diff options
Diffstat (limited to 'external/unbound/doc')
| -rw-r--r-- | external/unbound/doc/Changelog | 907 | ||||
| -rw-r--r-- | external/unbound/doc/README | 2 | ||||
| -rw-r--r-- | external/unbound/doc/example.conf.in | 164 | ||||
| -rw-r--r-- | external/unbound/doc/libunbound.3.in | 26 | ||||
| -rw-r--r-- | external/unbound/doc/unbound-anchor.8.in | 10 | ||||
| -rw-r--r-- | external/unbound/doc/unbound-checkconf.8.in | 2 | ||||
| -rw-r--r-- | external/unbound/doc/unbound-control.8.in | 56 | ||||
| -rw-r--r-- | external/unbound/doc/unbound-host.1.in | 2 | ||||
| -rw-r--r-- | external/unbound/doc/unbound.8.in | 4 | ||||
| -rw-r--r-- | external/unbound/doc/unbound.conf.5.in | 337 | ||||
| -rw-r--r-- | external/unbound/doc/unbound.doxygen | 4 |
11 files changed, 1467 insertions, 47 deletions
diff --git a/external/unbound/doc/Changelog b/external/unbound/doc/Changelog index 3b9d50653..8f8d6daea 100644 --- a/external/unbound/doc/Changelog +++ b/external/unbound/doc/Changelog @@ -1,3 +1,910 @@ +13 June 2017: Wouter + - Fix #1280: Unbound fails assert when response from authoritative + contains malformed qname. When 0x20 caps-for-id is enabled, when + assertions are not enabled the malformed qname is handled correctly. + - tag for 1.6.3 + +13 April 2017: Wouter + - Fix #1250: inconsistent indentation in services/listen_dnsport.c. + - tag for 1.6.2rc1 + +12 April 2017: Wouter + - subnet mem value is available in shm, also when not enabled, + to make the struct easier to memmap by other applications, + independent of the configuration of unbound. + +12 April 2017: Ralph + - Fix #1247: unbound does not shorten source prefix length when + forwarding ECS. + - Properly check for allocation failure in local_data_find_tag_datas. + - Fix #1249: unbound doesn't return FORMERR to bogus ECS. + - Set SHM ECS memory usage to 0 when module not loaded. + +11 April 2017: Ralph + - Display ECS module memory usage. + +10 April 2017: Wouter + - harden-algo-downgrade: no also makes unbound more lenient about + digest algorithms in DS records. + +10 April 2017: Ralph + - Remove ECS option after REFUSED answer. + - Fix small memory leak in edns_opt_copy_alloc. + - Respip dereference after NULL check. + - Zero initialize addrtree allocation. + - Use correct identifier for SHM destroy. + +7 April 2017: George + - Fix pythonmod for cb changes. + - Some whitespace fixup. + +7 April 2017: Ralph + - Unlock view in respip unit test + +6 April 2017: Ralph + - Generalise inplace callback (de)registration + - (de)register inplace callbacks for module id + - No unbound-control set_option for ECS options + - Deprecated client-subnet-opcode config option + - Introduced client-subnet-always-forward config option + - Changed max-client-subnet-ipv6 default to 56 (as in RFC) + - Removed extern ECS config options + - module_restart_next now calls clear on all following modules + - Also create ECS module qstate on module_event_pass event + - remove malloc from inplace_cb_register + +6 April 2017: Wouter + - Small fixup for documentation. + - iana portlist update + - Fix respip for braces when locks arent used. + - Fix pythonmod for cb changes. + +4 April 2017: Wouter + - Fix #1244: document that use of chroot requires trust anchor file to + be under chroot. + - iana portlist update + +3 April 2017: Ralph + - Do not add current time twice to TTL before ECS cache store. + - Do not touch rrset cache after ECS cache message generation. + - Use LDNS_EDNS_CLIENT_SUBNET as default ECS opcode. + +3 April 2017: Wouter + - Fix #1217: Add metrics to unbound-control interface showing + crypted, cert request, plaintext and malformed queries (from + Manu Bretelle). + - iana portlist update + +27 March 2017: Wouter + - Remove (now unused) event2 include from dnscrypt code. + +24 March 2017: George + - Fix to prevent non-referal query from being cached as referal when the + no_cache_store flag was set. + +23 March 2017: Wouter + - Fix #1239: configure fails to find python distutils if python + prints warning. + +22 March 2017: Wouter + - Fix #1238: segmentation fault when adding through the remote + interface a per-view local zone to a view with no previous + (configured) local zones. + - Fix #1229: Systemd service sandboxing, options in wrong sections. + +21 March 2017: Ralph + - Merge EDNS Client subnet implementation from feature branch into main + branch, using new EDNS processing framework. + +21 March 2017: Wouter + - Fix doxygen for dnscrypt files. + +20 March 2017: Wouter + - #1217. DNSCrypt support, with --enable-dnscrypt, libsodium and then + enabled in the config file from Manu Bretelle. + - make depend, autoconf, remove warnings about statement before var. + - lru_demote and lruhash_insert_or_retrieve functions for getdns. + - fixup for lruhash (whitespace and header file comment). + - dnscrypt tests. + +17 March 2017: Wouter + - Patch for view functionality for local-data-ptr from Björn Ketelaars. + - Fix #1237 - Wrong resolving in chain, for norec queries that get + SERVFAIL returned. + +16 March 2017: Wouter + - Fix that SHM is not inited if not enabled. + - Add trustanchor.unbound CH TXT that gets a response with a number + of TXT RRs with a string like "example.com. 2345 1234" with + the trust anchors and their keytags. + - Fix that looped DNAMEs do not cause unbound to spend effort. + - trustanchor tags are sorted. reusable routine to fetch taglist. + +13 March 2017: Wouter + - testbound understands Deckard MATCH rcode question answer commands. + - Fix #1235: Fix too long DNAME expansion produces SERVFAIL instead + of YXDOMAIN + query loop, reported by Petr Spacek. + +10 March 2017: Wouter + - Fix #1234: shortening DNAME loop produces duplicate DNAME records + in ANSWER section. + +9 March 2017: Wouter + - --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and + DS records. NSEC3 is not disabled. + - fake-sha1 test option; print warning if used. To make unit tests. + - unbound-control list local zone and data commands listed in the + help output. + +8 March 2017: Wouter + - make depend for build dependencies. + - swig version 2.0.1 required. + - fix enum conversion warnings + +7 March 2017: Wouter + - Fix #1230: swig version 2.0.0 is required for pythonmod, with + 1.3.40 it crashes when running repeatly unbound-control reload. + - Response actions based on IP address from Jinmei Tatuya (Infoblox). + +6 March 2017: Wouter + - Fix #1229: Systemd service sandboxing in contrib/unbound.service. + - iana portlist update + +28 February 2017: Ralph + - Fix testpkts.c, check if DO bit is set, not only if there is an OPT + record. + +28 February 2017: Wouter + - For #1227: if we have sha256, set the cipher list to have no + known vulns. + +27 February 2017: Wouter + - Fix #1227: Fix that Unbound control allows weak ciphersuits. + - Fix #1226: provide official 32bit binary for windows. + +24 February 2017: Wouter + - include sys/time.h for new shm code on NetBSD. + +23 February 2017: Wouter + - Fix doc/CNAME-basedRedirectionDesignNotes.pdf zone static to + redirect. + - Patch from Luiz Fernando Softov for Stats Shared Memory. + - unbound-control stats_shm command prints stats using shared memory, + which uses less cpu. + - make depend, autoconf, doxygen and lint fixed up. + +22 February 2017: Wouter + - Fix #1224: Fix that defaults should not fall back to "Program Files + (x86) if Unbound is 64bit by default on windows. + +21 February 2017: Wouter + - iana portlist update + +16 February 2017: Wouter + - sldns updated for vfixed and buffer resize indication from getdns. + +15 February 2017: Wouter + - sldns has ED25519 and ED448 algorithm number and name for display. + +14 February 2017: Wouter + - tag 1.6.1rc3. -- which became 1.6.1 on 21feb, trunk has 1.6.2 + +13 February 2017: Wouter + - Fix autoconf of systemd check for lack of pkg-config. + +10 February 2017: Wouter + - Fix pythonmod for typedef changes. + - Fix dnstap for warning of set but not used. + - tag 1.6.1rc2. + +9 February 2017: Wouter + - tag 1.6.1rc1. + +8 February 2017: Wouter + - Fix for type name change and fix warning on windows compile. + +7 February 2017: Wouter + - Include root trust anchor id 20326 in unbound-anchor. + +6 February 2017: Wouter + - Fix compile on solaris of the fix to use $host detect. + +4 February 2017: Wouter + - fix root_anchor test for updated icannbundle.pem lower certificates. + +26 January 2017: Wouter + - Fix 1211: Fix can't enable interface-automatic if no IPv6 with + more helpful error message. + +20 January 2017: Wouter + - Increase MAX_MODULE to 16. + +19 January 2017: Wouter + - Fix to Rename ub_callback_t to ub_callback_type, because POSIX + reserves _t typedefs. + - Fix to rename internally used types from _t to _type, because _t + type names are reserved by POSIX. + - iana portlist update + +12 January 2017: Wouter + - Fix to also block meta types 128 through to 248 with formerr. + - Fix #1206: Some view-related commands are missing from 'unbound-control -h' + +9 January 2017: Wouter + - Fix #1202: Fix code comment that packed_rrset_data is not always + 'packed'. + +6 January 2017: Wouter + - Fix #1201: Fix missing unlock in answer_from_cache error condition. + +5 January 2017: Wouter + - Fix to return formerr for queries for meta-types, to avoid + packet amplification if this meta-type is sent on to upstream. + - Fix #1184: Log DNS replies. This includes the same logging + information that DNS queries and response code and response size, + patch from Larissa Feng. + - Fix #1185: Source IP rate limiting, patch from Larissa Feng. + +3 January 2017: Wouter + - configure --enable-systemd and lets unbound use systemd sockets if + you enable use-systemd: yes in unbound.conf. + Also there are contrib/unbound.socket and contrib/unbound.service: + systemd files for unbound, install them in /usr/lib/systemd/system. + Contributed by Sami Kerola and Pavel Odintsov. + - Fix reload chdir failure when also chrooted to that directory. + +2 January 2017: Wouter + - Fix #1194: Cross build fails when $host isn't `uname` for getentropy. + +23 December 2016: Ralph + - Fix #1190: Do not echo back EDNS options in local-zone error response. + - iana portlist update + +21 December 2016: Ralph + - Fix #1188: Unresolved symbol 'fake_dsa' in libunbound.so when built + with Nettle + +19 December 2016: Ralph + - Fix #1191: remove comment about view deletion. + +15 December 2016: Wouter + - iana portlist update + - 64bit is default for windows builds. + - Fix inet_ntop and inet_pton warnings in windows compile. + +14 December 2016: Wouter + - Fix #1178: attempt to fix setup error at end, pop result values + at end of install. + +13 December 2016: Wouter + - Fix #1182: Fix Resource leak (socket), at startup. + - Fix unbound-control and ipv6 only. + +9 December 2016: Wouter + - Fix #1176: stack size too small for Alpine Linux. + +8 December 2016: Wouter + - Fix downcast warnings from visual studio in sldns code. + - tag 1.6.0rc1 which became 1.6.0 on 15 dec, and trunk is 1.6.1. + +7 December 2016: Ralph + - Add DSA support for OpenSSL 1.1.0 + - Fix remote control without cert for LibreSSL + +6 December 2016: George + - Added generic EDNS code for registering known EDNS option codes, + bypassing the cache response stage and uniquifying mesh states. Four EDNS + option lists were added to module_qstate (module_qstate.edns_opts_*) to + store EDNS options from/to front/back side. + - Added two flags to module_qstate (no_cache_lookup, no_cache_store) that + control the modules' cache interactions. + - Added code for registering inplace callback functions. The registered + functions can be called just before replying with local data or Chaos, + replying from cache, replying with SERVFAIL, replying with a resolved + query, sending a query to a nameserver. The functions can inspect the + available data and maybe change response/query related data (i.e. append + EDNS options). + - Updated Python module for the above. + - Updated Python documentation. + +5 December 2016: Ralph + - Fix #1173: differ local-zone type deny from unset + tag_actions element. + +5 December 2016: Wouter + - Fix #1170: document that 'inform' local-zone uses local-data. + +1 December 2016: Ralph + - hyphen as minus fix, by Andreas Schulze + +30 November 2016: Ralph + - Added local-zones and local-data bulk addition and removal + functionality in unbound-control (local_zones, local_zones_remove, + local_datas and local_datas_remove). + - iana portlist update + +29 November 2016: Wouter + - version 1.6.0 is in the development branch. + - braces in view.c around lock statements. + +28 November 2016: Wouter + - new install-sh. + +25 November 2016: Wouter + - Fix that with openssl 1.1 control-use-cert: no uses less cpu, by + using no encryption over the unix socket. + +22 Novenber 2016: Ralph + - Make access-control-tag-data RDATA absolute. This makes the RDATA + origin consistent between local-data and access-control-tag-data. + - Fix NSEC ENT wildcard check. Matching wildcard does not have to be a + subdomain of the NSEC owner. + - QNAME minimisation uses QTYPE=A, therefore always check cache for + this type in harden-below-nxdomain functionality. + - Added unit test for QNAME minimisation + harden below nxdomain + synergy. + +22 November 2016: Wouter + - iana portlist update. + - Fix unit tests for DS hash processing for fake-dsa test option. + - patch from Dag-Erling Smorgrav that removes code that relies + on sbrk(). + +21 November 2016: Wouter + - Fix #1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing + Underneath" for the harden-below-nxdomain option. + +10 November 2016: Ralph + - Fix #1155: test status code of unbound-control in 04-checkconf, + not the status code from the tee command. + +4 November 2016: Ralph + - Added stub-ssl-upstream and forward-ssl-upstream options. + +4 November 2016: Wouter + - configure detects ssl security level API function in the autoconf + manner. Every function on its own, so that other libraries (eg. + LibreSSL) can develop their API without hindrance. + - Fix #1154: segfault when reading config with duplicate zones. + - Note that for harden-below-nxdomain the nxdomain must be secure, + this means nsec3 with optout is insufficient. + +3 November 2016: Ralph + - Set OpenSSL security level to 0 when using aNULL ciphers. + +3 November 2016: Wouter + - .gitattributes line for githubs code language display. + - log-identity: config option to set sys log identity, patch from + "Robin H. Johnson" <robbat2@gentoo.org> + +2 November 2016: Wouter + - iana portlist update. + +31 October 2016: Wouter + - Fix failure to build on arm64 with no sbrk. + - iana portlist update. + +28 October 2016: Wouter + - Patch for server.num.zero_ttl stats for count of expired replies, + from Pavel Odintsov. + +26 October 2016: Wouter + - Fix unit tests for openssl 1.1, with no DSA, by faking DSA, enabled + with the undocumented switch 'fake-dsa'. It logs a warning. + +25 October 2016: Wouter + - Fix #1134: unbound-control set_option -- val-override-date: -1 works + immediately to ignore datetime, or back to 0 to enable it again. + The -- is to ignore the '-1' as an option flag. + +24 October 2016: Wouter + - serve-expired config option: serve expired responses with TTL 0. + - g.root-servers.net has AAAA address. + +21 October 2016: Wouter + - Ported tests for local_cname unit test to testbound framework. + +20 October 2016: Wouter + - suppress compile warning in lex files. + - init lzt variable, for older gcc compiler warnings. + - fix --enable-dsa to work, instead of copying ecdsa enable. + - Fix DNSSEC validation of query type ANY with DNAME answers. + - Fixup query_info local_alias init. + +19 October 2016: Wouter + - Fix #1130: whitespace in example.conf.in more consistent. + +18 October 2016: Wouter + - Patch that resolves CNAMEs entered in local-data conf statements that + point to data on the internet, from Jinmei Tatuya (Infoblox). + - Removed patch comments from acllist.c and msgencode.c + - Added documentation doc/CNAME-basedRedirectionDesignNotes.pdf, + from Jinmei Tatuya (Infoblox). + - Fix #1125: unbound could reuse an answer packet incorrectly for + clients with different EDNS parameters, from Jinmei Tatuya. + - Fix #1118: libunbound.pc sets strange Libs, Libs.private values. + - Added Requires line to libunbound.pc + - Please doxygen by modifying mesh.h + +17 October 2016: Wouter + - Re-fix #839 from view commit overwrite. + - Fixup const void cast warning. + +12 October 2016: Ralph + - Free view config elements. + +11 October 2016: Ralph + - Added qname-minimisation-strict config option. + - iana portlist update. + - fix memoryleak logfile when in debug mode. + +5 October 2016: Ralph + - Added views functionality. + - Fix #1117: spelling errors, from Robert Edmonds. + +30 September 2016: Wouter + - Fix Nits for 1.5.10 reported by Dag-Erling Smorgrav. + +29 September 2016: Wouter + - Fix #838: 1.5.10 cannot be built on Solaris, undefined PATH_MAX. + - Fix #839: Memory grows unexpectedly with large RPZ files. + - Fix #840: infinite loop in unbound_munin_ plugin on unowned lockfile. + - Fix #841: big local-zone's make it consume large amounts of memory. + +27 September 2016: Wouter + - tag for 1.5.10 release + - trunk contains 1.5.11 in development. + - Fix dnstap relaying "random" messages instead of resolver/forwarder + responses, from Nikolay Edigaryev. + - Fix #836: unbound could echo back EDNS options in an error response. + +20 September 2016: Wouter + - iana portlist update. + - Fix #835: fix --disable-dsa with nettle verify. + - tag for 1.5.10rc1 release. + +15 September 2016: Wouter + - Fix 883: error for duplicate local zone entry. + - Test for openssl init_crypto and init_ssl functions. + +15 September 2016: Ralph + - fix potential memory leak in daemon/remote.c and nullpointer + dereference in validator/autotrust. + - iana portlist update. + +13 September 2016: Wouter + - Silenced flex-generated sign-unsigned warning print with gcc + diagnostic pragma. + - Fix for new splint on FreeBSD. Fix cast for sockaddr_un.sun_len. + +9 September 2016: Wouter + - Fix #831: workaround for spurious fread_chk warning against petal.c + +5 September 2016: Ralph + - Take configured minimum TTL into consideration when reducing TTL + to original TTL from RRSIG. + +5 September 2016: Wouter + - Fix #829: doc of sldns_wire2str_rdata_buf() return value has an + off-by-one typo, from Jinmei Tatuya (Infoblox). + - Fix incomplete prototypes reported by Dag-Erling Smørgrav. + - Fix #828: missing type in access-control-tag-action redirect results + in NXDOMAIN. + +2 September 2016: Wouter + - Fix compile with openssl 1.1.0 with api=1.1.0. + +1 September 2016: Wouter + - RFC 7958 is now out, updated docs for unbound-anchor. + - Fix for compile without warnings with openssl 1.1.0. + - Fix #826: Fix refuse_non_local could result in a broken response. + - iana portlist update. + +29 August 2016: Wouter + - Fix #777: OpenSSL 1.1.0 compatibility, patch from Sebastian A. + Siewior. + - Add default root hints for IPv6 E.ROOT-SERVERS.NET, 2001:500:a8::e. + +25 August 2016: Ralph + - Clarify local-zone-override entry in unbound.conf.5 + +25 August 2016: Wouter + - 64bit build option for makedist windows compile, -w64. + +24 August 2016: Ralph + - Fix #820: set sldns_str2wire_rr_buf() dual meaning len parameter + in each iteration in find_tag_datas(). + - unbound.conf.5 entries for define-tag, access-control-tag, + access-control-tag-action, access-control-tag-data, local-zone-tag, + and local-zone-override. + +23 August 2016: Wouter + - Fix #804: unbound stops responding after outage. Fixes queries + that attempt to wait for an empty list of subqueries. + - Fix #804: lower num_target_queries for iterator also for failed + lookups. + +8 August 2016: Wouter + - Note that OPENPGPKEY type is RFC 7929. + +4 August 2016: Wouter + - Fix #807: workaround for possible some "unused" function parameters + in test code, from Jinmei Tatuya. + +3 August 2016: Wouter + - use sendmsg instead of sendto for TFO. + +28 July 2016: Wouter + - Fix #806: wrong comment removed. + +26 July 2016: Wouter + - nicer ratelimit-below-domain explanation. + +22 July 2016: Wouter + - Fix #801: missing error condition handling in + daemon_create_workers(). + - Fix #802: workaround for function parameters that are "unused" + without log_assert. + - Fix #803: confusing (and incorrect) code comment in daemon_cleanup(). + +20 July 2016: Wouter + - Fix typo in unbound.conf. + +18 July 2016: Wouter + - Fix #798: Client-side TCP fast open fails (Linux). + +14 July 2016: Wouter + - TCP Fast open patch from Sara Dickinson. + - Fixed unbound.doxygen for 1.8.11. + +7 July 2016: Wouter + - access-control-tag-data implemented. verbose(4) prints tag debug. + +5 July 2016: Wouter + - Fix dynamic link of anchor-update.exe on windows. + - Fix detect of mingw for MXE package build. + - Fixes for 64bit windows compile. + - Fix #788 for nettle 3.0: Failed to build with Nettle >= 3.0 and + --with-libunbound-only --with-nettle. + +4 July 2016: Wouter + - For #787: prefer-ip6 option for unbound.conf prefers to send + upstream queries to ipv6 servers. + - Fix #787: outgoing-interface netblock/64 ipv6 option to use linux + freebind to use 64bits of entropy for every query with random local + part. + +30 June 2016: Wouter + - Document always_transparent, always_refuse, always_nxdomain types. + +29 June 2016: Wouter + - Fix static compile on windows missing gdi32. + +28 June 2016: Wouter + - Create a pkg-config file for libunbound in contrib. + +27 June 2016: Wouter + - Fix #784: Build configure assumess that having getpwnam means there + is endpwent function available. + - Updated repository with newer flex and bison output. + +24 June 2016: Ralph + - Possibility to specify local-zone type for an acl/tag pair + - Possibility to specify (override) local-zone type for a source address + block +16 June 2016: Ralph + - Decrease dp attempts at each QNAME minimisation iteration + +16 June 2016: Wouter + - Fix tcp timeouts in tv.usec. + +15 June 2016: Wouter + - TCP_TIMEOUT is specified in milliseconds. + - If more than half of tcp connections are in use, a shorter timeout + is used (200 msec, vs 2 minutes) to pressure tcp for new connects. + +14 June 2016: Ralph + - QNAME minimisation unit test for dropped QTYPE=A queries. + +14 June 2016: Wouter + - Fix 775: unbound-host and unbound-anchor crash on windows, ignore + null delete for wsaevent. + - Fix spelling in freebind option man page text. + - Fix windows link of ssl with crypt32. + - Fix 779: Union casting is non-portable. + - Fix 780: MAP_ANON not defined in HP-UX 11.31. + - Fix 781: prealloc() is an HP-UX system library call. + +13 June 2016: Ralph + - Use QTYPE=A for QNAME minimisation. + - Keep track of number of time-outs when performing QNAME minimisation. + Stop minimising when number of time-outs for a QNAME/QTYPE pair is + more than three. + +13 June 2016: Wouter + - Fix #778: unbound 1.5.9: -h segfault (null deref). + - Fix directory: fix for unbound-checkconf, it restores cwd. + +10 June 2016: Wouter + - And delete service.conf.shipped on uninstall. + - In unbound.conf directory: dir immediately changes to that directory, + so that include: file below that is relative to that directory. + With chroot, make the directory an absolute path inside chroot. + - keep debug symbols in windows build. + - do not delete service.conf on windows uninstall. + - document directory immediate fix and allow EXECUTABLE syntax in it + on windows. + +9 June 2016: Wouter + - Trunk is called 1.5.10 (with previous fixes already in there to 2 + june). + - Revert fix for NetworkService account on windows due to breakage + it causes. + - Fix that windows install will not overwrite existing service.conf + file (and ignore gui config choices if it exists). + +7 June 2016: Ralph + - Lookup localzones by taglist from acl. + - Possibility to lookup local_zone, regardless the taglist. + - Added local_zone/taglist/acl unit test. + +7 June 2016: Wouter + - Fix #773: Non-standard Python location build failure with pyunbound. + - Improve threadsafety for openssl 0.9.8 ecdsa dnssec signatures. + +6 June 2016: Wouter + - Better help text from -h (from Ray Griffith). + - access-control-tag config directive. + - local-zone-override config directive. + - access-control-tag-action and access-control-tag-data config + directives. + - free acl-tags, acltag-action and acltag-data config lists during + initialisation to free up memory for more entries. + +3 June 2016: Wouter + - Fix to not ignore return value of chown() in daemon startup. + +2 June 2016: Wouter + - Fix libubound for edns optlist feature. + - Fix distinction between free and CRYPTO_free in dsa and ecdsa alloc. + - Fix #752: retry resource temporarily unavailable on control pipe. + - un-document localzone tags. + - tag for release 1.5.9rc1. + And this also became release 1.5.9. + - Fix (for 1.5.10): Fix unbound-anchor.exe file location defaults to + Program Files with (x86) appended. + - re-documented localzone tags in example.conf. + +31 May 2016: Wouter + - Fix windows service to be created run with limited rights, as a + network service account, from Mario Turschmann. + - compat strsep implementation. + - generic edns option parse and store code. + - and also generic edns options for upstream messages (and replies). + after parse use edns_opt_find(edns.opt_list, LDNS_EDNS_NSID), + to insert use edns_opt_append(edns, region, code, len, bindata) on + the opt_list passed to send_query, or in edns_opt_inplace_reply. + +30 May 2016: Wouter + - Fix time in case answer comes from cache in ub_resolve_event(). + - Attempted fix for #765: _unboundmodule missing for python3. + +27 May 2016: Wouter + - Fix #770: Small subgroup attack on DH used in unix pipe on localhost + if unbound control uses a unix local named pipe. + - Document write permission to directory of trust anchor needed. + - Fix #768: Unbound Service Sometimes Can Not Shutdown + Completely, WER Report Shown Up. Close handle before closing WSA. + +26 May 2016: Wouter + - Updated patch from Charles Walker. + +24 May 2016: Wouter + - disable-dnssec-lame-check config option from Charles Walker. + - remove memory leak from lame-check patch. + - iana portlist update. + +23 May 2016: Wouter + - Fix #767: Reference to an expired Internet-Draft in + harden-below-nxdomain documentation. + +20 May 2016: Ralph + - No QNAME minimisation fall-back for NXDOMAIN answers from DNSSEC + signed zones. + - iana portlist update. + +19 May 2016: Wouter + - Fix #766: dns64 should synthesize results on timeout/errors. + +18 May 2016: Wouter + - Fix #761: DNSSEC LAME false positive resolving nic.club. + +17 May 2016: Wouter + - trunk updated with output of flex 2.6.0. + +6 May 2016: Wouter + - Fix memory leak in out-of-memory conditions of local zone add. + +29 April 2016: Wouter + - Fix sldns with static checking fixes copied from getdns. + +28 April 2016: Wouter + - Fix #759: 0x20 capsforid no longer checks type PTR, for + compatibility with cisco dns guard. This lowers false positives. + +18 April 2016: Wouter + - Fix some malformed reponses to edns queries get fallback to nonedns. + +15 April 2016: Wouter + - cachedb module event handling design. + +14 April 2016: Wouter + - cachedb module framework (empty). + - iana portlist update. + +12 April 2016: Wouter + - Fix #753: document dump_requestlist is for first thread. + +24 March 2016: Wouter + - Document permit-small-holddown for 5011 debug. + - Fix #749: unbound-checkconf gets SIGSEGV when use against a + malformatted conf file. + +23 March 2016: Wouter + - OpenSSL 1.1.0 portability, --disable-dsa configure option. + +21 March 2016: Wouter + - Fix compile of getentropy_linux for SLES11 servicepack 4. + - Fix dnstap-log-resolver-response-messages, from Nikolay Edigaryev. + - Fix test for openssl to use HMAC_Update for 1.1.0. + - acx_nlnetlabs.m4 to v33, with HMAC_Update. + - acx_nlnetlabs.m4 to v34, with -ldl -pthread test for libcrypto. + - ERR_remove_state deprecated since openssl 1.0.0. + - OPENSSL_config is deprecated, removing. + +18 March 2016: Ralph + - Validate QNAME minimised NXDOMAIN responses. + - If QNAME minimisation is enabled, do cache lookup for QTYPE NS in + harden-below-nxdomain. + +17 March 2016: Ralph + - Limit number of QNAME minimisation iterations. + +17 March 2016: Wouter + - Fix #746: Fix unbound sets CD bit on all forwards. + If no trust anchors, it'll not set CD bit when forwarding to another + server. If a trust anchor, no CD bit on the first attempt to a + forwarder, but CD bit thereafter on repeated attempts to get DNSSEC. + - iana portlist update. + +16 March 2016: Wouter + - Fix ip-transparent for ipv6 on FreeBSD, thanks to Nick Hibma. + - Fix ip-transparent for tcp on freebsd. + +15 March 2016: Wouter + - ip_freebind: yesno option in unbound.conf sets IP_FREEBIND for + binding to an IP address while the interface or address is down. + +14 March 2016: Wouter + - Fix warnings in ifdef corner case, older or unknown libevent. + - Fix compile for ub_event code with older libev. + +11 March 2016: Wouter + - Remove warning about unused parameter in event_pluggable.c. + - Fix libev usage of dispatch return value. + - No side effects in tolower() call, in case it is a macro. + - For test put free in pluggable api in parenthesis. + +10 March 2016: Wouter + - Fixup backend2str for libev. + +09 March 2016: Willem + - User defined pluggable event API for libunbound + - Fixup of compile fix for pluggable event API from P.Y. Adi + Prasaja. + +09 March 2016: Wouter + - Updated configure and ltmain.sh. + - Updated L root IPv6 address. + +07 March 2016: Wouter + - Fix #747: assert in outnet_serviced_query_stop. + - iana ports fetched via https. + - iana portlist update. + +03 March 2016: Wouter + - configure tests for the weak attribute support by the compiler. + +02 March 2016: Wouter + - 1.5.8 release tag + - trunk contains 1.5.9 in development. + - iana portlist update. + - Fix #745: unbound.py - idn2dname throws UnicodeError when idnname + contains trailing dot. + +24 February 2016: Wouter + - Fix OpenBSD asynclook lock free that gets used later (fix test code). + - Fix that NSEC3 negative cache is used when there is no salt. + +23 February 2016: Wouter + - ub_ctx_set_stub() function for libunbound to config stub zones. + - sorted ubsyms.def file with exported libunbound functions. + +19 February 2016: Wouter + - Print understandable debug log when unusable DS record is seen. + - load gost algorithm if digest is seen before key algorithm. + - iana portlist update. + +17 February 2016: Wouter + - Fix that "make install" fails due to "text file busy" error. + +16 February 2016: Wouter + - Set IPPROTO_IP6 for ipv6 sockets otherwise invalid argument error. + +15 February 2016: Wouter + - ip-transparent option for FreeBSD with IP_BINDANY socket option. + - wait for sendto to drain socket buffers when they are full. + +9 February 2016: Wouter + - Test for type OPENPGPKEY. + - insecure-lan-zones: yesno config option, patch from Dag-Erling + Smørgrav. + +8 February 2016: Wouter + - Fix patch typo in prevuous commit for 734 from Adi Prasaja. + - RR Type CSYNC support RFC 7477, in debug printout and config input. + - RR Type OPENPGPKEY support (draft-ietf-dane-openpgpkey-07). + +29 January 2016: Wouter + - Neater cmdline_verbose increment patch from Edgar Pettijohn. + +27 January 2016: Wouter + - Made netbsd sendmsg test nonfatal, in case of false positives. + - Fix #741: log message for dnstap socket connection is more clear. + +26 January 2016: Wouter + - Fix #734: chown the pidfile if it resides inside the chroot. + - Use arc4random instead of random in tests (because it is + available, possibly as compat, anyway). + - Fix cmsg alignment for argument to sendmsg on NetBSD. + - Fix that unbound complains about unimplemented IP_PKTINFO for + sendmsg on NetBSD (for interface-automatic). + +25 January 2016: Wouter + - Fix #738: Swig should not be invoked with CPPFLAGS. + +19 January 2016: Wouter + - Squelch 'cannot assign requested address' log messages unless + verbosity is high, it was spammed after network down. + +14 January 2016: Wouter + - Fix to simplify empty string checking from Michael McConville. + - iana portlist update. + +12 January 2016: Wouter + - Fix #734: Do not log an error when the PID file cannot be chown'ed. + Patch from Simon Deziel. + +11 January 2016: Wouter + - Fix test if -pthreads unused to use better grep for portability. + +06 January 2016: Wouter + - Fix mingw crosscompile for recent mingw. + - Update aclocal, autoconf output with new versions (1.15, 2.4.6). + +05 January 2016: Wouter + - #731: tcp-mss, outgoing-tcp-mss options for unbound.conf, patch + from Daisuke Higashi. + - Support RFC7686: handle ".onion" Special-Use Domain. It is blocked + by default, and can be unblocked with "nodefault" localzone config. + +04 January 2016: Wouter + - Define DEFAULT_SOURCE together with BSD_SOURCE when that is defined, + for Linux glibc 2.20. + - Fixup contrib/aaaa-filter-iterator.patch for moved contents in the + source code, so it applies cleanly again. Removed unused variable + warnings. + 15 December 2015: Ralph - Fix #729: omit use of escape sequences in echo since they are not portable (unbound-control-setup). diff --git a/external/unbound/doc/README b/external/unbound/doc/README index 1ae9f4f45..558a48071 100644 --- a/external/unbound/doc/README +++ b/external/unbound/doc/README @@ -1,4 +1,4 @@ -README for Unbound @version@ +README for Unbound 1.6.3 Copyright 2007 NLnet Labs http://unbound.net diff --git a/external/unbound/doc/example.conf.in b/external/unbound/doc/example.conf.in index af8f92bd3..3411d7edb 100644 --- a/external/unbound/doc/example.conf.in +++ b/external/unbound/doc/example.conf.in @@ -1,7 +1,7 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version @version@. +# See unbound.conf(5) man page, version 1.6.3. # # this is a comment. @@ -19,6 +19,14 @@ server: # Set to "" or 0 to disable. Default is disabled. # statistics-interval: 0 + # enable shm for stats, default no. if you enable also enable + # statistics-interval, every time it also writes stats to the + # shared memory segment keyed with shm-key. + # shm-enable: no + + # shm for stats uses this key, and key+1 for the shared mem segment. + # shm-key: 11777 + # enable cumulative statistics, without clearing them after printing. # statistics-cumulative: no @@ -53,6 +61,15 @@ server: # outgoing-interface: 2001:DB8::5 # outgoing-interface: 2001:DB8::6 + # Specify a netblock to use remainder 64 bits as random bits for + # upstream queries. Uses freebind option (Linux). + # outgoing-interface: 2001:DB8::/64 + # Also (Linux:) ip -6 addr add 2001:db8::/64 dev lo + # And: ip -6 route add local 2001:db8::/64 dev lo + # And set prefer-ip6: yes to use the ip6 randomness from a netblock. + # Set this to yes to prefer ipv6 upstream servers over ipv4. + # prefer-ip6: no + # number of ports to allocate per thread, determines the size of the # port range that can be open simultaneously. About double the # num-queries-per-thread, or, use as many as the OS will allow you. @@ -90,8 +107,14 @@ server: # use IP_TRANSPARENT so the interface: addresses can be non-local # and you can config non-existing IPs that are going to work later on + # (uses IP_BINDANY on FreeBSD). # ip-transparent: no + # use IP_FREEBIND so the interface: addresses can be non-local + # and you can bind to nonexisting IPs and interfaces that are down. + # Linux only. On Linux you also have ip-transparent that is similar. + # ip-freebind: no + # EDNS reassembly buffer to advertise to UDP peers (the actual buffer # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts). # edns-buffer-size: 4096 @@ -157,6 +180,10 @@ server: # the maximum number of hosts that are cached (roundtrip, EDNS, lame). # infra-cache-numhosts: 10000 + # define a number of tags here, use with local-zone, access-control. + # repeat the define-tag statement to add additional tags. + # define-tag: "tag1 tag2 tag3" + # Enable IPv4, "yes" or "no". # do-ip4: yes @@ -173,7 +200,19 @@ server: # useful for tunneling scenarios, default no. # tcp-upstream: no + # Maximum segment size (MSS) of TCP socket on which the server + # responds to queries. Default is 0, system default MSS. + # tcp-mss: 0 + + # Maximum segment size (MSS) of TCP socket for outgoing queries. + # Default is 0, system default MSS. + # outgoing-tcp-mss: 0 + + # Use systemd socket activation for UDP, TCP, and control sockets. + # use-systemd: no + # Detach from the terminal, run in background, "yes" or "no". + # Set the value to "no" when unbound runs as systemd service. # do-daemonize: yes # control which clients are allowed to make (recursive) queries @@ -189,6 +228,23 @@ server: # access-control: ::1 allow # access-control: ::ffff:127.0.0.1 allow + # tag access-control with list of tags (in "" with spaces between) + # Clients using this access control element use localzones that + # are tagged with one of these tags. + # access-control-tag: 192.0.2.0/24 "tag2 tag3" + + # set action for particular tag for given access control element + # if you have multiple tag values, the tag used to lookup the action + # is the first tag match between access-control-tag and local-zone-tag + # where "first" comes from the order of the define-tag values. + # access-control-tag-action: 192.0.2.0/24 tag3 refuse + + # set redirect data for particular tag for access control element + # access-control-tag-data: 192.0.2.0/24 tag2 "A 127.0.0.1" + + # Set view for access control element + # access-control-view: 192.0.2.0/24 viewname + # if given, a chroot(2) is done to the given directory. # i.e. you can chroot to the working directory, for example, # for extra security, but make sure all files are in that directory. @@ -222,6 +278,8 @@ server: # the working directory. The relative files in this config are # relative to this directory. If you give "" the working directory # is not changed. + # If you give a server: directory: dir before include: file statements + # then those includes can be relative to the working directory. # directory: "@UNBOUND_RUN_DIR@" # the log file, "" means log to stderr. @@ -229,15 +287,23 @@ server: # logfile: "" # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to - # log to, with identity "unbound". If yes, it overrides the logfile. + # log to. If yes, it overrides the logfile. # use-syslog: yes + # Log identity to report. if empty, defaults to the name of argv[0] + # (usually "unbound"). + # log-identity: "" + # print UTC timestamp in ascii to logfile, default is epoch in seconds. # log-time-ascii: no # print one line with time, IP, name, type, class for every query. # log-queries: no + # print one line per reply, with time, IP, name, type, class, rcode, + # timetoresolve, fromcache and responsesize. + # log-replies: no + # the pid file. Can be an absolute path outside of chroot/work dir. # pidfile: "@UNBOUND_PIDFILE@" @@ -250,6 +316,9 @@ server: # enable to not answer version.server and version.bind queries. # hide-version: no + + # enable to not answer trustanchor.unbound queries. + # hide-trustanchor: no # the identity to report. Leave "" or default to return hostname. # identity: "" @@ -285,7 +354,7 @@ server: # Harden against queries that fall under dnssec-signed nxdomain names. # harden-below-nxdomain: no - # Harden the referral path by performing additional queries for + # Harden the referral path by performing additional queries for # infrastructure data. Validates the replies (if possible). # Default off, because the lookups burden the server. Experimental # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. @@ -301,6 +370,12 @@ server: # to NS when possible. # qname-minimisation: no + # QNAME minimisation in strict mode. Do not fall-back to sending full + # QNAME to potentially broken nameservers. A lot of domains will not be + # resolvable when this option in enabled. + # This option only has effect when qname-minimisation is enabled. + # qname-minimisation-strict: no + # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. # use-caps-for-id: no @@ -308,6 +383,7 @@ server: # Domains (and domains in them) without support for dns-0x20 and # the fallback fails because they keep sending different answers. # caps-whitelist: "licdn.com" + # caps-whitelist: "senderbase.org" # Enforce privacy of these addresses. Strips them away from answers. # It may cause DNSSEC validation to additionally mark it as bogus. @@ -355,6 +431,9 @@ server: # into response messages when those sections are not required. # minimal-responses: no + # true to disable DNSSEC lameness check in iterator. + # disable-dnssec-lame-check: no + # module configuration of the server. A string with identifiers # separated by spaces. Syntax: "[dns64] [validator] iterator" # module-config: "validator iterator" @@ -430,6 +509,10 @@ server: # that set CD but cannot validate themselves. # ignore-cd-flag: no + # Serve expired reponses from cache, with TTL 0 in the response, + # and then attempt to fetch the data afresh. + # serve-expired: no + # Have the validator log failed validations for your diagnosis. # 0: off. 1: A line per failed user query. 2: With reason and bad IP. # val-log-level: 0 @@ -450,7 +533,8 @@ server: # If the value 0 is given, missing anchors are not removed. # keep-missing: 31622400 # 366 days - # debug option that allows very small holddown times for key rollover + # debug option that allows very small holddown times for key rollover, + # otherwise the RFC mandates probe intervals must be at least 1 hour. # permit-small-holddown: no # the amount of memory to use for the key cache. @@ -475,6 +559,7 @@ server: # local-zone: "localhost." nodefault # local-zone: "127.in-addr.arpa." nodefault # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault + # local-zone: "onion." nodefault # local-zone: "10.in-addr.arpa." nodefault # local-zone: "16.172.in-addr.arpa." nodefault # local-zone: "17.172.in-addr.arpa." nodefault @@ -508,13 +593,17 @@ server: # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa. - # if unbound is running service for the local host then it is useful + # If unbound is running service for the local host then it is useful # to perform lan-wide lookups to the upstream, and unblock the # long list of local-zones above. If this unbound is a dns server # for a network of computers, disabled is better and stops information # leakage of local lan information. # unblock-lan-zones: no + # The insecure-lan-zones option disables validation for + # these zones, as if they were all listed as domain-insecure. + # insecure-lan-zones: no + # a number of locally served zones can be configured. # local-zone: <zone> <type> # local-data: "<resource record string>" @@ -525,8 +614,10 @@ server: # o redirect serves the zone data for any subdomain in the zone. # o nodefault can be used to normally resolve AS112 zones. # o typetransparent resolves normally for other types and other names - # o inform resolves normally, but logs client IP address + # o inform acts like transparent, but logs client IP address # o inform_deny drops queries and logs client IP address + # o always_transparent, always_refuse, always_nxdomain, resolve in + # that way but ignore local data for that name. # # defaults are localhost address, reverse for 127.0.0.1 and ::1 # and nxdomain for AS112 zones. If you configure one of these zones @@ -553,6 +644,12 @@ server: # you need to do the reverse notation yourself. # local-data-ptr: "192.0.2.3 www.example.com" + # tag a localzone with a list of tag names (in "" with spaces between) + # local-zone-tag: "example.com" "tag2 tag3" + + # add a netblock specific override to a localzone, with zone type + # local-zone-override: "example.com" 192.0.2.0/24 refuse + # service clients over SSL (on the TCP sockets), with plain DNS inside # the SSL stream. Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. @@ -586,7 +683,21 @@ server: # ratelimit-for-domain: example.com 1000 # override the ratelimits for all domains below a domain name # can give this multiple times, the name closest to the zone is used. - # ratelimit-below-domain: example 1000 + # ratelimit-below-domain: com 1000 + + # global query ratelimit for all ip addresses. + # feature is experimental. + # if 0(default) it is disabled, otherwise states qps allowed per ip address + # ip-ratelimit: 0 + + # ip ratelimits are tracked in a cache, size in bytes of cache (or k,m). + # ip-ratelimit-size: 4m + # ip ratelimit cache slabs, reduces lock contention if equal to cpucount. + # ip-ratelimit-slabs: 4 + + # 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through + # ip-ratelimit-factor: 10 + # Python config section. To enable: # o use --with-pythonmodule to configure before compiling. @@ -639,6 +750,7 @@ remote-control: # stub-addr: 192.0.2.68 # stub-prime: no # stub-first: no +# stub-ssl-upstream: no # stub-zone: # name: "example.org" # stub-host: ns.example.com. @@ -654,6 +766,44 @@ remote-control: # forward-addr: 192.0.2.68 # forward-addr: 192.0.2.73@5355 # forward to port 5355. # forward-first: no +# forward-ssl-upstream: no # forward-zone: # name: "example.org" # forward-host: fwd.example.com + +# Views +# Create named views. Name must be unique. Map views to requests using +# the access-control-view option. Views can contain zero or more local-zone +# and local-data options. Options from matching views will override global +# options. Global options will be used if no matching view is found. +# With view-first yes, it will try to answer using the global local-zone and +# local-data elements if there is no view specific match. +# view: +# name: "viewname" +# local-zone: "example.com" redirect +# local-data: "example.com A 192.0.2.3" +# local-data-ptr: "192.0.2.3 www.example.com" +# view-first: no +# view: +# name: "anotherview" +# local-zone: "example.com" refuse + +# DNSCrypt +# Caveats: +# 1. the keys/certs cannot be produced by unbound. You can use dnscrypt-wrapper +# for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage +# 2. dnscrypt channel attaches to an interface. you MUST set interfaces to +# listen on `dnscrypt-port` with the follo0wing snippet: +# server: +# interface: 0.0.0.0@443 +# interface: ::0@443 +# +# Finally, `dnscrypt` config has its own section. +# dnscrypt: +# dnscrypt-enable: yes +# dnscrypt-port: 443 +# dnscrypt-provider: 2.dnscrypt-cert.example.com. +# dnscrypt-secret-key: /path/unbound-conf/keys1/1.key +# dnscrypt-secret-key: /path/unbound-conf/keys2/1.key +# dnscrypt-provider-cert: /path/unbound-conf/keys1/1.cert +# dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert diff --git a/external/unbound/doc/libunbound.3.in b/external/unbound/doc/libunbound.3.in index 1cefbea51..70ed5c2d4 100644 --- a/external/unbound/doc/libunbound.3.in +++ b/external/unbound/doc/libunbound.3.in @@ -1,4 +1,4 @@ -.TH "libunbound" "3" "@date@" "NLnet Labs" "unbound @version@" +.TH "libunbound" "3" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3" .\" .\" libunbound.3 -- unbound library functions manual .\" @@ -12,13 +12,14 @@ .B unbound.h, .B ub_ctx, .B ub_result, -.B ub_callback_t, +.B ub_callback_type, .B ub_ctx_create, .B ub_ctx_delete, .B ub_ctx_set_option, .B ub_ctx_get_option, .B ub_ctx_config, .B ub_ctx_set_fwd, +.B ub_ctx_set_stub, .B ub_ctx_resolvconf, .B ub_ctx_hosts, .B ub_ctx_add_ta, @@ -42,7 +43,7 @@ .B ub_ctx_zone_remove, .B ub_ctx_data_add, .B ub_ctx_data_remove -\- Unbound DNS validating resolver @version@ functions. +\- Unbound DNS validating resolver 1.6.3 functions. .SH "SYNOPSIS" .B #include <unbound.h> .LP @@ -65,6 +66,12 @@ \fBub_ctx_set_fwd\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR addr); .LP \fIint\fR +\fBub_ctx_set_stub\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR zone, +\fIchar*\fR addr, +.br + \fIint\fR isprime); +.LP +\fIint\fR \fBub_ctx_resolvconf\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname); .LP \fIint\fR @@ -113,7 +120,7 @@ .br \fIint\fR rrtype, \fIint\fR rrclass, \fIvoid*\fR mydata, .br - \fIub_callback_t\fR callback, \fIint*\fR async_id); + \fIub_callback_type\fR callback, \fIint*\fR async_id); .LP \fIint\fR \fBub_cancel\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR async_id); @@ -173,7 +180,7 @@ and .B ub_ctx_hosts to read them. Before you call this, use the openssl functions CRYPTO_set_id_callback and -CRYPTO_set_locking_callback to set up asyncronous operation if you use +CRYPTO_set_locking_callback to set up asynchronous operation if you use lib openssl (the application calls these functions once for initialisation). Openssl 1.0.0 or later uses the CRYPTO_THREADID_set_callback function. .TP @@ -207,6 +214,15 @@ that case the addresses are used as backup servers. At this time it is only possible to set configuration before the first resolve is done. .TP +.B ub_ctx_set_stub +Set a stub zone, authoritative dns servers to use for a particular zone. +IP4 or IP6 address. If the address is NULL the stub entry is removed. +Set isprime true if you configure root hints with it. Otherwise similar to +the stub zone item from unbound's config file. Can be called several times, +for different zones, or to add multiple addresses for a particular zone. +At this time it is only possible to set configuration before the +first resolve is done. +.TP .B ub_ctx_resolvconf By default the root servers are queried and full resolver mode is used, but you can use this call to read the list of nameservers to use from the diff --git a/external/unbound/doc/unbound-anchor.8.in b/external/unbound/doc/unbound-anchor.8.in index 3d743a734..f96a9e6c2 100644 --- a/external/unbound/doc/unbound-anchor.8.in +++ b/external/unbound/doc/unbound-anchor.8.in @@ -1,4 +1,4 @@ -.TH "unbound-anchor" "8" "@date@" "NLnet Labs" "unbound @version@" +.TH "unbound-anchor" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3" .\" .\" unbound-anchor.8 -- unbound anchor maintenance utility manual .\" @@ -16,6 +16,8 @@ .SH "DESCRIPTION" .B Unbound\-anchor performs setup or update of the root trust anchor for DNSSEC validation. +The program fetches the trust anchor with the method from RFC7958 when +regular RFC5011 update fails to bring it up to date. It can be run (as root) from the commandline, or run as part of startup scripts. Before you start the \fIunbound\fR(8) DNS server. .P @@ -39,8 +41,8 @@ update certificate files. .P It tests if the root anchor file works, and if not, and an update is possible, attempts to update the root anchor using the root update certificate. -It performs a https fetch of root-anchors.xml and checks the results, if -all checks are successful, it updates the root anchor file. Otherwise +It performs a https fetch of root-anchors.xml and checks the results (RFC7958), +if all checks are successful, it updates the root anchor file. Otherwise the root anchor file is unchanged. It performs RFC5011 tracking if the DNSSEC information available via the DNS makes that possible. .P @@ -65,7 +67,7 @@ List the builtin root key and builtin root update certificate on stdout. .B \-u \fIname The server name, it connects to https://name. Specify without https:// prefix. The default is "data.iana.org". It connects to the port specified with \-P. -You can pass an IPv4 addres or IPv6 address (no brackets) if you want. +You can pass an IPv4 address or IPv6 address (no brackets) if you want. .TP .B \-x \fIpath The pathname to the root\-anchors.xml file on the server. (forms URL with \-u). diff --git a/external/unbound/doc/unbound-checkconf.8.in b/external/unbound/doc/unbound-checkconf.8.in index f38049a03..523784b5c 100644 --- a/external/unbound/doc/unbound-checkconf.8.in +++ b/external/unbound/doc/unbound-checkconf.8.in @@ -1,4 +1,4 @@ -.TH "unbound-checkconf" "8" "@date@" "NLnet Labs" "unbound @version@" +.TH "unbound-checkconf" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3" .\" .\" unbound-checkconf.8 -- unbound configuration checker manual .\" diff --git a/external/unbound/doc/unbound-control.8.in b/external/unbound/doc/unbound-control.8.in index 12d309dda..47d2a4861 100644 --- a/external/unbound/doc/unbound-control.8.in +++ b/external/unbound/doc/unbound-control.8.in @@ -1,4 +1,4 @@ -.TH "unbound-control" "8" "@date@" "NLnet Labs" "unbound @version@" +.TH "unbound-control" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3" .\" .\" unbound-control.8 -- unbound remote control manual .\" @@ -99,6 +99,22 @@ but if the name has become an empty nonterminal (there is still data in domain names below the removed name), NOERROR nodata answers are the result for that name. .TP +.B local_zones +Add local zones read from stdin of unbound\-control. Input is read per line, +with name space type on a line. For bulk additions. +.TP +.B local_zones_remove +Remove local zones read from stdin of unbound\-control. Input is one name per +line. For bulk removals. +.TP +.B local_datas +Add local data RRs read from stdin of unbound\-control. Input is one RR per +line. For bulk additions. +.TP +.B local_datas_remove +Remove local data RRs read from stdin of unbound\-control. Input is one name per +line. For bulk removals. +.TP .B dump_cache The contents of the cache is printed in a text format to stdout. You can redirect it to a file to store the cache in a file. @@ -178,7 +194,7 @@ harden\-referral\-path, prefetch, prefetch\-key, log\-queries, hide\-identity, hide\-version, identity, version, val\-log\-level, val\-log\-squelch, ignore\-cd\-flag, add\-holddown, del\-holddown, keep\-missing, tcp\-upstream, ssl\-upstream, max\-udp\-size, ratelimit, -cache\-max\-ttl, cache\-min\-ttl, cache\-max\-negative\-ttl. +ip\-ratelimit, cache\-max\-ttl, cache\-min\-ttl, cache\-max\-negative\-ttl. .TP .B get_option \fIopt Get the value of the option. Give the option name without a trailing ':'. @@ -263,6 +279,30 @@ estimated qps and qps limit from config. With +a it prints all domains, not just the ratelimited domains, with their estimated qps. The ratelimited domains return an error for uncached (new) queries, but cached queries work as normal. +.TP +.B ip_ratelimit_list \fR[\fI+a\fR] +List the ip addresses that are ratelimited. Printed one per line with current +estimated qps and qps limit from config. With +a it prints all ips, not +just the ratelimited ips, with their estimated qps. The ratelimited +ips are dropped before checking the cache. +.TP +.B view_list_local_zones \fIview\fR +\fIlist_local_zones\fR for given view. +.TP +.B view_local_zone \fIview\fR \fIname\fR \fItype +\fIlocal_zone\fR for given view. +.TP +.B view_local_zone_remove \fIview\fR \fIname +\fIlocal_zone_remove\fR for given view. +.TP +.B view_list_local_data \fIview\fR +\fIlist_local_data\fR for given view. +.TP +.B view_local_data \fIview\fR \fIRR data... +\fIlocal_data\fR for given view. +.TP +.B view_local_data_remove \fIview\fR \fIname +\fIlocal_data_remove\fR for given view. .SH "EXIT CODE" The unbound\-control program exits with status code 1 on error, 0 on success. .SH "SET UP" @@ -288,6 +328,9 @@ The \fIstats\fR command shows a number of statistic counters. .I threadX.num.queries number of queries received by thread .TP +.I threadX.num.queries_ip_ratelimited +number of queries rate limited by thread +.TP .I threadX.num.cachehits number of queries that were successfully answered using a cache lookup .TP @@ -301,6 +344,9 @@ and resulted in recursive processing, taking a slot in the requestlist. Not part of the recursivereplies (or the histogram thereof) or cachemiss, as a cache response was sent. .TP +.I threadX.num.zero_ttl +number of replies with ttl zero, because they served an expired cache entry. +.TP .I threadX.num.recursivereplies The number of replies sent to queries that needed recursive processing. Could be smaller than threadX.num.cachemiss if due to timeouts no replies were sent for some queries. .TP @@ -350,6 +396,9 @@ summed over threads. .I total.num.prefetch summed over threads. .TP +.I total.num.zero_ttl +summed over threads. +.TP .I total.num.recursivereplies summed over threads. .TP @@ -384,9 +433,6 @@ uptime since server boot in seconds. time since last statistics printout, in seconds. .SH EXTENDED STATISTICS .TP -.I mem.total.sbrk -If sbrk(2) is available, an estimate of the heap size of the program in number of bytes. Close to the total memory used by the program, as reported by top and ps. Could be wrong if the OS allocates memory non\-contiguously. -.TP .I mem.cache.rrset Memory in bytes in use by the RRset cache. .TP diff --git a/external/unbound/doc/unbound-host.1.in b/external/unbound/doc/unbound-host.1.in index 0d45c50ca..1d698e16d 100644 --- a/external/unbound/doc/unbound-host.1.in +++ b/external/unbound/doc/unbound-host.1.in @@ -1,4 +1,4 @@ -.TH "unbound\-host" "1" "@date@" "NLnet Labs" "unbound @version@" +.TH "unbound\-host" "1" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3" .\" .\" unbound-host.1 -- unbound DNS lookup utility .\" diff --git a/external/unbound/doc/unbound.8.in b/external/unbound/doc/unbound.8.in index 36014430d..cca759b62 100644 --- a/external/unbound/doc/unbound.8.in +++ b/external/unbound/doc/unbound.8.in @@ -1,4 +1,4 @@ -.TH "unbound" "8" "@date@" "NLnet Labs" "unbound @version@" +.TH "unbound" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3" .\" .\" unbound.8 -- unbound manual .\" @@ -9,7 +9,7 @@ .\" .SH "NAME" .B unbound -\- Unbound DNS validating resolver @version@. +\- Unbound DNS validating resolver 1.6.3. .SH "SYNOPSIS" .B unbound .RB [ \-h ] diff --git a/external/unbound/doc/unbound.conf.5.in b/external/unbound/doc/unbound.conf.5.in index 70291443b..b2c76ac95 100644 --- a/external/unbound/doc/unbound.conf.5.in +++ b/external/unbound/doc/unbound.conf.5.in @@ -1,4 +1,4 @@ -.TH "unbound.conf" "5" "@date@" "NLnet Labs" "unbound @version@" +.TH "unbound.conf" "5" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3" .\" .\" unbound.conf.5 -- unbound.conf manual .\" @@ -72,7 +72,8 @@ Processing continues as if the text from the included file was copied into the config file at that point. If also using chroot, using full path names for the included files works, relative pathnames for the included names work if the directory where the daemon is started equals its chroot/working -directory. Wildcards can be used to include multiple files, see \fIglob\fR(7). +directory or is specified before the include statement with directory: dir. +Wildcards can be used to include multiple files, see \fIglob\fR(7). .SS "Server Options" These options are part of the .B server: @@ -126,7 +127,7 @@ Detect source interface on UDP queries and copy them to replies. This feature is experimental, and needs support in your OS for particular socket options. Default value is no. .TP -.B outgoing\-interface: \fI<ip address> +.B outgoing\-interface: \fI<ip address or ip6 netblock> Interface to use to connect to the network. This interface is used to send queries to authoritative servers and receive their replies. Can be given multiple times to work on several interfaces. If none are given the @@ -136,12 +137,28 @@ and .B outgoing\-interface: lines, the interfaces are then used for both purposes. Outgoing queries are sent via a random outgoing interface to counter spoofing. +.IP +If an IPv6 netblock is specified instead of an individual IPv6 address, +outgoing UDP queries will use a randomised source address taken from the +netblock to counter spoofing. Requires the IPv6 netblock to be routed to the +host running unbound, and requires OS support for unprivileged non-local binds +(currently only supported on Linux). Several netblocks may be specified with +multiple +.B outgoing\-interface: +options, but do not specify both an individual IPv6 address and an IPv6 +netblock, or the randomisation will be compromised. Consider combining with +.B prefer\-ip6: yes +to increase the likelihood of IPv6 nameservers being selected for queries. +On Linux you need these two commands to be able to use the freebind socket +option to receive traffic for the ip6 netblock: +ip \-6 addr add mynetblock/64 dev lo && +ip \-6 route add local mynetblock/64 dev lo .TP .B outgoing\-range: \fI<number> Number of ports to open. This number of file descriptors can be opened per thread. Must be at least 1. Default depends on compile options. Larger numbers need extra resources from the operating system. For performance a -a very large value is best, use libevent to make this possible. +very large value is best, use libevent to make this possible. .TP .B outgoing\-port\-permit: \fI<port number or range> Permit unbound to open this port or range of ports for use to send queries. @@ -275,7 +292,14 @@ are going to exist later on, with host failover configuration. This is a lot like interface\-automatic, but that one services all interfaces and with this option you can select which (future) interfaces unbound provides service on. This option needs unbound to be started with root -permissions on some systems. +permissions on some systems. The option uses IP_BINDANY on FreeBSD systems. +.TP +.B ip\-freebind: \fI<yes or no> +If yes, then use IP_FREEBIND socket option on sockets where unbound +is listening to incoming traffic. Default no. Allows you to bind to +IP addresses that are nonlocal or do not exist, like when the network +interface or IP address is down. Exists only on Linux, where the similar +ip\-transparent option is also available. .TP .B rrset\-cache\-size: \fI<number> Number of bytes size of the RRset cache. Default is 4 megabytes. @@ -322,6 +346,10 @@ Lower limit for dynamic retransmit timeout calculation in infrastructure cache. Default is 50 milliseconds. Increase this value if using forwarders needing more time to do recursive name resolution. .TP +.B define\-tag: \fI<"list of tags"> +Define the tags that can be used with local\-zone and access\-control. +Enclose the list between quotes ("") and put spaces between tags. +.TP .B do\-ip4: \fI<yes or no> Enable or disable whether ip4 queries are answered or issued. Default is yes. .TP @@ -332,12 +360,32 @@ IPv6 to the internet nameservers. With this option you can disable the ipv6 transport for sending DNS traffic, it does not impact the contents of the DNS traffic, which may have ip4 and ip6 addresses in it. .TP +.B prefer\-ip6: \fI<yes or no> +If enabled, prefer IPv6 transport for sending DNS queries to internet +nameservers. Default is no. +.TP .B do\-udp: \fI<yes or no> Enable or disable whether UDP queries are answered or issued. Default is yes. .TP .B do\-tcp: \fI<yes or no> Enable or disable whether TCP queries are answered or issued. Default is yes. .TP +.B tcp\-mss: \fI<number> +Maximum segment size (MSS) of TCP socket on which the server responds +to queries. Value lower than common MSS on Ethernet +(1220 for example) will address path MTU problem. +Note that not all platform supports socket option to set MSS (TCP_MAXSEG). +Default is system default MSS determined by interface MTU and +negotiation between server and client. +.TP +.B outgoing\-tcp\-mss: \fI<number> +Maximum segment size (MSS) of TCP socket for outgoing queries +(from Unbound to other servers). Value lower than +common MSS on Ethernet (1220 for example) will address path MTU problem. +Note that not all platform supports socket option to set MSS (TCP_MAXSEG). +Default is system default MSS determined by interface MTU and +negotiation between Unbound and other servers. +.TP .B tcp\-upstream: \fI<yes or no> Enable or disable whether the upstream queries use TCP only for transport. Default is no. Useful in tunneling scenarios. @@ -365,9 +413,14 @@ turned off. The port number on which to provide TCP SSL service, default 853, only interfaces configured with that port number as @number get the SSL service. .TP +.B use\-systemd: \fI<yes or no> +Enable or disable systemd socket activation. +Default is no. +.TP .B do\-daemonize: \fI<yes or no> Enable or disable whether the unbound server forks into the background as -a daemon. Default is yes. +a daemon. Set the value to \fIno\fR when unbound runs as systemd service. +Default is yes. .TP .B access\-control: \fI<IP netblock> <action> The netblock is given as an IP4 or IP6 address with /size appended for a @@ -409,6 +462,26 @@ allowed full recursion but only the static data. With deny_non_local, messages that are disallowed are dropped, with refuse_non_local they receive error code REFUSED. .TP +.B access\-control\-tag: \fI<IP netblock> <"list of tags"> +Assign tags to access-control elements. Clients using this access control +element use localzones that are tagged with one of these tags. Tags must be +defined in \fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put +spaces between tags. If access\-control\-tag is configured for a netblock that +does not have an access\-control, an access\-control element with action +\fIallow\fR is configured for this netblock. +.TP +.B access\-control\-tag\-action: \fI<IP netblock> <tag> <action> +Set action for particular tag for given access control element. If you have +multiple tag values, the tag used to lookup the action is the first tag match +between access\-control\-tag and local\-zone\-tag where "first" comes from the +order of the define-tag values. +.TP +.B access\-control\-tag\-data: \fI<IP netblock> <tag> <"resource record string"> +Set redirect data for particular tag for given access control element. +.TP +.B access\-control\-view: \fI<IP netblock> <view name> +Set view for given access control element. +.TP .B chroot: \fI<directory> If chroot is enabled, you should pass the configfile (from the commandline) as a full path from the original root. After the @@ -446,6 +519,8 @@ requires privileges, then a reload will fail; a restart is needed. Sets the working directory for the program. Default is "@UNBOUND_RUN_DIR@". On Windows the string "%EXECUTABLE%" tries to change to the directory that unbound.exe resides in. +If you give a server: directory: dir before include: file statements +then those includes can be relative to the working directory. .TP .B logfile: \fI<filename> If "" is given, logging goes to stderr, or nowhere once daemonized. @@ -464,6 +539,13 @@ The log facility LOG_DAEMON is used, with identity "unbound". The logfile setting is overridden when use\-syslog is turned on. The default is to log to syslog. .TP +.B log\-identity: \fI<string> +If "" is given (default), then the name of the executable, usually "unbound" +is used to report to the log. Enter a string to override it +with that, which is useful on systems that run more than one instance of +unbound, with different configurations, so that the logs can be easily +distinguished against. +.TP .B log\-time\-ascii: \fI<yes or no> Sets logfile lines to use a timestamp in UTC ascii. Default is no, which prints the seconds since 1970 in brackets. No effect if using syslog, in @@ -475,6 +557,13 @@ name, type and class. Default is no. Note that it takes time to print these lines which makes the server (significantly) slower. Odd (nonprintable) characters in names are printed as '?'. .TP +.B log\-replies: \fI<yes or no> +Prints one line per reply to the log, with the log timestamp and IP address, +name, type, class, return code, time to resolve, from cache and response size. +Default is no. Note that it takes time to print these +lines which makes the server (significantly) slower. Odd (nonprintable) +characters in names are printed as '?'. +.TP .B pidfile: \fI<filename> The process id is written to the file. Default is "@UNBOUND_PIDFILE@". So, @@ -507,6 +596,9 @@ If enabled version.server and version.bind queries are refused. Set the version to report. If set to "", the default, then the package version is returned. .TP +.B hide\-trustanchor: \fI<yes or no> +If enabled trustanchor.unbound queries are refused. +.TP .B target\-fetch\-policy: \fI<"list of numbers"> Set the target fetch policy used by unbound to determine if it should fetch nameserver target addresses opportunistically. The policy is described per @@ -547,13 +639,15 @@ unsigned to badly signed often. If turned off you run the risk of a downgrade attack that disables security for a zone. Default is on. .TP .B harden\-below\-nxdomain: \fI<yes or no> -From draft\-vixie\-dnsext\-resimprove, returns nxdomain to queries for a name +From RFC 8020 (with title "NXDOMAIN: There Really Is Nothing Underneath"), +returns nxdomain to queries for a name below another name that is already known to be nxdomain. DNSSEC mandates noerror for empty nonterminals, hence this is possible. Very old software might return nxdomain for empty nonterminals (that usually happen for reverse IP address lookups), and thus may be incompatible with this. To try to avoid this only DNSSEC-secure nxdomains are used, because the old software does not have DNSSEC. Default is off. +The nxdomain must be secure, this means nsec3 with optout is insufficient. .TP .B harden\-referral\-path: \fI<yes or no> Harden the referral path by performing additional queries for @@ -590,8 +684,15 @@ Can be given multiple times, for different domains. .B qname\-minimisation: \fI<yes or no> Send minimum amount of information to upstream servers to enhance privacy. Only sent minimum required labels of the QNAME and set QTYPE to NS when -possible. Best effort approach, full QNAME and original QTYPE will be sent when -upstream replies with a RCODE other than NOERROR. Default is off. +possible. Best effort approach; full QNAME and original QTYPE will be sent when +upstream replies with a RCODE other than NOERROR, except when receiving +NXDOMAIN from a DNSSEC signed zone. Default is off. +.TP +.B qname\-minimisation\-strict: \fI<yes or no> +QNAME minimisation in strict mode. Do not fall-back to sending full QNAME to +potentially broken nameservers. A lot of domains will not be resolvable when +this option in enabled. Only use if you know what you are doing. +This option only has effect when qname-minimisation is enabled. Default is off. .TP .B private\-address: \fI<IP address or subnet> Give IPv4 of IPv6 addresses or classless subnets. These are addresses @@ -657,6 +758,13 @@ This may cause a slight speedup. The default is no, because the DNS protocol RFCs mandate these sections, and the additional content could be of use and save roundtrips for clients. .TP +.B disable-dnssec-lame-check: \fI<yes or no> +If true, disables the DNSSEC lameness check in the iterator. This check +sees if RRSIGs are present in the answer, when dnssec is expected, +and retries another authority if RRSIGs are unexpectedly missing. +The validator will insist in RRSIGs for DNSSEC signed domains regardless +of this setting, if a trust anchor is loaded. +.TP .B module\-config: \fI<"module names"> Module configuration, a list of module names separated by spaces, surround the string with quotes (""). The modules can be validator, iterator. @@ -675,7 +783,10 @@ File with trust anchor for one zone, which is tracked with RFC5011 probes. The probes are several times per month, thus the machine must be online frequently. The initial file can be one with contents as described in \fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated, -so the unbound user must have write permission. +so the unbound user must have write permission. Write permission to the file, +but also to the directory it is in (to create a temporary file, which is +necessary to deal with filesystem full events), it must also be inside the +chroot (if that is used). .TP .B trust\-anchor: \fI<"Resource Record"> A DS or DNSKEY RR for a key to use for validation. Multiple entries can be @@ -782,6 +893,11 @@ servers that set the CD flag but cannot validate DNSSEC themselves are the clients, and then unbound provides them with DNSSEC protection. The default value is "no". .TP +.B serve\-expired: \fI<yes or no> +If enabled, unbound attempts to serve old responses from cache with a +TTL of 0 in the response without waiting for the actual resolution to finish. +The actual resolution answer ends up in the cache later on. Default is "no". +.TP .B val\-nsec3\-keysize\-iterations: \fI<"list of values"> List of keysize and iteration count values, separated by spaces, surrounded by quotes. Default is "1024 150 2048 500 4096 2500". This determines the @@ -841,10 +957,16 @@ as a (DHCP-) DNS network resolver for a group of machines, where such lookups should be filtered (RFC compliance), this also stops potential data leakage about the local network to the upstream DNS servers. .TP +.B insecure\-lan\-zones: \fI<yesno> +Default is disabled. If enabled, then reverse lookups in private +address space are not validated. This is usually required whenever +\fIunblock\-lan\-zones\fR is used. +.TP .B local\-zone: \fI<zone> <type> Configure a local zone. The type determines the answer to give if there is no match from local\-data. The types are deny, refuse, static, transparent, redirect, nodefault, typetransparent, inform, inform_deny, +always_transparent, always_refuse, always_nxdomain, and are explained below. After that the default settings are listed. Use local\-data: to enter data into the local zone. Answers for local zones are authoritative DNS answers. By default the zones are class IN. @@ -895,16 +1017,25 @@ queries for www.example.com and www.foo.example.com are redirected, so that users with web browsers cannot access sites with suffix example.com. .TP 10 \h'5'\fIinform\fR -The query is answered normally. The client IP address (@portnumber) -is printed to the logfile. The log message is: timestamp, unbound-pid, -info: zonename inform IP@port queryname type class. This option can be -used for normal resolution, but machines looking up infected names are -logged, eg. to run antivirus on them. +The query is answered normally, same as transparent. The client IP +address (@portnumber) is printed to the logfile. The log message is: +timestamp, unbound-pid, info: zonename inform IP@port queryname type +class. This option can be used for normal resolution, but machines +looking up infected names are logged, eg. to run antivirus on them. .TP 10 \h'5'\fIinform_deny\fR The query is dropped, like 'deny', and logged, like 'inform'. Ie. find infected machines without answering the queries. .TP 10 +\h'5'\fIalways_transparent\fR +Like transparent, but ignores local data and resolves normally. +.TP 10 +\h'5'\fIalways_refuse\fR +Like refuse, but ignores local data and refuses the query. +.TP 10 +\h'5'\fIalways_nxdomain\fR +Like static, but ignores local data and returns nxdomain for the query. +.TP 10 \h'5'\fInodefault\fR Used to turn off default contents for AS112 zones. The other types also turn off default contents for the zone. The 'nodefault' option @@ -912,10 +1043,10 @@ has no other effect than turning off default contents for the given zone. Use \fInodefault\fR if you use exactly that zone, if you want to use a subzone, use \fItransparent\fR. .P -The default zones are localhost, reverse 127.0.0.1 and ::1, and the AS112 -zones. The AS112 zones are reverse DNS zones for private use and reserved -IP addresses for which the servers on the internet cannot provide correct -answers. They are configured by default to give nxdomain (no reverse +The default zones are localhost, reverse 127.0.0.1 and ::1, the onion and +the AS112 zones. The AS112 zones are reverse DNS zones for private use and +reserved IP addresses for which the servers on the internet cannot provide +correct answers. They are configured by default to give nxdomain (no reverse information) answers. The defaults can be turned off by specifying your own local\-zone of that name, or using the 'nodefault' type. Below is a list of the default zone contents. @@ -959,6 +1090,15 @@ local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. PTR localhost." .fi .TP 10 +\h'5'\fIonion (RFC 7686)\fR +Default content: +.nf +local\-zone: "onion." static +local\-data: "onion. 10800 IN NS localhost." +local\-data: "onion. 10800 IN + SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" +.fi +.TP 10 \h'5'\fIreverse RFC1918 local use zones\fR Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to 31.172.in\-addr.arpa, 168.192.in\-addr.arpa. @@ -1013,6 +1153,18 @@ Configure local data shorthand for a PTR record with the reversed IPv4 or IPv6 address and the host name. For example "192.0.2.4 www.example.com". TTL can be inserted like this: "2001:DB8::4 7200 www.example.com" .TP 5 +.B local\-zone\-tag: \fI<zone> <"list of tags"> +Assign tags to localzones. Tagged localzones will only be applied when the +used access-control element has a matching tag. Tags must be defined in +\fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put spaces between +tags. +.TP 5 +.B local\-zone\-override: \fI<zone> <IP netblock> <type> +Override the localzone type for queries from addresses matching netblock. +Use this localzone type, regardless the type configured for the local-zone +(both tagged and untagged) and regardless the type configured using +access\-control\-tag\-action. +.TP 5 .B ratelimit: \fI<number or 0> Enable ratelimiting of queries sent to nameserver for performing recursion. If 0, the default, it is disabled. This option is experimental at this time. @@ -1057,6 +1209,34 @@ in different parts of the namespace. The closest matching suffix is used to determine the qps limit. The rate for the exact matching domain name is not changed, use ratelimit\-for\-domain to set that, you might want to use different settings for a top\-level\-domain and subdomains. +.TP 5 +.B ip\-ratelimit: \fI<number or 0> +Enable global ratelimiting of queries accepted per ip address. +If 0, the default, it is disabled. This option is experimental at this time. +The ratelimit is in queries per second that are allowed. More queries are +completely dropped and will not receive a reply, SERVFAIL or otherwise. +IP ratelimiting happens before looking in the cache. This may be useful for +mitigating amplification attacks. +.TP 5 +.B ip\-ratelimit\-size: \fI<memory size> +Give the size of the data structure in which the current ongoing rates are +kept track in. Default 4m. In bytes or use m(mega), k(kilo), g(giga). +The ip ratelimit structure is small, so this data structure likely does +not need to be large. +.TP 5 +.B ip\-ratelimit\-slabs: \fI<number> +Give power of 2 number of slabs, this is used to reduce lock contention +in the ip ratelimit tracking data structure. Close to the number of cpus is +a fairly good setting. +.TP 5 +.B ip\-ratelimit\-factor: \fI<number> +Set the amount of queries to rate limit when the limit is exceeded. +If set to 0, all queries are dropped for addresses where the limit is +exceeded. If set to another value, 1 in that number is allowed through +to complete. Default is 10, allowing 1/10 traffic to flow normally. +This can make ordinary queries complete (if repeatedly queried for), +and enter the cache, whilst also mitigating the traffic flow by the +factor given. .SS "Remote Control Options" In the .B remote\-control: @@ -1167,6 +1347,10 @@ If enabled, a query is attempted without the stub clause if it fails. The data could not be retrieved and would have caused SERVFAIL because the servers are unreachable, instead it is tried without this clause. The default is no. +.TP +.B stub\-ssl\-upstream: \fI<yes or no> +Enabled or disable whether the queries to this stub use SSL for transport. +Default is no. .SS "Forward Zone Options" .LP There may be multiple @@ -1197,6 +1381,40 @@ If enabled, a query is attempted without the forward clause if it fails. The data could not be retrieved and would have caused SERVFAIL because the servers are unreachable, instead it is tried without this clause. The default is no. +.TP +.B forward\-ssl\-upstream: \fI<yes or no> +Enabled or disable whether the queries to this forwarder use SSL for transport. +Default is no. +.SS "View Options" +.LP +There may be multiple +.B view: +clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and +\fBlocal\-data\fR elements. View can be mapped to requests by specifying the view +name in an \fBaccess\-control\-view\fR element. Options from matching views will +override global options. Global options will be used if no matching view +is found. +.TP +.B name: \fI<view name> +Name of the view. Must be unique. This name is used in access\-control\-view +elements. +.TP +.B local\-zone: \fI<zone> <type> +View specific local\-zone elements. Has the same types and behaviour as the +global local\-zone elements. +.TP +.B local\-data: \fI"<resource record string>" +View specific local\-data elements. Has the same behaviour as the global +local\-data elements. +.TP +.B local\-data\-ptr: \fI"IPaddr name" +View specific local\-data\-ptr elements. Has the same behaviour as the global +local\-data\-ptr elements. +.TP +.B view\-first: \fI<yes or no> +If enabled, it attempts to use the global local\-zone and local\-data if there +is no match in the view specific options. +The default is no. .SS "Python Module Options" .LP The @@ -1206,9 +1424,15 @@ acts like the iterator and validator modules do, on queries and answers. To enable the script module it has to be compiled into the daemon, and the word "python" has to be put in the \fBmodule\-config:\fR option (usually first, or between the validator and iterator). +.LP +If the \fBchroot:\fR option is enabled, you should make sure Python's +library directory structure is bind mounted in the new root environment, see +\fImount\fR(8). Also the \fBpython\-script:\fR path should be specified as an +absolute path relative to the new root, or as a relative path to the working +directory. .TP .B python\-script: \fI<python file>\fR -The script file to load. +The script file to load. .SS "DNS64 Module Options" .LP The dns64 module must be configured in the \fBmodule\-config:\fR "dns64 @@ -1222,6 +1446,79 @@ It must be /96 or shorter. The default prefix is 64:ff9b::/96. .B dns64\-synthall: \fI<yes or no>\fR Debug option, default no. If enabled, synthesize all AAAA records despite the presence of actual AAAA records. +.SS "DNSCrypt Options" +.LP +The +.B dnscrypt: +clause give the settings of the dnscrypt channel. While those options are +available, they are only meaningful if unbound was compiled with +\fB\-\-enable\-dnscrypt\fR. +Currently certificate and secret/public keys cannot be generated by unbound. +You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage +.TP +.B dnscrypt\-enable: \fI<yes or no>\fR +Whether or not the \fBdnscrypt\fR config should be enabled. You may define +configuration but not activate it. +The default is no. +.TP +.B dnscrypt\-port: \fI<port number> +On which port should \fBdnscrypt\fR should be activated. Note that you should +have a matching \fBinterface\fR option defined in the \fBserver\fR section for +this port. +.TP +.B dnscrypt\-provider: \fI<provider name>\fR +The provider name to use to distribute certificates. This is of the form: +\fB2.dnscrypt-cert.example.com.\fR. The name \fIMUST\fR end with a dot. +.TP +.B dnscrypt\-secret\-key: \fI<path to secret key file>\fR +Path to the time limited secret key file. This option may be specified multiple +times. +.TP +.B dnscrypt\-provider\-cert: \fI<path to cert file>\fR +Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs. This option +may be specified multiple times. +.SS "EDNS Client Subnet Module Options" +.LP +The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache +validator iterator" directive and be compiled into the daemon to be +enabled. These settings go in the \fBserver:\fR section. +.LP +If the destination address is whitelisted with Unbound will add the EDNS0 option +to the query containing the relevant part of the client's address. When an +answer contains the ECS option the response and the option are placed in a +specialized cache. If the authority indicated no support, the response is stored +in the regular cache. +.LP +Additionally, when a client includes the option in its queries, Unbound will +forward the option to the authority regardless of the authorities presence in +the whitelist. In this case the lookup in the regular cache is skipped. +.LP +The maximum size of the ECS cache is controlled by 'msg-cache-size' in the +configuration file. On top of that, for each query only 100 different subnets +are allowed to be stored for each address family. Exceeding that number, older +entries will be purged from cache. +.TP +.B send\-client\-subnet: \fI<IP address>\fR +Send client source address to this authority. Append /num to indicate a +classless delegation netblock, for example like 10.2.3.4/24 or 2001::11/64. Can +be given multiple times. Authorities not listed will not receive edns-subnet +information. +.TP +.B client\-subnet\-always\-forward: \fI<yes or no>\fR +Specify whether the ECS whitelist check (configured using +\fBsend\-client\-subnet\fR) is applied for all queries, even if the triggering +query contains an ECS record, or only for queries for which the ECS record is +generated using the querier address (and therefore did not contain ECS data in +the client query). If enabled, the whitelist check is skipped when the client +query contains an ECS record. Default is no. +.TP +.B max\-client\-subnet\-ipv6: \fI<number>\fR +Specifies the maximum prefix length of the client source address we are willing +to expose to third parties for IPv6. Defaults to 56. +.TP +.B max\-client\-subnet\-ipv4: \fI<number>\fR +Specifies the maximum prefix length of the client source address we are willing +to expose to third parties for IPv4. Defaults to 24. .SH "MEMORY CONTROL EXAMPLE" In the example config settings below memory usage is reduced. Some service levels are lower, notable very large data and a high TCP load are no longer diff --git a/external/unbound/doc/unbound.doxygen b/external/unbound/doc/unbound.doxygen index 43f2e38d8..fe3987681 100644 --- a/external/unbound/doc/unbound.doxygen +++ b/external/unbound/doc/unbound.doxygen @@ -623,7 +623,9 @@ EXCLUDE = ./build \ pythonmod/examples/resip.py \ libunbound/python/unbound.py \ libunbound/python/libunbound_wrap.c \ - ./ldns-src + ./ldns-src \ + doc/control_proto_spec.txt \ + doc/requirements.txt # The EXCLUDE_SYMLINKS tag can be used select whether or not files or # directories that are symbolic links (a Unix filesystem feature) are excluded |