTL 0 in the response, - # and then attempt to fetch the data afresh. - # serve-expired: no - - # Have the validator log failed validations for your diagnosis. - # 0: off. 1: A line per failed user query. 2: With reason and bad IP. - # val-log-level: 0 - - # It is possible to configure NSEC3 maximum iteration counts per - # keysize. Keep this table very short, as linear search is done. - # A message with an NSEC3 with larger count is marked insecure. - # List in ascending order the keysize and count values. - # val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500" - - # instruct the auto-trust-anchor-file probing to add anchors after ttl. - # add-holddown: 2592000 # 30 days - - # instruct the auto-trust-anchor-file probing to del anchors after ttl. 
- # del-holddown: 2592000 # 30 days - - # auto-trust-anchor-file probing removes missing anchors after ttl. - # If the value 0 is given, missing anchors are not removed. - # keep-missing: 31622400 # 366 days - - # debug option that allows very small holddown times for key rollover, - # otherwise the RFC mandates probe intervals must be at least 1 hour. - # permit-small-holddown: no - - # the amount of memory to use for the key cache. - # plain value in bytes or you can append k, m or G. default is "4Mb". - # key-cache-size: 4m - - # the number of slabs to use for the key cache. - # the number of slabs must be a power of 2. - # more slabs reduce lock contention, but fragment memory usage. - # key-cache-slabs: 4 - - # the amount of memory to use for the negative cache (used for DLV). - # plain value in bytes or you can append k, m or G. default is "1Mb". - # neg-cache-size: 1m - - # By default, for a number of zones a small default 'nothing here' - # reply is built-in. Query traffic is thus blocked. If you - # wish to serve such zone you can unblock them by uncommenting one - # of the nodefault statements below. - # You may also have to use domain-insecure: zone to make DNSSEC work, - # unless you have your own trust anchors for this zone. - # local-zone: "localhost." nodefault - # local-zone: "127.in-addr.arpa." nodefault - # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault - # local-zone: "onion." nodefault - # local-zone: "10.in-addr.arpa." nodefault - # local-zone: "16.172.in-addr.arpa." nodefault - # local-zone: "17.172.in-addr.arpa." nodefault - # local-zone: "18.172.in-addr.arpa." nodefault - # local-zone: "19.172.in-addr.arpa." nodefault - # local-zone: "20.172.in-addr.arpa." nodefault - # local-zone: "21.172.in-addr.arpa." nodefault - # local-zone: "22.172.in-addr.arpa." nodefault - # local-zone: "23.172.in-addr.arpa." nodefault - # local-zone: "24.172.in-addr.arpa." 
nodefault - # local-zone: "25.172.in-addr.arpa." nodefault - # local-zone: "26.172.in-addr.arpa." nodefault - # local-zone: "27.172.in-addr.arpa." nodefault - # local-zone: "28.172.in-addr.arpa." nodefault - # local-zone: "29.172.in-addr.arpa." nodefault - # local-zone: "30.172.in-addr.arpa." nodefault - # local-zone: "31.172.in-addr.arpa." nodefault - # local-zone: "168.192.in-addr.arpa." nodefault - # local-zone: "0.in-addr.arpa." nodefault - # local-zone: "254.169.in-addr.arpa." nodefault - # local-zone: "2.0.192.in-addr.arpa." nodefault - # local-zone: "100.51.198.in-addr.arpa." nodefault - # local-zone: "113.0.203.in-addr.arpa." nodefault - # local-zone: "255.255.255.255.in-addr.arpa." nodefault - # local-zone: "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault - # local-zone: "d.f.ip6.arpa." nodefault - # local-zone: "8.e.f.ip6.arpa." nodefault - # local-zone: "9.e.f.ip6.arpa." nodefault - # local-zone: "a.e.f.ip6.arpa." nodefault - # local-zone: "b.e.f.ip6.arpa." nodefault - # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault - # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa. - - # If unbound is running service for the local host then it is useful - # to perform lan-wide lookups to the upstream, and unblock the - # long list of local-zones above. If this unbound is a dns server - # for a network of computers, disabled is better and stops information - # leakage of local lan information. - # unblock-lan-zones: no - - # The insecure-lan-zones option disables validation for - # these zones, as if they were all listed as domain-insecure. - # insecure-lan-zones: no - - # a number of locally served zones can be configured. - # local-zone: <zone> <type> - # local-data: "<resource record string>" - # o deny serves local data (if any), else, drops queries. - # o refuse serves local data (if any), else, replies with error. - # o static serves local data, else, nxdomain or nodata answer. 
- # o transparent gives local data, but resolves normally for other names - # o redirect serves the zone data for any subdomain in the zone. - # o nodefault can be used to normally resolve AS112 zones. - # o typetransparent resolves normally for other types and other names - # o inform acts like transparent, but logs client IP address - # o inform_deny drops queries and logs client IP address - # o always_transparent, always_refuse, always_nxdomain, resolve in - # that way but ignore local data for that name. - # - # defaults are localhost address, reverse for 127.0.0.1 and ::1 - # and nxdomain for AS112 zones. If you configure one of these zones - # the default content is omitted, or you can omit it with 'nodefault'. - # - # If you configure local-data without specifying local-zone, by - # default a transparent local-zone is created for the data. - # - # You can add locally served data with - # local-zone: "local." static - # local-data: "mycomputer.local. IN A 192.0.2.51" - # local-data: 'mytext.local TXT "content of text record"' - # - # You can override certain queries with - # local-data: "adserver.example.com A 127.0.0.1" - # - # You can redirect a domain to a fixed address with - # (this makes example.com, www.example.com, etc, all go to 192.0.2.3) - # local-zone: "example.com" redirect - # local-data: "example.com A 192.0.2.3" - # - # Shorthand to make PTR records, "IPv4 name" or "IPv6 name". - # You can also add PTR records using local-data directly, but then - # you need to do the reverse notation yourself. - # local-data-ptr: "192.0.2.3 www.example.com" - - # tag a localzone with a list of tag names (in "" with spaces between) - # local-zone-tag: "example.com" "tag2 tag3" - - # add a netblock specific override to a localzone, with zone type - # local-zone-override: "example.com" 192.0.2.0/24 refuse - - # service clients over SSL (on the TCP sockets), with plain DNS inside - # the SSL stream. Give the certificate to use and private key. 
- # default is "" (disabled). requires restart to take effect. - # ssl-service-key: "path/to/privatekeyfile.key" - # ssl-service-pem: "path/to/publiccertfile.pem" - # ssl-port: 853 - - # request upstream over SSL (with plain DNS inside the SSL stream). - # Default is no. Can be turned on and off with unbound-control. - # ssl-upstream: no - - # DNS64 prefix. Must be specified when DNS64 is use. - # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4. - # dns64-prefix: 64:ff9b::0/96 - - # ratelimit for uncached, new queries, this limits recursion effort. - # ratelimiting is experimental, and may help against randomqueryflood. - # if 0(default) it is disabled, otherwise state qps allowed per zone. - # ratelimit: 0 - - # ratelimits are tracked in a cache, size in bytes of cache (or k,m). - # ratelimit-size: 4m - # ratelimit cache slabs, reduces lock contention if equal to cpucount. - # ratelimit-slabs: 4 - - # 0 blocks when ratelimited, otherwise let 1/xth traffic through - # ratelimit-factor: 10 - - # override the ratelimit for a specific domain name. - # give this setting multiple times to have multiple overrides. - # ratelimit-for-domain: example.com 1000 - # override the ratelimits for all domains below a domain name - # can give this multiple times, the name closest to the zone is used. - # ratelimit-below-domain: com 1000 - - # global query ratelimit for all ip addresses. - # feature is experimental. - # if 0(default) it is disabled, otherwise states qps allowed per ip address - # ip-ratelimit: 0 - - # ip ratelimits are tracked in a cache, size in bytes of cache (or k,m). - # ip-ratelimit-size: 4m - # ip ratelimit cache slabs, reduces lock contention if equal to cpucount. - # ip-ratelimit-slabs: 4 - - # 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through - # ip-ratelimit-factor: 10 - - -# Python config section. To enable: -# o use --with-pythonmodule to configure before compiling. 
-# o list python in the module-config string (above) to enable. -# o and give a python-script to run. -python: - # Script file to load - # python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py" - -# Remote control config section. -remote-control: - # Enable remote control with unbound-control(8) here. - # set up the keys and certificates with unbound-control-setup. - # control-enable: no - - # Set to no and use an absolute path as control-interface to use - # a unix local named pipe for unbound-control. - # control-use-cert: yes - - # what interfaces are listened to for remote control. - # give 0.0.0.0 and ::0 to listen to all interfaces. - # control-interface: 127.0.0.1 - # control-interface: ::1 - - # port number for remote control operations. - # control-port: 8953 - - # unbound server key file. - # server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key" - - # unbound server certificate file. - # server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem" - - # unbound-control key file. - # control-key-file: "@UNBOUND_RUN_DIR@/unbound_control.key" - - # unbound-control certificate file. - # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem" - -# Stub zones. -# Create entries like below, to make all queries for 'example.com' and -# 'example.org' go to the given list of nameservers. list zero or more -# nameservers by hostname or by ipaddress. If you set stub-prime to yes, -# the list is treated as priming hints (default is no). -# With stub-first yes, it attempts without the stub if it fails. -# Consider adding domain-insecure: name and local-zone: name nodefault -# to the server: section if the stub is a locally served zone. -# stub-zone: -# name: "example.com" -# stub-addr: 192.0.2.68 -# stub-prime: no -# stub-first: no -# stub-ssl-upstream: no -# stub-zone: -# name: "example.org" -# stub-host: ns.example.com. - -# Forward zones -# Create entries like below, to make all queries for 'example.com' and -# 'example.org' go to the given list of servers. 
These servers have to handle -# recursion to other nameservers. List zero or more nameservers by hostname -# or by ipaddress. Use an entry with name "." to forward all queries. -# If you enable forward-first, it attempts without the forward if it fails. -# forward-zone: -# name: "example.com" -# forward-addr: 192.0.2.68 -# forward-addr: 192.0.2.73@5355 # forward to port 5355. -# forward-first: no -# forward-ssl-upstream: no -# forward-zone: -# name: "example.org" -# forward-host: fwd.example.com - -# Views -# Create named views. Name must be unique. Map views to requests using -# the access-control-view option. Views can contain zero or more local-zone -# and local-data options. Options from matching views will override global -# options. Global options will be used if no matching view is found. -# With view-first yes, it will try to answer using the global local-zone and -# local-data elements if there is no view specific match. -# view: -# name: "viewname" -# local-zone: "example.com" redirect -# local-data: "example.com A 192.0.2.3" -# local-data-ptr: "192.0.2.3 www.example.com" -# view-first: no -# view: -# name: "anotherview" -# local-zone: "example.com" refuse - -# DNSCrypt -# Caveats: -# 1. the keys/certs cannot be produced by unbound. You can use dnscrypt-wrapper -# for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage -# 2. dnscrypt channel attaches to an interface. you MUST set interfaces to -# listen on `dnscrypt-port` with the follo0wing snippet: -# server: -# interface: 0.0.0.0@443 -# interface: ::0@443 -# -# Finally, `dnscrypt` config has its own section. -# dnscrypt: -# dnscrypt-enable: yes -# dnscrypt-port: 443 -# dnscrypt-provider: 2.dnscrypt-cert.example.com. -# dnscrypt-secret-key: /path/unbound-conf/keys1/1.key -# dnscrypt-secret-key: /path/unbound-conf/keys2/1.key -# dnscrypt-provider-cert: /path/unbound-conf/keys1/1.cert -# dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert 
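Review bot: this hunk drops the example configuration that spells out the hardening-relevant defaults (control-use-cert: yes, control-interface: 127.0.0.1 and ::1, ssl-service-key/ssl-service-pem with ssl-port 853, the ratelimit and ip-ratelimit knobs, and the dnscrypt caveat that server: must add interface: 0.0.0.0@443 and interface: ::0@443) without a replacement or pointer elsewhere in the change. If the vendored unbound sources stay in the tree, add a one-line pointer to the upstream unbound.conf(5) page for the same release so operators of the embedded resolver do not set up the remote-control and TLS listeners from memory.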
diff --git a/external/unbound/doc/ietf67-design-02.odp b/external/unbound/doc/ietf67-design-02.odp Binary files differdeleted file mode 100644 index 8321b556f..000000000 --- a/external/unbound/doc/ietf67-design-02.odp +++ /dev/null diff --git a/external/unbound/doc/ietf67-design-02.pdf b/external/unbound/doc/ietf67-design-02.pdf Binary files differdeleted file mode 100644 index 1ebdaf92d..000000000 --- a/external/unbound/doc/ietf67-design-02.pdf +++ /dev/null diff --git a/external/unbound/doc/libunbound.3.in b/external/unbound/doc/libunbound.3.in deleted file mode 100644 index 70ed5c2d4..000000000 --- a/external/unbound/doc/libunbound.3.in +++ /dev/null 
@@ -1,415 +0,0 @@ -.TH "libunbound" "3" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3" -.\" -.\" libunbound.3 -- unbound library functions manual -.\" -.\" Copyright (c) 2007, NLnet Labs. All rights reserved. -.\" -.\" See LICENSE for the license. -.\" -.\" -.SH "NAME" -.B libunbound, -.B unbound.h, -.B ub_ctx, -.B ub_result, -.B ub_callback_type, -.B ub_ctx_create, -.B ub_ctx_delete, -.B ub_ctx_set_option, -.B ub_ctx_get_option, -.B ub_ctx_config, -.B ub_ctx_set_fwd, -.B ub_ctx_set_stub, -.B ub_ctx_resolvconf, -.B ub_ctx_hosts, -.B ub_ctx_add_ta, -.B ub_ctx_add_ta_autr, -.B ub_ctx_add_ta_file, -.B ub_ctx_trustedkeys, -.B ub_ctx_debugout, -.B ub_ctx_debuglevel, -.B ub_ctx_async, -.B ub_poll, -.B ub_wait, -.B ub_fd, -.B ub_process, -.B ub_resolve, -.B ub_resolve_async, -.B ub_cancel, -.B ub_resolve_free, -.B ub_strerror, -.B ub_ctx_print_local_zones, -.B ub_ctx_zone_add, -.B ub_ctx_zone_remove, -.B ub_ctx_data_add, -.B ub_ctx_data_remove -\- Unbound DNS validating resolver 1.6.3 functions. -.SH "SYNOPSIS" -.B #include <unbound.h> -.LP -\fIstruct ub_ctx *\fR -\fBub_ctx_create\fR(\fIvoid\fR); -.LP -\fIvoid\fR -\fBub_ctx_delete\fR(\fIstruct ub_ctx*\fR ctx); -.LP -\fIint\fR -\fBub_ctx_set_option\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR opt, \fIchar*\fR val); -.LP -\fIint\fR -\fBub_ctx_get_option\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR opt, \fIchar**\fR val); -.LP -\fIint\fR -\fBub_ctx_config\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname); -.LP -\fIint\fR -\fBub_ctx_set_fwd\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR addr); -.LP -\fIint\fR -\fBub_ctx_set_stub\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR zone, -\fIchar*\fR addr, -.br - \fIint\fR isprime); -.LP -\fIint\fR -\fBub_ctx_resolvconf\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname); -.LP -\fIint\fR -\fBub_ctx_hosts\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname); -.LP -\fIint\fR -\fBub_ctx_add_ta\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR ta); -.LP -\fIint\fR -\fBub_ctx_add_ta_autr\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR 
fname); -.LP -\fIint\fR -\fBub_ctx_add_ta_file\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname); -.LP -\fIint\fR -\fBub_ctx_trustedkeys\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname); -.LP -\fIint\fR -\fBub_ctx_debugout\fR(\fIstruct ub_ctx*\fR ctx, \fIFILE*\fR out); -.LP -\fIint\fR -\fBub_ctx_debuglevel\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR d); -.LP -\fIint\fR -\fBub_ctx_async\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR dothread); -.LP -\fIint\fR -\fBub_poll\fR(\fIstruct ub_ctx*\fR ctx); -.LP -\fIint\fR -\fBub_wait\fR(\fIstruct ub_ctx*\fR ctx); -.LP -\fIint\fR -\fBub_fd\fR(\fIstruct ub_ctx*\fR ctx); -.LP -\fIint\fR -\fBub_process\fR(\fIstruct ub_ctx*\fR ctx); -.LP -\fIint\fR -\fBub_resolve\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR name, -.br - \fIint\fR rrtype, \fIint\fR rrclass, \fIstruct ub_result**\fR result); -.LP -\fIint\fR -\fBub_resolve_async\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR name, -.br - \fIint\fR rrtype, \fIint\fR rrclass, \fIvoid*\fR mydata, -.br - \fIub_callback_type\fR callback, \fIint*\fR async_id); -.LP -\fIint\fR -\fBub_cancel\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR async_id); -.LP -\fIvoid\fR -\fBub_resolve_free\fR(\fIstruct ub_result*\fR result); -.LP -\fIconst char *\fR -\fBub_strerror\fR(\fIint\fR err); -.LP -\fIint\fR -\fBub_ctx_print_local_zones\fR(\fIstruct ub_ctx*\fR ctx); -.LP -\fIint\fR -\fBub_ctx_zone_add\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR zone_name, \fIchar*\fR zone_type); -.LP -\fIint\fR -\fBub_ctx_zone_remove\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR zone_name); -.LP -\fIint\fR -\fBub_ctx_data_add\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR data); -.LP -\fIint\fR -\fBub_ctx_data_remove\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR data); -.SH "DESCRIPTION" -.B Unbound -is an implementation of a DNS resolver, that does caching and -DNSSEC validation. This is the library API, for using the \-lunbound library. -The server daemon is described in \fIunbound\fR(8). 
-The library can be used to convert hostnames to ip addresses, and back, -and obtain other information from the DNS. The library performs public\-key -validation of results with DNSSEC. -.P -The library uses a variable of type \fIstruct ub_ctx\fR to keep context -between calls. The user must maintain it, creating it with -.B ub_ctx_create -and deleting it with -.B ub_ctx_delete\fR. -It can be created and deleted at any time. Creating it anew removes any -previous configuration (such as trusted keys) and clears any cached results. -.P -The functions are thread\-safe, and a context an be used in a threaded (as -well as in a non\-threaded) environment. Also resolution (and validation) -can be performed blocking and non\-blocking (also called asynchronous). -The async method returns from the call immediately, so that processing -can go on, while the results become available later. -.P -The functions are discussed in turn below. -.SH "FUNCTIONS" -.TP -.B ub_ctx_create -Create a new context, initialised with defaults. -The information from /etc/resolv.conf and /etc/hosts is not utilised -by default. Use -.B ub_ctx_resolvconf -and -.B ub_ctx_hosts -to read them. -Before you call this, use the openssl functions CRYPTO_set_id_callback and -CRYPTO_set_locking_callback to set up asynchronous operation if you use -lib openssl (the application calls these functions once for initialisation). -Openssl 1.0.0 or later uses the CRYPTO_THREADID_set_callback function. -.TP -.B ub_ctx_delete -Delete validation context and free associated resources. -Outstanding async queries are killed and callbacks are not called for them. -.TP -.B ub_ctx_set_option -A power\-user interface that lets you specify one of the options from the -config file format, see \fIunbound.conf\fR(5). Not all options are -relevant. For some specific options, such as adding trust anchors, special -routines exist. Pass the option name with the trailing ':'. 
-.TP -.B ub_ctx_get_option -A power\-user interface that gets an option value. Some options cannot be -gotten, and others return a newline separated list. Pass the option name -without trailing ':'. The returned value must be free(2)d by the caller. -.TP -.B ub_ctx_config -A power\-user interface that lets you specify an unbound config file, see -\fIunbound.conf\fR(5), which is read for configuration. Not all options are -relevant. For some specific options, such as adding trust anchors, special -routines exist. -.TP -.B ub_ctx_set_fwd -Set machine to forward DNS queries to, the caching resolver to use. -IP4 or IP6 address. Forwards all DNS requests to that machine, which -is expected to run a recursive resolver. If the proxy is not -DNSSEC capable, validation may fail. Can be called several times, in -that case the addresses are used as backup servers. -At this time it is only possible to set configuration before the -first resolve is done. -.TP -.B ub_ctx_set_stub -Set a stub zone, authoritative dns servers to use for a particular zone. -IP4 or IP6 address. If the address is NULL the stub entry is removed. -Set isprime true if you configure root hints with it. Otherwise similar to -the stub zone item from unbound's config file. Can be called several times, -for different zones, or to add multiple addresses for a particular zone. -At this time it is only possible to set configuration before the -first resolve is done. -.TP -.B ub_ctx_resolvconf -By default the root servers are queried and full resolver mode is used, but -you can use this call to read the list of nameservers to use from the -filename given. -Usually "/etc/resolv.conf". Uses those nameservers as caching proxies. -If they do not support DNSSEC, validation may fail. -Only nameservers are picked up, the searchdomain, ndots and other -settings from \fIresolv.conf\fR(5) are ignored. 
-If fname NULL is passed, "/etc/resolv.conf" is used (if on Windows, -the system\-wide configured nameserver is picked instead). -At this time it is only possible to set configuration before the -first resolve is done. -.TP -.B ub_ctx_hosts -Read list of hosts from the filename given. -Usually "/etc/hosts". When queried for, these addresses are not marked -DNSSEC secure. If fname NULL is passed, "/etc/hosts" is used -(if on Windows, etc/hosts from WINDIR is picked instead). -At this time it is only possible to set configuration before the -first resolve is done. -.TP -.B -ub_ctx_add_ta -Add a trust anchor to the given context. -At this time it is only possible to add trusted keys before the -first resolve is done. -The format is a string, similar to the zone\-file format, -[domainname] [type] [rdata contents]. Both DS and DNSKEY records are accepted. -.TP -.B ub_ctx_add_ta_autr -Add filename with automatically tracked trust anchor to the given context. -Pass name of a file with the managed trust anchor. You can create this -file with \fIunbound\-anchor\fR(8) for the root anchor. You can also -create it with an initial file with one line with a DNSKEY or DS record. -If the file is writable, it is updated when the trust anchor changes. -At this time it is only possible to add trusted keys before the -first resolve is done. -.TP -.B ub_ctx_add_ta_file -Add trust anchors to the given context. -Pass name of a file with DS and DNSKEY records in zone file format. -At this time it is only possible to add trusted keys before the -first resolve is done. -.TP -.B ub_ctx_trustedkeys -Add trust anchors to the given context. -Pass the name of a bind\-style config file with trusted\-keys{}. -At this time it is only possible to add trusted keys before the -first resolve is done. -.TP -.B ub_ctx_debugout -Set debug and error log output to the given stream. Pass NULL to disable -output. Default is stderr. 
File\-names or using syslog can be enabled -using config options, this routine is for using your own stream. -.TP -.B ub_ctx_debuglevel -Set debug verbosity for the context. Output is directed to stderr. -Higher debug level gives more output. -.TP -.B ub_ctx_async -Set a context behaviour for asynchronous action. -if set to true, enables threading and a call to -.B ub_resolve_async -creates a thread to handle work in the background. -If false, a process is forked to handle work in the background. -Changes to this setting after -.B ub_resolve_async -calls have been made have no effect (delete and re\-create the context -to change). -.TP -.B ub_poll -Poll a context to see if it has any new results. -Do not poll in a loop, instead extract the fd below to poll for readiness, -and then check, or wait using the wait routine. -Returns 0 if nothing to read, or nonzero if a result is available. -If nonzero, call -.B ub_process -to do callbacks. -.TP -.B ub_wait -Wait for a context to finish with results. Calls -.B ub_process -after the wait for you. After the wait, there are no more outstanding -asynchronous queries. -.TP -.B ub_fd -Get file descriptor. Wait for it to become readable, at this point -answers are returned from the asynchronous validating resolver. -Then call the \fBub_process\fR to continue processing. -.TP -.B ub_process -Call this routine to continue processing results from the validating -resolver (when the fd becomes readable). -Will perform necessary callbacks. -.TP -.B ub_resolve -Perform resolution and validation of the target name. -The name is a domain name in a zero terminated text string. -The rrtype and rrclass are DNS type and class codes. -The result structure is newly allocated with the resulting data. -.TP -.B ub_resolve_async -Perform asynchronous resolution and validation of the target name. -Arguments mean the same as for \fBub_resolve\fR except no -data is returned immediately, instead a callback is called later. 
-The callback receives a copy of the mydata pointer, that you can use to pass -information to the callback. The callback type is a function pointer to -a function declared as -.IP -void my_callback_function(void* my_arg, int err, -.br - struct ub_result* result); -.IP -The async_id is returned so you can (at your option) decide to track it -and cancel the request if needed. If you pass a NULL pointer the async_id -is not returned. -.TP -.B ub_cancel -Cancel an async query in progress. This may return an error if the query -does not exist, or the query is already being delivered, in that case you -may still get a callback for the query. -.TP -.B ub_resolve_free -Free struct ub_result contents after use. -.TP -.B ub_strerror -Convert error value from one of the unbound library functions -to a human readable string. -.TP -.B ub_ctx_print_local_zones -Debug printout the local authority information to debug output. -.TP -.B ub_ctx_zone_add -Add new zone to local authority info, like local\-zone \fIunbound.conf\fR(5) -statement. -.TP -.B ub_ctx_zone_remove -Delete zone from local authority info. -.TP -.B ub_ctx_data_add -Add resource record data to local authority info, like local\-data -\fIunbound.conf\fR(5) statement. -.TP -.B ub_ctx_data_remove -Delete local authority data from the name given. -.SH "RESULT DATA STRUCTURE" -The result of the DNS resolution and validation is returned as -\fIstruct ub_result\fR. The result structure contains the following entries. 
-.P -.nf - struct ub_result { - char* qname; /* text string, original question */ - int qtype; /* type code asked for */ - int qclass; /* class code asked for */ - char** data; /* array of rdata items, NULL terminated*/ - int* len; /* array with lengths of rdata items */ - char* canonname; /* canonical name of result */ - int rcode; /* additional error code in case of no data */ - void* answer_packet; /* full network format answer packet */ - int answer_len; /* length of packet in octets */ - int havedata; /* true if there is data */ - int nxdomain; /* true if nodata because name does not exist */ - int secure; /* true if result is secure */ - int bogus; /* true if a security failure happened */ - char* why_bogus; /* string with error if bogus */ - int ttl; /* number of seconds the result is valid */ - }; -.fi -.P -If both secure and bogus are false, security was not enabled for the -domain of the query. Else, they are not both true, one of them is true. -.SH "RETURN VALUES" -Many routines return an error code. The value 0 (zero) denotes no error -happened. Other values can be passed to -.B ub_strerror -to obtain a readable error string. -.B ub_strerror -returns a zero terminated string. -.B ub_ctx_create -returns NULL on an error (a malloc failure). -.B ub_poll -returns true if some information may be available, false otherwise. -.B ub_fd -returns a file descriptor or \-1 on error. -.SH "SEE ALSO" -\fIunbound.conf\fR(5), -\fIunbound\fR(8). -.SH "AUTHORS" -.B Unbound -developers are mentioned in the CREDITS file in the distribution. diff --git a/external/unbound/doc/requirements.txt b/external/unbound/doc/requirements.txt deleted file mode 100644 index a66962d4a..000000000 --- a/external/unbound/doc/requirements.txt +++ /dev/null 
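Review bot: the .TH line at the top of this hunk ("unbound 1.6.3", "Jun 13, 2017") is the version stamp for the vendored library, and the page also records API contracts that callers must honour: ub_ctx_set_option takes the option name with the trailing ':', the value returned by ub_ctx_get_option must be free()d by the caller, ub_ctx_delete kills outstanding async queries without invoking their callbacks, and trust anchors and forwarders can only be set before the first resolve. Record the upstream version in the commit message or a README so the retained C sources can still be matched to a release and its man page once this file is gone.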
@@ -1,294 +0,0 @@ -Requirements for Recursive Caching Resolver - (a.k.a. Treeshrew, Unbound-C) -By W.C.A. Wijngaards, NLnet Labs, October 2006. - -Contents -1. Introduction -2. History -3. Goals -4. Non-Goals - - -1. Introduction ---------------- -This is the requirements document for a DNS name server and aims to -document the goals and non-goals of the project. The DNS (the Domain -Name System) is a global, replicated database that uses a hierarchical -structure for queries. - -Data in the DNS is stored in Resource Record sets (RR sets), and has a -time to live (TTL). During this time the data can be cached. It is -thus useful to cache data to speed up future lookups. A server that -looks up data in the DNS for clients and caches previous answers to -speed up processing is called a caching, recursive nameserver. - -This project aims to develop such a nameserver in modular components, so -that also DNSSEC (secure DNS) validation and stub-resolvers (that do not -run as a server, but a linked into an application) are easily possible. - -The main components are the Validator that validates the security -fingerprints on data sets, the Iterator that sends queries to the -hierarchical DNS servers that own the data and the Cache that stores -data from previous queries. The networking and query management code -then interface with the modules to perform the necessary processing. - -In Section 2 the origins of the Unbound project are documented. Section -3 lists the goals, while Section 4 lists the explicit non-goals of the -project. Section 5 discusses choices made during development. - - -2. History ----------- -The unbound resolver project started by Bill Manning, David Blacka, and -Matt Larson (from the University of California and from Verisign), that -created a Java based prototype resolver called Unbound. The basic -design decisions of clean modules was executed. 
- -The Java prototype worked very well, with contributions from Geoff -Sisson and Roy Arends from Nominet. Around 2006 the idea came to create -a full-fledged C implementation ready for deployed use. NLnet Labs -volunteered to write this implementation. - - -3. Goals --------- -o A validating recursive DNS resolver. -o Code diversity in the DNS resolver monoculture. -o Drop-in replacement for BIND apart from config. -o DNSSEC support. -o Fully RFC compliant. -o High performance - * even with validation. -o Used as - * stub resolver. - * full caching name server. - * resolver library. -o Elegant design of validator, resolver, cache modules. - * provide the ability to pick and choose modules. -o Robust. -o In C, open source: The BSD license. -o Highly portable, targets include modern Unix systems, such as *BSD, -solaris, linux, and maybe also the windows platform. -o Smallest as possible component that does the job. -o Stub-zones can be configured (local data or AS112 zones). - - -4. Non-Goals ------------- -o An authoritative name server. -o Too many Features. - - -5. Choices ----------- -o rfc2181 decourages duplicates RRs in RRsets. unbound does not create - duplicates, but when presented with duplicates on the wire from the - authoritative servers, does not perform duplicate removal. - It does do some rrsig duplicate removal, in the msgparser, for dnssec qtype - rrsig and any, because of special rrsig processing in the msgparser. -o The harden-glue feature, when yes all out of zone glue is deleted, when - no out of zone glue is used for further resolving, is more complicated - than that, see below. - Main points: - * rfc2182 trust handling is used. - * data is let through only in very specific cases - * spoofability remains possible. - Not all glue is let through (despite the name of the option). Only glue - which is present in a delegation, of type A and AAAA, where the name is - present in the NS record in the authority section is let through. 
- The glue that is let through is stored in the cache (marked as 'from the - additional section'). And will then be used for sending queries to. It - will not be present in the reply to the client (if RD is off). - A direct query for that name will attempt to get a msg into the message - cache. Since A and AAAA queries are not synthesized by the unbound cache, - this query will be (eventually) sent to the authoritative server and its - answer will be put in the cache, marked as 'from the answer section' and - thus remove the 'from the additional section' data, and this record is - returned to the client. - The message has a TTL smaller or equal to the TTL of the answer RR. - If the cache memory is low; the answer RR may be dropped, and a glue - RR may be inserted, within the message TTL time, and thus return the - spoofed glue to a client. When the message expires, it is refetched and - the cached RR is updated with the correct content. - The server can be spoofed by getting it to visit a especially prepared - domain. This domain then inserts an address for another authoritative - server into the cache, when visiting that other domain, this address may - then be used to send queries to. And fake answers may be returned. - If the other domain is signed by DNSSEC, the fakes will be detected. - - In summary, the harden glue feature presents a security risk if - disabled. Disabling the feature leads to possible better performance - as more glue is present for the recursive service to use. The feature - is implemented so as to minimise the security risk, while trying to - keep this performance gain. -o The method by which dnssec-lameness is detected is not secure. DNSSEC lame - is when a server has the zone in question, but lacks dnssec data, such as - signatures. The method to detect dnssec lameness looks at nonvalidated - data from the parent of a zone. 
This can be used, by spoofing the parent, - to create a false sense of dnssec-lameness in the child, or a false sense - or dnssec-non-lameness in the child. The first results in the server marked - lame, and not used for 900 seconds, and the second will result in a - validator failure (SERVFAIL again), when the query is validated later on. - - Concluding, a spoof of the parent delegation can be used for many cases - of denial of service. I.e. a completely different NS set could be returned, - or the information withheld. All of these alterations can be caught by - the validator if the parent is signed, and result in 900 seconds bogus. - The dnssec-lameness detection is used to detect operator failures, - before the validator will properly verify the messages. - - Also for zones for which no chain of trust exists, but a DS is given by the - parent, dnssec-lameness detection enables. This delivers dnssec to our - clients when possible (for client validators). - - The following issue needs to be resolved: - a server that serves both a parent and child zone, where - parent is signed, but child is not. The server must not be marked - lame for the parent zone, because the child answer is not signed. - Instead of a false positive, we want false negatives; failure to - detect dnssec-lameness is less of a problem than marking honest - servers lame. dnssec-lameness is a config error and deserves the trouble. - So, only messages that identify the zone are used to mark the zone - lame. The zone is identified by SOA or NS RRsets in the answer/auth. - That includes almost all negative responses and also A, AAAA qtypes. - That would be most responses from servers. - For referrals, delegations that add a single label can be checked to be - from their zone, this covers most delegation-centric zones. - - So possibly, for complicated setups, with multiple (parent-child) zones - on a server, dnssec-lameness detection does not work - no dnssec-lameness - is detected. 
Instead the zone that is dnssec-lame becomes bogus. - -o authority features. - This is a recursive server, and authority features are out of scope. - However, some authority features are expected in a recursor. Things like - localhost, reverse lookup for 127.0.0.1, or blocking AS112 traffic. - Also redirection of domain names with fixed data is needed by service - providers. Limited support is added specifically to address this. - - Adding full authority support, requires much more code, and more complex - maintenance. - - The limited support allows adding some static data (for localhost and so), - and to respond with a fixed rcode (NXDOMAIN) for domains (such as AS112). - - You can put authority data on a separate server, and set the server in - unbound.conf as stub for those zones, this allows clients to access data - from the server without making unbound authoritative for the zones. - -o the access control denies queries before any other processing. - This denies queries that are not authoritative, or version.bind, or any. - And thus prevents cache-snooping (denied hosts cannot make non-recursive - queries and get answers from the cache). - -o If a client makes a query without RD bit, in the case of a returned - message from cache which is: - answer section: empty - auth section: NS record present, no SOA record, no DS record, - maybe NSEC or NSEC3 records present. - additional: A records or other relevant records. - A SOA record would indicate that this was a NODATA answer. - A DS records would indicate a referral. - Absence of NS record would indicate a NODATA answer as well. - - Then the receiver does not know whether this was a referral - with attempt at no-DS proof) or a nodata answer with attempt - at no-data proof. It could be determined by attempting to prove - either condition; and looking if only one is valid, but both - proofs could be valid, or neither could be valid, which creates - doubt. 
This case is validated by unbound as a 'referral' which - ascertains that RRSIGs are OK (and not omitted), but does not - check NSEC/NSEC3. - -o Case preservation - Unbound preserves the casing received from authority servers as best - as possible. It compresses without case, so case can get lost there. - The casing from the query name is used in preference to the casing - of the authority server. This is the same as BIND. RFC4343 allows either - behaviour. - -o Denial of service protection - If many queries are made, and they are made to names for which the - authority servers do not respond, then the requestlist for unbound - fills up fast. This results in denial of service for new queries. - To combat this the first 50% of the requestlist can run to completion. - The last 50% of the requestlist get (200 msec) at least and are replaced - by newer queries when older (LIFO). - When a new query comes in, and a place in the first 50% is available, this - is preferred. Otherwise, it can replace older queries out of the last 50%. - Thus, even long queries get a 50% chance to be resolved. And many 'short' - one or two round-trip resolves can be done in the last 50% of the list. - The timeout can be configured. - -o EDNS fallback. Is done according to the EDNS RFC (and update draft-00). - Unbound assumes EDNS 0 support for the first query. Then it can detect - support (if the servers replies) or non-support (on a NOTIMPL or FORMERR). - Some middleboxes drop EDNS 0 queries, mainly when forwarding, not when - routing packets. To detect this, when timeouts keep happening, as the - timeout approached 5-10 seconds, and EDNS status has not been detected yet, - a single probe query is sent. This probe has a sub-second timeout, and - if the server responds (quickly) without EDNS, this is cached for 15 min. - This works very well when detecting an address that you use much - like - a forwarder address - which is where the middleboxes need to be detected. 
- Otherwise, it results in a 5 second wait time before EDNS timeout is - detected, which is slow but it works at least. - It minimizes the chances of a dropped query making a (DNSSEC) EDNS server - falsely EDNS-nonsupporting, and thus DNSSEC-bogus, works well with - middleboxes, and can detect the occasional authority that drops EDNS. - For some boxes it is necessary to probe for every failing query, a - reassurance that the DNS server does EDNS does not mean that path can - take large DNS answers. - -o 0x20 backoff. - The draft describes to back off to the next server, and go through all - servers several times. Unbound goes on get the full list of nameserver - addresses, and then makes 3 * number of addresses queries. - They are sent to a random server, but no one address more than 4 times. - It succeeds if one has 0x20 intact, or else all are equal. - Otherwise, servfail is returned to the client. - -o NXDOMAIN and SOA serial numbers. - Unbound keeps TTL values for message formats, and thus rcodes, such - as NXDOMAIN. Also it keeps the latest rrsets in the rrset cache. - So it will faithfully negative cache for the exact TTL as originally - specified for an NXDOMAIN message, but send a newer SOA record if - this has been found in the mean time. In point, this could lead to a - negative cached NXDOMAIN reply with a SOA RR where the serial number - indicates a zone version where this domain is not any longer NXDOMAIN. - These situations become consistent once the original TTL expires. - If the domain is DNSSEC signed, by the way, then NSEC records are - updated more carefully. If one of the NSEC records in an NXDOMAIN is - updated from another query, the NXDOMAIN is dropped from the cache, - and queried for again, so that its proof can be checked again. - -o SOA records in negative cached answers for DS queries. - The current unbound code uses a negative cache for queries for type DS. 
- This speeds up building chains of trust, and uses NSEC and NSEC3 - (optout) information to speed up lookups. When used internally, - the bare NSEC(3) information is sufficient, probably picked up from - a referral. When answering to clients, a SOA record is needed for - the correct message format, a SOA record is picked from the cache - (and may not actually match the serial number of the SOA for which the - NSEC and NSEC3 records were obtained) if available otherwise network - queries are performed to get the data. - -o Parent and child with different nameserver information. - A misconfiguration that sometimes happens is where the parent and child - have different NS, glue information. The child is authoritative, and - unbound will not trust information from the parent nameservers as the - final answer. To help lookups, unbound will however use the parent-side - version of the glue as a last resort lookup. This resolves lookups for - those misconfigured domains where the servers reported by the parent - are the only ones working, and servers reported by the child do not. - -o Failure of validation and probing. - Retries on a validation failure are now 5x to a different nameserver IP - (if possible), and then it gives up, for one name, type, class entry in - the message cache. If a DNSKEY or DS fails in the chain of trust in the - key cache additionally, after the probing, a bad key entry is created that - makes the entire zone bogus for 900 seconds. This is a fixed value at - this time and is conservative in sending probes. It makes the compound - effect of many resolvers less and easier to handle, but penalizes - individual resolvers by having less probes and a longer time before fixes - are picked up. - diff --git a/external/unbound/doc/unbound-anchor.8.in b/external/unbound/doc/unbound-anchor.8.in deleted file mode 100644 index f96a9e6c2..000000000 --- a/external/unbound/doc/unbound-anchor.8.in +++ /dev/null 
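Review bot: this hunk deletes the only in-tree description of several security-relevant resolver policies, and the commit message should say where that documentation now lives if the vendored unbound sources themselves remain. The removed text records the requestlist denial-of-service policy (first 50% runs to completion, last 50% gets at least 200 msec and is replaced LIFO by newer queries), the EDNS fallback probe with its 15 minute non-EDNS cache, the 0x20 backoff of 3 * number-of-addresses queries with no address used more than 4 times, and the fixed 900 second bad key entry after validation failure; operators tuning a resolver built from this tree have no other place to find these numbers once the file is gone.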
@@ -1,177 +0,0 @@ -.TH "unbound-anchor" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3" -.\" -.\" unbound-anchor.8 -- unbound anchor maintenance utility manual -.\" -.\" Copyright (c) 2008, NLnet Labs. All rights reserved. -.\" -.\" See LICENSE for the license. -.\" -.\" -.SH "NAME" -.B unbound\-anchor -\- Unbound anchor utility. -.SH "SYNOPSIS" -.B unbound\-anchor -.RB [ opts ] -.SH "DESCRIPTION" -.B Unbound\-anchor -performs setup or update of the root trust anchor for DNSSEC validation. -The program fetches the trust anchor with the method from RFC7958 when -regular RFC5011 update fails to bring it up to date. -It can be run (as root) from the commandline, or run as part of startup -scripts. Before you start the \fIunbound\fR(8) DNS server. -.P -Suggested usage: -.P -.nf - # in the init scripts. - # provide or update the root anchor (if necessary) - unbound-anchor \-a "@UNBOUND_ROOTKEY_FILE@" - # Please note usage of this root anchor is at your own risk - # and under the terms of our LICENSE (see source). - # - # start validating resolver - # the unbound.conf contains: - # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" - unbound \-c unbound.conf -.fi -.P -This tool provides builtin default contents for the root anchor and root -update certificate files. -.P -It tests if the root anchor file works, and if not, and an update is possible, -attempts to update the root anchor using the root update certificate. -It performs a https fetch of root-anchors.xml and checks the results (RFC7958), -if all checks are successful, it updates the root anchor file. Otherwise -the root anchor file is unchanged. It performs RFC5011 tracking if the -DNSSEC information available via the DNS makes that possible. -.P -It does not perform an update if the certificate is expired, if the network -is down or other errors occur. -.P -The available options are: -.TP -.B \-a \fIfile -The root anchor key file, that is read in and written out. -Default is @UNBOUND_ROOTKEY_FILE@. 
-If the file does not exist, or is empty, a builtin root key is written to it. -.TP -.B \-c \fIfile -The root update certificate file, that is read in. -Default is @UNBOUND_ROOTCERT_FILE@. -If the file does not exist, or is empty, a builtin certificate is used. -.TP -.B \-l -List the builtin root key and builtin root update certificate on stdout. -.TP -.B \-u \fIname -The server name, it connects to https://name. Specify without https:// prefix. -The default is "data.iana.org". It connects to the port specified with \-P. -You can pass an IPv4 address or IPv6 address (no brackets) if you want. -.TP -.B \-x \fIpath -The pathname to the root\-anchors.xml file on the server. (forms URL with \-u). -The default is /root\-anchors/root\-anchors.xml. -.TP -.B \-s \fIpath -The pathname to the root\-anchors.p7s file on the server. (forms URL with \-u). -The default is /root\-anchors/root\-anchors.p7s. This file has to be a PKCS7 -signature over the xml file, using the pem file (\-c) as trust anchor. -.TP -.B \-n \fIname -The emailAddress for the Subject of the signer's certificate from the p7s -signature file. Only signatures from this name are allowed. default is -dnssec@iana.org. If you pass "" then the emailAddress is not checked. -.TP -.B \-4 -Use IPv4 for domain resolution and contacting the server on https. Default is -to use IPv4 and IPv6 where appropriate. -.TP -.B \-6 -Use IPv6 for domain resolution and contacting the server on https. Default is -to use IPv4 and IPv6 where appropriate. -.TP -.B \-f \fIresolv.conf -Use the given resolv.conf file. Not enabled by default, but you could try to -pass /etc/resolv.conf on some systems. It contains the IP addresses of the -recursive nameservers to use. However, since this tool could be used to -bootstrap that very recursive nameserver, it would not be useful (since -that server is not up yet, since we are bootstrapping it). 
It could be -useful in a situation where you know an upstream cache is deployed (and -running) and in captive portal situations. -.TP -.B \-r \fIroot.hints -Use the given root.hints file (same syntax as the BIND and Unbound root hints -file) to bootstrap domain resolution. By default a list of builtin root -hints is used. Unbound\-anchor goes to the network itself for these roots, -to resolve the server (\-u option) and to check the root DNSKEY records. -It does so, because the tool when used for bootstrapping the recursive -resolver, cannot use that recursive resolver itself because it is bootstrapping -that server. -.TP -.B \-v -More verbose. Once prints informational messages, multiple times may enable -large debug amounts (such as full certificates or byte\-dumps of downloaded -files). By default it prints almost nothing. It also prints nothing on -errors by default; in that case the original root anchor file is simply -left undisturbed, so that a recursive server can start right after it. -.TP -.B \-C \fIunbound.conf -Debug option to read unbound.conf into the resolver process used. -.TP -.B \-P \fIport -Set the port number to use for the https connection. The default is 443. -.TP -.B \-F -Debug option to force update of the root anchor through downloading the xml -file and verifying it with the certificate. By default it first tries to -update by contacting the DNS, which uses much less bandwidth, is much -faster (200 msec not 2 sec), and is nicer to the deployed infrastructure. -With this option, it still attempts to do so (and may verbosely tell you), -but then ignores the result and goes on to use the xml fallback method. -.TP -.B \-h -Show the version and commandline option help. -.SH "EXIT CODE" -This tool exits with value 1 if the root anchor was updated using the -certificate or if the builtin root-anchor was used. It exits with code -0 if no update was necessary, if the update was possible with RFC5011 -tracking, or if an error occurred. 
-.P -You can check the exit value in this manner: -.nf - unbound-anchor \-a "root.key" || logger "Please check root.key" -.fi -Or something more suitable for your operational environment. -.SH "TRUST" -The root keys and update certificate included in this tool -are provided for convenience and under the terms of our -license (see the LICENSE file in the source distribution or -http://unbound.nlnetlabs.nl/svn/trunk/LICENSE) and might be stale or -not suitable to your purpose. -.P -By running "unbound\-anchor \-l" the keys and certificate that are -configured in the code are printed for your convenience. -.P -The build\-in configuration can be overridden by providing a root\-cert -file and a rootkey file. -.SH "FILES" -.TP -.I @UNBOUND_ROOTKEY_FILE@ -The root anchor file, updated with 5011 tracking, and read and written to. -The file is created if it does not exist. -.TP -.I @UNBOUND_ROOTCERT_FILE@ -The trusted self\-signed certificate that is used to verify the downloaded -DNSSEC root trust anchor. You can update it by fetching it from -https://data.iana.org/root\-anchors/icannbundle.pem (and validate it). -If the file does not exist or is empty, a builtin version is used. -.TP -.I https://data.iana.org/root\-anchors/root\-anchors.xml -Source for the root key information. -.TP -.I https://data.iana.org/root\-anchors/root\-anchors.p7s -Signature on the root key information. -.SH "SEE ALSO" -\fIunbound.conf\fR(5), -\fIunbound\fR(8). diff --git a/external/unbound/doc/unbound-checkconf.8.in b/external/unbound/doc/unbound-checkconf.8.in deleted file mode 100644 index 523784b5c..000000000 --- a/external/unbound/doc/unbound-checkconf.8.in +++ /dev/null 
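Review bot: before this man page is dropped, confirm that no init script or packaging in the repository still invokes unbound-anchor the way the "Suggested usage" block describes, because the EXIT CODE section is the only record of the tool's contract: it exits 1 when the anchor was replaced via the certificate or the builtin anchor was used, and 0 when no update was needed, RFC5011 tracking succeeded, or an error occurred (with nothing printed and the anchor file left untouched). Any caller scripted around that contract, such as the `unbound-anchor \-a "root.key" || logger "Please check root.key"` example, fires on a successful certificate update rather than on failure, and that subtlety is lost with the file unless the commit message points to an external copy of the man page.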
@@ -1,52 +0,0 @@ -.TH "unbound-checkconf" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3" -.\" -.\" unbound-checkconf.8 -- unbound configuration checker manual -.\" -.\" Copyright (c) 2007, NLnet Labs. All rights reserved. -.\" -.\" See LICENSE for the license. -.\" -.\" -.SH "NAME" -unbound\-checkconf -\- Check unbound configuration file for errors. -.SH "SYNOPSIS" -.B unbound\-checkconf -.RB [ \-h ] -.RB [ \-f ] -.RB [ \-o -.IR option ] -.RI [ cfgfile ] -.SH "DESCRIPTION" -.B Unbound\-checkconf -checks the configuration file for the -\fIunbound\fR(8) -DNS resolver for syntax and other errors. -The config file syntax is described in -\fIunbound.conf\fR(5). -.P -The available options are: -.TP -.B \-h -Show the version and commandline option help. -.TP -.B \-f -Print full pathname, with chroot applied to it. Use with the \-o option. -.TP -.B \-o\fI option -If given, after checking the config file the value of this option is -printed to stdout. For "" (disabled) options an empty line is printed. -.TP -.I cfgfile -The config file to read with settings for unbound. It is checked. -If omitted, the config file at the default location is checked. -.SH "EXIT CODE" -The unbound\-checkconf program exits with status code 1 on error, -0 for a correct config file. -.SH "FILES" -.TP -.I @ub_conf_file@ -unbound configuration file. -.SH "SEE ALSO" -\fIunbound.conf\fR(5), -\fIunbound\fR(8). diff --git a/external/unbound/doc/unbound-control.8.in b/external/unbound/doc/unbound-control.8.in deleted file mode 100644 index 47d2a4861..000000000 --- a/external/unbound/doc/unbound-control.8.in +++ /dev/null 
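Review bot: this deletion of unbound-checkconf.8.in (a configure-time template, as the `.in` suffix and the `@ub_conf_file@` placeholder show) needs a matching removal of whatever build rule substitutes and installs it, otherwise the build still references an input that no longer exists; the commit message should state whether the whole vendored external/unbound tree is being removed or only its doc directory, since the man pages deleted here describe binaries (unbound-checkconf, unbound-control, unbound-anchor) that would otherwise remain undocumented in-tree.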
@@ -1,555 +0,0 @@ -.TH "unbound-control" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3" -.\" -.\" unbound-control.8 -- unbound remote control manual -.\" -.\" Copyright (c) 2008, NLnet Labs. All rights reserved. -.\" -.\" See LICENSE for the license. -.\" -.\" -.SH "NAME" -.B unbound\-control, -.B unbound\-control\-setup -\- Unbound remote server control utility. -.SH "SYNOPSIS" -.B unbound\-control -.RB [ \-hq ] -.RB [ \-c -.IR cfgfile ] -.RB [ \-s -.IR server ] -.IR command -.SH "DESCRIPTION" -.B Unbound\-control -performs remote administration on the \fIunbound\fR(8) DNS server. -It reads the configuration file, contacts the unbound server over SSL -sends the command and displays the result. -.P -The available options are: -.TP -.B \-h -Show the version and commandline option help. -.TP -.B \-c \fIcfgfile -The config file to read with settings. If not given the default -config file @ub_conf_file@ is used. -.TP -.B \-s \fIserver[@port] -IPv4 or IPv6 address of the server to contact. If not given, the -address is read from the config file. -.TP -.B \-q -quiet, if the option is given it does not print anything if it works ok. -.SH "COMMANDS" -There are several commands that the server understands. -.TP -.B start -Start the server. Simply execs \fIunbound\fR(8). The unbound executable -is searched for in the \fBPATH\fR set in the environment. It is started -with the config file specified using \fI\-c\fR or the default config file. -.TP -.B stop -Stop the server. The server daemon exits. -.TP -.B reload -Reload the server. This flushes the cache and reads the config file fresh. -.TP -.B verbosity \fInumber -Change verbosity value for logging. Same values as \fBverbosity\fR keyword in -\fIunbound.conf\fR(5). This new setting lasts until the server is issued -a reload (taken from config file again), or the next verbosity control command. -.TP -.B log_reopen -Reopen the logfile, close and open it. 
Useful for logrotation to make the -daemon release the file it is logging to. If you are using syslog it will -attempt to close and open the syslog (which may not work if chrooted). -.TP -.B stats -Print statistics. Resets the internal counters to zero, this can be -controlled using the \fBstatistics\-cumulative\fR config statement. -Statistics are printed with one [name]: [value] per line. -.TP -.B stats_noreset -Peek at statistics. Prints them like the \fBstats\fR command does, but does not -reset the internal counters to zero. -.TP -.B status -Display server status. Exit code 3 if not running (the connection to the -port is refused), 1 on error, 0 if running. -.TP -.B local_zone \fIname\fR \fItype -Add new local zone with name and type. Like \fBlocal\-zone\fR config statement. -If the zone already exists, the type is changed to the given argument. -.TP -.B local_zone_remove \fIname -Remove the local zone with the given name. Removes all local data inside -it. If the zone does not exist, the command succeeds. -.TP -.B local_data \fIRR data... -Add new local data, the given resource record. Like \fBlocal\-data\fR -config statement, except for when no covering zone exists. In that case -this remote control command creates a transparent zone with the same -name as this record. This command is not good at returning detailed syntax -errors. -.TP -.B local_data_remove \fIname -Remove all RR data from local name. If the name already has no items, -nothing happens. Often results in NXDOMAIN for the name (in a static zone), -but if the name has become an empty nonterminal (there is still data in -domain names below the removed name), NOERROR nodata answers are the -result for that name. -.TP -.B local_zones -Add local zones read from stdin of unbound\-control. Input is read per line, -with name space type on a line. For bulk additions. -.TP -.B local_zones_remove -Remove local zones read from stdin of unbound\-control. Input is one name per -line. For bulk removals. 
-.TP -.B local_datas -Add local data RRs read from stdin of unbound\-control. Input is one RR per -line. For bulk additions. -.TP -.B local_datas_remove -Remove local data RRs read from stdin of unbound\-control. Input is one name per -line. For bulk removals. -.TP -.B dump_cache -The contents of the cache is printed in a text format to stdout. You can -redirect it to a file to store the cache in a file. -.TP -.B load_cache -The contents of the cache is loaded from stdin. Uses the same format as -dump_cache uses. Loading the cache with old, or wrong data can result -in old or wrong data returned to clients. Loading data into the cache -in this way is supported in order to aid with debugging. -.TP -.B lookup \fIname -Print to stdout the name servers that would be used to look up the -name specified. -.TP -.B flush \fIname -Remove the name from the cache. Removes the types -A, AAAA, NS, SOA, CNAME, DNAME, MX, PTR, SRV and NAPTR. -Because that is fast to do. Other record types can be removed using -.B flush_type -or -.B flush_zone\fR. -.TP -.B flush_type \fIname\fR \fItype -Remove the name, type information from the cache. -.TP -.B flush_zone \fIname -Remove all information at or below the name from the cache. -The rrsets and key entries are removed so that new lookups will be performed. -This needs to walk and inspect the entire cache, and is a slow operation. -.TP -.B flush_bogus -Remove all bogus data from the cache. -.TP -.B flush_negative -Remove all negative data from the cache. This is nxdomain answers, -nodata answers and servfail answers. Also removes bad key entries -(which could be due to failed lookups) from the dnssec key cache, and -iterator last-resort lookup failures from the rrset cache. -.TP -.B flush_stats -Reset statistics to zero. -.TP -.B flush_requestlist -Drop the queries that are worked on. Stops working on the queries that the -server is working on now. The cache is unaffected. 
No reply is sent for -those queries, probably making those users request again later. -Useful to make the server restart working on queries with new settings, -such as a higher verbosity level. -.TP -.B dump_requestlist -Show what is worked on. Prints all queries that the server is currently -working on. Prints the time that users have been waiting. For internal -requests, no time is printed. And then prints out the module status. -This prints the queries from the first thread, and not queries that are -being serviced from other threads. -.TP -.B flush_infra \fIall|IP -If all then entire infra cache is emptied. If a specific IP address, the -entry for that address is removed from the cache. It contains EDNS, ping -and lameness data. -.TP -.B dump_infra -Show the contents of the infra cache. -.TP -.B set_option \fIopt: val -Set the option to the given value without a reload. The cache is -therefore not flushed. The option must end with a ':' and whitespace -must be between the option and the value. Some values may not have an -effect if set this way, the new values are not written to the config file, -not all options are supported. This is different from the set_option call -in libunbound, where all values work because unbound has not been initialized. -.IP -The values that work are: statistics\-interval, statistics\-cumulative, -do\-not\-query\-localhost, harden\-short\-bufsize, harden\-large\-queries, -harden\-glue, harden\-dnssec\-stripped, harden\-below\-nxdomain, -harden\-referral\-path, prefetch, prefetch\-key, log\-queries, -hide\-identity, hide\-version, identity, version, val\-log\-level, -val\-log\-squelch, ignore\-cd\-flag, add\-holddown, del\-holddown, -keep\-missing, tcp\-upstream, ssl\-upstream, max\-udp\-size, ratelimit, -ip\-ratelimit, cache\-max\-ttl, cache\-min\-ttl, cache\-max\-negative\-ttl. -.TP -.B get_option \fIopt -Get the value of the option. Give the option name without a trailing ':'. -The value is printed. 
If the value is "", nothing is printed -and the connection closes. On error 'error ...' is printed (it gives -a syntax error on unknown option). For some options a list of values, -one on each line, is printed. The options are shown from the config file -as modified with set_option. For some options an override may have been -taken that does not show up with this command, not results from e.g. the -verbosity and forward control commands. Not all options work, see list_stubs, -list_forwards, list_local_zones and list_local_data for those. -.TP -.B list_stubs -List the stub zones in use. These are printed one by one to the output. -This includes the root hints in use. -.TP -.B list_forwards -List the forward zones in use. These are printed zone by zone to the output. -.TP -.B list_insecure -List the zones with domain\-insecure. -.TP -.B list_local_zones -List the local zones in use. These are printed one per line with zone type. -.TP -.B list_local_data -List the local data RRs in use. The resource records are printed. -.TP -.B insecure_add \fIzone -Add a \fBdomain\-insecure\fR for the given zone, like the statement in unbound.conf. -Adds to the running unbound without affecting the cache contents (which may -still be bogus, use \fBflush_zone\fR to remove it), does not affect the config file. -.TP -.B insecure_remove \fIzone -Removes domain\-insecure for the given zone. -.TP -.B forward_add \fR[\fI+i\fR] \fIzone addr ... -Add a new forward zone to running unbound. With +i option also adds a -\fIdomain\-insecure\fR for the zone (so it can resolve insecurely if you have -a DNSSEC root trust anchor configured for other names). -The addr can be IP4, IP6 or nameserver names, like \fIforward-zone\fR config -in unbound.conf. -.TP -.B forward_remove \fR[\fI+i\fR] \fIzone -Remove a forward zone from running unbound. The +i also removes a -\fIdomain\-insecure\fR for the zone. -.TP -.B stub_add \fR[\fI+ip\fR] \fIzone addr ... -Add a new stub zone to running unbound. 
With +i option also adds a -\fIdomain\-insecure\fR for the zone. With +p the stub zone is set to prime, -without it it is set to notprime. The addr can be IP4, IP6 or nameserver -names, like the \fIstub-zone\fR config in unbound.conf. -.TP -.B stub_remove \fR[\fI+i\fR] \fIzone -Remove a stub zone from running unbound. The +i also removes a -\fIdomain\-insecure\fR for the zone. -.TP -.B forward \fR[\fIoff\fR | \fIaddr ...\fR ] -Setup forwarding mode. Configures if the server should ask other upstream -nameservers, should go to the internet root nameservers itself, or show -the current config. You could pass the nameservers after a DHCP update. -.IP -Without arguments the current list of addresses used to forward all queries -to is printed. On startup this is from the forward\-zone "." configuration. -Afterwards it shows the status. It prints off when no forwarding is used. -.IP -If \fIoff\fR is passed, forwarding is disabled and the root nameservers -are used. This can be used to avoid to avoid buggy or non\-DNSSEC supporting -nameservers returned from DHCP. But may not work in hotels or hotspots. -.IP -If one or more IPv4 or IPv6 addresses are given, those are then used to forward -queries to. The addresses must be separated with spaces. With '@port' the -port number can be set explicitly (default port is 53 (DNS)). -.IP -By default the forwarder information from the config file for the root "." is -used. The config file is not changed, so after a reload these changes are -gone. Other forward zones from the config file are not affected by this command. -.TP -.B ratelimit_list \fR[\fI+a\fR] -List the domains that are ratelimited. Printed one per line with current -estimated qps and qps limit from config. With +a it prints all domains, not -just the ratelimited domains, with their estimated qps. The ratelimited -domains return an error for uncached (new) queries, but cached queries work -as normal. 
-.TP -.B ip_ratelimit_list \fR[\fI+a\fR] -List the ip addresses that are ratelimited. Printed one per line with current -estimated qps and qps limit from config. With +a it prints all ips, not -just the ratelimited ips, with their estimated qps. The ratelimited -ips are dropped before checking the cache. -.TP -.B view_list_local_zones \fIview\fR -\fIlist_local_zones\fR for given view. -.TP -.B view_local_zone \fIview\fR \fIname\fR \fItype -\fIlocal_zone\fR for given view. -.TP -.B view_local_zone_remove \fIview\fR \fIname -\fIlocal_zone_remove\fR for given view. -.TP -.B view_list_local_data \fIview\fR -\fIlist_local_data\fR for given view. -.TP -.B view_local_data \fIview\fR \fIRR data... -\fIlocal_data\fR for given view. -.TP -.B view_local_data_remove \fIview\fR \fIname -\fIlocal_data_remove\fR for given view. -.SH "EXIT CODE" -The unbound\-control program exits with status code 1 on error, 0 on success. -.SH "SET UP" -The setup requires a self\-signed certificate and private keys for both -the server and client. The script \fIunbound\-control\-setup\fR generates -these in the default run directory, or with \-d in another directory. -If you change the access control permissions on the key files you can decide -who can use unbound\-control, by default owner and group but not all users. -Run the script under the same username as you have configured in unbound.conf -or as root, so that the daemon is permitted to read the files, for example with: -.nf - sudo \-u unbound unbound\-control\-setup -.fi -If you have not configured -a username in unbound.conf, the keys need read permission for the user -credentials under which the daemon is started. -The script preserves private keys present in the directory. -After running the script as root, turn on \fBcontrol\-enable\fR in -\fIunbound.conf\fR. -.SH "STATISTIC COUNTERS" -The \fIstats\fR command shows a number of statistic counters. 
-.TP -.I threadX.num.queries -number of queries received by thread -.TP -.I threadX.num.queries_ip_ratelimited -number of queries rate limited by thread -.TP -.I threadX.num.cachehits -number of queries that were successfully answered using a cache lookup -.TP -.I threadX.num.cachemiss -number of queries that needed recursive processing -.TP -.I threadX.num.prefetch -number of cache prefetches performed. This number is included in -cachehits, as the original query had the unprefetched answer from cache, -and resulted in recursive processing, taking a slot in the requestlist. -Not part of the recursivereplies (or the histogram thereof) or cachemiss, -as a cache response was sent. -.TP -.I threadX.num.zero_ttl -number of replies with ttl zero, because they served an expired cache entry. -.TP -.I threadX.num.recursivereplies -The number of replies sent to queries that needed recursive processing. Could be smaller than threadX.num.cachemiss if due to timeouts no replies were sent for some queries. -.TP -.I threadX.requestlist.avg -The average number of requests in the internal recursive processing request list on insert of a new incoming recursive processing query. -.TP -.I threadX.requestlist.max -Maximum size attained by the internal recursive processing request list. -.TP -.I threadX.requestlist.overwritten -Number of requests in the request list that were overwritten by newer entries. This happens if there is a flood of queries that recursive processing and the server has a hard time. -.TP -.I threadX.requestlist.exceeded -Queries that were dropped because the request list was full. This happens if a flood of queries need recursive processing, and the server can not keep up. -.TP -.I threadX.requestlist.current.all -Current size of the request list, includes internally generated queries (such -as priming queries and glue lookups). -.TP -.I threadX.requestlist.current.user -Current size of the request list, only the requests from client queries. 
-.TP -.I threadX.recursion.time.avg -Average time it took to answer queries that needed recursive processing. Note that queries that were answered from the cache are not in this average. -.TP -.I threadX.recursion.time.median -The median of the time it took to answer queries that needed recursive -processing. The median means that 50% of the user queries were answered in -less than this time. Because of big outliers (usually queries to non -responsive servers), the average can be bigger than the median. This median -has been calculated by interpolation from a histogram. -.TP -.I threadX.tcpusage -The currently held tcp buffers for incoming connections. A spot value on -the time of the request. This helps you spot if the incoming\-num\-tcp -buffers are full. -.TP -.I total.num.queries -summed over threads. -.TP -.I total.num.cachehits -summed over threads. -.TP -.I total.num.cachemiss -summed over threads. -.TP -.I total.num.prefetch -summed over threads. -.TP -.I total.num.zero_ttl -summed over threads. -.TP -.I total.num.recursivereplies -summed over threads. -.TP -.I total.requestlist.avg -averaged over threads. -.TP -.I total.requestlist.max -the maximum of the thread requestlist.max values. -.TP -.I total.requestlist.overwritten -summed over threads. -.TP -.I total.requestlist.exceeded -summed over threads. -.TP -.I total.requestlist.current.all -summed over threads. -.TP -.I total.recursion.time.median -averaged over threads. -.TP -.I total.tcpusage -summed over threads. -.TP -.I time.now -current time in seconds since 1970. -.TP -.I time.up -uptime since server boot in seconds. -.TP -.I time.elapsed -time since last statistics printout, in seconds. -.SH EXTENDED STATISTICS -.TP -.I mem.cache.rrset -Memory in bytes in use by the RRset cache. -.TP -.I mem.cache.message -Memory in bytes in use by the message cache. -.TP -.I mem.mod.iterator -Memory in bytes in use by the iterator module. -.TP -.I mem.mod.validator -Memory in bytes in use by the validator module. 
Includes the key cache and -negative cache. -.TP -.I histogram.<sec>.<usec>.to.<sec>.<usec> -Shows a histogram, summed over all threads. Every element counts the -recursive queries whose reply time fit between the lower and upper bound. -Times larger or equal to the lowerbound, and smaller than the upper bound. -There are 40 buckets, with bucket sizes doubling. -.TP -.I num.query.type.A -The total number of queries over all threads with query type A. -Printed for the other query types as well, but only for the types for which -queries were received, thus =0 entries are omitted for brevity. -.TP -.I num.query.type.other -Number of queries with query types 256\-65535. -.TP -.I num.query.class.IN -The total number of queries over all threads with query class IN (internet). -Also printed for other classes (such as CH (CHAOS) sometimes used for -debugging), or NONE, ANY, used by dynamic update. -num.query.class.other is printed for classes 256\-65535. -.TP -.I num.query.opcode.QUERY -The total number of queries over all threads with query opcode QUERY. -Also printed for other opcodes, UPDATE, ... -.TP -.I num.query.tcp -Number of queries that were made using TCP towards the unbound server. -.TP -.I num.query.tcpout -Number of queries that the unbound server made using TCP outgoing towards -other servers. -.TP -.I num.query.ipv6 -Number of queries that were made using IPv6 towards the unbound server. -.TP -.I num.query.flags.RD -The number of queries that had the RD flag set in the header. -Also printed for flags QR, AA, TC, RA, Z, AD, CD. -Note that queries with flags QR, AA or TC may have been rejected -because of that. -.TP -.I num.query.edns.present -number of queries that had an EDNS OPT record present. -.TP -.I num.query.edns.DO -number of queries that had an EDNS OPT record with the DO (DNSSEC OK) bit set. -These queries are also included in the num.query.edns.present number. 
-.TP -.I num.answer.rcode.NXDOMAIN -The number of answers to queries, from cache or from recursion, that had the -return code NXDOMAIN. Also printed for the other return codes. -.TP -.I num.answer.rcode.nodata -The number of answers to queries that had the pseudo return code nodata. -This means the actual return code was NOERROR, but additionally, no data was -carried in the answer (making what is called a NOERROR/NODATA answer). -These queries are also included in the num.answer.rcode.NOERROR number. -Common for AAAA lookups when an A record exists, and no AAAA. -.TP -.I num.answer.secure -Number of answers that were secure. The answer validated correctly. -The AD bit might have been set in some of these answers, where the client -signalled (with DO or AD bit in the query) that they were ready to accept -the AD bit in the answer. -.TP -.I num.answer.bogus -Number of answers that were bogus. These answers resulted in SERVFAIL -to the client because the answer failed validation. -.TP -.I num.rrset.bogus -The number of rrsets marked bogus by the validator. Increased for every -RRset inspection that fails. -.TP -.I unwanted.queries -Number of queries that were refused or dropped because they failed the -access control settings. -.TP -.I unwanted.replies -Replies that were unwanted or unsolicited. Could have been random traffic, -delayed duplicates, very late answers, or could be spoofing attempts. -Some low level of late answers and delayed duplicates are to be expected -with the UDP protocol. Very high values could indicate a threat (spoofing). -.TP -.I msg.cache.count -The number of items (DNS replies) in the message cache. -.TP -.I rrset.cache.count -The number of RRsets in the rrset cache. This includes rrsets used by -the messages in the message cache, but also delegation information. -.TP -.I infra.cache.count -The number of items in the infra cache. These are IP addresses with their -timing and protocol support information. 
-.TP -.I key.cache.count -The number of items in the key cache. These are DNSSEC keys, one item -per delegation point, and their validation status. -.SH "FILES" -.TP -.I @ub_conf_file@ -unbound configuration file. -.TP -.I @UNBOUND_RUN_DIR@ -directory with private keys (unbound_server.key and unbound_control.key) and -self\-signed certificates (unbound_server.pem and unbound_control.pem). -.SH "SEE ALSO" -\fIunbound.conf\fR(5), -\fIunbound\fR(8). diff --git a/external/unbound/doc/unbound-host.1.in b/external/unbound/doc/unbound-host.1.in deleted file mode 100644 index 1d698e16d..000000000 --- a/external/unbound/doc/unbound-host.1.in +++ /dev/null 
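Review bot: with this hunk the tree loses its only description of the `unwanted.queries` and `unwanted.replies` counters, including the guidance that a very high `unwanted.replies` value "could indicate a threat (spoofing)", and of the distinction between `num.answer.bogus` (answers turned into SERVFAIL by validation) and `num.rrset.bogus` (per-RRset validator failures). If the project still ships or links this vendored resolver and exposes its statistics or control socket, leave a one-line pointer in the vendored directory to the upstream unbound-control(8) page for the release these pages are stamped with, so an operator reading the counters can still interpret them; if the control interface is not exposed by this build, say so in the commit message so the deletion is clearly safe.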
@@ -1,116 +0,0 @@ -.TH "unbound\-host" "1" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3" -.\" -.\" unbound-host.1 -- unbound DNS lookup utility -.\" -.\" Copyright (c) 2007, NLnet Labs. All rights reserved. -.\" -.\" See LICENSE for the license. -.\" -.\" -.SH "NAME" -.B unbound\-host -\- unbound DNS lookup utility -.SH "SYNOPSIS" -.B unbound\-host -.RB [ \-vdhr46D ] -.RB [ \-c -.IR class ] -.RB [ \-t -.IR type ] -.I hostname -.RB [ \-y -.IR key ] -.RB [ \-f -.IR keyfile ] -.RB [ \-F -.IR namedkeyfile ] -.RB [ \-C -.IR configfile ] -.SH "DESCRIPTION" -.B Unbound\-host -uses the unbound validating resolver to query for the hostname and display -results. With the \fB\-v\fR option it displays validation -status: secure, insecure, bogus (security failure). -.P -By default it reads no configuration file whatsoever. It attempts to reach -the internet root servers. With \fB\-C\fR an unbound config file and with -\fB\-r\fR resolv.conf can be read. -.P -The available options are: -.TP -.I hostname -This name is resolved (looked up in the DNS). -If a IPv4 or IPv6 address is given, a reverse lookup is performed. -.TP -.B \-h -Show the version and commandline option help. -.TP -.B \-v -Enable verbose output and it shows validation results, on every line. -Secure means that the NXDOMAIN (no such domain name), nodata (no such data) -or positive data response validated correctly with one of the keys. -Insecure means that that domain name has no security set up for it. -Bogus (security failure) means that the response failed one or more checks, -it is likely wrong, outdated, tampered with, or broken. -.TP -.B \-d -Enable debug output to stderr. One \-d shows what the resolver and validator -are doing and may tell you what is going on. More times, \-d \-d, gives a -lot of output, with every packet sent and received. -.TP -.B \-c \fIclass -Specify the class to lookup for, the default is IN the internet class. -.TP -.B \-t \fItype -Specify the type of data to lookup. 
The default looks for IPv4, IPv6 and -mail handler data, or domain name pointers for reverse queries. -.TP -.B \-y \fIkey -Specify a public key to use as trust anchor. This is the base for a chain -of trust that is built up from the trust anchor to the response, in order -to validate the response message. Can be given as a DS or DNSKEY record. -For example \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD". -.TP -.B \-D -Enables DNSSEC validation. Reads the root anchor from the default configured -root anchor at the default location, \fI@UNBOUND_ROOTKEY_FILE@\fR. -.TP -.B \-f \fIkeyfile -Reads keys from a file. Every line has a DS or DNSKEY record, in the format -as for \-y. The zone file format, the same as dig and drill produce. -.TP -.B \-F \fInamedkeyfile -Reads keys from a BIND\-style named.conf file. Only the trusted\-key {}; entries -are read. -.TP -.B \-C \fIconfigfile -Uses the specified unbound.conf to prime -.IR libunbound (3). -.TP -.B \-r -Read /etc/resolv.conf, and use the forward DNS servers from there (those could -have been set by DHCP). More info in -.IR resolv.conf (5). -Breaks validation if those servers do not support DNSSEC. -.TP -.B \-4 -Use solely the IPv4 network for sending packets. -.TP -.B \-6 -Use solely the IPv6 network for sending packets. -.SH "EXAMPLES" -Some examples of use. The keys shown below are fakes, thus a security failure -is encountered. -.P -$ unbound\-host www.example.com -.P -$ unbound\-host \-v \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD" www.example.com -.P -$ unbound\-host \-v \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD" 192.0.2.153 -.SH "EXIT CODE" -The unbound\-host program exits with status code 1 on error, -0 on no error. The data may not be available on exit code 0, exit code 1 -means the lookup encountered a fatal error. -.SH "SEE ALSO" -\fIunbound.conf\fR(5), -\fIunbound\fR(8). 
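Review bot: these files are configure-time templates rather than finished man pages: the `.in` suffix and the `@UNBOUND_ROOTKEY_FILE@` placeholder in the `-D` description (and `@ub_conf_file@`, `@UNBOUND_RUN_DIR@` in the neighbouring pages) are filled in by the build. Check that whatever step generates `doc/unbound-host.1` from this template in this tree (upstream's autoconf output list, or a configure_file() call if this copy is built with CMake) drops the reference in the same commit; a generator that still names a deleted template fails at configure time, not at compile time. The page also carried the `-r` caveat that using the resolv.conf forwarders "Breaks validation if those servers do not support DNSSEC"; if unbound-host is still built from this tree, that warning should survive somewhere, for example in the vendored directory's README next to a pointer to the upstream unbound-host(1) page for the same release.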
diff --git a/external/unbound/doc/unbound.8.in b/external/unbound/doc/unbound.8.in deleted file mode 100644 index cca759b62..000000000 --- a/external/unbound/doc/unbound.8.in +++ /dev/null 
@@ -1,79 +0,0 @@ -.TH "unbound" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3" -.\" -.\" unbound.8 -- unbound manual -.\" -.\" Copyright (c) 2007, NLnet Labs. All rights reserved. -.\" -.\" See LICENSE for the license. -.\" -.\" -.SH "NAME" -.B unbound -\- Unbound DNS validating resolver 1.6.3. -.SH "SYNOPSIS" -.B unbound -.RB [ \-h ] -.RB [ \-d ] -.RB [ \-v ] -.RB [ \-c -.IR cfgfile ] -.SH "DESCRIPTION" -.B Unbound -is a caching DNS resolver. -.P -It uses a built in list of authoritative nameservers for the root zone (.), -the so called root hints. -On receiving a DNS query it will ask the root nameservers for -an answer and will in almost all cases receive a delegation to a top level -domain (TLD) authoritative nameserver. -It will then ask that nameserver for an answer. -It will recursively continue until an answer is found or no answer is -available (NXDOMAIN). -For performance and efficiency reasons that answer is cached for a -certain time (the answer's time\-to\-live or TTL). -A second query for the same name will then be answered from the cache. -Unbound can also do DNSSEC validation. -.P -To use a locally running -.B Unbound -for resolving put -.sp -.RS 6n -nameserver 127.0.0.1 -.RE -.sp -into -.IR resolv.conf (5). -.P -If authoritative DNS is needed as well using -.IR nsd (8), -careful setup is required because authoritative nameservers and -resolvers are using the same port number (53). -.P -The available options are: -.TP -.B \-h -Show the version and commandline option help. -.TP -.B \-c\fI cfgfile -Set the config file with settings for unbound to read instead of reading the -file at the default location, @ub_conf_file@. The syntax is -described in \fIunbound.conf\fR(5). -.TP -.B \-d -Debug flag: do not fork into the background, but stay attached to -the console. This flag will also delay writing to the log file until -the thread\-spawn time, so that most config and setup errors appear on -stderr. 
If given twice or more, logging does not switch to the log file -or to syslog, but the log messages are printed to stderr all the time. -.TP -.B \-v -Increase verbosity. If given multiple times, more information is logged. -This is in addition to the verbosity (if any) from the config file. -.SH "SEE ALSO" -\fIunbound.conf\fR(5), -\fIunbound\-checkconf\fR(8), -\fInsd\fR(8). -.SH "AUTHORS" -.B Unbound -developers are mentioned in the CREDITS file in the distribution. diff --git a/external/unbound/doc/unbound.conf.5.in b/external/unbound/doc/unbound.conf.5.in deleted file mode 100644 index b2c76ac95..000000000 --- a/external/unbound/doc/unbound.conf.5.in +++ /dev/null 
@@ -1,1578 +0,0 @@ -.TH "unbound.conf" "5" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3" -.\" -.\" unbound.conf.5 -- unbound.conf manual -.\" -.\" Copyright (c) 2007, NLnet Labs. All rights reserved. -.\" -.\" See LICENSE for the license. -.\" -.\" -.SH "NAME" -.B unbound.conf -\- Unbound configuration file. -.SH "SYNOPSIS" -.B unbound.conf -.SH "DESCRIPTION" -.B unbound.conf -is used to configure -\fIunbound\fR(8). -The file format has attributes and values. Some attributes have attributes inside them. -The notation is: attribute: value. -.P -Comments start with # and last to the end of line. Empty lines are -ignored as is whitespace at the beginning of a line. -.P -The utility -\fIunbound\-checkconf\fR(8) -can be used to check unbound.conf prior to usage. -.SH "EXAMPLE" -An example config file is shown below. Copy this to /etc/unbound/unbound.conf -and start the server with: -.P -.nf - $ unbound \-c /etc/unbound/unbound.conf -.fi -.P -Most settings are the defaults. Stop the server with: -.P -.nf - $ kill `cat /etc/unbound/unbound.pid` -.fi -.P -Below is a minimal config file. The source distribution contains an extensive -example.conf file with all the options. -.P -.nf -# unbound.conf(5) config file for unbound(8). -server: - directory: "/etc/unbound" - username: unbound - # make sure unbound can access entropy from inside the chroot. - # e.g. on linux the use these commands (on BSD, devfs(8) is used): - # mount \-\-bind \-n /dev/random /etc/unbound/dev/random - # and mount \-\-bind \-n /dev/log /etc/unbound/dev/log - chroot: "/etc/unbound" - # logfile: "/etc/unbound/unbound.log" #uncomment to use logfile. - pidfile: "/etc/unbound/unbound.pid" - # verbosity: 1 # uncomment and increase to get more logging. - # listen on all interfaces, answer queries from the local subnet. - interface: 0.0.0.0 - interface: ::0 - access\-control: 10.0.0.0/8 allow - access\-control: 2001:DB8::/64 allow -.fi -.SH "FILE FORMAT" -There must be whitespace between keywords. 
Attribute keywords end with a colon ':'. An attribute -is followed by its containing attributes, or a value. -.P -Files can be included using the -.B include: -directive. It can appear anywhere, it accepts a single file name as argument. -Processing continues as if the text from the included file was copied into -the config file at that point. If also using chroot, using full path names -for the included files works, relative pathnames for the included names work -if the directory where the daemon is started equals its chroot/working -directory or is specified before the include statement with directory: dir. -Wildcards can be used to include multiple files, see \fIglob\fR(7). -.SS "Server Options" -These options are part of the -.B server: -clause. -.TP -.B verbosity: \fI<number> -The verbosity number, level 0 means no verbosity, only errors. Level 1 -gives operational information. Level 2 gives detailed operational -information. Level 3 gives query level information, output per query. -Level 4 gives algorithm level information. Level 5 logs client -identification for cache misses. Default is level 1. -The verbosity can also be increased from the commandline, see \fIunbound\fR(8). -.TP -.B statistics\-interval: \fI<seconds> -The number of seconds between printing statistics to the log for every thread. -Disable with value 0 or "". Default is disabled. The histogram statistics -are only printed if replies were sent during the statistics interval, -requestlist statistics are printed for every interval (but can be 0). -This is because the median calculation requires data to be present. -.TP -.B statistics\-cumulative: \fI<yes or no> -If enabled, statistics are cumulative since starting unbound, without clearing -the statistics counters after logging the statistics. Default is no. -.TP -.B extended\-statistics: \fI<yes or no> -If enabled, extended statistics are printed from \fIunbound\-control\fR(8). 
-Default is off, because keeping track of more statistics takes time. The -counters are listed in \fIunbound\-control\fR(8). -.TP -.B num\-threads: \fI<number> -The number of threads to create to serve clients. Use 1 for no threading. -.TP -.B port: \fI<port number> -The port number, default 53, on which the server responds to queries. -.TP -.B interface: \fI<ip address[@port]> -Interface to use to connect to the network. This interface is listened to -for queries from clients, and answers to clients are given from it. -Can be given multiple times to work on several interfaces. If none are -given the default is to listen to localhost. -The interfaces are not changed on a reload (kill \-HUP) but only on restart. -A port number can be specified with @port (without spaces between -interface and port number), if not specified the default port (from -\fBport\fR) is used. -.TP -.B ip\-address: \fI<ip address[@port]> -Same as interface: (for easy of compatibility with nsd.conf). -.TP -.B interface\-automatic: \fI<yes or no> -Detect source interface on UDP queries and copy them to replies. This -feature is experimental, and needs support in your OS for particular socket -options. Default value is no. -.TP -.B outgoing\-interface: \fI<ip address or ip6 netblock> -Interface to use to connect to the network. This interface is used to send -queries to authoritative servers and receive their replies. Can be given -multiple times to work on several interfaces. If none are given the -default (all) is used. You can specify the same interfaces in -.B interface: -and -.B outgoing\-interface: -lines, the interfaces are then used for both purposes. Outgoing queries are -sent via a random outgoing interface to counter spoofing. -.IP -If an IPv6 netblock is specified instead of an individual IPv6 address, -outgoing UDP queries will use a randomised source address taken from the -netblock to counter spoofing. 
Requires the IPv6 netblock to be routed to the -host running unbound, and requires OS support for unprivileged non-local binds -(currently only supported on Linux). Several netblocks may be specified with -multiple -.B outgoing\-interface: -options, but do not specify both an individual IPv6 address and an IPv6 -netblock, or the randomisation will be compromised. Consider combining with -.B prefer\-ip6: yes -to increase the likelihood of IPv6 nameservers being selected for queries. -On Linux you need these two commands to be able to use the freebind socket -option to receive traffic for the ip6 netblock: -ip \-6 addr add mynetblock/64 dev lo && -ip \-6 route add local mynetblock/64 dev lo -.TP -.B outgoing\-range: \fI<number> -Number of ports to open. This number of file descriptors can be opened per -thread. Must be at least 1. Default depends on compile options. Larger -numbers need extra resources from the operating system. For performance a -very large value is best, use libevent to make this possible. -.TP -.B outgoing\-port\-permit: \fI<port number or range> -Permit unbound to open this port or range of ports for use to send queries. -A larger number of permitted outgoing ports increases resilience against -spoofing attempts. Make sure these ports are not needed by other daemons. -By default only ports above 1024 that have not been assigned by IANA are used. -Give a port number or a range of the form "low\-high", without spaces. -.IP -The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements -are processed in the line order of the config file, adding the permitted ports -and subtracting the avoided ports from the set of allowed ports. The -processing starts with the non IANA allocated ports above 1024 in the set -of allowed ports. -.TP -.B outgoing\-port\-avoid: \fI<port number or range> -Do not permit unbound to open this port or range of ports for use to send -queries. 
Use this to make sure unbound does not grab a port that another -daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6. -By default only ports above 1024 that have not been assigned by IANA are used. -Give a port number or a range of the form "low\-high", without spaces. -.TP -.B outgoing\-num\-tcp: \fI<number> -Number of outgoing TCP buffers to allocate per thread. Default is 10. If -set to 0, or if do\-tcp is "no", no TCP queries to authoritative servers -are done. For larger installations increasing this value is a good idea. -.TP -.B incoming\-num\-tcp: \fI<number> -Number of incoming TCP buffers to allocate per thread. Default is -10. If set to 0, or if do\-tcp is "no", no TCP queries from clients are -accepted. For larger installations increasing this value is a good idea. -.TP -.B edns\-buffer\-size: \fI<number> -Number of bytes size to advertise as the EDNS reassembly buffer size. -This is the value put into datagrams over UDP towards peers. The actual -buffer size is determined by msg\-buffer\-size (both for TCP and UDP). Do -not set higher than that value. Default is 4096 which is RFC recommended. -If you have fragmentation reassembly problems, usually seen as timeouts, -then a value of 1480 can fix it. Setting to 512 bypasses even the most -stringent path MTU problems, but is seen as extreme, since the amount -of TCP fallback generated is excessive (probably also for this resolver, -consider tuning the outgoing tcp number). -.TP -.B max\-udp\-size: \fI<number> -Maximum UDP response size (not applied to TCP response). 65536 disables the -udp response size maximum, and uses the choice from the client, always. -Suggested values are 512 to 4096. Default is 4096. -.TP -.B msg\-buffer\-size: \fI<number> -Number of bytes size of the message buffers. Default is 65552 bytes, enough -for 64 Kb packets, the maximum DNS message size. No message larger than this -can be sent or received. 
Can be reduced to use less memory, but some requests -for DNS data, such as for huge resource records, will result in a SERVFAIL -reply to the client. -.TP -.B msg\-cache\-size: \fI<number> -Number of bytes size of the message cache. Default is 4 megabytes. -A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes -or gigabytes (1024*1024 bytes in a megabyte). -.TP -.B msg\-cache\-slabs: \fI<number> -Number of slabs in the message cache. Slabs reduce lock contention by threads. -Must be set to a power of 2. Setting (close) to the number of cpus is a -reasonable guess. -.TP -.B num\-queries\-per\-thread: \fI<number> -The number of queries that every thread will service simultaneously. -If more queries arrive that need servicing, and no queries can be jostled out -(see \fIjostle\-timeout\fR), then the queries are dropped. This forces -the client to resend after a timeout; allowing the server time to work on -the existing queries. Default depends on compile options, 512 or 1024. -.TP -.B jostle\-timeout: \fI<msec> -Timeout used when the server is very busy. Set to a value that usually -results in one roundtrip to the authority servers. If too many queries -arrive, then 50% of the queries are allowed to run to completion, and -the other 50% are replaced with the new incoming query if they have already -spent more than their allowed time. This protects against denial of -service by slow queries or high query rates. Default 200 milliseconds. -The effect is that the qps for long-lasting queries is about -(numqueriesperthread / 2) / (average time for such long queries) qps. -The qps for short queries can be about (numqueriesperthread / 2) -/ (jostletimeout in whole seconds) qps per thread, about (1024/2)*5 = 2560 -qps by default. -.TP -.B delay\-close: \fI<msec> -Extra delay for timeouted UDP ports before they are closed, in msec. -Default is 0, and that disables it. 
This prevents very delayed answer -packets from the upstream (recursive) servers from bouncing against -closed ports and setting off all sort of close-port counters, with -eg. 1500 msec. When timeouts happen you need extra sockets, it checks -the ID and remote IP of packets, and unwanted packets are added to the -unwanted packet counter. -.TP -.B so\-rcvbuf: \fI<number> -If not 0, then set the SO_RCVBUF socket option to get more buffer -space on UDP port 53 incoming queries. So that short spikes on busy -servers do not drop packets (see counter in netstat \-su). Default is -0 (use system value). Otherwise, the number of bytes to ask for, try -"4m" on a busy server. The OS caps it at a maximum, on linux unbound -needs root permission to bypass the limit, or the admin can use sysctl -net.core.rmem_max. On BSD change kern.ipc.maxsockbuf in /etc/sysctl.conf. -On OpenBSD change header and recompile kernel. On Solaris ndd \-set -/dev/udp udp_max_buf 8388608. -.TP -.B so\-sndbuf: \fI<number> -If not 0, then set the SO_SNDBUF socket option to get more buffer space on -UDP port 53 outgoing queries. This for very busy servers handles spikes -in answer traffic, otherwise 'send: resource temporarily unavailable' -can get logged, the buffer overrun is also visible by netstat \-su. -Default is 0 (use system value). Specify the number of bytes to ask -for, try "4m" on a very busy server. The OS caps it at a maximum, on -linux unbound needs root permission to bypass the limit, or the admin -can use sysctl net.core.wmem_max. On BSD, Solaris changes are similar -to so\-rcvbuf. -.TP -.B so\-reuseport: \fI<yes or no> -If yes, then open dedicated listening sockets for incoming queries for each -thread and try to set the SO_REUSEPORT socket option on each socket. May -distribute incoming queries to threads more evenly. Default is no. On Linux -it is supported in kernels >= 3.9. On other systems, FreeBSD, OSX it may -also work. 
You can enable it (on any platform and kernel), -it then attempts to open the port and passes the option if it was available -at compile time, if that works it is used, if it fails, it continues -silently (unless verbosity 3) without the option. -.TP -.B ip\-transparent: \fI<yes or no> -If yes, then use IP_TRANSPARENT socket option on sockets where unbound -is listening for incoming traffic. Default no. Allows you to bind to -non\-local interfaces. For example for non\-existant IP addresses that -are going to exist later on, with host failover configuration. This is -a lot like interface\-automatic, but that one services all interfaces -and with this option you can select which (future) interfaces unbound -provides service on. This option needs unbound to be started with root -permissions on some systems. The option uses IP_BINDANY on FreeBSD systems. -.TP -.B ip\-freebind: \fI<yes or no> -If yes, then use IP_FREEBIND socket option on sockets where unbound -is listening to incoming traffic. Default no. Allows you to bind to -IP addresses that are nonlocal or do not exist, like when the network -interface or IP address is down. Exists only on Linux, where the similar -ip\-transparent option is also available. -.TP -.B rrset\-cache\-size: \fI<number> -Number of bytes size of the RRset cache. Default is 4 megabytes. -A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes -or gigabytes (1024*1024 bytes in a megabyte). -.TP -.B rrset\-cache\-slabs: \fI<number> -Number of slabs in the RRset cache. Slabs reduce lock contention by threads. -Must be set to a power of 2. -.TP -.B cache\-max\-ttl: \fI<seconds> -Time to live maximum for RRsets and messages in the cache. Default is -86400 seconds (1 day). If the maximum kicks in, responses to clients -still get decrementing TTLs based on the original (larger) values. -When the internal TTL expires, the cache item has expired. 
-Can be set lower to force the resolver to query for data often, and not -trust (very large) TTL values. -.TP -.B cache\-min\-ttl: \fI<seconds> -Time to live minimum for RRsets and messages in the cache. Default is 0. -If the minimum kicks in, the data is cached for longer than the domain -owner intended, and thus less queries are made to look up the data. -Zero makes sure the data in the cache is as the domain owner intended, -higher values, especially more than an hour or so, can lead to trouble as -the data in the cache does not match up with the actual data any more. -.TP -.B cache\-max\-negative\-ttl: \fI<seconds> -Time to live maximum for negative responses, these have a SOA in the -authority section that is limited in time. Default is 3600. -.TP -.B infra\-host\-ttl: \fI<seconds> -Time to live for entries in the host cache. The host cache contains -roundtrip timing, lameness and EDNS support information. Default is 900. -.TP -.B infra\-cache\-slabs: \fI<number> -Number of slabs in the infrastructure cache. Slabs reduce lock contention -by threads. Must be set to a power of 2. -.TP -.B infra\-cache\-numhosts: \fI<number> -Number of hosts for which information is cached. Default is 10000. -.TP -.B infra\-cache\-min\-rtt: \fI<msec> -Lower limit for dynamic retransmit timeout calculation in infrastructure -cache. Default is 50 milliseconds. Increase this value if using forwarders -needing more time to do recursive name resolution. -.TP -.B define\-tag: \fI<"list of tags"> -Define the tags that can be used with local\-zone and access\-control. -Enclose the list between quotes ("") and put spaces between tags. -.TP -.B do\-ip4: \fI<yes or no> -Enable or disable whether ip4 queries are answered or issued. Default is yes. -.TP -.B do\-ip6: \fI<yes or no> -Enable or disable whether ip6 queries are answered or issued. Default is yes. -If disabled, queries are not answered on IPv6, and queries are not sent on -IPv6 to the internet nameservers. 
With this option you can disable the -ipv6 transport for sending DNS traffic, it does not impact the contents of -the DNS traffic, which may have ip4 and ip6 addresses in it. -.TP -.B prefer\-ip6: \fI<yes or no> -If enabled, prefer IPv6 transport for sending DNS queries to internet -nameservers. Default is no. -.TP -.B do\-udp: \fI<yes or no> -Enable or disable whether UDP queries are answered or issued. Default is yes. -.TP -.B do\-tcp: \fI<yes or no> -Enable or disable whether TCP queries are answered or issued. Default is yes. -.TP -.B tcp\-mss: \fI<number> -Maximum segment size (MSS) of TCP socket on which the server responds -to queries. Value lower than common MSS on Ethernet -(1220 for example) will address path MTU problem. -Note that not all platform supports socket option to set MSS (TCP_MAXSEG). -Default is system default MSS determined by interface MTU and -negotiation between server and client. -.TP -.B outgoing\-tcp\-mss: \fI<number> -Maximum segment size (MSS) of TCP socket for outgoing queries -(from Unbound to other servers). Value lower than -common MSS on Ethernet (1220 for example) will address path MTU problem. -Note that not all platform supports socket option to set MSS (TCP_MAXSEG). -Default is system default MSS determined by interface MTU and -negotiation between Unbound and other servers. -.TP -.B tcp\-upstream: \fI<yes or no> -Enable or disable whether the upstream queries use TCP only for transport. -Default is no. Useful in tunneling scenarios. -.TP -.B ssl\-upstream: \fI<yes or no> -Enabled or disable whether the upstream queries use SSL only for transport. -Default is no. Useful in tunneling scenarios. The SSL contains plain DNS in -TCP wireformat. The other server must support this (see \fBssl\-service\-key\fR). -.TP -.B ssl\-service-key: \fI<file> -If enabled, the server provider SSL service on its TCP sockets. The clients -have to use ssl\-upstream: yes. The file is the private key for the TLS -session. 
The public certificate is in the ssl\-service\-pem file. Default -is "", turned off. Requires a restart (a reload is not enough) if changed, -because the private key is read while root permissions are held and before -chroot (if any). Normal DNS TCP service is not provided and gives errors, -this service is best run with a different \fBport:\fR config or \fI@port\fR -suffixes in the \fBinterface\fR config. -.TP -.B ssl\-service\-pem: \fI<file> -The public key certificate pem file for the ssl service. Default is "", -turned off. -.TP -.B ssl\-port: \fI<number> -The port number on which to provide TCP SSL service, default 853, only -interfaces configured with that port number as @number get the SSL service. -.TP -.B use\-systemd: \fI<yes or no> -Enable or disable systemd socket activation. -Default is no. -.TP -.B do\-daemonize: \fI<yes or no> -Enable or disable whether the unbound server forks into the background as -a daemon. Set the value to \fIno\fR when unbound runs as systemd service. -Default is yes. -.TP -.B access\-control: \fI<IP netblock> <action> -The netblock is given as an IP4 or IP6 address with /size appended for a -classless network block. The action can be \fIdeny\fR, \fIrefuse\fR, -\fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR. -The most specific netblock match is used, if none match \fIdeny\fR is used. -.IP -The action \fIdeny\fR stops queries from hosts from that netblock. -.IP -The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED -error message back. -.IP -The action \fIallow\fR gives access to clients from that netblock. -It gives only access for recursion clients (which is -what almost all clients need). Nonrecursive queries are refused. -.IP -The \fIallow\fR action does allow nonrecursive queries to access the -local\-data that is configured. The reason is that this does not involve -the unbound server recursive lookup algorithm, and static data is served -in the reply. 
This supports normal operations where nonrecursive queries -are made for the authoritative data. For nonrecursive queries any replies -from the dynamic cache are refused. -.IP -The action \fIallow_snoop\fR gives nonrecursive access too. This give -both recursive and non recursive access. The name \fIallow_snoop\fR refers -to cache snooping, a technique to use nonrecursive queries to examine -the cache contents (for malicious acts). However, nonrecursive queries can -also be a valuable debugging tool (when you want to examine the cache -contents). In that case use \fIallow_snoop\fR for your administration host. -.IP -By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd. -The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS -protocol is not designed to handle dropped packets due to policy, and -dropping may result in (possibly excessive) retried queries. -.IP -The deny_non_local and refuse_non_local settings are for hosts that are -only allowed to query for the authoritative local\-data, they are not -allowed full recursion but only the static data. With deny_non_local, -messages that are disallowed are dropped, with refuse_non_local they -receive error code REFUSED. -.TP -.B access\-control\-tag: \fI<IP netblock> <"list of tags"> -Assign tags to access-control elements. Clients using this access control -element use localzones that are tagged with one of these tags. Tags must be -defined in \fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put -spaces between tags. If access\-control\-tag is configured for a netblock that -does not have an access\-control, an access\-control element with action -\fIallow\fR is configured for this netblock. -.TP -.B access\-control\-tag\-action: \fI<IP netblock> <tag> <action> -Set action for particular tag for given access control element. 
If you have -multiple tag values, the tag used to lookup the action is the first tag match -between access\-control\-tag and local\-zone\-tag where "first" comes from the -order of the define-tag values. -.TP -.B access\-control\-tag\-data: \fI<IP netblock> <tag> <"resource record string"> -Set redirect data for particular tag for given access control element. -.TP -.B access\-control\-view: \fI<IP netblock> <view name> -Set view for given access control element. -.TP -.B chroot: \fI<directory> -If chroot is enabled, you should pass the configfile (from the -commandline) as a full path from the original root. After the -chroot has been performed the now defunct portion of the config -file path is removed to be able to reread the config after a reload. -.IP -All other file paths (working dir, logfile, roothints, and -key files) can be specified in several ways: -as an absolute path relative to the new root, -as a relative path to the working directory, or -as an absolute path relative to the original root. -In the last case the path is adjusted to remove the unused portion. -.IP -The pidfile can be either a relative path to the working directory, or -an absolute path relative to the original root. It is written just prior -to chroot and dropping permissions. This allows the pidfile to be -/var/run/unbound.pid and the chroot to be /var/unbound, for example. -.IP -Additionally, unbound may need to access /dev/random (for entropy) -from inside the chroot. -.IP -If given a chroot is done to the given directory. The default is -"@UNBOUND_CHROOT_DIR@". If you give "" no chroot is performed. -.TP -.B username: \fI<name> -If given, after binding the port the user privileges are dropped. Default is -"@UNBOUND_USERNAME@". If you give username: "" no user change is performed. -.IP -If this user is not capable of binding the -port, reloads (by signal HUP) will still retain the opened ports. 
-If you change the port number in the config file, and that new port number -requires privileges, then a reload will fail; a restart is needed. -.TP -.B directory: \fI<directory> -Sets the working directory for the program. Default is "@UNBOUND_RUN_DIR@". -On Windows the string "%EXECUTABLE%" tries to change to the directory -that unbound.exe resides in. -If you give a server: directory: dir before include: file statements -then those includes can be relative to the working directory. -.TP -.B logfile: \fI<filename> -If "" is given, logging goes to stderr, or nowhere once daemonized. -The logfile is appended to, in the following format: -.nf -[seconds since 1970] unbound[pid:tid]: type: message. -.fi -If this option is given, the use\-syslog is option is set to "no". -The logfile is reopened (for append) when the config file is reread, on -SIGHUP. -.TP -.B use\-syslog: \fI<yes or no> -Sets unbound to send log messages to the syslogd, using -\fIsyslog\fR(3). -The log facility LOG_DAEMON is used, with identity "unbound". -The logfile setting is overridden when use\-syslog is turned on. -The default is to log to syslog. -.TP -.B log\-identity: \fI<string> -If "" is given (default), then the name of the executable, usually "unbound" -is used to report to the log. Enter a string to override it -with that, which is useful on systems that run more than one instance of -unbound, with different configurations, so that the logs can be easily -distinguished against. -.TP -.B log\-time\-ascii: \fI<yes or no> -Sets logfile lines to use a timestamp in UTC ascii. Default is no, which -prints the seconds since 1970 in brackets. No effect if using syslog, in -that case syslog formats the timestamp printed into the log files. -.TP -.B log\-queries: \fI<yes or no> -Prints one line per query to the log, with the log timestamp and IP address, -name, type and class. Default is no. Note that it takes time to print these -lines which makes the server (significantly) slower. 
Odd (nonprintable) -characters in names are printed as '?'. -.TP -.B log\-replies: \fI<yes or no> -Prints one line per reply to the log, with the log timestamp and IP address, -name, type, class, return code, time to resolve, from cache and response size. -Default is no. Note that it takes time to print these -lines which makes the server (significantly) slower. Odd (nonprintable) -characters in names are printed as '?'. -.TP -.B pidfile: \fI<filename> -The process id is written to the file. Default is "@UNBOUND_PIDFILE@". -So, -.nf -kill \-HUP `cat @UNBOUND_PIDFILE@` -.fi -triggers a reload, -.nf -kill \-TERM `cat @UNBOUND_PIDFILE@` -.fi -gracefully terminates. -.TP -.B root\-hints: \fI<filename> -Read the root hints from this file. Default is nothing, using builtin hints -for the IN class. The file has the format of zone files, with root -nameserver names and addresses only. The default may become outdated, -when servers change, therefore it is good practice to use a root\-hints file. -.TP -.B hide\-identity: \fI<yes or no> -If enabled id.server and hostname.bind queries are refused. -.TP -.B identity: \fI<string> -Set the identity to report. If set to "", the default, then the hostname -of the server is returned. -.TP -.B hide\-version: \fI<yes or no> -If enabled version.server and version.bind queries are refused. -.TP -.B version: \fI<string> -Set the version to report. If set to "", the default, then the package -version is returned. -.TP -.B hide\-trustanchor: \fI<yes or no> -If enabled trustanchor.unbound queries are refused. -.TP -.B target\-fetch\-policy: \fI<"list of numbers"> -Set the target fetch policy used by unbound to determine if it should fetch -nameserver target addresses opportunistically. The policy is described per -dependency depth. -.IP -The number of values determines the maximum dependency depth -that unbound will pursue in answering a query. -A value of \-1 means to fetch all targets opportunistically for that dependency -depth. 
A value of 0 means to fetch on demand only. A positive value fetches -that many targets opportunistically. -.IP -Enclose the list between quotes ("") and put spaces between numbers. -The default is "3 2 1 0 0". Setting all zeroes, "0 0 0 0 0" gives behaviour -closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour -rumoured to be closer to that of BIND 8. -.TP -.B harden\-short\-bufsize: \fI<yes or no> -Very small EDNS buffer sizes from queries are ignored. Default is off, since -it is legal protocol wise to send these, and unbound tries to give very -small answers to these queries, where possible. -.TP -.B harden\-large\-queries: \fI<yes or no> -Very large queries are ignored. Default is off, since it is legal protocol -wise to send these, and could be necessary for operation if TSIG or EDNS -payload is very large. -.TP -.B harden\-glue: \fI<yes or no> -Will trust glue only if it is within the servers authority. Default is on. -.TP -.B harden\-dnssec\-stripped: \fI<yes or no> -Require DNSSEC data for trust\-anchored zones, if such data is absent, -the zone becomes bogus. If turned off, and no DNSSEC data is received -(or the DNSKEY data fails to validate), then the zone is made insecure, -this behaves like there is no trust anchor. You could turn this off if -you are sometimes behind an intrusive firewall (of some sort) that -removes DNSSEC data from packets, or a zone changes from signed to -unsigned to badly signed often. If turned off you run the risk of a -downgrade attack that disables security for a zone. Default is on. -.TP -.B harden\-below\-nxdomain: \fI<yes or no> -From RFC 8020 (with title "NXDOMAIN: There Really Is Nothing Underneath"), -returns nxdomain to queries for a name -below another name that is already known to be nxdomain. DNSSEC mandates -noerror for empty nonterminals, hence this is possible. 
Very old software -might return nxdomain for empty nonterminals (that usually happen for reverse -IP address lookups), and thus may be incompatible with this. To try to avoid -this only DNSSEC-secure nxdomains are used, because the old software does not -have DNSSEC. Default is off. -The nxdomain must be secure, this means nsec3 with optout is insufficient. -.TP -.B harden\-referral\-path: \fI<yes or no> -Harden the referral path by performing additional queries for -infrastructure data. Validates the replies if trust anchors are configured -and the zones are signed. This enforces DNSSEC validation on nameserver -NS sets and the nameserver addresses that are encountered on the referral -path to the answer. -Default off, because it burdens the authority servers, and it is -not RFC standard, and could lead to performance problems because of the -extra query load that is generated. Experimental option. -If you enable it consider adding more numbers after the target\-fetch\-policy -to increase the max depth that is checked to. -.TP -.B harden\-algo\-downgrade: \fI<yes or no> -Harden against algorithm downgrade when multiple algorithms are -advertised in the DS record. If no, allows the weakest algorithm to -validate the zone. Default is no. Zone signers must produce zones -that allow this feature to work, but sometimes they do not, and turning -this option off avoids that validation failure. -.TP -.B use\-caps\-for\-id: \fI<yes or no> -Use 0x20\-encoded random bits in the query to foil spoof attempts. -This perturbs the lowercase and uppercase of query names sent to -authority servers and checks if the reply still has the correct casing. -Disabled by default. -This feature is an experimental implementation of draft dns\-0x20. -.TP -.B caps\-whitelist: \fI<domain> -Whitelist the domain so that it does not receive caps\-for\-id perturbed -queries. 
For domains that do not support 0x20 and also fail with fallback -because they keep sending different answers, like some load balancers. -Can be given multiple times, for different domains. -.TP -.B qname\-minimisation: \fI<yes or no> -Send minimum amount of information to upstream servers to enhance privacy. -Only sent minimum required labels of the QNAME and set QTYPE to NS when -possible. Best effort approach; full QNAME and original QTYPE will be sent when -upstream replies with a RCODE other than NOERROR, except when receiving -NXDOMAIN from a DNSSEC signed zone. Default is off. -.TP -.B qname\-minimisation\-strict: \fI<yes or no> -QNAME minimisation in strict mode. Do not fall-back to sending full QNAME to -potentially broken nameservers. A lot of domains will not be resolvable when -this option in enabled. Only use if you know what you are doing. -This option only has effect when qname-minimisation is enabled. Default is off. -.TP -.B private\-address: \fI<IP address or subnet> -Give IPv4 of IPv6 addresses or classless subnets. These are addresses -on your private network, and are not allowed to be returned for -public internet names. Any occurrence of such addresses are removed -from DNS answers. Additionally, the DNSSEC validator may mark the -answers bogus. This protects against so\-called DNS Rebinding, where -a user browser is turned into a network proxy, allowing remote access -through the browser to other parts of your private network. Some names -can be allowed to contain your private addresses, by default all the -\fBlocal\-data\fR that you configured is allowed to, and you can specify -additional names using \fBprivate\-domain\fR. No private addresses are -enabled by default. We consider to enable this for the RFC1918 private -IP address space by default in later releases. 
That would enable private -addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 -fd00::/8 and fe80::/10, since the RFC standards say these addresses -should not be visible on the public internet. Turning on 127.0.0.0/8 -would hinder many spamblocklists as they use that. Adding ::ffff:0:0/96 -stops IPv4-mapped IPv6 addresses from bypassing the filter. -.TP -.B private\-domain: \fI<domain name> -Allow this domain, and all its subdomains to contain private addresses. -Give multiple times to allow multiple domain names to contain private -addresses. Default is none. -.TP -.B unwanted\-reply\-threshold: \fI<number> -If set, a total number of unwanted replies is kept track of in every thread. -When it reaches the threshold, a defensive action is taken and a warning -is printed to the log. The defensive action is to clear the rrset and -message caches, hopefully flushing away any poison. A value of 10 million -is suggested. Default is 0 (turned off). -.TP -.B do\-not\-query\-address: \fI<IP address> -Do not query the given IP address. Can be IP4 or IP6. Append /num to -indicate a classless delegation netblock, for example like -10.2.3.4/24 or 2001::11/64. -.TP -.B do\-not\-query\-localhost: \fI<yes or no> -If yes, localhost is added to the do\-not\-query\-address entries, both -IP6 ::1 and IP4 127.0.0.1/8. If no, then localhost can be used to send -queries to. Default is yes. -.TP -.B prefetch: \fI<yes or no> -If yes, message cache elements are prefetched before they expire to -keep the cache up to date. Default is no. Turning it on gives about -10 percent more traffic and load on the machine, but popular items do -not expire from the cache. -.TP -.B prefetch-key: \fI<yes or no> -If yes, fetch the DNSKEYs earlier in the validation process, when a DS -record is encountered. This lowers the latency of requests. It does use -a little more CPU. Also if the cache is set to 0, it is no use. Default is no. 
-.TP -.B rrset-roundrobin: \fI<yes or no> -If yes, Unbound rotates RRSet order in response (the random number is taken -from the query ID, for speed and thread safety). Default is no. -.TP -.B minimal-responses: \fI<yes or no> -If yes, Unbound doesn't insert authority/additional sections into response -messages when those sections are not required. This reduces response -size significantly, and may avoid TCP fallback for some responses. -This may cause a slight speedup. The default is no, because the DNS -protocol RFCs mandate these sections, and the additional content could -be of use and save roundtrips for clients. -.TP -.B disable-dnssec-lame-check: \fI<yes or no> -If true, disables the DNSSEC lameness check in the iterator. This check -sees if RRSIGs are present in the answer, when dnssec is expected, -and retries another authority if RRSIGs are unexpectedly missing. -The validator will insist in RRSIGs for DNSSEC signed domains regardless -of this setting, if a trust anchor is loaded. -.TP -.B module\-config: \fI<"module names"> -Module configuration, a list of module names separated by spaces, surround -the string with quotes (""). The modules can be validator, iterator. -Setting this to "iterator" will result in a non\-validating server. -Setting this to "validator iterator" will turn on DNSSEC validation. -The ordering of the modules is important. -You must also set trust\-anchors for validation to be useful. -.TP -.B trust\-anchor\-file: \fI<filename> -File with trusted keys for validation. Both DS and DNSKEY entries can appear -in the file. The format of the file is the standard DNS Zone file format. -Default is "", or no trust anchor file. -.TP -.B auto\-trust\-anchor\-file: \fI<filename> -File with trust anchor for one zone, which is tracked with RFC5011 probes. -The probes are several times per month, thus the machine must be online -frequently. The initial file can be one with contents as described in -\fBtrust\-anchor\-file\fR. 
The file is written to when the anchor is updated, -so the unbound user must have write permission. Write permission to the file, -but also to the directory it is in (to create a temporary file, which is -necessary to deal with filesystem full events), it must also be inside the -chroot (if that is used). -.TP -.B trust\-anchor: \fI<"Resource Record"> -A DS or DNSKEY RR for a key to use for validation. Multiple entries can be -given to specify multiple trusted keys, in addition to the trust\-anchor\-files. -The resource record is entered in the same format as 'dig' or 'drill' prints -them, the same format as in the zone file. Has to be on a single line, with -"" around it. A TTL can be specified for ease of cut and paste, but is ignored. -A class can be specified, but class IN is default. -.TP -.B trusted\-keys\-file: \fI<filename> -File with trusted keys for validation. Specify more than one file -with several entries, one file per entry. Like \fBtrust\-anchor\-file\fR -but has a different file format. Format is BIND\-9 style format, -the trusted\-keys { name flag proto algo "key"; }; clauses are read. -It is possible to use wildcards with this statement, the wildcard is -expanded on start and on reload. -.TP -.B dlv\-anchor\-file: \fI<filename> -This option was used during early days DNSSEC deployment when no parent-side -DS record registrations were easily available. Nowadays, it is best to have -DS records registered with the parent zone (many top level zones are signed). -File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and -DNSKEY entries can be used in the file, in the same format as for -\fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more -would be slow. The DLV configured is used as a root trusted DLV, this -means that it is a lookaside for the root. Default is "", or no dlv anchor file. -DLV is going to be decommissioned. Please do not use it any more. 
-.TP -.B dlv\-anchor: \fI<"Resource Record"> -Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline. -DLV is going to be decommissioned. Please do not use it any more. -.TP -.B domain\-insecure: \fI<domain name> -Sets domain name to be insecure, DNSSEC chain of trust is ignored towards -the domain name. So a trust anchor above the domain name can not make the -domain secure with a DS record, such a DS record is then ignored. -Also keys from DLV are ignored for the domain. Can be given multiple times -to specify multiple domains that are treated as if unsigned. If you set -trust anchors for the domain they override this setting (and the domain -is secured). -.IP -This can be useful if you want to make sure a trust anchor for external -lookups does not affect an (unsigned) internal domain. A DS record -externally can create validation failures for that internal domain. -.TP -.B val\-override\-date: \fI<rrsig\-style date spec> -Default is "" or "0", which disables this debugging feature. If enabled by -giving a RRSIG style date, that date is used for verifying RRSIG inception -and expiration dates, instead of the current date. Do not set this unless -you are debugging signature inception and expiration. The value \-1 ignores -the date altogether, useful for some special applications. -.TP -.B val\-sig\-skew\-min: \fI<seconds> -Minimum number of seconds of clock skew to apply to validated signatures. -A value of 10% of the signature lifetime (expiration \- inception) is -used, capped by this setting. Default is 3600 (1 hour) which allows for -daylight savings differences. Lower this value for more strict checking -of short lived signatures. -.TP -.B val\-sig\-skew\-max: \fI<seconds> -Maximum number of seconds of clock skew to apply to validated signatures. -A value of 10% of the signature lifetime (expiration \- inception) -is used, capped by this setting. Default is 86400 (24 hours) which -allows for timezone setting problems in stable domains. 
Setting both -min and max very low disables the clock skew allowances. Setting both -min and max very high makes the validator check the signature timestamps -less strictly. -.TP -.B val\-bogus\-ttl: \fI<number> -The time to live for bogus data. This is data that has failed validation; -due to invalid signatures or other checks. The TTL from that data cannot be -trusted, and this value is used instead. The value is in seconds, default 60. -The time interval prevents repeated revalidation of bogus data. -.TP -.B val\-clean\-additional: \fI<yes or no> -Instruct the validator to remove data from the additional section of secure -messages that are not signed properly. Messages that are insecure, bogus, -indeterminate or unchecked are not affected. Default is yes. Use this setting -to protect the users that rely on this validator for authentication from -potentially bad data in the additional section. -.TP -.B val\-log\-level: \fI<number> -Have the validator print validation failures to the log. Regardless of -the verbosity setting. Default is 0, off. At 1, for every user query -that fails a line is printed to the logs. This way you can monitor what -happens with validation. Use a diagnosis tool, such as dig or drill, -to find out why validation is failing for these queries. At 2, not only -the query that failed is printed but also the reason why unbound thought -it was wrong and which server sent the faulty data. -.TP -.B val\-permissive\-mode: \fI<yes or no> -Instruct the validator to mark bogus messages as indeterminate. The security -checks are performed, but if the result is bogus (failed security), the -reply is not withheld from the client with SERVFAIL as usual. The client -receives the bogus data. For messages that are found to be secure the AD bit -is set in replies. Also logging is performed as for full validation. -The default value is "no". 
-.TP -.B ignore\-cd\-flag: \fI<yes or no> -Instruct unbound to ignore the CD flag from clients and refuse to -return bogus answers to them. Thus, the CD (Checking Disabled) flag -does not disable checking any more. This is useful if legacy (w2008) -servers that set the CD flag but cannot validate DNSSEC themselves are -the clients, and then unbound provides them with DNSSEC protection. -The default value is "no". -.TP -.B serve\-expired: \fI<yes or no> -If enabled, unbound attempts to serve old responses from cache with a -TTL of 0 in the response without waiting for the actual resolution to finish. -The actual resolution answer ends up in the cache later on. Default is "no". -.TP -.B val\-nsec3\-keysize\-iterations: \fI<"list of values"> -List of keysize and iteration count values, separated by spaces, surrounded -by quotes. Default is "1024 150 2048 500 4096 2500". This determines the -maximum allowed NSEC3 iteration count before a message is simply marked -insecure instead of performing the many hashing iterations. The list must -be in ascending order and have at least one entry. If you set it to -"1024 65535" there is no restriction to NSEC3 iteration values. -This table must be kept short; a very long list could cause slower operation. -.TP -.B add\-holddown: \fI<seconds> -Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011 -autotrust updates to add new trust anchors only after they have been -visible for this time. Default is 30 days as per the RFC. -.TP -.B del\-holddown: \fI<seconds> -Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011 -autotrust updates to remove revoked trust anchors after they have been -kept in the revoked list for this long. Default is 30 days as per -the RFC. -.TP -.B keep\-missing: \fI<seconds> -Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011 -autotrust updates to remove missing trust anchors after they have been -unseen for this long. 
This cleans up the state file if the target zone -does not perform trust anchor revocation, so this makes the auto probe -mechanism work with zones that perform regular (non\-5011) rollovers. -The default is 366 days. The value 0 does not remove missing anchors, -as per the RFC. -.TP -.B permit\-small\-holddown: \fI<yes or no> -Debug option that allows the autotrust 5011 rollover timers to assume -very small values. Default is no. -.TP -.B key\-cache\-size: \fI<number> -Number of bytes size of the key cache. Default is 4 megabytes. -A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes -or gigabytes (1024*1024 bytes in a megabyte). -.TP -.B key\-cache\-slabs: \fI<number> -Number of slabs in the key cache. Slabs reduce lock contention by threads. -Must be set to a power of 2. Setting (close) to the number of cpus is a -reasonable guess. -.TP -.B neg\-cache\-size: \fI<number> -Number of bytes size of the aggressive negative cache. Default is 1 megabyte. -A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes -or gigabytes (1024*1024 bytes in a megabyte). -.TP -.B unblock\-lan\-zones: \fI<yesno> -Default is disabled. If enabled, then for private address space, -the reverse lookups are no longer filtered. This allows unbound when -running as dns service on a host where it provides service for that host, -to put out all of the queries for the 'lan' upstream. When enabled, -only localhost, 127.0.0.1 reverse and ::1 reverse zones are configured -with default local zones. Disable the option when unbound is running -as a (DHCP-) DNS network resolver for a group of machines, where such -lookups should be filtered (RFC compliance), this also stops potential -data leakage about the local network to the upstream DNS servers. -.TP -.B insecure\-lan\-zones: \fI<yesno> -Default is disabled. If enabled, then reverse lookups in private -address space are not validated. This is usually required whenever -\fIunblock\-lan\-zones\fR is used. 
-.TP -.B local\-zone: \fI<zone> <type> -Configure a local zone. The type determines the answer to give if -there is no match from local\-data. The types are deny, refuse, static, -transparent, redirect, nodefault, typetransparent, inform, inform_deny, -always_transparent, always_refuse, always_nxdomain, -and are explained below. After that the default settings are listed. Use -local\-data: to enter data into the local zone. Answers for local zones -are authoritative DNS answers. By default the zones are class IN. -.IP -If you need more complicated authoritative data, with referrals, wildcards, -CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for -it as detailed in the stub zone section below. -.TP 10 -\h'5'\fIdeny\fR -Do not send an answer, drop the query. -If there is a match from local data, the query is answered. -.TP 10 -\h'5'\fIrefuse\fR -Send an error message reply, with rcode REFUSED. -If there is a match from local data, the query is answered. -.TP 10 -\h'5'\fIstatic\fR -If there is a match from local data, the query is answered. -Otherwise, the query is answered with nodata or nxdomain. -For a negative answer a SOA is included in the answer if present -as local\-data for the zone apex domain. -.TP 10 -\h'5'\fItransparent\fR -If there is a match from local data, the query is answered. -Otherwise if the query has a different name, the query is resolved normally. -If the query is for a name given in localdata but no such type of data is -given in localdata, then a noerror nodata answer is returned. -If no local\-zone is given local\-data causes a transparent zone -to be created by default. -.TP 10 -\h'5'\fItypetransparent\fR -If there is a match from local data, the query is answered. If the query -is for a different name, or for the same name but for a different type, -the query is resolved normally. 
So, similar to transparent but types -that are not listed in local data are resolved normally, so if an A record -is in the local data that does not cause a nodata reply for AAAA queries. -.TP 10 -\h'5'\fIredirect\fR -The query is answered from the local data for the zone name. -There may be no local data beneath the zone name. -This answers queries for the zone, and all subdomains of the zone -with the local data for the zone. -It can be used to redirect a domain to return a different address record -to the end user, with -local\-zone: "example.com." redirect and -local\-data: "example.com. A 127.0.0.1" -queries for www.example.com and www.foo.example.com are redirected, so -that users with web browsers cannot access sites with suffix example.com. -.TP 10 -\h'5'\fIinform\fR -The query is answered normally, same as transparent. The client IP -address (@portnumber) is printed to the logfile. The log message is: -timestamp, unbound-pid, info: zonename inform IP@port queryname type -class. This option can be used for normal resolution, but machines -looking up infected names are logged, eg. to run antivirus on them. -.TP 10 -\h'5'\fIinform_deny\fR -The query is dropped, like 'deny', and logged, like 'inform'. Ie. find -infected machines without answering the queries. -.TP 10 -\h'5'\fIalways_transparent\fR -Like transparent, but ignores local data and resolves normally. -.TP 10 -\h'5'\fIalways_refuse\fR -Like refuse, but ignores local data and refuses the query. -.TP 10 -\h'5'\fIalways_nxdomain\fR -Like static, but ignores local data and returns nxdomain for the query. -.TP 10 -\h'5'\fInodefault\fR -Used to turn off default contents for AS112 zones. The other types -also turn off default contents for the zone. The 'nodefault' option -has no other effect than turning off default contents for the -given zone. Use \fInodefault\fR if you use exactly that zone, if you want to -use a subzone, use \fItransparent\fR. 
-.P -The default zones are localhost, reverse 127.0.0.1 and ::1, the onion and -the AS112 zones. The AS112 zones are reverse DNS zones for private use and -reserved IP addresses for which the servers on the internet cannot provide -correct answers. They are configured by default to give nxdomain (no reverse -information) answers. The defaults can be turned off by specifying your -own local\-zone of that name, or using the 'nodefault' type. Below is a -list of the default zone contents. -.TP 10 -\h'5'\fIlocalhost\fR -The IP4 and IP6 localhost information is given. NS and SOA records are provided -for completeness and to satisfy some DNS update tools. Default content: -.nf -local\-zone: "localhost." static -local\-data: "localhost. 10800 IN NS localhost." -local\-data: "localhost. 10800 IN - SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" -local\-data: "localhost. 10800 IN A 127.0.0.1" -local\-data: "localhost. 10800 IN AAAA ::1" -.fi -.TP 10 -\h'5'\fIreverse IPv4 loopback\fR -Default content: -.nf -local\-zone: "127.in\-addr.arpa." static -local\-data: "127.in\-addr.arpa. 10800 IN NS localhost." -local\-data: "127.in\-addr.arpa. 10800 IN - SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" -local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN - PTR localhost." -.fi -.TP 10 -\h'5'\fIreverse IPv6 loopback\fR -Default content: -.nf -local\-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. - 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." static -local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. - 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN - NS localhost." -local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. - 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN - SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" -local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. - 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN - PTR localhost." -.fi -.TP 10 -\h'5'\fIonion (RFC 7686)\fR -Default content: -.nf -local\-zone: "onion." static -local\-data: "onion. 10800 IN NS localhost." 
-local\-data: "onion. 10800 IN - SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" -.fi -.TP 10 -\h'5'\fIreverse RFC1918 local use zones\fR -Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to -31.172.in\-addr.arpa, 168.192.in\-addr.arpa. -The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS -records are provided. -.TP 10 -\h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR -Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa, -2.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2), -113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa. -And from 64.100.in\-addr.arpa to 127.100.in\-addr.arpa (Shared Address Space). -.TP 10 -\h'5'\fIreverse RFC4291 IP6 unspecified\fR -Reverse data for zone -.nf -0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. -0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. -.fi -.TP 10 -\h'5'\fIreverse RFC4193 IPv6 Locally Assigned Local Addresses\fR -Reverse data for zone D.F.ip6.arpa. -.TP 10 -\h'5'\fIreverse RFC4291 IPv6 Link Local Addresses\fR -Reverse data for zones 8.E.F.ip6.arpa to B.E.F.ip6.arpa. -.TP 10 -\h'5'\fIreverse IPv6 Example Prefix\fR -Reverse data for zone 8.B.D.0.1.0.0.2.ip6.arpa. This zone is used for -tutorials and examples. You can remove the block on this zone with: -.nf - local\-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault -.fi -You can also selectively unblock a part of the zone by making that part -transparent with a local\-zone statement. -This also works with the other default zones. -.\" End of local-zone listing. -.TP 5 -.B local\-data: \fI"<resource record string>" -Configure local data, which is served in reply to queries for it. -The query has to match exactly unless you configure the local\-zone as -redirect. If not matched exactly, the local\-zone type determines -further processing. If local\-data is configured that is not a subdomain of -a local\-zone, a transparent local\-zone is configured. 
-For record types such as TXT, use single quotes, as in -local\-data: 'example. TXT "text"'. -.IP -If you need more complicated authoritative data, with referrals, wildcards, -CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for -it as detailed in the stub zone section below. -.TP 5 -.B local\-data\-ptr: \fI"IPaddr name" -Configure local data shorthand for a PTR record with the reversed IPv4 or -IPv6 address and the host name. For example "192.0.2.4 www.example.com". -TTL can be inserted like this: "2001:DB8::4 7200 www.example.com" -.TP 5 -.B local\-zone\-tag: \fI<zone> <"list of tags"> -Assign tags to localzones. Tagged localzones will only be applied when the -used access-control element has a matching tag. Tags must be defined in -\fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put spaces between -tags. -.TP 5 -.B local\-zone\-override: \fI<zone> <IP netblock> <type> -Override the localzone type for queries from addresses matching netblock. -Use this localzone type, regardless the type configured for the local-zone -(both tagged and untagged) and regardless the type configured using -access\-control\-tag\-action. -.TP 5 -.B ratelimit: \fI<number or 0> -Enable ratelimiting of queries sent to nameserver for performing recursion. -If 0, the default, it is disabled. This option is experimental at this time. -The ratelimit is in queries per second that are allowed. More queries are -turned away with an error (servfail). This stops recursive floods, eg. random -query names, but not spoofed reflection floods. Cached responses are not -ratelimited by this setting. The zone of the query is determined by examining -the nameservers for it, the zone name is used to keep track of the rate. -For example, 1000 may be a suitable value to stop the server from being -overloaded with random names, and keeps unbound from sending traffic to the -nameservers for those zones. 
-.TP 5 -.B ratelimit\-size: \fI<memory size> -Give the size of the data structure in which the current ongoing rates are -kept track in. Default 4m. In bytes or use m(mega), k(kilo), g(giga). -The ratelimit structure is small, so this data structure likely does -not need to be large. -.TP 5 -.B ratelimit\-slabs: \fI<number> -Give power of 2 number of slabs, this is used to reduce lock contention -in the ratelimit tracking data structure. Close to the number of cpus is -a fairly good setting. -.TP 5 -.B ratelimit\-factor: \fI<number> -Set the amount of queries to rate limit when the limit is exceeded. -If set to 0, all queries are dropped for domains where the limit is -exceeded. If set to another value, 1 in that number is allowed through -to complete. Default is 10, allowing 1/10 traffic to flow normally. -This can make ordinary queries complete (if repeatedly queried for), -and enter the cache, whilst also mitigating the traffic flow by the -factor given. -.TP 5 -.B ratelimit\-for\-domain: \fI<domain> <number qps> -Override the global ratelimit for an exact match domain name with the listed -number. You can give this for any number of names. For example, for -a top\-level\-domain you may want to have a higher limit than other names. -.TP 5 -.B ratelimit\-below\-domain: \fI<domain> <number qps> -Override the global ratelimit for a domain name that ends in this name. -You can give this multiple times, it then describes different settings -in different parts of the namespace. The closest matching suffix is used -to determine the qps limit. The rate for the exact matching domain name -is not changed, use ratelimit\-for\-domain to set that, you might want -to use different settings for a top\-level\-domain and subdomains. -.TP 5 -.B ip\-ratelimit: \fI<number or 0> -Enable global ratelimiting of queries accepted per ip address. -If 0, the default, it is disabled. This option is experimental at this time. -The ratelimit is in queries per second that are allowed. 
More queries are -completely dropped and will not receive a reply, SERVFAIL or otherwise. -IP ratelimiting happens before looking in the cache. This may be useful for -mitigating amplification attacks. -.TP 5 -.B ip\-ratelimit\-size: \fI<memory size> -Give the size of the data structure in which the current ongoing rates are -kept track in. Default 4m. In bytes or use m(mega), k(kilo), g(giga). -The ip ratelimit structure is small, so this data structure likely does -not need to be large. -.TP 5 -.B ip\-ratelimit\-slabs: \fI<number> -Give power of 2 number of slabs, this is used to reduce lock contention -in the ip ratelimit tracking data structure. Close to the number of cpus is -a fairly good setting. -.TP 5 -.B ip\-ratelimit\-factor: \fI<number> -Set the amount of queries to rate limit when the limit is exceeded. -If set to 0, all queries are dropped for addresses where the limit is -exceeded. If set to another value, 1 in that number is allowed through -to complete. Default is 10, allowing 1/10 traffic to flow normally. -This can make ordinary queries complete (if repeatedly queried for), -and enter the cache, whilst also mitigating the traffic flow by the -factor given. -.SS "Remote Control Options" -In the -.B remote\-control: -clause are the declarations for the remote control facility. If this is -enabled, the \fIunbound\-control\fR(8) utility can be used to send -commands to the running unbound server. The server uses these clauses -to setup SSLv3 / TLSv1 security for the connection. The -\fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR -section for options. To setup the correct self\-signed certificates use the -\fIunbound\-control\-setup\fR(8) utility. -.TP 5 -.B control\-enable: \fI<yes or no> -The option is used to enable remote control, default is "no". -If turned off, the server does not listen for control commands. 
-.TP 5 -.B control\-interface: \fI<ip address or path> -Give IPv4 or IPv6 addresses or local socket path to listen on for -control commands. -By default localhost (127.0.0.1 and ::1) is listened to. -Use 0.0.0.0 and ::0 to listen to all interfaces. -If you change this and permissions have been dropped, you must restart -the server for the change to take effect. -.TP 5 -.B control\-port: \fI<port number> -The port number to listen on for IPv4 or IPv6 control interfaces, -default is 8953. -If you change this and permissions have been dropped, you must restart -the server for the change to take effect. -.TP 5 -.B control\-use\-cert: \fI<yes or no> -Whether to require certificate authentication of control connections. -The default is "yes". -This should not be changed unless there are other mechanisms in place -to prevent untrusted users from accessing the remote control -interface. -.TP 5 -.B server\-key\-file: \fI<private key file> -Path to the server private key, by default unbound_server.key. -This file is generated by the \fIunbound\-control\-setup\fR utility. -This file is used by the unbound server, but not by \fIunbound\-control\fR. -.TP 5 -.B server\-cert\-file: \fI<certificate file.pem> -Path to the server self signed certificate, by default unbound_server.pem. -This file is generated by the \fIunbound\-control\-setup\fR utility. -This file is used by the unbound server, and also by \fIunbound\-control\fR. -.TP 5 -.B control\-key\-file: \fI<private key file> -Path to the control client private key, by default unbound_control.key. -This file is generated by the \fIunbound\-control\-setup\fR utility. -This file is used by \fIunbound\-control\fR. -.TP 5 -.B control\-cert\-file: \fI<certificate file.pem> -Path to the control client certificate, by default unbound_control.pem. -This certificate has to be signed with the server certificate. -This file is generated by the \fIunbound\-control\-setup\fR utility. -This file is used by \fIunbound\-control\fR. 
-.SS "Stub Zone Options" -.LP -There may be multiple -.B stub\-zone: -clauses. Each with a name: and zero or more hostnames or IP addresses. -For the stub zone this list of nameservers is used. Class IN is assumed. -The servers should be authority servers, not recursors; unbound performs -the recursive processing itself for stub zones. -.P -The stub zone can be used to configure authoritative data to be used -by the resolver that cannot be accessed using the public internet servers. -This is useful for company\-local data or private zones. Setup an -authoritative server on a different host (or different port). Enter a config -entry for unbound with -.B stub\-addr: -<ip address of host[@port]>. -The unbound resolver can then access the data, without referring to the -public internet for it. -.P -This setup allows DNSSEC signed zones to be served by that -authoritative server, in which case a trusted key entry with the public key -can be put in config, so that unbound can validate the data and set the AD -bit on replies for the private zone (authoritative servers do not set the -AD bit). This setup makes unbound capable of answering queries for the -private zone, and can even set the AD bit ('authentic'), but the AA -('authoritative') bit is not set on these replies. -.P -Consider adding \fBserver:\fR statements for \fBdomain\-insecure:\fR and -for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally -served zone. The insecure clause stops DNSSEC from invalidating the -zone. The local zone nodefault (or \fItransparent\fR) clause makes the -(reverse\-) zone bypass unbound's filtering of RFC1918 zones. -.TP -.B name: \fI<domain name> -Name of the stub zone. -.TP -.B stub\-host: \fI<domain name> -Name of stub zone nameserver. Is itself resolved before it is used. -.TP -.B stub\-addr: \fI<IP address> -IP address of stub zone nameserver. Can be IP 4 or IP 6. -To use a nondefault port for DNS communication append '@' with the port number. 
-.TP -.B stub\-prime: \fI<yes or no> -This option is by default off. If enabled it performs NS set priming, -which is similar to root hints, where it starts using the list of nameservers -currently published by the zone. Thus, if the hint list is slightly outdated, -the resolver picks up a correct list online. -.TP -.B stub\-first: \fI<yes or no> -If enabled, a query is attempted without the stub clause if it fails. -The data could not be retrieved and would have caused SERVFAIL because -the servers are unreachable, instead it is tried without this clause. -The default is no. -.TP -.B stub\-ssl\-upstream: \fI<yes or no> -Enabled or disable whether the queries to this stub use SSL for transport. -Default is no. -.SS "Forward Zone Options" -.LP -There may be multiple -.B forward\-zone: -clauses. Each with a \fBname:\fR and zero or more hostnames or IP -addresses. For the forward zone this list of nameservers is used to -forward the queries to. The servers listed as \fBforward\-host:\fR and -\fBforward\-addr:\fR have to handle further recursion for the query. Thus, -those servers are not authority servers, but are (just like unbound is) -recursive servers too; unbound does not perform recursion itself for the -forward zone, it lets the remote server do it. Class IN is assumed. -A forward\-zone entry with name "." and a forward\-addr target will -forward all queries to that other server (unless it can answer from -the cache). -.TP -.B name: \fI<domain name> -Name of the forward zone. -.TP -.B forward\-host: \fI<domain name> -Name of server to forward to. Is itself resolved before it is used. -.TP -.B forward\-addr: \fI<IP address> -IP address of server to forward to. Can be IP 4 or IP 6. -To use a nondefault port for DNS communication append '@' with the port number. -.TP -.B forward\-first: \fI<yes or no> -If enabled, a query is attempted without the forward clause if it fails. 
-The data could not be retrieved and would have caused SERVFAIL because -the servers are unreachable, instead it is tried without this clause. -The default is no. -.TP -.B forward\-ssl\-upstream: \fI<yes or no> -Enabled or disable whether the queries to this forwarder use SSL for transport. -Default is no. -.SS "View Options" -.LP -There may be multiple -.B view: -clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and -\fBlocal\-data\fR elements. View can be mapped to requests by specifying the view -name in an \fBaccess\-control\-view\fR element. Options from matching views will -override global options. Global options will be used if no matching view -is found. -.TP -.B name: \fI<view name> -Name of the view. Must be unique. This name is used in access\-control\-view -elements. -.TP -.B local\-zone: \fI<zone> <type> -View specific local\-zone elements. Has the same types and behaviour as the -global local\-zone elements. -.TP -.B local\-data: \fI"<resource record string>" -View specific local\-data elements. Has the same behaviour as the global -local\-data elements. -.TP -.B local\-data\-ptr: \fI"IPaddr name" -View specific local\-data\-ptr elements. Has the same behaviour as the global -local\-data\-ptr elements. -.TP -.B view\-first: \fI<yes or no> -If enabled, it attempts to use the global local\-zone and local\-data if there -is no match in the view specific options. -The default is no. -.SS "Python Module Options" -.LP -The -.B python: -clause gives the settings for the \fIpython\fR(1) script module. This module -acts like the iterator and validator modules do, on queries and answers. -To enable the script module it has to be compiled into the daemon, -and the word "python" has to be put in the \fBmodule\-config:\fR option -(usually first, or between the validator and iterator). 
-.LP -If the \fBchroot:\fR option is enabled, you should make sure Python's -library directory structure is bind mounted in the new root environment, see -\fImount\fR(8). Also the \fBpython\-script:\fR path should be specified as an -absolute path relative to the new root, or as a relative path to the working -directory. -.TP -.B python\-script: \fI<python file>\fR -The script file to load. -.SS "DNS64 Module Options" -.LP -The dns64 module must be configured in the \fBmodule\-config:\fR "dns64 -validator iterator" directive and be compiled into the daemon to be -enabled. These settings go in the \fBserver:\fR section. -.TP -.B dns64\-prefix: \fI<IPv6 prefix>\fR -This sets the DNS64 prefix to use to synthesize AAAA records with. -It must be /96 or shorter. The default prefix is 64:ff9b::/96. -.TP -.B dns64\-synthall: \fI<yes or no>\fR -Debug option, default no. If enabled, synthesize all AAAA records -despite the presence of actual AAAA records. -.SS "DNSCrypt Options" -.LP -The -.B dnscrypt: -clause give the settings of the dnscrypt channel. While those options are -available, they are only meaningful if unbound was compiled with -\fB\-\-enable\-dnscrypt\fR. -Currently certificate and secret/public keys cannot be generated by unbound. -You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage -.TP -.B dnscrypt\-enable: \fI<yes or no>\fR -Whether or not the \fBdnscrypt\fR config should be enabled. You may define -configuration but not activate it. -The default is no. -.TP -.B dnscrypt\-port: \fI<port number> -On which port should \fBdnscrypt\fR should be activated. Note that you should -have a matching \fBinterface\fR option defined in the \fBserver\fR section for -this port. -.TP -.B dnscrypt\-provider: \fI<provider name>\fR -The provider name to use to distribute certificates. This is of the form: -\fB2.dnscrypt-cert.example.com.\fR. The name \fIMUST\fR end with a dot. 
-.TP -.B dnscrypt\-secret\-key: \fI<path to secret key file>\fR -Path to the time limited secret key file. This option may be specified multiple -times. -.TP -.B dnscrypt\-provider\-cert: \fI<path to cert file>\fR -Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs. This option -may be specified multiple times. -.SS "EDNS Client Subnet Module Options" -.LP -The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache -validator iterator" directive and be compiled into the daemon to be -enabled. These settings go in the \fBserver:\fR section. -.LP -If the destination address is whitelisted with Unbound will add the EDNS0 option -to the query containing the relevant part of the client's address. When an -answer contains the ECS option the response and the option are placed in a -specialized cache. If the authority indicated no support, the response is stored -in the regular cache. -.LP -Additionally, when a client includes the option in its queries, Unbound will -forward the option to the authority regardless of the authorities presence in -the whitelist. In this case the lookup in the regular cache is skipped. -.LP -The maximum size of the ECS cache is controlled by 'msg-cache-size' in the -configuration file. On top of that, for each query only 100 different subnets -are allowed to be stored for each address family. Exceeding that number, older -entries will be purged from cache. -.TP -.B send\-client\-subnet: \fI<IP address>\fR -Send client source address to this authority. Append /num to indicate a -classless delegation netblock, for example like 10.2.3.4/24 or 2001::11/64. Can -be given multiple times. Authorities not listed will not receive edns-subnet -information. 
-.TP -.B client\-subnet\-always\-forward: \fI<yes or no>\fR -Specify whether the ECS whitelist check (configured using -\fBsend\-client\-subnet\fR) is applied for all queries, even if the triggering -query contains an ECS record, or only for queries for which the ECS record is -generated using the querier address (and therefore did not contain ECS data in -the client query). If enabled, the whitelist check is skipped when the client -query contains an ECS record. Default is no. -.TP -.B max\-client\-subnet\-ipv6: \fI<number>\fR -Specifies the maximum prefix length of the client source address we are willing -to expose to third parties for IPv6. Defaults to 56. -.TP -.B max\-client\-subnet\-ipv4: \fI<number>\fR -Specifies the maximum prefix length of the client source address we are willing -to expose to third parties for IPv4. Defaults to 24. -.SH "MEMORY CONTROL EXAMPLE" -In the example config settings below memory usage is reduced. Some service -levels are lower, notable very large data and a high TCP load are no longer -supported. Very large data and high TCP loads are exceptional for the DNS. -DNSSEC validation is enabled, just add trust anchors. -If you do not have to worry about programs using more than 3 Mb of memory, -the below example is not for you. Use the defaults to receive full service, -which on BSD\-32bit tops out at 30\-40 Mb after heavy usage. -.P -.nf -# example settings that reduce memory usage -server: - num\-threads: 1 - outgoing\-num\-tcp: 1 # this limits TCP service, uses less buffers. - incoming\-num\-tcp: 1 - outgoing\-range: 60 # uses less memory, but less performance. - msg\-buffer\-size: 8192 # note this limits service, 'no huge stuff'. 
- msg\-cache\-size: 100k - msg\-cache\-slabs: 1 - rrset\-cache\-size: 100k - rrset\-cache\-slabs: 1 - infra\-cache\-numhosts: 200 - infra\-cache\-slabs: 1 - key\-cache\-size: 100k - key\-cache\-slabs: 1 - neg\-cache\-size: 10k - num\-queries\-per\-thread: 30 - target\-fetch\-policy: "2 1 0 0 0 0" - harden\-large\-queries: "yes" - harden\-short\-bufsize: "yes" -.fi -.SH "FILES" -.TP -.I @UNBOUND_RUN_DIR@ -default unbound working directory. -.TP -.I @UNBOUND_CHROOT_DIR@ -default -\fIchroot\fR(2) -location. -.TP -.I @ub_conf_file@ -unbound configuration file. -.TP -.I @UNBOUND_PIDFILE@ -default unbound pidfile with process ID of the running daemon. -.TP -.I unbound.log -unbound log file. default is to log to -\fIsyslog\fR(3). -.SH "SEE ALSO" -\fIunbound\fR(8), -\fIunbound\-checkconf\fR(8). -.SH "AUTHORS" -.B Unbound -was written by NLnet Labs. Please see CREDITS file -in the distribution for further details. diff --git a/external/unbound/doc/unbound.doxygen b/external/unbound/doc/unbound.doxygen deleted file mode 100644 index fe3987681..000000000 --- a/external/unbound/doc/unbound.doxygen +++ /dev/null 
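Review bot: removing this man page hunk (the one ending at .SH "AUTHORS") drops the only in-tree description of several security-relevant defaults with nothing added in its place: control-use-cert: yes and the localhost-only control-interface default in the "Remote Control Options" section, the note that python-script paths must be given relative to the new root when chroot: is set, and the ratelimit / ip-ratelimit options that the text itself describes as mitigation for random-subdomain and amplification floods. If the vendored unbound sources under external/unbound remain in the tree after this change, the configuration documentation should stay with them (or a short pointer to the upstream unbound.conf(5) page should be left behind) so that anyone editing the remote-control: clause still sees the warning against turning off certificate authentication. If the entire external/unbound tree is being removed, the commit message should state that, since this diff shows the documentation (this page and, next, unbound.doxygen) going away but not the sources these documents describe.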
@@ -1,1650 +0,0 @@ -# Doxyfile 1.7.1 - -# This file describes the settings to be used by the documentation system -# doxygen (www.doxygen.org) for a project -# -# All text after a hash (#) is considered a comment and will be ignored -# The format is: -# TAG = value [value, ...] -# For lists items can also be appended using: -# TAG += value [value, ...] -# Values that contain spaces should be placed between quotes (" ") - -#--------------------------------------------------------------------------- -# Project related configuration options -#--------------------------------------------------------------------------- - -# This tag specifies the encoding used for all characters in the config file -# that follow. The default is UTF-8 which is also the encoding used for all -# text before the first occurrence of this tag. Doxygen uses libiconv (or the -# iconv built into libc) for the transcoding. See -# http://www.gnu.org/software/libiconv for the list of possible encodings. - -DOXYFILE_ENCODING = UTF-8 - -# The PROJECT_NAME tag is a single word (or a sequence of words surrounded -# by quotes) that should identify the project. - -PROJECT_NAME = unbound - -# The PROJECT_NUMBER tag can be used to enter a project or revision number. -# This could be handy for archiving the generated documentation or -# if some version control system is used. - -PROJECT_NUMBER = 0.1 - -# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) -# base path where the generated documentation will be put. -# If a relative path is entered, it will be relative to the location -# where doxygen was started. If left blank the current directory will be used. - -OUTPUT_DIRECTORY = doc - -# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create -# 4096 sub-directories (in 2 levels) under the output directory of each output -# format and will distribute the generated files over these directories. 
-# Enabling this option can be useful when feeding doxygen a huge amount of -# source files, where putting all generated files in the same directory would -# otherwise cause performance problems for the file system. - -CREATE_SUBDIRS = NO - -# The OUTPUT_LANGUAGE tag is used to specify the language in which all -# documentation generated by doxygen is written. Doxygen will use this -# information to generate all constant output in the proper language. -# The default language is English, other supported languages are: -# Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese-Traditional, -# Croatian, Czech, Danish, Dutch, Esperanto, Farsi, Finnish, French, German, -# Greek, Hungarian, Italian, Japanese, Japanese-en (Japanese with English -# messages), Korean, Korean-en, Lithuanian, Norwegian, Macedonian, Persian, -# Polish, Portuguese, Romanian, Russian, Serbian, Serbian-Cyrilic, Slovak, -# Slovene, Spanish, Swedish, Ukrainian, and Vietnamese. - -OUTPUT_LANGUAGE = English - -# If the BRIEF_MEMBER_DESC tag is set to YES (the default) Doxygen will -# include brief member descriptions after the members that are listed in -# the file and class documentation (similar to JavaDoc). -# Set to NO to disable this. - -BRIEF_MEMBER_DESC = YES - -# If the REPEAT_BRIEF tag is set to YES (the default) Doxygen will prepend -# the brief description of a member or function before the detailed description. -# Note: if both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the -# brief descriptions will be completely suppressed. - -REPEAT_BRIEF = YES - -# This tag implements a quasi-intelligent brief description abbreviator -# that is used to form the text in various listings. Each string -# in this list, if found as the leading text of the brief description, will be -# stripped from the text and the result after processing the whole list, is -# used as the annotated text. Otherwise, the brief description is used as-is. 
-# If left blank, the following values are used ("$name" is automatically -# replaced with the name of the entity): "The $name class" "The $name widget" -# "The $name file" "is" "provides" "specifies" "contains" -# "represents" "a" "an" "the" - -ABBREVIATE_BRIEF = - -# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then -# Doxygen will generate a detailed section even if there is only a brief -# description. - -ALWAYS_DETAILED_SEC = NO - -# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all -# inherited members of a class in the documentation of that class as if those -# members were ordinary class members. Constructors, destructors and assignment -# operators of the base classes will not be shown. - -INLINE_INHERITED_MEMB = NO - -# If the FULL_PATH_NAMES tag is set to YES then Doxygen will prepend the full -# path before files name in the file list and in the header files. If set -# to NO the shortest path that makes the file name unique will be used. - -FULL_PATH_NAMES = YES - -# If the FULL_PATH_NAMES tag is set to YES then the STRIP_FROM_PATH tag -# can be used to strip a user-defined part of the path. Stripping is -# only done if one of the specified strings matches the left-hand part of -# the path. The tag can be used to show relative paths in the file list. -# If left blank the directory from which doxygen is run is used as the -# path to strip. - -STRIP_FROM_PATH = - -# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of -# the path mentioned in the documentation of a class, which tells -# the reader which header file to include in order to use a class. -# If left blank only the name of the header file containing the class -# definition is used. Otherwise one should specify the include paths that -# are normally passed to the compiler using the -I flag. - -STRIP_FROM_INC_PATH = - -# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter -# (but less readable) file names. 
This can be useful is your file systems -# doesn't support long names like on DOS, Mac, or CD-ROM. - -SHORT_NAMES = NO - -# If the JAVADOC_AUTOBRIEF tag is set to YES then Doxygen -# will interpret the first line (until the first dot) of a JavaDoc-style -# comment as the brief description. If set to NO, the JavaDoc -# comments will behave just like regular Qt-style comments -# (thus requiring an explicit @brief command for a brief description.) - -JAVADOC_AUTOBRIEF = YES - -# If the QT_AUTOBRIEF tag is set to YES then Doxygen will -# interpret the first line (until the first dot) of a Qt-style -# comment as the brief description. If set to NO, the comments -# will behave just like regular Qt-style comments (thus requiring -# an explicit \brief command for a brief description.) - -QT_AUTOBRIEF = NO - -# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make Doxygen -# treat a multi-line C++ special comment block (i.e. a block of //! or /// -# comments) as a brief description. This used to be the default behaviour. -# The new default is to treat a multi-line C++ comment block as a detailed -# description. Set this tag to YES if you prefer the old behaviour instead. - -MULTILINE_CPP_IS_BRIEF = NO - -# If the INHERIT_DOCS tag is set to YES (the default) then an undocumented -# member inherits the documentation from any documented member that it -# re-implements. - -INHERIT_DOCS = YES - -# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce -# a new page for each member. If set to NO, the documentation of a member will -# be part of the file/class/namespace that contains it. - -SEPARATE_MEMBER_PAGES = NO - -# The TAB_SIZE tag can be used to set the number of spaces in a tab. -# Doxygen uses this value to replace tabs by spaces in code fragments. - -TAB_SIZE = 8 - -# This tag can be used to specify a number of aliases that acts -# as commands in the documentation. An alias has the form "name=value". 
-# For example adding "sideeffect=\par Side Effects:\n" will allow you to -# put the command \sideeffect (or @sideeffect) in the documentation, which -# will result in a user-defined paragraph with heading "Side Effects:". -# You can put \n's in the value part of an alias to insert newlines. - -ALIASES = - -# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C -# sources only. Doxygen will then generate output that is more tailored for C. -# For instance, some of the names that are used will be different. The list -# of all members will be omitted, etc. - -OPTIMIZE_OUTPUT_FOR_C = YES - -# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java -# sources only. Doxygen will then generate output that is more tailored for -# Java. For instance, namespaces will be presented as packages, qualified -# scopes will look different, etc. - -OPTIMIZE_OUTPUT_JAVA = NO - -# Set the OPTIMIZE_FOR_FORTRAN tag to YES if your project consists of Fortran -# sources only. Doxygen will then generate output that is more tailored for -# Fortran. - -OPTIMIZE_FOR_FORTRAN = NO - -# Set the OPTIMIZE_OUTPUT_VHDL tag to YES if your project consists of VHDL -# sources. Doxygen will then generate output that is tailored for -# VHDL. - -OPTIMIZE_OUTPUT_VHDL = NO - -# Doxygen selects the parser to use depending on the extension of the files it -# parses. With this tag you can assign which parser to use for a given extension. -# Doxygen has a built-in mapping, but you can override or extend it using this -# tag. The format is ext=language, where ext is a file extension, and language -# is one of the parsers supported by doxygen: IDL, Java, Javascript, CSharp, C, -# C++, D, PHP, Objective-C, Python, Fortran, VHDL, C, C++. For instance to make -# doxygen treat .inc files as Fortran files (default is PHP), and .f files as C -# (default is Fortran), use: inc=Fortran f=C. 
Note that for custom extensions -# you also need to set FILE_PATTERNS otherwise the files are not read by doxygen. - -EXTENSION_MAPPING = - -# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want -# to include (a tag file for) the STL sources as input, then you should -# set this tag to YES in order to let doxygen match functions declarations and -# definitions whose arguments contain STL classes (e.g. func(std::string); v.s. -# func(std::string) {}). This also make the inheritance and collaboration -# diagrams that involve STL classes more complete and accurate. - -BUILTIN_STL_SUPPORT = NO - -# If you use Microsoft's C++/CLI language, you should set this option to YES to -# enable parsing support. - -CPP_CLI_SUPPORT = NO - -# Set the SIP_SUPPORT tag to YES if your project consists of sip sources only. -# Doxygen will parse them like normal C++ but will assume all classes use public -# instead of private inheritance when no explicit protection keyword is present. - -SIP_SUPPORT = NO - -# For Microsoft's IDL there are propget and propput attributes to indicate getter -# and setter methods for a property. Setting this option to YES (the default) -# will make doxygen to replace the get and set methods by a property in the -# documentation. This will only work if the methods are indeed getting or -# setting a simple type. If this is not the case, or you want to show the -# methods anyway, you should set this option to NO. - -IDL_PROPERTY_SUPPORT = YES - -# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC -# tag is set to YES, then doxygen will reuse the documentation of the first -# member in the group (if any) for the other members of the group. By default -# all members of a group must be documented explicitly. 
- -DISTRIBUTE_GROUP_DOC = NO - -# Set the SUBGROUPING tag to YES (the default) to allow class member groups of -# the same type (for instance a group of public functions) to be put as a -# subgroup of that type (e.g. under the Public Functions section). Set it to -# NO to prevent subgrouping. Alternatively, this can be done per class using -# the \nosubgrouping command. - -SUBGROUPING = YES - -# When TYPEDEF_HIDES_STRUCT is enabled, a typedef of a struct, union, or enum -# is documented as struct, union, or enum with the name of the typedef. So -# typedef struct TypeS {} TypeT, will appear in the documentation as a struct -# with name TypeT. When disabled the typedef will appear as a member of a file, -# namespace, or class. And the struct will be named TypeS. This can typically -# be useful for C code in case the coding convention dictates that all compound -# types are typedef'ed and only the typedef is referenced, never the tag name. - -TYPEDEF_HIDES_STRUCT = NO - -# The SYMBOL_CACHE_SIZE determines the size of the internal cache use to -# determine which symbols to keep in memory and which to flush to disk. -# When the cache is full, less often used symbols will be written to disk. -# For small to medium size projects (<1000 input files) the default value is -# probably good enough. For larger projects a too small cache size can cause -# doxygen to be busy swapping symbols to and from disk most of the time -# causing a significant performance penality. -# If the system has enough physical memory increasing the cache will improve the -# performance by keeping more symbols in memory. Note that the value works on -# a logarithmic scale so increasing the size by one will rougly double the -# memory usage. The cache size is given by this formula: -# 2^(16+SYMBOL_CACHE_SIZE). 
The valid range is 0..9, the default is 0, -# corresponding to a cache size of 2^16 = 65536 symbols - -#SYMBOL_CACHE_SIZE = 0 - -#--------------------------------------------------------------------------- -# Build related configuration options -#--------------------------------------------------------------------------- - -# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in -# documentation are documented, even if no documentation was available. -# Private class members and static file members will be hidden unless -# the EXTRACT_PRIVATE and EXTRACT_STATIC tags are set to YES - -EXTRACT_ALL = NO - -# If the EXTRACT_PRIVATE tag is set to YES all private members of a class -# will be included in the documentation. - -EXTRACT_PRIVATE = YES - -# If the EXTRACT_STATIC tag is set to YES all static members of a file -# will be included in the documentation. - -EXTRACT_STATIC = YES - -# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) -# defined locally in source files will be included in the documentation. -# If set to NO only classes defined in header files are included. - -EXTRACT_LOCAL_CLASSES = YES - -# This flag is only useful for Objective-C code. When set to YES local -# methods, which are defined in the implementation section but not in -# the interface are included in the documentation. -# If set to NO (the default) only methods in the interface are included. - -EXTRACT_LOCAL_METHODS = YES - -# If this flag is set to YES, the members of anonymous namespaces will be -# extracted and appear in the documentation as a namespace called -# 'anonymous_namespace{file}', where file will be replaced with the base -# name of the file that contains the anonymous namespace. By default -# anonymous namespace are hidden. - -EXTRACT_ANON_NSPACES = NO - -# If the HIDE_UNDOC_MEMBERS tag is set to YES, Doxygen will hide all -# undocumented members of documented classes, files or namespaces. 
-# If set to NO (the default) these members will be included in the -# various overviews, but no documentation section is generated. -# This option has no effect if EXTRACT_ALL is enabled. - -HIDE_UNDOC_MEMBERS = NO - -# If the HIDE_UNDOC_CLASSES tag is set to YES, Doxygen will hide all -# undocumented classes that are normally visible in the class hierarchy. -# If set to NO (the default) these classes will be included in the various -# overviews. This option has no effect if EXTRACT_ALL is enabled. - -HIDE_UNDOC_CLASSES = NO - -# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, Doxygen will hide all -# friend (class|struct|union) declarations. -# If set to NO (the default) these declarations will be included in the -# documentation. - -HIDE_FRIEND_COMPOUNDS = NO - -# If the HIDE_IN_BODY_DOCS tag is set to YES, Doxygen will hide any -# documentation blocks found inside the body of a function. -# If set to NO (the default) these blocks will be appended to the -# function's detailed documentation block. - -HIDE_IN_BODY_DOCS = NO - -# The INTERNAL_DOCS tag determines if documentation -# that is typed after a \internal command is included. If the tag is set -# to NO (the default) then the documentation will be excluded. -# Set it to YES to include the internal documentation. - -INTERNAL_DOCS = NO - -# If the CASE_SENSE_NAMES tag is set to NO then Doxygen will only generate -# file names in lower-case letters. If set to YES upper-case letters are also -# allowed. This is useful if you have classes or files whose names only differ -# in case and if your file system supports case sensitive file names. Windows -# and Mac users are advised to set this option to NO. - -CASE_SENSE_NAMES = YES - -# If the HIDE_SCOPE_NAMES tag is set to NO (the default) then Doxygen -# will show members with their full class and namespace scopes in the -# documentation. If set to YES the scope will be hidden. 
- -HIDE_SCOPE_NAMES = NO - -# If the SHOW_INCLUDE_FILES tag is set to YES (the default) then Doxygen -# will put a list of the files that are included by a file in the documentation -# of that file. - -SHOW_INCLUDE_FILES = YES - -# If the FORCE_LOCAL_INCLUDES tag is set to YES then Doxygen -# will list include files with double quotes in the documentation -# rather than with sharp brackets. - -FORCE_LOCAL_INCLUDES = NO - -# If the INLINE_INFO tag is set to YES (the default) then a tag [inline] -# is inserted in the documentation for inline members. - -INLINE_INFO = YES - -# If the SORT_MEMBER_DOCS tag is set to YES (the default) then doxygen -# will sort the (detailed) documentation of file and class members -# alphabetically by member name. If set to NO the members will appear in -# declaration order. - -SORT_MEMBER_DOCS = NO - -# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the -# brief documentation of file, namespace and class members alphabetically -# by member name. If set to NO (the default) the members will appear in -# declaration order. - -SORT_BRIEF_DOCS = NO - -# If the SORT_MEMBERS_CTORS_1ST tag is set to YES then doxygen -# will sort the (brief and detailed) documentation of class members so that -# constructors and destructors are listed first. If set to NO (the default) -# the constructors will appear in the respective orders defined by -# SORT_MEMBER_DOCS and SORT_BRIEF_DOCS. -# This tag will be ignored for brief docs if SORT_BRIEF_DOCS is set to NO -# and ignored for detailed docs if SORT_MEMBER_DOCS is set to NO. - -SORT_MEMBERS_CTORS_1ST = NO - -# If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the -# hierarchy of group names into alphabetical order. If set to NO (the default) -# the group names will appear in their defined order. - -SORT_GROUP_NAMES = NO - -# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be -# sorted by fully-qualified names, including namespaces. 
If set to -# NO (the default), the class list will be sorted only by class name, -# not including the namespace part. -# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES. -# Note: This option applies only to the class list, not to the -# alphabetical list. - -SORT_BY_SCOPE_NAME = NO - -# The GENERATE_TODOLIST tag can be used to enable (YES) or -# disable (NO) the todo list. This list is created by putting \todo -# commands in the documentation. - -GENERATE_TODOLIST = YES - -# The GENERATE_TESTLIST tag can be used to enable (YES) or -# disable (NO) the test list. This list is created by putting \test -# commands in the documentation. - -GENERATE_TESTLIST = YES - -# The GENERATE_BUGLIST tag can be used to enable (YES) or -# disable (NO) the bug list. This list is created by putting \bug -# commands in the documentation. - -GENERATE_BUGLIST = YES - -# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or -# disable (NO) the deprecated list. This list is created by putting -# \deprecated commands in the documentation. - -GENERATE_DEPRECATEDLIST= YES - -# The ENABLED_SECTIONS tag can be used to enable conditional -# documentation sections, marked by \if sectionname ... \endif. - -ENABLED_SECTIONS = - -# The MAX_INITIALIZER_LINES tag determines the maximum number of lines -# the initial value of a variable or define consists of for it to appear in -# the documentation. If the initializer consists of more lines than specified -# here it will be hidden. Use a value of 0 to hide initializers completely. -# The appearance of the initializer of individual variables and defines in the -# documentation can be controlled using \showinitializer or \hideinitializer -# command in the documentation regardless of this setting. - -MAX_INITIALIZER_LINES = 30 - -# Set the SHOW_USED_FILES tag to NO to disable the list of files generated -# at the bottom of the documentation of classes and structs. 
If set to YES the -# list will mention the files that were used to generate the documentation. - -SHOW_USED_FILES = YES - -# If the sources in your project are distributed over multiple directories -# then setting the SHOW_DIRECTORIES tag to YES will show the directory hierarchy -# in the documentation. The default is NO. - -#SHOW_DIRECTORIES = YES - -# Set the SHOW_FILES tag to NO to disable the generation of the Files page. -# This will remove the Files entry from the Quick Index and from the -# Folder Tree View (if specified). The default is YES. - -SHOW_FILES = YES - -# Set the SHOW_NAMESPACES tag to NO to disable the generation of the -# Namespaces page. -# This will remove the Namespaces entry from the Quick Index -# and from the Folder Tree View (if specified). The default is YES. - -SHOW_NAMESPACES = YES - -# The FILE_VERSION_FILTER tag can be used to specify a program or script that -# doxygen should invoke to get the current version for each file (typically from -# the version control system). Doxygen will invoke the program by executing (via -# popen()) the command <command> <input-file>, where <command> is the value of -# the FILE_VERSION_FILTER tag, and <input-file> is the name of an input file -# provided by doxygen. Whatever the program writes to standard output -# is used as the file version. See the manual for examples. - -FILE_VERSION_FILTER = - -# The LAYOUT_FILE tag can be used to specify a layout file which will be parsed -# by doxygen. The layout file controls the global structure of the generated -# output files in an output format independent way. The create the layout file -# that represents doxygen's defaults, run doxygen with the -l option. -# You can optionally specify a file name after the option, if omitted -# DoxygenLayout.xml will be used as the name of the layout file. 
- -LAYOUT_FILE = - -#--------------------------------------------------------------------------- -# configuration options related to warning and progress messages -#--------------------------------------------------------------------------- - -# The QUIET tag can be used to turn on/off the messages that are generated -# by doxygen. Possible values are YES and NO. If left blank NO is used. - -QUIET = YES - -# The WARNINGS tag can be used to turn on/off the warning messages that are -# generated by doxygen. Possible values are YES and NO. If left blank -# NO is used. - -WARNINGS = YES - -# If WARN_IF_UNDOCUMENTED is set to YES, then doxygen will generate warnings -# for undocumented members. If EXTRACT_ALL is set to YES then this flag will -# automatically be disabled. - -WARN_IF_UNDOCUMENTED = NO - -# If WARN_IF_DOC_ERROR is set to YES, doxygen will generate warnings for -# potential errors in the documentation, such as not documenting some -# parameters in a documented function, or documenting parameters that -# don't exist or using markup commands wrongly. - -WARN_IF_DOC_ERROR = YES - -# This WARN_NO_PARAMDOC option can be abled to get warnings for -# functions that are documented, but have no documentation for their parameters -# or return value. If set to NO (the default) doxygen will only warn about -# wrong or incomplete parameter documentation, but not about the absence of -# documentation. - -WARN_NO_PARAMDOC = YES - -# The WARN_FORMAT tag determines the format of the warning messages that -# doxygen can produce. The string should contain the $file, $line, and $text -# tags, which will be replaced by the file and line number from which the -# warning originated and the warning text. 
Optionally the format may contain -# $version, which will be replaced by the version of the file (if it could -# be obtained via FILE_VERSION_FILTER) - -WARN_FORMAT = "$file:$line: $text" - -# The WARN_LOGFILE tag can be used to specify a file to which warning -# and error messages should be written. If left blank the output is written -# to stderr. - -WARN_LOGFILE = - -#--------------------------------------------------------------------------- -# configuration options related to the input files -#--------------------------------------------------------------------------- - -# The INPUT tag can be used to specify the files and/or directories that contain -# documented source files. You may enter file names like "myfile.cpp" or -# directories like "/usr/src/myproject". Separate the files or directories -# with spaces. - -INPUT = . - -# This tag can be used to specify the character encoding of the source files -# that doxygen parses. Internally doxygen uses the UTF-8 encoding, which is -# also the default input encoding. Doxygen uses libiconv (or the iconv built -# into libc) for the transcoding. See http://www.gnu.org/software/libiconv for -# the list of possible encodings. - -INPUT_ENCODING = UTF-8 - -# If the value of the INPUT tag contains directories, you can use the -# FILE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp -# and *.h) to filter out the source-files in the directories. If left -# blank the following patterns are tested: -# *.c *.cc *.cxx *.cpp *.c++ *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh *.hxx -# *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.py *.f90 - -FILE_PATTERNS = - -# The RECURSIVE tag can be used to turn specify whether or not subdirectories -# should be searched for input files as well. Possible values are YES and NO. -# If left blank NO is used. - -RECURSIVE = YES - -# The EXCLUDE tag can be used to specify files and/or directories that should -# excluded from the INPUT source files. 
This way you can easily exclude a -# subdirectory from a directory tree whose root is specified with the INPUT tag. - -EXCLUDE = ./build \ - ./compat \ - util/configparser.c \ - util/configparser.h \ - util/configlexer.c \ - util/locks.h \ - pythonmod/unboundmodule.py \ - pythonmod/interface.h \ - pythonmod/examples/resgen.py \ - pythonmod/examples/resmod.py \ - pythonmod/examples/resip.py \ - libunbound/python/unbound.py \ - libunbound/python/libunbound_wrap.c \ - ./ldns-src \ - doc/control_proto_spec.txt \ - doc/requirements.txt - -# The EXCLUDE_SYMLINKS tag can be used select whether or not files or -# directories that are symbolic links (a Unix filesystem feature) are excluded -# from the input. - -EXCLUDE_SYMLINKS = NO - -# If the value of the INPUT tag contains directories, you can use the -# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude -# certain files from those directories. Note that the wildcards are matched -# against the file with absolute path, so to exclude all test directories -# for example use the pattern */test/* - -EXCLUDE_PATTERNS = - -# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names -# (namespaces, classes, functions, etc.) that should be excluded from the -# output. The symbol name can be a fully qualified name, a word, or if the -# wildcard * is used, a substring. Examples: ANamespace, AClass, -# AClass::ANamespace, ANamespace::*Test - -EXCLUDE_SYMBOLS = - -# The EXAMPLE_PATH tag can be used to specify one or more files or -# directories that contain example code fragments that are included (see -# the \include command). - -EXAMPLE_PATH = - -# If the value of the EXAMPLE_PATH tag contains directories, you can use the -# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp -# and *.h) to filter out the source-files in the directories. If left -# blank all files are included. 
- -EXAMPLE_PATTERNS = - -# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be -# searched for input files to be used with the \include or \dontinclude -# commands irrespective of the value of the RECURSIVE tag. -# Possible values are YES and NO. If left blank NO is used. - -EXAMPLE_RECURSIVE = NO - -# The IMAGE_PATH tag can be used to specify one or more files or -# directories that contain image that are included in the documentation (see -# the \image command). - -IMAGE_PATH = - -# The INPUT_FILTER tag can be used to specify a program that doxygen should -# invoke to filter for each input file. Doxygen will invoke the filter program -# by executing (via popen()) the command <filter> <input-file>, where <filter> -# is the value of the INPUT_FILTER tag, and <input-file> is the name of an -# input file. Doxygen will then use the output that the filter program writes -# to standard output. -# If FILTER_PATTERNS is specified, this tag will be -# ignored. - -INPUT_FILTER = - -# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern -# basis. -# Doxygen will compare the file name with each pattern and apply the -# filter if there is a match. -# The filters are a list of the form: -# pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further -# info on how filters are used. If FILTER_PATTERNS is empty, INPUT_FILTER -# is applied to all files. - -FILTER_PATTERNS = - -# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using -# INPUT_FILTER) will be used to filter the input files when producing source -# files to browse (i.e. when SOURCE_BROWSER is set to YES). - -FILTER_SOURCE_FILES = NO - -#--------------------------------------------------------------------------- -# configuration options related to source browsing -#--------------------------------------------------------------------------- - -# If the SOURCE_BROWSER tag is set to YES then a list of source files will -# be generated. 
Documented entities will be cross-referenced with these sources. -# Note: To get rid of all source code in the generated output, make sure also -# VERBATIM_HEADERS is set to NO. - -SOURCE_BROWSER = NO - -# Setting the INLINE_SOURCES tag to YES will include the body -# of functions and classes directly in the documentation. - -INLINE_SOURCES = NO - -# Setting the STRIP_CODE_COMMENTS tag to YES (the default) will instruct -# doxygen to hide any special comment blocks from generated source code -# fragments. Normal C and C++ comments will always remain visible. - -STRIP_CODE_COMMENTS = YES - -# If the REFERENCED_BY_RELATION tag is set to YES -# then for each documented function all documented -# functions referencing it will be listed. - -REFERENCED_BY_RELATION = YES - -# If the REFERENCES_RELATION tag is set to YES -# then for each documented function all documented entities -# called/used by that function will be listed. - -REFERENCES_RELATION = YES - -# If the REFERENCES_LINK_SOURCE tag is set to YES (the default) -# and SOURCE_BROWSER tag is set to YES, then the hyperlinks from -# functions in REFERENCES_RELATION and REFERENCED_BY_RELATION lists will -# link to the source code. -# Otherwise they will link to the documentation. - -REFERENCES_LINK_SOURCE = YES - -# If the USE_HTAGS tag is set to YES then the references to source code -# will point to the HTML generated by the htags(1) tool instead of doxygen -# built-in source browser. The htags tool is part of GNU's global source -# tagging system (see http://www.gnu.org/software/global/global.html). You -# will need version 4.8.6 or higher. - -USE_HTAGS = NO - -# If the VERBATIM_HEADERS tag is set to YES (the default) then Doxygen -# will generate a verbatim copy of the header file for each class for -# which an include is specified. Set to NO to disable this. 
- -VERBATIM_HEADERS = NO - -#--------------------------------------------------------------------------- -# configuration options related to the alphabetical class index -#--------------------------------------------------------------------------- - -# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index -# of all compounds will be generated. Enable this if the project -# contains a lot of classes, structs, unions or interfaces. - -ALPHABETICAL_INDEX = YES - -# If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then -# the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns -# in which this list will be split (can be a number in the range [1..20]) - -COLS_IN_ALPHA_INDEX = 5 - -# In case all classes in a project start with a common prefix, all -# classes will be put under the same header in the alphabetical index. -# The IGNORE_PREFIX tag can be used to specify one or more prefixes that -# should be ignored while generating the index headers. - -IGNORE_PREFIX = - -#--------------------------------------------------------------------------- -# configuration options related to the HTML output -#--------------------------------------------------------------------------- - -# If the GENERATE_HTML tag is set to YES (the default) Doxygen will -# generate HTML output. - -GENERATE_HTML = YES - -# The HTML_OUTPUT tag is used to specify where the HTML docs will be put. -# If a relative path is entered the value of OUTPUT_DIRECTORY will be -# put in front of it. If left blank `html' will be used as the default path. - -HTML_OUTPUT = html - -# The HTML_FILE_EXTENSION tag can be used to specify the file extension for -# each generated HTML page (for example: .htm,.php,.asp). If it is left blank -# doxygen will generate files with .html extension. - -HTML_FILE_EXTENSION = .html - -# The HTML_HEADER tag can be used to specify a personal HTML header for -# each generated HTML page. 
If it is left blank doxygen will generate a -# standard header. - -HTML_HEADER = - -# The HTML_FOOTER tag can be used to specify a personal HTML footer for -# each generated HTML page. If it is left blank doxygen will generate a -# standard footer. - -HTML_FOOTER = - -# If the HTML_TIMESTAMP tag is set to YES then the generated HTML -# documentation will contain the timesstamp. - -HTML_TIMESTAMP = NO - -# The HTML_STYLESHEET tag can be used to specify a user-defined cascading -# style sheet that is used by each HTML page. It can be used to -# fine-tune the look of the HTML output. If the tag is left blank doxygen -# will generate a default style sheet. Note that doxygen will try to copy -# the style sheet file to the HTML output directory, so don't put your own -# stylesheet in the HTML output directory as well, or it will be erased! - -HTML_STYLESHEET = - -# The HTML_COLORSTYLE_HUE tag controls the color of the HTML output. -# Doxygen will adjust the colors in the stylesheet and background images -# according to this color. Hue is specified as an angle on a colorwheel, -# see http://en.wikipedia.org/wiki/Hue for more information. -# For instance the value 0 represents red, 60 is yellow, 120 is green, -# 180 is cyan, 240 is blue, 300 purple, and 360 is red again. -# The allowed range is 0 to 359. - -#HTML_COLORSTYLE_HUE = 220 - -# The HTML_COLORSTYLE_SAT tag controls the purity (or saturation) of -# the colors in the HTML output. For a value of 0 the output will use -# grayscales only. A value of 255 will produce the most vivid colors. - -#HTML_COLORSTYLE_SAT = 100 - -# The HTML_COLORSTYLE_GAMMA tag controls the gamma correction applied to -# the luminance component of the colors in the HTML output. Values below -# 100 gradually make the output lighter, whereas values above 100 make -# the output darker. 
The value divided by 100 is the actual gamma applied, -# so 80 represents a gamma of 0.8, The value 220 represents a gamma of 2.2, -# and 100 does not change the gamma. - -#HTML_COLORSTYLE_GAMMA = 80 - -# If the HTML_TIMESTAMP tag is set to YES then the footer of each generated HTML -# page will contain the date and time when the page was generated. Setting -# this to NO can help when comparing the output of multiple runs. - -HTML_TIMESTAMP = YES - -# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes, -# files or namespaces will be aligned in HTML using tables. If set to -# NO a bullet list will be used. - -#HTML_ALIGN_MEMBERS = YES - -# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML -# documentation will contain sections that can be hidden and shown after the -# page has loaded. For this to work a browser that supports -# JavaScript and DHTML is required (for instance Mozilla 1.0+, Firefox -# Netscape 6.0+, Internet explorer 5.0+, Konqueror, or Safari). - -HTML_DYNAMIC_SECTIONS = NO - -# If the GENERATE_DOCSET tag is set to YES, additional index files -# will be generated that can be used as input for Apple's Xcode 3 -# integrated development environment, introduced with OSX 10.5 (Leopard). -# To create a documentation set, doxygen will generate a Makefile in the -# HTML output directory. Running make will produce the docset in that -# directory and running "make install" will install the docset in -# ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find -# it at startup. -# See http://developer.apple.com/tools/creatingdocsetswithdoxygen.html -# for more information. - -GENERATE_DOCSET = NO - -# When GENERATE_DOCSET tag is set to YES, this tag determines the name of the -# feed. A documentation feed provides an umbrella under which multiple -# documentation sets from a single provider (such as a company or product suite) -# can be grouped. 
- -DOCSET_FEEDNAME = "Doxygen generated docs" - -# When GENERATE_DOCSET tag is set to YES, this tag specifies a string that -# should uniquely identify the documentation set bundle. This should be a -# reverse domain-name style string, e.g. com.mycompany.MyDocSet. Doxygen -# will append .docset to the name. - -DOCSET_BUNDLE_ID = org.doxygen.Project - -# When GENERATE_PUBLISHER_ID tag specifies a string that should uniquely identify -# the documentation publisher. This should be a reverse domain-name style -# string, e.g. com.mycompany.MyDocSet.documentation. - -#DOCSET_PUBLISHER_ID = org.doxygen.Publisher - -# The GENERATE_PUBLISHER_NAME tag identifies the documentation publisher. - -#DOCSET_PUBLISHER_NAME = Publisher - -# If the GENERATE_HTMLHELP tag is set to YES, additional index files -# will be generated that can be used as input for tools like the -# Microsoft HTML help workshop to generate a compiled HTML help file (.chm) -# of the generated HTML documentation. - -GENERATE_HTMLHELP = NO - -# If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can -# be used to specify the file name of the resulting .chm file. You -# can add a path in front of the file if the result should not be -# written to the html output directory. - -CHM_FILE = - -# If the GENERATE_HTMLHELP tag is set to YES, the HHC_LOCATION tag can -# be used to specify the location (absolute path including file name) of -# the HTML help compiler (hhc.exe). If non-empty doxygen will try to run -# the HTML help compiler on the generated index.hhp. - -HHC_LOCATION = - -# If the GENERATE_HTMLHELP tag is set to YES, the GENERATE_CHI flag -# controls if a separate .chi index file is generated (YES) or that -# it should be included in the master .chm file (NO). - -GENERATE_CHI = NO - -# If the GENERATE_HTMLHELP tag is set to YES, the CHM_INDEX_ENCODING -# is used to encode HtmlHelp index (hhk), content (hhc) and project file -# content. 
- -CHM_INDEX_ENCODING = - -# If the GENERATE_HTMLHELP tag is set to YES, the BINARY_TOC flag -# controls whether a binary table of contents is generated (YES) or a -# normal table of contents (NO) in the .chm file. - -BINARY_TOC = NO - -# The TOC_EXPAND flag can be set to YES to add extra items for group members -# to the contents of the HTML help documentation and to the tree view. - -TOC_EXPAND = NO - -# If the GENERATE_QHP tag is set to YES and both QHP_NAMESPACE and -# QHP_VIRTUAL_FOLDER are set, an additional index file will be generated -# that can be used as input for Qt's qhelpgenerator to generate a -# Qt Compressed Help (.qch) of the generated HTML documentation. - -GENERATE_QHP = NO - -# If the QHG_LOCATION tag is specified, the QCH_FILE tag can -# be used to specify the file name of the resulting .qch file. -# The path specified is relative to the HTML output folder. - -QCH_FILE = - -# The QHP_NAMESPACE tag specifies the namespace to use when generating -# Qt Help Project output. For more information please see -# http://doc.trolltech.com/qthelpproject.html#namespace - -QHP_NAMESPACE = org.doxygen.Project - -# The QHP_VIRTUAL_FOLDER tag specifies the namespace to use when generating -# Qt Help Project output. For more information please see -# http://doc.trolltech.com/qthelpproject.html#virtual-folders - -QHP_VIRTUAL_FOLDER = doc - -# If QHP_CUST_FILTER_NAME is set, it specifies the name of a custom filter to -# add. For more information please see -# http://doc.trolltech.com/qthelpproject.html#custom-filters - -QHP_CUST_FILTER_NAME = - -# The QHP_CUST_FILT_ATTRS tag specifies the list of the attributes of the -# custom filter to add. For more information please see -# <a href="http://doc.trolltech.com/qthelpproject.html#custom-filters"> -# Qt Help Project / Custom Filters</a>. - -QHP_CUST_FILTER_ATTRS = - -# The QHP_SECT_FILTER_ATTRS tag specifies the list of the attributes this -# project's -# filter section matches. 
-# <a href="http://doc.trolltech.com/qthelpproject.html#filter-attributes"> -# Qt Help Project / Filter Attributes</a>. - -QHP_SECT_FILTER_ATTRS = - -# If the GENERATE_QHP tag is set to YES, the QHG_LOCATION tag can -# be used to specify the location of Qt's qhelpgenerator. -# If non-empty doxygen will try to run qhelpgenerator on the generated -# .qhp file. - -QHG_LOCATION = - -# If the GENERATE_ECLIPSEHELP tag is set to YES, additional index files -# will be generated, which together with the HTML files, form an Eclipse help -# plugin. To install this plugin and make it available under the help contents -# menu in Eclipse, the contents of the directory containing the HTML and XML -# files needs to be copied into the plugins directory of eclipse. The name of -# the directory within the plugins directory should be the same as -# the ECLIPSE_DOC_ID value. After copying Eclipse needs to be restarted before -# the help appears. - -GENERATE_ECLIPSEHELP = NO - -# A unique identifier for the eclipse help plugin. When installing the plugin -# the directory name containing the HTML and XML files should also have -# this name. - -ECLIPSE_DOC_ID = org.doxygen.Project - -# The DISABLE_INDEX tag can be used to turn on/off the condensed index at -# top of each HTML page. The value NO (the default) enables the index and -# the value YES disables it. - -DISABLE_INDEX = NO - -# This tag can be used to set the number of enum values (range [1..20]) -# that doxygen will group on one line in the generated HTML documentation. - -ENUM_VALUES_PER_LINE = 4 - -# The GENERATE_TREEVIEW tag is used to specify whether a tree-like index -# structure should be generated to display hierarchical information. -# If the tag value is set to YES, a side panel will be generated -# containing a tree-like index structure (just like the one that -# is generated for HTML Help). For this to work a browser that supports -# JavaScript, DHTML, CSS and frames is required (i.e. any modern browser). 
-# Windows users are probably better off using the HTML help feature. - -GENERATE_TREEVIEW = NO - -# By enabling USE_INLINE_TREES, doxygen will generate the Groups, Directories, -# and Class Hierarchy pages using a tree view instead of an ordered list. - -#USE_INLINE_TREES = NO - -# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be -# used to set the initial width (in pixels) of the frame in which the tree -# is shown. - -TREEVIEW_WIDTH = 250 - -# When the EXT_LINKS_IN_WINDOW option is set to YES doxygen will open -# links to external symbols imported via tag files in a separate window. - -#EXT_LINKS_IN_WINDOW = NO - -# Use this tag to change the font size of Latex formulas included -# as images in the HTML documentation. The default is 10. Note that -# when you change the font size after a successful doxygen run you need -# to manually remove any form_*.png images from the HTML output directory -# to force them to be regenerated. - -FORMULA_FONTSIZE = 10 - -# Use the FORMULA_TRANPARENT tag to determine whether or not the images -# generated for formulas are transparent PNGs. Transparent PNGs are -# not supported properly for IE 6.0, but are supported on all modern browsers. -# Note that when changing this option you need to delete any form_*.png files -# in the HTML output before the changes have effect. - -#FORMULA_TRANSPARENT = YES - -# When the SEARCHENGINE tag is enabled doxygen will generate a search box -# for the HTML output. The underlying search engine uses javascript -# and DHTML and should work on any modern browser. Note that when using -# HTML help (GENERATE_HTMLHELP), Qt help (GENERATE_QHP), or docsets -# (GENERATE_DOCSET) there is already a search function so this one should -# typically be disabled. For large projects the javascript based search engine -# can be slow, then enabling SERVER_BASED_SEARCH may provide a better solution. 
- -SEARCHENGINE = NO - -# When the SERVER_BASED_SEARCH tag is enabled the search engine will be -# implemented using a PHP enabled web server instead of at the web client -# using Javascript. Doxygen will generate the search PHP script and index -# file to put on the web server. The advantage of the server -# based approach is that it scales better to large projects and allows -# full text search. The disadvances is that it is more difficult to setup -# and does not have live searching capabilities. - -SERVER_BASED_SEARCH = NO - -#--------------------------------------------------------------------------- -# configuration options related to the LaTeX output -#--------------------------------------------------------------------------- - -# If the GENERATE_LATEX tag is set to YES (the default) Doxygen will -# generate Latex output. - -GENERATE_LATEX = NO - -# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put. -# If a relative path is entered the value of OUTPUT_DIRECTORY will be -# put in front of it. If left blank `latex' will be used as the default path. - -LATEX_OUTPUT = latex - -# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be -# invoked. If left blank `latex' will be used as the default command name. -# Note that when enabling USE_PDFLATEX this option is only used for -# generating bitmaps for formulas in the HTML output, but not in the -# Makefile that is written to the output directory. - -LATEX_CMD_NAME = latex - -# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to -# generate index for LaTeX. If left blank `makeindex' will be used as the -# default command name. - -MAKEINDEX_CMD_NAME = makeindex - -# If the COMPACT_LATEX tag is set to YES Doxygen generates more compact -# LaTeX documents. This may be useful for small projects and may help to -# save some trees in general. - -COMPACT_LATEX = NO - -# The PAPER_TYPE tag can be used to set the paper type that is used -# by the printer. 
Possible values are: a4, a4wide, letter, legal and -# executive. If left blank a4wide will be used. - -PAPER_TYPE = a4wide - -# The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX -# packages that should be included in the LaTeX output. - -EXTRA_PACKAGES = - -# The LATEX_HEADER tag can be used to specify a personal LaTeX header for -# the generated latex document. The header should contain everything until -# the first chapter. If it is left blank doxygen will generate a -# standard header. Notice: only use this tag if you know what you are doing! - -LATEX_HEADER = - -# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated -# is prepared for conversion to pdf (using ps2pdf). The pdf file will -# contain links (just like the HTML output) instead of page references -# This makes the output suitable for online browsing using a pdf viewer. - -PDF_HYPERLINKS = NO - -# If the USE_PDFLATEX tag is set to YES, pdflatex will be used instead of -# plain latex in the generated Makefile. Set this option to YES to get a -# higher quality PDF documentation. - -USE_PDFLATEX = NO - -# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \\batchmode. -# command to the generated LaTeX files. This will instruct LaTeX to keep -# running if errors occur, instead of asking the user for help. -# This option is also used when generating formulas in HTML. - -LATEX_BATCHMODE = NO - -# If LATEX_HIDE_INDICES is set to YES then doxygen will not -# include the index chapters (such as File Index, Compound Index, etc.) -# in the output. - -LATEX_HIDE_INDICES = NO - -# If LATEX_SOURCE_CODE is set to YES then doxygen will include -# source code with syntax highlighting in the LaTeX output. -# Note that which sources are shown also depends on other settings -# such as SOURCE_BROWSER. 
- -LATEX_SOURCE_CODE = NO - -#--------------------------------------------------------------------------- -# configuration options related to the RTF output -#--------------------------------------------------------------------------- - -# If the GENERATE_RTF tag is set to YES Doxygen will generate RTF output -# The RTF output is optimized for Word 97 and may not look very pretty with -# other RTF readers or editors. - -GENERATE_RTF = NO - -# The RTF_OUTPUT tag is used to specify where the RTF docs will be put. -# If a relative path is entered the value of OUTPUT_DIRECTORY will be -# put in front of it. If left blank `rtf' will be used as the default path. - -RTF_OUTPUT = rtf - -# If the COMPACT_RTF tag is set to YES Doxygen generates more compact -# RTF documents. This may be useful for small projects and may help to -# save some trees in general. - -COMPACT_RTF = NO - -# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated -# will contain hyperlink fields. The RTF file will -# contain links (just like the HTML output) instead of page references. -# This makes the output suitable for online browsing using WORD or other -# programs which support those fields. -# Note: wordpad (write) and others do not support links. - -RTF_HYPERLINKS = NO - -# Load stylesheet definitions from file. Syntax is similar to doxygen's -# config file, i.e. a series of assignments. You only have to provide -# replacements, missing definitions are set to their default value. - -RTF_STYLESHEET_FILE = - -# Set optional variables used in the generation of an rtf document. -# Syntax is similar to doxygen's config file. 
- -RTF_EXTENSIONS_FILE = - -#--------------------------------------------------------------------------- -# configuration options related to the man page output -#--------------------------------------------------------------------------- - -# If the GENERATE_MAN tag is set to YES (the default) Doxygen will -# generate man pages - -GENERATE_MAN = NO - -# The MAN_OUTPUT tag is used to specify where the man pages will be put. -# If a relative path is entered the value of OUTPUT_DIRECTORY will be -# put in front of it. If left blank `man' will be used as the default path. - -MAN_OUTPUT = man - -# The MAN_EXTENSION tag determines the extension that is added to -# the generated man pages (default is the subroutine's section .3) - -MAN_EXTENSION = .3 - -# If the MAN_LINKS tag is set to YES and Doxygen generates man output, -# then it will generate one additional man file for each entity -# documented in the real man page(s). These additional files -# only source the real man page, but without them the man command -# would be unable to find the correct page. The default is NO. - -MAN_LINKS = NO - -#--------------------------------------------------------------------------- -# configuration options related to the XML output -#--------------------------------------------------------------------------- - -# If the GENERATE_XML tag is set to YES Doxygen will -# generate an XML file that captures the structure of -# the code including all documentation. - -GENERATE_XML = YES - -# The XML_OUTPUT tag is used to specify where the XML pages will be put. -# If a relative path is entered the value of OUTPUT_DIRECTORY will be -# put in front of it. If left blank `xml' will be used as the default path. - -XML_OUTPUT = xml - -# The XML_SCHEMA tag can be used to specify an XML schema, -# which can be used by a validating XML parser to check the -# syntax of the XML files. 
- -#XML_SCHEMA = - -# The XML_DTD tag can be used to specify an XML DTD, -# which can be used by a validating XML parser to check the -# syntax of the XML files. - -#XML_DTD = - -# If the XML_PROGRAMLISTING tag is set to YES Doxygen will -# dump the program listings (including syntax highlighting -# and cross-referencing information) to the XML output. Note that -# enabling this will significantly increase the size of the XML output. - -XML_PROGRAMLISTING = YES - -#--------------------------------------------------------------------------- -# configuration options for the AutoGen Definitions output -#--------------------------------------------------------------------------- - -# If the GENERATE_AUTOGEN_DEF tag is set to YES Doxygen will -# generate an AutoGen Definitions (see autogen.sf.net) file -# that captures the structure of the code including all -# documentation. Note that this feature is still experimental -# and incomplete at the moment. - -GENERATE_AUTOGEN_DEF = NO - -#--------------------------------------------------------------------------- -# configuration options related to the Perl module output -#--------------------------------------------------------------------------- - -# If the GENERATE_PERLMOD tag is set to YES Doxygen will -# generate a Perl module file that captures the structure of -# the code including all documentation. Note that this -# feature is still experimental and incomplete at the -# moment. - -GENERATE_PERLMOD = NO - -# If the PERLMOD_LATEX tag is set to YES Doxygen will generate -# the necessary Makefile rules, Perl scripts and LaTeX code to be able -# to generate PDF and DVI output from the Perl module output. - -PERLMOD_LATEX = NO - -# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be -# nicely formatted so it can be parsed by a human reader. -# This is useful -# if you want to understand what is going on. 
-# On the other hand, if this -# tag is set to NO the size of the Perl module output will be much smaller -# and Perl will parse it just the same. - -PERLMOD_PRETTY = YES - -# The names of the make variables in the generated doxyrules.make file -# are prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX. -# This is useful so different doxyrules.make files included by the same -# Makefile don't overwrite each other's variables. - -PERLMOD_MAKEVAR_PREFIX = - -#--------------------------------------------------------------------------- -# Configuration options related to the preprocessor -#--------------------------------------------------------------------------- - -# If the ENABLE_PREPROCESSING tag is set to YES (the default) Doxygen will -# evaluate all C-preprocessor directives found in the sources and include -# files. - -ENABLE_PREPROCESSING = YES - -# If the MACRO_EXPANSION tag is set to YES Doxygen will expand all macro -# names in the source code. If set to NO (the default) only conditional -# compilation will be performed. Macro expansion can be done in a controlled -# way by setting EXPAND_ONLY_PREDEF to YES. - -MACRO_EXPANSION = YES - -# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES -# then the macro expansion is limited to the macros specified with the -# PREDEFINED and EXPAND_AS_DEFINED tags. - -EXPAND_ONLY_PREDEF = YES - -# If the SEARCH_INCLUDES tag is set to YES (the default) the includes files -# in the INCLUDE_PATH (see below) will be search if a #include is found. - -SEARCH_INCLUDES = YES - -# The INCLUDE_PATH tag can be used to specify one or more directories that -# contain include files that are not input files but should be processed by -# the preprocessor. - -INCLUDE_PATH = - -# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard -# patterns (like *.h and *.hpp) to filter out the header-files in the -# directories. If left blank, the patterns specified with FILE_PATTERNS will -# be used. 
- -INCLUDE_FILE_PATTERNS = *.h - -# The PREDEFINED tag can be used to specify one or more macro names that -# are defined before the preprocessor is started (similar to the -D option of -# gcc). The argument of the tag is a list of macros of the form: name -# or name=definition (no spaces). If the definition and the = are -# omitted =1 is assumed. To prevent a macro definition from being -# undefined via #undef or recursively expanded use the := operator -# instead of the = operator. - -PREDEFINED = DOXYGEN - -# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then -# this tag can be used to specify a list of macro names that should be expanded. -# The macro definition that is found in the sources will be used. -# Use the PREDEFINED tag if you want to use a different macro definition. - -EXPAND_AS_DEFINED = ATTR_UNUSED - -# If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then -# doxygen's preprocessor will remove all function-like macros that are alone -# on a line, have an all uppercase name, and do not end with a semicolon. Such -# function macros are typically used for boiler-plate code, and will confuse -# the parser if not removed. - -SKIP_FUNCTION_MACROS = YES - -#--------------------------------------------------------------------------- -# Configuration::additions related to external references -#--------------------------------------------------------------------------- - -# The TAGFILES option can be used to specify one or more tagfiles. -# Optionally an initial location of the external documentation -# can be added for each tagfile. The format of a tag file without -# this location is as follows: -# -# TAGFILES = file1 file2 ... -# Adding location for the tag files is done as follows: -# -# TAGFILES = file1=loc1 "file2 = loc2" ... -# where "loc1" and "loc2" can be relative or absolute paths or -# URLs. If a location is present for each tag, the installdox tool -# does not have to be run to correct the links. 
-# Note that each tag file must have a unique name -# (where the name does NOT include the path) -# If a tag file is not located in the directory in which doxygen -# is run, you must also specify the path to the tagfile here. - -TAGFILES = - -# When a file name is specified after GENERATE_TAGFILE, doxygen will create -# a tag file that is based on the input files it reads. - -GENERATE_TAGFILE = - -# If the ALLEXTERNALS tag is set to YES all external classes will be listed -# in the class index. If set to NO only the inherited external classes -# will be listed. - -ALLEXTERNALS = NO - -# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed -# in the modules index. If set to NO, only the current project's groups will -# be listed. - -EXTERNAL_GROUPS = YES - -# The PERL_PATH should be the absolute path and name of the perl script -# interpreter (i.e. the result of `which perl'). - -PERL_PATH = /usr/bin/perl - -#--------------------------------------------------------------------------- -# Configuration options related to the dot tool -#--------------------------------------------------------------------------- - -# If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will -# generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base -# or super classes. Setting the tag to NO turns the diagrams off. Note that -# this option is superseded by the HAVE_DOT option below. This is only a -# fallback. It is recommended to install and use dot, since it yields more -# powerful graphs. - -CLASS_DIAGRAMS = YES - -# You can define message sequence charts within doxygen comments using the \msc -# command. Doxygen will then run the mscgen tool (see -# http://www.mcternan.me.uk/mscgen/) to produce the chart and insert it in the -# documentation. The MSCGEN_PATH tag allows you to specify the directory where -# the mscgen tool resides. If left empty the tool is assumed to be found in the -# default search path. 
- -MSCGEN_PATH = - -# If set to YES, the inheritance and collaboration graphs will hide -# inheritance and usage relations if the target is undocumented -# or is not a class. - -HIDE_UNDOC_RELATIONS = YES - -# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is -# available from the path. This tool is part of Graphviz, a graph visualization -# toolkit from AT&T and Lucent Bell Labs. The other options in this section -# have no effect if this option is set to NO (the default) - -HAVE_DOT = NO - -# The DOT_NUM_THREADS specifies the number of dot invocations doxygen is -# allowed to run in parallel. When set to 0 (the default) doxygen will -# base this on the number of processors available in the system. You can set it -# explicitly to a value larger than 0 to get control over the balance -# between CPU load and processing speed. - -#DOT_NUM_THREADS = 0 - -# By default doxygen will write a font called FreeSans.ttf to the output -# directory and reference it in all dot files that doxygen generates. This -# font does not include all possible unicode characters however, so when you need -# these (or just want a differently looking font) you can specify the font name -# using DOT_FONTNAME. You need need to make sure dot is able to find the font, -# which can be done by putting it in a standard location or by setting the -# DOTFONTPATH environment variable or by setting DOT_FONTPATH to the directory -# containing the font. - -#DOT_FONTNAME = FreeSans.ttf - -# The DOT_FONTSIZE tag can be used to set the size of the font of dot graphs. -# The default size is 10pt. - -DOT_FONTSIZE = 10 - -# By default doxygen will tell dot to use the output directory to look for the -# FreeSans.ttf font (which doxygen will put there itself). If you specify a -# different font using DOT_FONTNAME you can set the path where dot -# can find it using this tag. 
- -DOT_FONTPATH = - -# If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen -# will generate a graph for each documented class showing the direct and -# indirect inheritance relations. Setting this tag to YES will force the -# the CLASS_DIAGRAMS tag to NO. - -CLASS_GRAPH = YES - -# If the COLLABORATION_GRAPH and HAVE_DOT tags are set to YES then doxygen -# will generate a graph for each documented class showing the direct and -# indirect implementation dependencies (inheritance, containment, and -# class references variables) of the class with other documented classes. - -COLLABORATION_GRAPH = YES - -# If the GROUP_GRAPHS and HAVE_DOT tags are set to YES then doxygen -# will generate a graph for groups, showing the direct groups dependencies - -GROUP_GRAPHS = YES - -# If the UML_LOOK tag is set to YES doxygen will generate inheritance and -# collaboration diagrams in a style similar to the OMG's Unified Modeling -# Language. - -UML_LOOK = NO - -# If set to YES, the inheritance and collaboration graphs will show the -# relations between templates and their instances. - -TEMPLATE_RELATIONS = NO - -# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDE_GRAPH, and HAVE_DOT -# tags are set to YES then doxygen will generate a graph for each documented -# file showing the direct and indirect include dependencies of the file with -# other documented files. - -INCLUDE_GRAPH = YES - -# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDED_BY_GRAPH, and -# HAVE_DOT tags are set to YES then doxygen will generate a graph for each -# documented header file showing the documented files that directly or -# indirectly include this file. - -INCLUDED_BY_GRAPH = YES - -# If the CALL_GRAPH and HAVE_DOT options are set to YES then -# doxygen will generate a call dependency graph for every global function -# or class method. Note that enabling this option will significantly increase -# the time of a run. 
So in most cases it will be better to enable call graphs -# for selected functions only using the \callgraph command. - -CALL_GRAPH = NO - -# If the CALLER_GRAPH and HAVE_DOT tags are set to YES then -# doxygen will generate a caller dependency graph for every global function -# or class method. Note that enabling this option will significantly increase -# the time of a run. So in most cases it will be better to enable caller -# graphs for selected functions only using the \callergraph command. - -CALLER_GRAPH = NO - -# If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen -# will graphical hierarchy of all classes instead of a textual one. - -GRAPHICAL_HIERARCHY = YES - -# If the DIRECTORY_GRAPH, SHOW_DIRECTORIES and HAVE_DOT tags are set to YES -# then doxygen will show the dependencies a directory has on other directories -# in a graphical way. The dependency relations are determined by the #include -# relations between the files in the directories. - -DIRECTORY_GRAPH = YES - -# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images -# generated by dot. Possible values are png, jpg, or gif -# If left blank png will be used. - -DOT_IMAGE_FORMAT = png - -# The tag DOT_PATH can be used to specify the path where the dot tool can be -# found. If left blank, it is assumed the dot tool can be found in the path. - -DOT_PATH = - -# The DOTFILE_DIRS tag can be used to specify one or more directories that -# contain dot files that are included in the documentation (see the -# \dotfile command). - -DOTFILE_DIRS = - -# The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of -# nodes that will be shown in the graph. If the number of nodes in a graph -# becomes larger than this value, doxygen will truncate the graph, which is -# visualized by representing a node as a red box. 
Note that doxygen if the -# number of direct children of the root node in a graph is already larger than -# DOT_GRAPH_MAX_NODES then the graph will not be shown at all. Also note -# that the size of a graph can be further restricted by MAX_DOT_GRAPH_DEPTH. - -DOT_GRAPH_MAX_NODES = 50 - -# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the -# graphs generated by dot. A depth value of 3 means that only nodes reachable -# from the root by following a path via at most 3 edges will be shown. Nodes -# that lay further from the root node will be omitted. Note that setting this -# option to 1 or 2 may greatly reduce the computation time needed for large -# code bases. Also note that the size of a graph can be further restricted by -# DOT_GRAPH_MAX_NODES. Using a depth of 0 means no depth restriction. - -MAX_DOT_GRAPH_DEPTH = 0 - -# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent -# background. This is disabled by default, because dot on Windows does not -# seem to support this out of the box. Warning: Depending on the platform used, -# enabling this option may lead to badly anti-aliased labels on the edges of -# a graph (i.e. they become hard to read). - -DOT_TRANSPARENT = NO - -# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output -# files in one run (i.e. multiple -o and -T options on the command line). This -# makes dot run faster, but since only newer versions of dot (>1.8.10) -# support this, this feature is disabled by default. - -DOT_MULTI_TARGETS = NO - -# If the GENERATE_LEGEND tag is set to YES (the default) Doxygen will -# generate a legend page explaining the meaning of the various boxes and -# arrows in the dot generated graphs. - -GENERATE_LEGEND = YES - -# If the DOT_CLEANUP tag is set to YES (the default) Doxygen will -# remove the intermediate dot files that are used to generate -# the various graphs. - -DOT_CLEANUP = YES |