path: root/contrib/unbound/doc
Diffstat (limited to 'contrib/unbound/doc')
-rw-r--r--  contrib/unbound/doc/Changelog              | 311
-rw-r--r--  contrib/unbound/doc/FEATURES               |   1
-rw-r--r--  contrib/unbound/doc/LICENSE                |  20
-rw-r--r--  contrib/unbound/doc/README                 |  11
-rw-r--r--  contrib/unbound/doc/example.conf.in        |  62
-rw-r--r--  contrib/unbound/doc/libunbound.3           |   9
-rw-r--r--  contrib/unbound/doc/libunbound.3.in        |   9
-rw-r--r--  contrib/unbound/doc/unbound-anchor.8       |   2
-rw-r--r--  contrib/unbound/doc/unbound-anchor.8.in    |   2
-rw-r--r--  contrib/unbound/doc/unbound-checkconf.8    |   2
-rw-r--r--  contrib/unbound/doc/unbound-checkconf.8.in |   2
-rw-r--r--  contrib/unbound/doc/unbound-control.8      |  12
-rw-r--r--  contrib/unbound/doc/unbound-control.8.in   |  12
-rw-r--r--  contrib/unbound/doc/unbound-host.1         |   2
-rw-r--r--  contrib/unbound/doc/unbound.8              |   4
-rw-r--r--  contrib/unbound/doc/unbound.8.in           |   4
-rw-r--r--  contrib/unbound/doc/unbound.conf.5         |  49
-rw-r--r--  contrib/unbound/doc/unbound.conf.5.in      |  49
18 files changed, 520 insertions, 43 deletions
diff --git a/contrib/unbound/doc/Changelog b/contrib/unbound/doc/Changelog
index 346f02a..55650ae 100644
--- a/contrib/unbound/doc/Changelog
+++ b/contrib/unbound/doc/Changelog
@@ -1,5 +1,316 @@
+12 March 2014: Wouter
+ - tag 1.4.22
+
+10 March 2014: Wouter
+ - Fix bug#561: contrib/cacti plugin did not report SERVFAIL rcodes
+ because of spelling. Patch from Chris Coates.
+
+27 February 2014: Wouter
+ - tag 1.4.22rc1
+
+21 February 2014: Wouter
+ - iana portlist updated.
+
+20 February 2014: Matthijs
+ - Be lenient when a NSEC NameError response with RCODE=NXDOMAIN is
+ received. This is okay according 4035, but not after revising
+ existence in 4592. NSEC empty non-terminals exist and thus the
+ RCODE should have been NOERROR. If this occurs, and the RRsets
+ are secure, we set the RCODE to NOERROR and the security status
+ of the reponse is also considered secure.
+
+14 February 2014: Wouter
+ - Works on Minix (3.2.1).
+
+11 February 2014: Wouter
+ - Fix parse of #553(NSD) string in sldns, quotes without spaces.
+
+7 February 2014: Wouter
+ - iana portlist updated.
+ - add body to ifstatement if locks disabled.
+ - add TXT string"string" test case to unit test.
+ - Fix #551: License change "Regents" to "Copyright holder", matching
+ the BSD license on opensource.org.
+
+6 February 2014: Wouter
+ - sldns has type HIP.
+ - code documentation on the module interface.
+
+5 February 2014: Wouter
+ - Fix sldns parse tests on osx.
+
+3 February 2014: Wouter
+ - Detect libevent2 install automatically by configure.
+ - Fixup link with lib/event2 subdir.
+ - Fix parse in sldns of quoted parenthesized text strings.
+
+31 January 2014: Wouter
+ - unit test for ldns wire to str and back with zones, root, nlnetlabs
+ and types.sidnlabs.
+ - Fix for hex to string in unknown, atma and nsap.
+ - fixup nss compile (no ldns in it).
+ - fixup warning in unitldns
+ - fixup WKS and rdata type service to print unsigned because strings
+ are not portable; they cannot be read (for sure) on other computers.
+ - fixup type EUI48 and EUI64, type APL and type IPSECKEY in string
+ parse sldns.
+
+30 January 2014: Wouter
+ - delay-close does not act if there are udp-wait queries, so that
+ it does not make a socketdrain DoS easier.
+
+28 January 2014: Wouter
+ - iana portlist updated.
+ - iana portlist test updated so it does not touch the source
+ if there are no changes.
+ - delay-close: msec option that delays closing ports for which
+ the UDP reply has timed out. Keeps the port open, only accepts
+ the correct reply. This correct reply is not used, but the port
+ is open so that no port-denied ICMPs are generated.
+
+27 January 2014: Wouter
+ - reuseport is attempted, then fallback to without on failure.
+
+24 January 2014: Wouter
+ - Change unbound-event.h to use void* buffer, length idiom.
+ - iana portlist updated.
+ - unbound-event.h is installed if you configure --enable-event-api.
+ - speed up unbound (reports say it could be up to 10%), by reducing
+ lock contention on localzones.lock. It is changed to an rwlock.
+ - so-reuseport: yesno option to distribute queries evenly over
+ threads on Linux (Thanks Robert Edmonds).
+ - made lint clean.
+
+21 January 2014: Wouter
+ - Fix #547: no trustanchor written if filesystem full, fclose checked.
+
+17 January 2014: Wouter
+ - Fix isprint() portability in sldns, uses unsigned int.
+ - iana portlist updated.
+
+16 January 2014: Wouter
+ - fix #544: Fixed +i causes segfault when running with module conf
+ "iterator".
+ - Windows port, adjust %lld to %I64d, and warning in win_event.c.
+
+14 January 2014: Wouter
+ - iana portlist updated.
+
+5 Dec 2013: Wouter
+ - Fix bug in cachedump that uses sldns.
+ - update pythonmod for ldns_ to sldns_ name change.
+
+3 Dec 2013: Wouter
+ - Fix sldns to use sldns_ prefix for all ldns_ variables.
+ - Fix windows compile to compile with sldns.
+
+30 Nov 2013: Wouter
+ - Fix sldns to make globals use sldns_ prefix. This fixes
+ linking with libldns that uses global variables ldns_ .
+
+13 Nov 2013: Wouter
+ - Fix bug#537: compile python plugin without ldns library.
+
+12 Nov 2013: Wouter
+ - Fix bug#536: acl_deny_non_local and refuse_non_local added.
+
+5 Nov 2013: Wouter
+ - Patch from Neel Goyal to fix async id assignment if callback
+ is called by libunbound in the mesh attach.
+ - Accept ip-address: as an alternative for interface: for
+ consistency with nsd.conf syntax.
+
+4 Nov 2013: Wouter
+ - Patch from Neel Goyal to fix callback in libunbound.
+
+3 Nov 2013: Wouter
+ - if configured --with-libunbound-only fix make install.
+
+31 Oct 2013: Wouter
+ - Fix #531: Set SO_REUSEADDR so that the wildcard interface and a
+ more specific interface port 53 can be used at the same time, and
+ one of the daemons is unbound.
+ - iana portlist update.
+ - separate ldns into core ldns inside ldns/ subdirectory. No more
+ --with-ldns is needed and unbound does not rely on libldns.
+ - portability fixes for new USE_SLDNS ldns subdir codebase.
+
+22 Oct 2013: Wouter
+ - Patch from Neel Goyal: Add an API call to set an event base on an
+ existing ub_ctx. This basically just destroys the current worker and
+ sets the event base to the current. And fix a deadlock in
+ ub_resolve_event – the cfglock is held when libworker_create is
+ called. This ends up trying to acquire the lock again in
+ context_obtain_alloc in the call chain.
+ - Fix #528: if very high logging (4 or more) segfault on allow_snoop.
+
+26 Sep 2013: Wouter
+ - unbound-event.h is installed if configured --with-libevent. It
+ contains low-level library calls, that use libevent's event_base
+ and an ldns_buffer for the wire return packet to perform async
+ resolution in the client's eventloop.
+
+19 Sep 2013: Wouter
+ - 1.4.21 tag created.
+ - trunk has 1.4.22 number inside it.
+ - iana portlist updated.
+ - acx_nlnetlabs.m4 to 26; improve FLTO help text.
+
+16 Sep 2013: Wouter
+ - Fix#524: max-udp-size not effective to non-EDNS0 queries, from
+ Daisuke HIGASHI.
+
+10 Sep 2013: Wouter
+ - MIN_TTL and MAX_TTL also in time_t.
+ - tag 1.4.21rc1 made again.
+
+26 Aug 2013: Wouter
+ - More fixes for bug#519: for the threaded case test if the bg
+ thread has been killed, on ub_ctx_delete, to avoid hangs.
+
+22 Aug 2013: Wouter
+ - more fixes that I overlooked.
+ - review fixes from Willem.
+
+21 Aug 2013: Wouter
+ - Fix#520: Errors found by static analysis from Tomas Hozza(redhat).
+
+20 Aug 2013: Wouter
+ - Fix for 2038, with time_t instead of uint32_t.
+
+19 Aug 2013: Wouter
+ - Fix#519 ub_ctx_delete may hang in some scenarios (libunbound).
+
+14 Aug 2013: Wouter
+ - Fix uninit variable in fix#516.
+
+8 Aug 2013: Wouter
+ - Fix#516 dnssec lameness detection for answers that are improper.
+
+30 Jun 2013: Wouter
+ - tag 1.4.21rc1
+
+29 Jun 2013: Wouter
+ - Fix#512 memleak in testcode for testbound (if it fails).
+ - Fix#512 NSS returned arrays out of setup function to be statics.
+
+26 Jun 2013: Wouter
+ - max include of 100.000 files (depth and globbed at one time).
+ This is to preserve system memory in bug cases, or endless cases.
+ - iana portlist updated.
+
+19 Jun 2013: Wouter
+ - streamtcp man page, contributed by Tomas Hozza.
+ - iana portlist updated.
+ - libunbound documentation on how to avoid openssl race conditions.
+
+25 Jun 2013: Wouter
+ - Squelch sendto-permission denied errors when the network is
+ not connected, to avoid spamming syslog.
+ - configure --disable-flto option (from Robert Edmonds).
+
+18 Jun 2013: Wouter
+ - Fix for const string literals in C++ for libunbound, from Karel
+ Slany.
+ - iana portlist updated.
+
+17 Jun 2013: Wouter
+ - Fixup manpage syntax.
+
+14 Jun 2013: Wouter
+ - get_option and set_option support for log-time-ascii, python-script
+ val-sig-skew-min and val-sig-skew-max. log-time-ascii takes effect
+ immediately. The others are mostly useful for libunbound users.
+
+13 Jun 2013: Wouter
+ - get_option, set_option, unbound-checkconf -o and libunbound
+ getoption and setoption support cache-min-ttl and cache-max-ttl.
+
+10 Jun 2013: Wouter
+ - Fix#501: forward-first does not recurse, when forward name is ".".
+ - iana portlist update.
+ - Max include depth is unlimited.
+
+27 May 2013: Wouter
+ - Update acx_pthreads.m4 to ax_pthreads.4 (2013-03-29), and apply
+ patch to it to not fail when -Werror is also specified, from the
+ autoconf-archives.
+ - iana portlist update.
+
+21 May 2013: Wouter
+ - Explain bogus and secure flags in libunbound more.
+
+16 May 2013: Wouter
+ - Fix#499 use-after-free in out-of-memory handling code (thanks Jake
+ Montgomery).
+ - Fix#500 use on non-initialised values on socket bind failures.
+
+15 May 2013: Wouter
+ - Fix round-robin doesn't work with some Windows clients (from Ilya
+ Bakulin).
+
+3 May 2013: Wouter
+ - update acx_nlnetlabs.m4 to v23, sleep w32 fix.
+
+26 April 2013: Wouter
+ - add unbound-control insecure_add and insecure_remove for the
+ administration of negative trust anchors.
+
+25 April 2013: Wouter
+ - Implement max-udp-size config option, default 4096 (thanks
+ Daisuke Higashi).
+ - Robust checks on dname validity from rdata for dname compare.
+ - updated iana portlist.
+
+19 April 2013: Wouter
+ - Fixup snprintf return value usage, fixed libunbound_get_option.
+
+18 April 2013: Wouter
+ - fix bug #491: pick program name (0th argument) as syslog identity.
+ - own implementation of compat/snprintf.c.
+
+15 April 2013: Wouter
+ - Fix so that for a configuration line of include: "*.conf" it is not
+ an error if there are no files matching the glob pattern.
+ - unbound-anchor review: BIO_write can return 0 successfully if it
+ has successfully appended a zero length string.
+
+11 April 2013: Wouter
+ - Fix queries leaking up for stubs and forwards, if the configured
+ nameservers all fail to answer.
+
+10 April 2013: Wouter
+ - code improve for minimal responses, small speed increase.
+
+9 April 2013: Wouter
+ - updated iana portlist.
+ - Fix crash in previous private address fixup of 22 March.
+
+28 March 2013: Wouter
+ - Make reverse zones easier by documenting the nodefault statements
+ commented-out in the example config file.
+
+26 March 2013: Wouter
+ - more fixes to lookup3.c endianness detection.
+
+25 March 2013: Wouter
+ - #492: Fix endianness detection, revert to older lookup3.c detection
+ and put new detect lines after previous tests, to avoid regressions
+ but allow new detections to succeed.
+ And add detection for machine/endian.h to it.
+
+22 March 2013: Wouter
+ - Fix resolve of names that use a mix of public and private addresses.
+ - iana portlist update.
+ - Fix makedist for new svn for -d option.
+ - unbound.h header file has UNBOUND_VERSION_MAJOR define.
+ - Fix windows RSRC version for long version numbers.
+
21 March 2013: Wouter
- release 1.4.20
+ - trunk has 1.4.21
+ - committed libunbound version 4:1:2 for binary API updated in 1.4.20
+ - install copy of unbound-control.8 man page for unbound-control-setup
14 March 2013: Wouter
- iana portlist update.
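Review bot: the June 2013 entries are out of reverse-chronological order (26 Jun, 19 Jun, 25 Jun, 18 Jun); the "25 Jun 2013" entry (squelch sendto errors, --disable-flto) should move above "19 Jun 2013". Two typos in the "20 February 2014" entry: "reponse" should read "response", and "okay according 4035" should read "okay according to RFC 4035" (with "RFC 4592" to match). For downstream packagers it would help to flag, in the 1.4.22 tag entry at the top, which of the listed items are memory-safety or robustness fixes: #499 use-after-free, #500 uninitialised values on bind failure, #528 and #544 segfaults, and the 30 January 2014 change that keeps delay-close from making a socket-drain DoS easier.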
diff --git a/contrib/unbound/doc/FEATURES b/contrib/unbound/doc/FEATURES
index 93ed292..076988e 100644
--- a/contrib/unbound/doc/FEATURES
+++ b/contrib/unbound/doc/FEATURES
@@ -99,4 +99,5 @@ SSHFP type
4701: DHCID
5155: NSEC3, NSEC3PARAM
4408: SPF
+6944: DNSKEY algorithm status
diff --git a/contrib/unbound/doc/LICENSE b/contrib/unbound/doc/LICENSE
index c248049..1859c09 100644
--- a/contrib/unbound/doc/LICENSE
+++ b/contrib/unbound/doc/LICENSE
@@ -18,13 +18,13 @@ be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
-TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
-LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
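Review bot: the only wording change in this hunk is "THE REGENTS OR CONTRIBUTORS" to "THE COPYRIGHT HOLDER OR CONTRIBUTORS" (Changelog, 7 February 2014, Fix #551), but the paragraph was re-wrapped so all ten lines show as modified and the substantive edit cannot be audited at a glance. Keep the original line breaks for a license change, or call out the rewrap in the commit message, so the diff shows exactly which words changed.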
diff --git a/contrib/unbound/doc/README b/contrib/unbound/doc/README
index c8c69c1..badc60f 100644
--- a/contrib/unbound/doc/README
+++ b/contrib/unbound/doc/README
@@ -1,4 +1,4 @@
-README for Unbound 1.4.20
+README for Unbound 1.4.22
Copyright 2007 NLnet Labs
http://unbound.net
@@ -10,14 +10,11 @@ This software is under BSD license, see LICENSE for details.
http://unbound.net/svn/
* Uses the following libraries;
- * ldns http://www.nlnetlabs.nl/ldns/ (BSD license)
- (required) can use ldns build directory directly with --with-ldns=path.
* libevent http://www.monkey.org/~provos/libevent/ (BSD license)
(optional) can use builtin alternative instead.
+ * libexpat (for the unbound-anchor helper program) (MIT license)
* Make and install: ./configure; make; make install
- * --with-ldns=/path/to/ldns
- It will dynamically link against it.
* --with-libevent=/path/to/libevent
Can be set to either the system install or the build directory.
--with-libevent=no (default) gives a builtin alternative
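Review bot: the new libexpat entry does not follow the format of the libevent line next to it, which gives a project URL and a "(required)"/"(optional)" marker; add both, and since only unbound-anchor is named as a consumer, say whether the daemon itself builds without libexpat. The removal of the --with-ldns paragraph matches the Changelog (31 Oct 2013: "No more --with-ldns is needed"), so that part is consistent.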
@@ -36,8 +33,8 @@ This software is under BSD license, see LICENSE for details.
programming errors, among which buffer overflows. The program exits
with an error if an assertion fails (but the buffer did not overflow).
* --enable-static-exe
- This enables a debug option to statically link, against ldns and
- libevent libraries.
+ This enables a debug option to statically link against the
+ libevent library.
* --enable-lock-checks
This enables a debug option to check lock and unlock calls. It needs
a recent pthreads library to work.
diff --git a/contrib/unbound/doc/example.conf.in b/contrib/unbound/doc/example.conf.in
index aa9a7f7..9e91d1f 100644
--- a/contrib/unbound/doc/example.conf.in
+++ b/contrib/unbound/doc/example.conf.in
@@ -1,7 +1,7 @@
#
# Example configuration file.
#
-# See unbound.conf(5) man page, version 1.4.20.
+# See unbound.conf(5) man page, version 1.4.22.
#
# this is a comment.
@@ -84,11 +84,18 @@ server:
# buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
# 0 is system default. Use 4m to handle spikes on very busy servers.
# so-sndbuf: 0
+
+ # on Linux(3.9+) use SO_REUSEPORT to distribute queries over threads.
+ # so-reuseport: no
# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
# is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
# edns-buffer-size: 4096
+ # Maximum UDP response size (not applied to TCP response).
+ # Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
+ # max-udp-size: 4096
+
# buffer size for handling DNS data. No messages larger than this
# size can be sent or received, by UDP or TCP. In bytes.
# msg-buffer-size: 65552
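Review bot: "on Linux(3.9+)" is missing a space before the parenthesis, and the so-reuseport comment does not say what happens on other kernels, while the unbound.conf.5 text in this same commit explains that the option is attempted and silently dropped when unavailable; one clause here ("ignored if the kernel does not support it") keeps the example and the man page in step. For max-udp-size, "65536 disables it" would be clearer as the man page's wording, that 65536 means the size the client advertised is always used.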
@@ -107,6 +114,9 @@ server:
# if very busy, 50% queries run to completion, 50% get timeout in msec
# jostle-timeout: 200
+
+ # msec to wait before close of port on timeout UDP. 0 disables.
+ # delay-close: 0
# the amount of memory to use for the RRset cache.
# plain value in bytes or you can append k, m or G. default is "4Mb".
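Review bot: "msec to wait before close of port on timeout UDP" reads awkwardly; suggest "msec to keep a UDP port open after its query timed out. 0 disables." which also matches the delay-close description added to unbound.conf.5 in this commit.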
@@ -161,6 +171,8 @@ server:
# By default everything is refused, except for localhost.
# Choose deny (drop message), refuse (polite error reply),
# allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
+ # deny_non_local (drop queries unless can be answered from local-data)
+ # refuse_non_local (like deny_non_local but polite error reply).
# access-control: 0.0.0.0/0 refuse
# access-control: 127.0.0.0/8 allow
# access-control: ::0/0 refuse
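Review bot: "drop queries unless can be answered from local-data" is missing its subject; suggest "drop queries unless they can be answered from local-data". The two new actions are only listed, while the example lines below still show just refuse and allow; one commented line such as "# access-control: 10.0.0.0/8 refuse_non_local" (constructed netblock) would show operators how to give a network static data only.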
@@ -425,6 +437,54 @@ server:
# the amount of memory to use for the negative cache (used for DLV).
# plain value in bytes or you can append k, m or G. default is "1Mb".
# neg-cache-size: 1m
+
+ # if unbound is running service for the local host then it is useful
+ # to perform lan-wide lookups to the upstream, and unblock the
+ # long list of local-zones above. If this unbound is a dns server
+ # for a network of computers, disabled is better and stops information
+ # leakage of local lan information.
+ # unblock-lan-zones: no
+
+ # By default, for a number of zones a small default 'nothing here'
+ # reply is built-in. Query traffic is thus blocked. If you
+ # wish to serve such zone you can unblock them by uncommenting one
+ # of the nodefault statements below.
+ # You may also have to use domain-insecure: zone to make DNSSEC work,
+ # unless you have your own trust anchors for this zone.
+ # local-zone: "localhost." nodefault
+ # local-zone: "127.in-addr.arpa." nodefault
+ # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
+ # local-zone: "10.in-addr.arpa." nodefault
+ # local-zone: "16.172.in-addr.arpa." nodefault
+ # local-zone: "17.172.in-addr.arpa." nodefault
+ # local-zone: "18.172.in-addr.arpa." nodefault
+ # local-zone: "19.172.in-addr.arpa." nodefault
+ # local-zone: "20.172.in-addr.arpa." nodefault
+ # local-zone: "21.172.in-addr.arpa." nodefault
+ # local-zone: "22.172.in-addr.arpa." nodefault
+ # local-zone: "23.172.in-addr.arpa." nodefault
+ # local-zone: "24.172.in-addr.arpa." nodefault
+ # local-zone: "25.172.in-addr.arpa." nodefault
+ # local-zone: "26.172.in-addr.arpa." nodefault
+ # local-zone: "27.172.in-addr.arpa." nodefault
+ # local-zone: "28.172.in-addr.arpa." nodefault
+ # local-zone: "29.172.in-addr.arpa." nodefault
+ # local-zone: "30.172.in-addr.arpa." nodefault
+ # local-zone: "31.172.in-addr.arpa." nodefault
+ # local-zone: "168.192.in-addr.arpa." nodefault
+ # local-zone: "0.in-addr.arpa." nodefault
+ # local-zone: "254.169.in-addr.arpa." nodefault
+ # local-zone: "2.0.192.in-addr.arpa." nodefault
+ # local-zone: "100.51.198.in-addr.arpa." nodefault
+ # local-zone: "113.0.203.in-addr.arpa." nodefault
+ # local-zone: "255.255.255.255.in-addr.arpa." nodefault
+ # local-zone: "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
+ # local-zone: "d.f.ip6.arpa." nodefault
+ # local-zone: "8.e.f.ip6.arpa." nodefault
+ # local-zone: "9.e.f.ip6.arpa." nodefault
+ # local-zone: "a.e.f.ip6.arpa." nodefault
+ # local-zone: "b.e.f.ip6.arpa." nodefault
+ # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
# a number of locally served zones can be configured.
# local-zone: <zone> <type>
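Review bot: the unblock-lan-zones comment says "unblock the long list of local-zones above", but the list it refers to is the nodefault block added directly below it in this hunk, so "above" should read "below". The sentence about information leakage of local LAN data is the security-relevant reason the default is "no"; state "default is no" explicitly, as the neighbouring options in this file do for their defaults.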
diff --git a/contrib/unbound/doc/libunbound.3 b/contrib/unbound/doc/libunbound.3
index 0f6f0c6..52c0a53 100644
--- a/contrib/unbound/doc/libunbound.3
+++ b/contrib/unbound/doc/libunbound.3
@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20"
+.TH "libunbound" "3" "Mar 12, 2014" "NLnet Labs" "unbound 1.4.22"
.\"
.\" libunbound.3 -- unbound library functions manual
.\"
@@ -42,7 +42,7 @@
.B ub_ctx_zone_remove,
.B ub_ctx_data_add,
.B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.4.20 functions.
+\- Unbound DNS validating resolver 1.4.22 functions.
.SH "SYNOPSIS"
.LP
.B #include <unbound.h>
@@ -171,6 +171,9 @@ by default. Use
and
.B ub_ctx_hosts
to read them.
+Before you call this, use the openssl functions CRYPTO_set_id_callback and
+CRYPTO_set_locking_callback to set up asyncronous operation if you use
+lib openssl (the application calls these functions once for initialisation).
.TP
.B ub_ctx_delete
Delete validation context and free associated resources.
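Review bot: "asyncronous" should read "asynchronous", and the purpose is misstated: CRYPTO_set_id_callback and CRYPTO_set_locking_callback are OpenSSL's thread-locking hooks, and the Changelog (19 Jun 2013) describes this paragraph as documentation "on how to avoid openssl race conditions", so "thread-safe operation" or "use from multiple threads" is the accurate phrase. "lib openssl" should read "OpenSSL".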
@@ -364,7 +367,7 @@ The result of the DNS resolution and validation is returned as
.fi
.P
If both secure and bogus are false, security was not enabled for the
-domain of the query.
+domain of the query. Else, they are not both true, one of them is true.
.SH "RETURN VALUES"
Many routines return an error code. The value 0 (zero) denotes no error
happened. Other values can be passed to
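Review bot: "Else, they are not both true, one of them is true." is hard to parse; suggest "Otherwise exactly one of them is true: secure and bogus are never both set."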
diff --git a/contrib/unbound/doc/libunbound.3.in b/contrib/unbound/doc/libunbound.3.in
index 0f6f0c6..52c0a53 100644
--- a/contrib/unbound/doc/libunbound.3.in
+++ b/contrib/unbound/doc/libunbound.3.in
@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20"
+.TH "libunbound" "3" "Mar 12, 2014" "NLnet Labs" "unbound 1.4.22"
.\"
.\" libunbound.3 -- unbound library functions manual
.\"
@@ -42,7 +42,7 @@
.B ub_ctx_zone_remove,
.B ub_ctx_data_add,
.B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.4.20 functions.
+\- Unbound DNS validating resolver 1.4.22 functions.
.SH "SYNOPSIS"
.LP
.B #include <unbound.h>
@@ -171,6 +171,9 @@ by default. Use
and
.B ub_ctx_hosts
to read them.
+Before you call this, use the openssl functions CRYPTO_set_id_callback and
+CRYPTO_set_locking_callback to set up asyncronous operation if you use
+lib openssl (the application calls these functions once for initialisation).
.TP
.B ub_ctx_delete
Delete validation context and free associated resources.
@@ -364,7 +367,7 @@ The result of the DNS resolution and validation is returned as
.fi
.P
If both secure and bogus are false, security was not enabled for the
-domain of the query.
+domain of the query. Else, they are not both true, one of them is true.
.SH "RETURN VALUES"
Many routines return an error code. The value 0 (zero) denotes no error
happened. Other values can be passed to
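Review bot: this file carries the same two wording problems as libunbound.3 (the index lines show the two files are byte-identical, 0f6f0c6..52c0a53): "asyncronous" in the added paragraph about CRYPTO_set_id_callback and CRYPTO_set_locking_callback, which should read "asynchronous" and describe thread-safe rather than asynchronous use, and "Else, they are not both true, one of them is true." here, which should read "Otherwise exactly one of them is true." Fix them in this .in template and regenerate libunbound.3 so the two cannot drift apart.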
diff --git a/contrib/unbound/doc/unbound-anchor.8 b/contrib/unbound/doc/unbound-anchor.8
index 4c9c6a7..27bb5a6 100644
--- a/contrib/unbound/doc/unbound-anchor.8
+++ b/contrib/unbound/doc/unbound-anchor.8
@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20"
+.TH "unbound-anchor" "8" "Mar 12, 2014" "NLnet Labs" "unbound 1.4.22"
.\"
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
.\"
diff --git a/contrib/unbound/doc/unbound-anchor.8.in b/contrib/unbound/doc/unbound-anchor.8.in
index 0b5e5a0..41b18ed 100644
--- a/contrib/unbound/doc/unbound-anchor.8.in
+++ b/contrib/unbound/doc/unbound-anchor.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20"
+.TH "unbound-anchor" "8" "Mar 12, 2014" "NLnet Labs" "unbound 1.4.22"
.\"
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
.\"
diff --git a/contrib/unbound/doc/unbound-checkconf.8 b/contrib/unbound/doc/unbound-checkconf.8
index 768bda5..2ed6124 100644
--- a/contrib/unbound/doc/unbound-checkconf.8
+++ b/contrib/unbound/doc/unbound-checkconf.8
@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20"
+.TH "unbound-checkconf" "8" "Mar 12, 2014" "NLnet Labs" "unbound 1.4.22"
.\"
.\" unbound-checkconf.8 -- unbound configuration checker manual
.\"
diff --git a/contrib/unbound/doc/unbound-checkconf.8.in b/contrib/unbound/doc/unbound-checkconf.8.in
index 4ae174f..69e0b4f 100644
--- a/contrib/unbound/doc/unbound-checkconf.8.in
+++ b/contrib/unbound/doc/unbound-checkconf.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20"
+.TH "unbound-checkconf" "8" "Mar 12, 2014" "NLnet Labs" "unbound 1.4.22"
.\"
.\" unbound-checkconf.8 -- unbound configuration checker manual
.\"
diff --git a/contrib/unbound/doc/unbound-control.8 b/contrib/unbound/doc/unbound-control.8
index 5b3559d..4f1a1cf 100644
--- a/contrib/unbound/doc/unbound-control.8
+++ b/contrib/unbound/doc/unbound-control.8
@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20"
+.TH "unbound-control" "8" "Mar 12, 2014" "NLnet Labs" "unbound 1.4.22"
.\"
.\" unbound-control.8 -- unbound remote control manual
.\"
@@ -170,7 +170,7 @@ harden\-glue, harden\-dnssec\-stripped, harden\-below\-nxdomain,
harden\-referral\-path, prefetch, prefetch\-key, log\-queries,
hide\-identity, hide\-version, identity, version, val\-log\-level,
val\-log\-squelch, ignore\-cd\-flag, add\-holddown, del\-holddown,
-keep\-missing, tcp\-upstream, ssl\-upstream.
+keep\-missing, tcp\-upstream, ssl\-upstream, max\-udp\-size.
.TP
.B get_option \fIopt
Get the value of the option. Give the option name without a trailing ':'.
@@ -196,6 +196,14 @@ List the local zones in use. These are printed one per line with zone type.
.B list_local_data
List the local data RRs in use. The resource records are printed.
.TP
+.B insecure_add \fIzone
+Add a \fBdomain\-insecure\fR for the given zone, like the statement in unbound.conf.
+Adds to the running unbound without affecting the cache contents (which may
+still be bogus, use \fBflush_zone\fR to remove it), does not affect the config file.
+.TP
+.B insecure_remove \fIzone
+Removes domain\-insecure for the given zone.
+.TP
.B forward_add \fR[\fI+i\fR] \fIzone addr ...
Add a new forward zone to running unbound. With +i option also adds a
\fIdomain\-insecure\fR for the zone (so it can resolve insecurely if you have
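Review bot: the insecure_add entry should say what it does in security terms: per the Changelog (26 April 2013) these commands administer negative trust anchors, so insecure_add turns off DNSSEC validation for the given zone until insecure_remove is run or unbound restarts (the entry already notes that the config file is unaffected, so the change does not persist). Also "Removes domain\-insecure" should read "Remove domain\-insecure" to match the imperative mood of the other entries.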
diff --git a/contrib/unbound/doc/unbound-control.8.in b/contrib/unbound/doc/unbound-control.8.in
index 669e81d..e57231c 100644
--- a/contrib/unbound/doc/unbound-control.8.in
+++ b/contrib/unbound/doc/unbound-control.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20"
+.TH "unbound-control" "8" "Mar 12, 2014" "NLnet Labs" "unbound 1.4.22"
.\"
.\" unbound-control.8 -- unbound remote control manual
.\"
@@ -170,7 +170,7 @@ harden\-glue, harden\-dnssec\-stripped, harden\-below\-nxdomain,
harden\-referral\-path, prefetch, prefetch\-key, log\-queries,
hide\-identity, hide\-version, identity, version, val\-log\-level,
val\-log\-squelch, ignore\-cd\-flag, add\-holddown, del\-holddown,
-keep\-missing, tcp\-upstream, ssl\-upstream.
+keep\-missing, tcp\-upstream, ssl\-upstream, max\-udp\-size.
.TP
.B get_option \fIopt
Get the value of the option. Give the option name without a trailing ':'.
@@ -196,6 +196,14 @@ List the local zones in use. These are printed one per line with zone type.
.B list_local_data
List the local data RRs in use. The resource records are printed.
.TP
+.B insecure_add \fIzone
+Add a \fBdomain\-insecure\fR for the given zone, like the statement in unbound.conf.
+Adds to the running unbound without affecting the cache contents (which may
+still be bogus, use \fBflush_zone\fR to remove it), does not affect the config file.
+.TP
+.B insecure_remove \fIzone
+Removes domain\-insecure for the given zone.
+.TP
.B forward_add \fR[\fI+i\fR] \fIzone addr ...
Add a new forward zone to running unbound. With +i option also adds a
\fIdomain\-insecure\fR for the zone (so it can resolve insecurely if you have
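Review bot: the same wording points as for unbound-control.8 apply to this template: insecure_add should be described as a negative trust anchor that disables DNSSEC validation for the zone until removed or restart (Changelog, 26 April 2013), and "Removes domain\-insecure" should read "Remove domain\-insecure"; fix it here and regenerate the installed page.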
diff --git a/contrib/unbound/doc/unbound-host.1 b/contrib/unbound/doc/unbound-host.1
index 4957705..1c8c42d 100644
--- a/contrib/unbound/doc/unbound-host.1
+++ b/contrib/unbound/doc/unbound-host.1
@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20"
+.TH "unbound\-host" "1" "Mar 12, 2014" "NLnet Labs" "unbound 1.4.22"
.\"
.\" unbound-host.1 -- unbound DNS lookup utility
.\"
diff --git a/contrib/unbound/doc/unbound.8 b/contrib/unbound/doc/unbound.8
index 09fcc6a..9c04538 100644
--- a/contrib/unbound/doc/unbound.8
+++ b/contrib/unbound/doc/unbound.8
@@ -1,4 +1,4 @@
-.TH "unbound" "8" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20"
+.TH "unbound" "8" "Mar 12, 2014" "NLnet Labs" "unbound 1.4.22"
.\"
.\" unbound.8 -- unbound manual
.\"
@@ -10,7 +10,7 @@
.SH "NAME"
.LP
.B unbound
-\- Unbound DNS validating resolver 1.4.20.
+\- Unbound DNS validating resolver 1.4.22.
.SH "SYNOPSIS"
.LP
.B unbound
diff --git a/contrib/unbound/doc/unbound.8.in b/contrib/unbound/doc/unbound.8.in
index 5d84d9a..fd67e71 100644
--- a/contrib/unbound/doc/unbound.8.in
+++ b/contrib/unbound/doc/unbound.8.in
@@ -1,4 +1,4 @@
-.TH "unbound" "8" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20"
+.TH "unbound" "8" "Mar 12, 2014" "NLnet Labs" "unbound 1.4.22"
.\"
.\" unbound.8 -- unbound manual
.\"
@@ -10,7 +10,7 @@
.SH "NAME"
.LP
.B unbound
-\- Unbound DNS validating resolver 1.4.20.
+\- Unbound DNS validating resolver 1.4.22.
.SH "SYNOPSIS"
.LP
.B unbound
diff --git a/contrib/unbound/doc/unbound.conf.5 b/contrib/unbound/doc/unbound.conf.5
index 1b399a4..a106733 100644
--- a/contrib/unbound/doc/unbound.conf.5
+++ b/contrib/unbound/doc/unbound.conf.5
@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20"
+.TH "unbound.conf" "5" "Mar 12, 2014" "NLnet Labs" "unbound 1.4.22"
.\"
.\" unbound.conf.5 -- unbound.conf manual
.\"
@@ -122,6 +122,9 @@ A port number can be specified with @port (without spaces between
interface and port number), if not specified the default port (from
\fBport\fR) is used.
.TP
+.B ip\-address: \fI<ip address[@port]>
+Same as interface: (for easy of compatibility with nsd.conf).
+.TP
.B interface\-automatic: \fI<yes or no>
Detect source interface on UDP queries and copy them to replies. This
feature is experimental, and needs support in your OS for particular socket
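Review bot: "for easy of compatibility" should read "for ease of compatibility", and the cross-reference should be set as \fBinterface\fR, the way \fBport\fR is formatted two lines above.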
@@ -183,6 +186,11 @@ stringent path MTU problems, but is seen as extreme, since the amount
of TCP fallback generated is excessive (probably also for this resolver,
consider tuning the outgoing tcp number).
.TP
+.B max\-udp\-size: \fI<number>
+Maximum UDP response size (not applied to TCP response). 65536 disables the
+udp response size maximum, and uses the choice from the client, always.
+Suggested values are 512 to 4096. Default is 4096.
+.TP
.B msg\-buffer\-size: \fI<number>
Number of bytes size of the message buffers. Default is 65552 bytes, enough
for 64 Kb packets, the maximum DNS message size. No message larger than this
@@ -220,6 +228,15 @@ The qps for short queries can be about (numqueriesperthread / 2)
/ (jostletimeout in whole seconds) qps per thread, about (1024/2)*5 = 2560
qps by default.
.TP
+.B delay\-close: \fI<msec>
+Extra delay for timeouted UDP ports before they are closed, in msec.
+Default is 0, and that disables it. This prevents very delayed answer
+packets from the upstream (recursive) servers from bouncing against
+closed ports and setting off all sort of close-port counters, with
+eg. 1500 msec. When timeouts happen you need extra sockets, it checks
+the ID and remote IP of packets, and unwanted packets are added to the
+unwanted packet counter.
+.TP
.B so\-rcvbuf: \fI<number>
If not 0, then set the SO_RCVBUF socket option to get more buffer
space on UDP port 53 incoming queries. So that short spikes on busy
@@ -242,6 +259,15 @@ linux unbound needs root permission to bypass the limit, or the admin
can use sysctl net.core.wmem_max. On BSD, Solaris changes are similar
to so\-rcvbuf.
.TP
+.B so\-reuseport: \fI<yes or no>
+If yes, then open dedicated listening sockets for incoming queries for each
+thread and try to set the SO_REUSEPORT socket option on each socket. May
+distribute incoming queries to threads more evenly. Default is no. Only
+supported on Linux >= 3.9. You can enable it (on any platform and kernel),
+it then attempts to open the port and passes the option if it was available
+at compile time, if that works it is used, if it fails, it continues
+silently (unless verbosity 3) without the option.
+.TP
.B rrset\-cache\-size: \fI<number>
Number of bytes size of the RRset cache. Default is 4 megabytes.
A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
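Review bot: the so\-reuseport description contradicts itself: "Only supported on Linux >= 3.9" is immediately followed by "You can enable it (on any platform and kernel)". Reword to one statement, e.g. that the option is honoured only where SO_REUSEPORT was available at compile time and is supported by the running kernel (Linux >= 3.9), and is otherwise ignored. "(unless verbosity 3)" should say what happens: that the failure to set the option is logged at verbosity 3 or higher.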
@@ -326,7 +352,7 @@ a daemon. Default is yes.
.B access\-control: \fI<IP netblock> <action>
The netblock is given as an IP4 or IP6 address with /size appended for a
classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
-\fIallow\fR or \fIallow_snoop\fR.
+\fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR.
.IP
The action \fIdeny\fR stops queries from hosts from that netblock.
.IP
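Review bot: the two new actions are added to the list but, unlike \fIdeny\fR and \fIrefuse\fR, which are each defined in an `.IP The action \fI...\fR ...` paragraph right below, deny_non_local and refuse_non_local get no entry in that sequence. Add matching `.IP` paragraphs here so the definitions sit where a reader of the list will look for them.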
@@ -355,6 +381,12 @@ By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd.
The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
protocol is not designed to handle dropped packets due to policy, and
dropping may result in (possibly excessive) retried queries.
+.IP
+The deny_non_local and refuse_non_local settings are for hosts that are
+only allowed to query for the authoritative local\-data, they are not
+allowed full recursion but only the static data. With deny_non_local,
+messages that are disallowed are dropped, with refuse_non_local they
+receive error code REFUSED.
.TP
.B chroot: \fI<directory>
If chroot is enabled, you should pass the configfile (from the
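Review bot: formatting and wording of the new paragraph: deny_non_local and refuse_non_local are italic (`\fI...\fR`) in the action list above but plain here; use the same markup. The second sentence is a comma splice ("...the authoritative local\-data, they are not allowed full recursion but only the static data"); split it, and say that "static data" means the configured local\-zone and local\-data entries, so it is clear what such clients can still query. The final sentence could note the same trade-off given for deny versus refuse above: dropping (deny_non_local) invites retries, while REFUSED (refuse_non_local) is the protocol-friendly choice.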
@@ -492,7 +524,7 @@ unsigned to badly signed often. If turned off you run the risk of a
downgrade attack that disables security for a zone. Default is on.
.TP
.B harden\-below\-nxdomain: \fI<yes or no>
-From draft-vixie-dnsext-resimprove, returns nxdomain to queries for a name
+From draft\-vixie\-dnsext\-resimprove, returns nxdomain to queries for a name
below another name that is already known to be nxdomain. DNSSEC mandates
noerror for empty nonterminals, hence this is possible. Very old software
might return nxdomain for empty nonterminals (that usually happen for reverse
@@ -746,6 +778,17 @@ Number of bytes size of the aggressive negative cache. Default is 1 megabyte.
A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
or gigabytes (1024*1024 bytes in a megabyte).
.TP
+.B unblock\-lan\-zones: \fI<yesno>
+Default is disabled. If enabled, then for private address space,
+the reverse lookups are no longer filtered. This allows unbound when
+running as dns service on a host where it provides service for that host,
+to put out all of the queries for the 'lan' upstream. When enabled,
+only localhost, 127.0.0.1 reverse and ::1 reverse zones are configured
+with default local zones. Disable the option when unbound is running
+as a (DHCP-) DNS network resolver for a group of machines, where such
+lookups should be filtered (RFC compliance), this also stops potential
+data leakage about the local network to the upstream DNS servers.
+.TP
.B local\-zone: \fI<zone> <type>
Configure a local zone. The type determines the answer to give if
there is no match from local\-data. The types are deny, refuse, static,
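Review bot: the argument placeholder `<yesno>` differs from the `<yes or no>` form used by every other boolean option in this file (interface\-automatic, so\-reuseport, harden\-below\-nxdomain); use `<yes or no>`, and "Default is no" rather than "Default is disabled". The description should state the consequence directly: when enabled, reverse lookups for private address space are sent to the upstream resolver, which is the "data leakage about the local network" the last sentence alludes to, so the option should be enabled only where the upstream is itself the site's internal resolver. "(DHCP-) DNS network resolver" reads oddly; "the resolver handed out to clients by DHCP" is clearer. Also "dns service" should be "DNS service".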
diff --git a/contrib/unbound/doc/unbound.conf.5.in b/contrib/unbound/doc/unbound.conf.5.in
index 6dd0216..aadd0da 100644
--- a/contrib/unbound/doc/unbound.conf.5.in
+++ b/contrib/unbound/doc/unbound.conf.5.in
@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20"
+.TH "unbound.conf" "5" "Mar 12, 2014" "NLnet Labs" "unbound 1.4.22"
.\"
.\" unbound.conf.5 -- unbound.conf manual
.\"
@@ -122,6 +122,9 @@ A port number can be specified with @port (without spaces between
interface and port number), if not specified the default port (from
\fBport\fR) is used.
.TP
+.B ip\-address: \fI<ip address[@port]>
+Same as interface: (for easy of compatibility with nsd.conf).
+.TP
.B interface\-automatic: \fI<yes or no>
Detect source interface on UDP queries and copy them to replies. This
feature is experimental, and needs support in your OS for particular socket
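Review bot: same typo as in the unbound.conf.5 hunk: "easy of compatibility" should be "ease of compatibility", and "interface:" should be referenced as `\fBinterface:\fR`. The `.in` suffix marks this file as the template from which unbound.conf.5 is generated, so the wording fix belongs here or it will be lost on regeneration.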
@@ -183,6 +186,11 @@ stringent path MTU problems, but is seen as extreme, since the amount
of TCP fallback generated is excessive (probably also for this resolver,
consider tuning the outgoing tcp number).
.TP
+.B max\-udp\-size: \fI<number>
+Maximum UDP response size (not applied to TCP response). 65536 disables the
+udp response size maximum, and uses the choice from the client, always.
+Suggested values are 512 to 4096. Default is 4096.
+.TP
.B msg\-buffer\-size: \fI<number>
Number of bytes size of the message buffers. Default is 65552 bytes, enough
for 64 Kb packets, the maximum DNS message size. No message larger than this
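Review bot: as in the unbound.conf.5 hunk, max\-udp\-size should state explicitly that for values below 65536 the UDP response is capped at the smaller of this setting and the client's advertised EDNS buffer size, and "udp" should be "UDP".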
@@ -220,6 +228,15 @@ The qps for short queries can be about (numqueriesperthread / 2)
/ (jostletimeout in whole seconds) qps per thread, about (1024/2)*5 = 2560
qps by default.
.TP
+.B delay\-close: \fI<msec>
+Extra delay for timeouted UDP ports before they are closed, in msec.
+Default is 0, and that disables it. This prevents very delayed answer
+packets from the upstream (recursive) servers from bouncing against
+closed ports and setting off all sort of close-port counters, with
+eg. 1500 msec. When timeouts happen you need extra sockets, it checks
+the ID and remote IP of packets, and unwanted packets are added to the
+unwanted packet counter.
+.TP
.B so\-rcvbuf: \fI<number>
If not 0, then set the SO_RCVBUF socket option to get more buffer
space on UDP port 53 incoming queries. So that short spikes on busy
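Review bot: same wording fixes as in the unbound.conf.5 hunk for delay\-close: "timeouted" to "timed-out", "all sort of" to "all sorts of", "eg." to "e.g.", and a clearer statement that ports held open for the delay period remain allocated from the outgoing port range while replies that do not match query ID and remote IP are counted as unwanted.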
@@ -242,6 +259,15 @@ linux unbound needs root permission to bypass the limit, or the admin
can use sysctl net.core.wmem_max. On BSD, Solaris changes are similar
to so\-rcvbuf.
.TP
+.B so\-reuseport: \fI<yes or no>
+If yes, then open dedicated listening sockets for incoming queries for each
+thread and try to set the SO_REUSEPORT socket option on each socket. May
+distribute incoming queries to threads more evenly. Default is no. Only
+supported on Linux >= 3.9. You can enable it (on any platform and kernel),
+it then attempts to open the port and passes the option if it was available
+at compile time, if that works it is used, if it fails, it continues
+silently (unless verbosity 3) without the option.
+.TP
.B rrset\-cache\-size: \fI<number>
Number of bytes size of the RRset cache. Default is 4 megabytes.
A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
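Review bot: same contradiction as in the unbound.conf.5 hunk for so\-reuseport ("Only supported on Linux >= 3.9" versus "on any platform and kernel"); reword to say the option is honoured only where SO_REUSEPORT is available and is otherwise ignored, with the failure logged at verbosity 3 or higher.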
@@ -326,7 +352,7 @@ a daemon. Default is yes.
.B access\-control: \fI<IP netblock> <action>
The netblock is given as an IP4 or IP6 address with /size appended for a
classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
-\fIallow\fR or \fIallow_snoop\fR.
+\fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR.
.IP
The action \fIdeny\fR stops queries from hosts from that netblock.
.IP
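Review bot: as in the unbound.conf.5 hunk, add `.IP The action \fIdeny_non_local\fR ...` and `.IP The action \fIrefuse_non_local\fR ...` paragraphs alongside the existing per-action definitions below this list.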
@@ -355,6 +381,12 @@ By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd.
The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
protocol is not designed to handle dropped packets due to policy, and
dropping may result in (possibly excessive) retried queries.
+.IP
+The deny_non_local and refuse_non_local settings are for hosts that are
+only allowed to query for the authoritative local\-data, they are not
+allowed full recursion but only the static data. With deny_non_local,
+messages that are disallowed are dropped, with refuse_non_local they
+receive error code REFUSED.
.TP
.B chroot: \fI<directory>
If chroot is enabled, you should pass the configfile (from the
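Review bot: same fixes as in the unbound.conf.5 hunk: italicise deny_non_local and refuse_non_local to match the action list, split the comma splice in the second sentence, and define "static data" as the configured local\-zone and local\-data entries.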
@@ -492,7 +524,7 @@ unsigned to badly signed often. If turned off you run the risk of a
downgrade attack that disables security for a zone. Default is on.
.TP
.B harden\-below\-nxdomain: \fI<yes or no>
-From draft-vixie-dnsext-resimprove, returns nxdomain to queries for a name
+From draft\-vixie\-dnsext\-resimprove, returns nxdomain to queries for a name
below another name that is already known to be nxdomain. DNSSEC mandates
noerror for empty nonterminals, hence this is possible. Very old software
might return nxdomain for empty nonterminals (that usually happen for reverse
@@ -746,6 +778,17 @@ Number of bytes size of the aggressive negative cache. Default is 1 megabyte.
A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
or gigabytes (1024*1024 bytes in a megabyte).
.TP
+.B unblock\-lan\-zones: \fI<yesno>
+Default is disabled. If enabled, then for private address space,
+the reverse lookups are no longer filtered. This allows unbound when
+running as dns service on a host where it provides service for that host,
+to put out all of the queries for the 'lan' upstream. When enabled,
+only localhost, 127.0.0.1 reverse and ::1 reverse zones are configured
+with default local zones. Disable the option when unbound is running
+as a (DHCP-) DNS network resolver for a group of machines, where such
+lookups should be filtered (RFC compliance), this also stops potential
+data leakage about the local network to the upstream DNS servers.
+.TP
.B local\-zone: \fI<zone> <type>
Configure a local zone. The type determines the answer to give if
there is no match from local\-data. The types are deny, refuse, static,
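Review bot: as in the unbound.conf.5 hunk, change `<yesno>` to `<yes or no>` and "Default is disabled" to "Default is no" to match the other boolean options, capitalise "DNS", and state plainly that enabling the option forwards reverse lookups for private address space upstream, which is the data leakage the last sentence warns about.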