path: root/contrib/unbound/doc/unbound.conf.5
Diffstat (limited to 'contrib/unbound/doc/unbound.conf.5')
-rw-r--r--  contrib/unbound/doc/unbound.conf.5  49
1 files changed, 46 insertions, 3 deletions
diff --git a/contrib/unbound/doc/unbound.conf.5 b/contrib/unbound/doc/unbound.conf.5
index 1b399a4..a106733 100644
--- a/contrib/unbound/doc/unbound.conf.5
+++ b/contrib/unbound/doc/unbound.conf.5
@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20"
+.TH "unbound.conf" "5" "Mar 12, 2014" "NLnet Labs" "unbound 1.4.22"
.\"
.\" unbound.conf.5 -- unbound.conf manual
.\"
@@ -122,6 +122,9 @@ A port number can be specified with @port (without spaces between
interface and port number), if not specified the default port (from
\fBport\fR) is used.
.TP
+.B ip\-address: \fI<ip address[@port]>
+Same as interface: (for easy of compatibility with nsd.conf).
+.TP
.B interface\-automatic: \fI<yes or no>
Detect source interface on UDP queries and copy them to replies. This
feature is experimental, and needs support in your OS for particular socket
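Review bot: typo on the added ip\-address line: "for easy of compatibility with nsd.conf" should read "for ease of compatibility with nsd.conf". The cross-reference "Same as interface:" would also be clearer as "Same as \fBinterface\fR", matching how the file refers to other options (e.g. "from \fBport\fR" a few lines above in this hunk).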
@@ -183,6 +186,11 @@ stringent path MTU problems, but is seen as extreme, since the amount
of TCP fallback generated is excessive (probably also for this resolver,
consider tuning the outgoing tcp number).
.TP
+.B max\-udp\-size: \fI<number>
+Maximum UDP response size (not applied to TCP response). 65536 disables the
+udp response size maximum, and uses the choice from the client, always.
+Suggested values are 512 to 4096. Default is 4096.
+.TP
.B msg\-buffer\-size: \fI<number>
Number of bytes size of the message buffers. Default is 65552 bytes, enough
for 64 Kb packets, the maximum DNS message size. No message larger than this
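Review bot: the max\-udp\-size entry never says what happens to a UDP answer larger than the limit. Since the entry is explicit that the cap is "not applied to TCP response", it should state how an oversize answer is handled (presumably truncated so the client falls back to TCP); without that, the reader cannot weigh "Suggested values are 512 to 4096" against the TCP fallback cost the preceding paragraph warns about ("the amount of TCP fallback generated is excessive"). Minor: "the udp response size maximum" should use "UDP", as in the first sentence of the same entry.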
@@ -220,6 +228,15 @@ The qps for short queries can be about (numqueriesperthread / 2)
/ (jostletimeout in whole seconds) qps per thread, about (1024/2)*5 = 2560
qps by default.
.TP
+.B delay\-close: \fI<msec>
+Extra delay for timeouted UDP ports before they are closed, in msec.
+Default is 0, and that disables it. This prevents very delayed answer
+packets from the upstream (recursive) servers from bouncing against
+closed ports and setting off all sort of close-port counters, with
+eg. 1500 msec. When timeouts happen you need extra sockets, it checks
+the ID and remote IP of packets, and unwanted packets are added to the
+unwanted packet counter.
+.TP
.B so\-rcvbuf: \fI<number>
If not 0, then set the SO_RCVBUF socket option to get more buffer
space on UDP port 53 incoming queries. So that short spikes on busy
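Review bot: the delay\-close description is hard to parse: "timeouted" should be "timed-out", "all sort of close-port counters" should be "all sorts of closed-port counters", the "with eg. 1500 msec" clause hangs off the wrong sentence, and the final sentence runs three separate statements together. Suggested wording: "Extra delay before timed-out UDP ports are closed, in msec. Default is 0, which disables it. A value such as 1500 msec prevents very late answers from upstream (recursive) servers from hitting closed ports and setting off closed-port counters. Holding ports open longer means more sockets are in use while timeouts occur; packets arriving on a delayed port are checked against the query ID and remote IP, and mismatches are added to the unwanted packet counter." Keep the ID/remote-IP check explicit in the rewrite: it is the part of this behaviour that matters for security, since it is what stops a packet arriving on a port that is deliberately kept open from being accepted as an answer.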
@@ -242,6 +259,15 @@ linux unbound needs root permission to bypass the limit, or the admin
can use sysctl net.core.wmem_max. On BSD, Solaris changes are similar
to so\-rcvbuf.
.TP
+.B so\-reuseport: \fI<yes or no>
+If yes, then open dedicated listening sockets for incoming queries for each
+thread and try to set the SO_REUSEPORT socket option on each socket. May
+distribute incoming queries to threads more evenly. Default is no. Only
+supported on Linux >= 3.9. You can enable it (on any platform and kernel),
+it then attempts to open the port and passes the option if it was available
+at compile time, if that works it is used, if it fails, it continues
+silently (unless verbosity 3) without the option.
+.TP
.B rrset\-cache\-size: \fI<number>
Number of bytes size of the RRset cache. Default is 4 megabytes.
A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
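Review bot: the so\-reuseport entry contradicts itself: "Only supported on Linux >= 3.9" is immediately followed by "You can enable it (on any platform and kernel)". Suggest "Only effective on Linux >= 3.9. It can be enabled on any platform and kernel; unbound then tries to set the option if it was available at compile time, uses it if that succeeds, and otherwise continues without it, silently unless verbosity is 3 or higher." Also move "Default is no." to its own sentence at the end of the entry rather than mid-paragraph, as the other entries in this file do.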
@@ -326,7 +352,7 @@ a daemon. Default is yes.
.B access\-control: \fI<IP netblock> <action>
The netblock is given as an IP4 or IP6 address with /size appended for a
classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
-\fIallow\fR or \fIallow_snoop\fR.
+\fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR.
.IP
The action \fIdeny\fR stops queries from hosts from that netblock.
.IP
@@ -355,6 +381,12 @@ By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd.
The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
protocol is not designed to handle dropped packets due to policy, and
dropping may result in (possibly excessive) retried queries.
+.IP
+The deny_non_local and refuse_non_local settings are for hosts that are
+only allowed to query for the authoritative local\-data, they are not
+allowed full recursion but only the static data. With deny_non_local,
+messages that are disallowed are dropped, with refuse_non_local they
+receive error code REFUSED.
.TP
.B chroot: \fI<directory>
If chroot is enabled, you should pass the configfile (from the
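Review bot: the new .IP paragraph writes deny_non_local and refuse_non_local in plain text, while the list line in the previous hunk and the existing "The action \fIdeny\fR ..." paragraphs set action names in \fI...\fR; use \fIdeny_non_local\fR and \fIrefuse_non_local\fR here as well. The wording should also say what "messages that are disallowed" are, i.e. queries that cannot be answered from the configured local\-zone and local\-data (rather than "the static data"), since this is the knob an operator would use to expose only an authoritative view to a less trusted netblock. Finally, the caveat given just above for \fIdeny\fR ("dropping may result in (possibly excessive) retried queries") applies equally to deny_non_local; a short pointer to it would help the reader choose between the two variants.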
@@ -492,7 +524,7 @@ unsigned to badly signed often. If turned off you run the risk of a
downgrade attack that disables security for a zone. Default is on.
.TP
.B harden\-below\-nxdomain: \fI<yes or no>
-From draft-vixie-dnsext-resimprove, returns nxdomain to queries for a name
+From draft\-vixie\-dnsext\-resimprove, returns nxdomain to queries for a name
below another name that is already known to be nxdomain. DNSSEC mandates
noerror for empty nonterminals, hence this is possible. Very old software
might return nxdomain for empty nonterminals (that usually happen for reverse
@@ -746,6 +778,17 @@ Number of bytes size of the aggressive negative cache. Default is 1 megabyte.
A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
or gigabytes (1024*1024 bytes in a megabyte).
.TP
+.B unblock\-lan\-zones: \fI<yesno>
+Default is disabled. If enabled, then for private address space,
+the reverse lookups are no longer filtered. This allows unbound when
+running as dns service on a host where it provides service for that host,
+to put out all of the queries for the 'lan' upstream. When enabled,
+only localhost, 127.0.0.1 reverse and ::1 reverse zones are configured
+with default local zones. Disable the option when unbound is running
+as a (DHCP-) DNS network resolver for a group of machines, where such
+lookups should be filtered (RFC compliance), this also stops potential
+data leakage about the local network to the upstream DNS servers.
+.TP
.B local\-zone: \fI<zone> <type>
Configure a local zone. The type determines the answer to give if
there is no match from local\-data. The types are deny, refuse, static,
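Review bot: "\fI<yesno>" on the unblock\-lan\-zones line breaks the convention used by every other boolean in this file ("\fI<yes or no>", see interface\-automatic and harden\-below\-nxdomain above); use "\fI<yes or no>". The description is also hard to follow ("to put out all of the queries for the 'lan' upstream", "(DHCP-) DNS network resolver"), and the security consequence is buried at the end. Suggested wording: "Default is no. If enabled, reverse lookups for private address space are no longer answered locally but are sent upstream, so that unbound running as the resolver for a single host can resolve names on the LAN that host is connected to. Only the localhost, 127.0.0.1 reverse and ::1 reverse zones then remain as default local zones. Leave it disabled when unbound serves a group of machines as the network resolver (e.g. handed out by DHCP): such lookups should be filtered for RFC compliance, and sending them upstream leaks information about the local network to the upstream DNS servers."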