Diffstat (limited to 'contrib/unbound/doc')
-rw-r--r--contrib/unbound/doc/Changelog809
-rw-r--r--contrib/unbound/doc/README11
-rw-r--r--contrib/unbound/doc/README.DNS6420
-rw-r--r--contrib/unbound/doc/example.conf.in146
-rw-r--r--contrib/unbound/doc/libunbound.3.in4
-rw-r--r--contrib/unbound/doc/unbound-anchor.8.in2
-rw-r--r--contrib/unbound/doc/unbound-checkconf.8.in2
-rw-r--r--contrib/unbound/doc/unbound-control.8.in66
-rw-r--r--contrib/unbound/doc/unbound-host.1.in2
-rw-r--r--contrib/unbound/doc/unbound.8.in4
-rw-r--r--contrib/unbound/doc/unbound.conf.5.in284
11 files changed, 1293 insertions, 57 deletions
diff --git a/contrib/unbound/doc/Changelog b/contrib/unbound/doc/Changelog
index 13f0f11749e0..328e83289102 100644
--- a/contrib/unbound/doc/Changelog
+++ b/contrib/unbound/doc/Changelog
@@ -1,6 +1,813 @@
+8 March 2024: Wouter
+ - Fix unbound-control-setup.cmd to use 3072 bits so that certificates
+ are long enough for newer OpenSSL versions.
+ - Fix TTL of synthesized CNAME when a DNAME is used from cache.
+ - Fix unbound-control-setup.cmd to have CA v3 basicConstraints,
+ like unbound-control-setup.sh has.
+
+7 March 2024: Wouter
+ - Version set to 1.19.3 for release. After 1.19.2 point release with
+ security fix for CVE-2024-1931, Denial of service when trimming
+ EDE text on positive replies. The code repo includes the fix and
+ is for version 1.19.3.
+
+5 March 2024: Wouter
+ - Fix for #1022: Fix ede prohibited in access control refused answers.
+
+4 March 2024: Wouter
+ - Fix edns subnet replies for scope zero answers to not get stored
+ in the global cache, and in cachedb, when the upstream replies
+ without an EDNS record.
+
+28 February 2024: Wouter
+ - Move github workflows to use checkoutv4.
+
+23 February 2024: Yorgos
+ - Document the suspend argument for process_ds_response().
+
+22 February 2024: Wouter
+ - Fix trim of EDE text from large udp responses from spinning cpu.
+
+20 February 2024: Yorgos
+ - Merge #1010: Mention REFUSED has the TC bit set with unmatched
+ allow_cookie acl in the manpage. It also fixes the code to match the
+ documentation about clients with a valid cookie that bypass the
+ ratelimit regardless of the allow_cookie acl.
+
+13 February 2024: Wouter
+ - Fix CVE-2023-50387, DNSSEC verification complexity can be exploited
+ to exhaust CPU resources and stall DNS resolvers.
+ - Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.
+ - These fixes are part of the 1.19.1 release, that is a security
+ point release on 1.19.0, the code repository continues with these
+ fixes, with version number 1.19.2.
+
+8 February 2024: Wouter
+ - Fix documentation for access-control in the unbound.conf man page.
+
+7 February 2024: Yorgos
+ - Fix #1006: Can't find protobuf-c package since #999.
+
+30 January 2024: Wouter
+ - Merge #999: Search for protobuf-c with pkg-config.
+
+23 January 2024: Yorgos
+ - Update message TTL when using cached RRSETs. It could result in
+ non-expired messages with expired RRSETs (non-usable messages by
+ Unbound).
+
+22 January 2024: Yorgos
+ - Update error printout for duplicate trust anchors to include the
+ trust anchor name (relates to #920).
+
+22 January 2024: Wouter
+ - Fix for #997: Print details for SSL certificate failure.
+
+17 January 2024: Wouter
+ - Update workflow for ports to use newer openssl on windows compile.
+ - Fix warning for windres on resource files due to redefinition.
+
+16 January 2024: Wouter
+ - Fix to link with libssp for libcrypto and getaddrinfo check for
+ only header. Also update crosscompile to remove ssp for 32bit.
+ - Merge #993: Update b.root-servers.net also in example config file.
+
+15 January 2024: Wouter
+ - Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows.
+
+9 January 2024: Wouter
+ - Merge #988: Fix NLnetLabs#981: dump_cache truncates large records.
+
+5 January 2024: Wouter
+ - Merge #987: skip edns frag retry if advertised udp payload size is
+ not smaller.
+ - Fix unit test for #987 change in udp1xxx retry packet send.
+
+4 January 2024: Wouter
+ - Remove unneeded newlines and improve indentation in remote control
+ code.
+
+3 January 2024: Wouter
+ - Merge #980: DoH: reject non-h2 early. To fix #979: Improve errors
+ for non-HTTP/2 DoH clients.
+ - Merge #985: Add DoH and DoT to dnstap message.
+ - Fix #983: Sha1 runtime insecure change was incomplete.
+
+22 December 2023: Yorgos
+ - Update example.conf with cookie options.
+
+8 December 2023: Yorgos
+ - Merge PR #973: Use the origin (DNAME) TTL for synthesized CNAMEs as
+ per RFC 6672.
+
+8 December 2023: Wouter
+ - Fix root_zonemd unit test, it checks that the root ZONEMD verifies,
+ now that the root has a valid ZONEMD.
+
+7 December 2023: Wouter
+ - Fix #974: doc: default number of outgoing ports without libevent.
+ - Merge #975: Fixed some syntax errors in rpl files.
+
+6 December 2023: Wouter
+ - Fix to sync the tests script file common.sh.
+ - iana portlist update.
+ - Updated IPv4 and IPv6 address for b.root-servers.net in root hints.
+ - Update test script file common.sh.
+ - Fix tests to use new common.sh functions, wait_logfile and
+ kill_from_pidfile.
+
+5 December 2023: Wouter
+ - Merge #971: fix 'WARNING: Message has 41 extra bytes at end'.
+ - Fix #969: [FR] distinguish Do53, DoT and DoH in the logs.
+ - Fix dnstap that assertion failed on logging other than UDP and TCP
+ traffic. It lists it as TCP traffic.
+
+27 November 2023: Yorgos
+ - Merge #968: Replace the obsolescent fgrep with grep -F in tests.
+
+27 November 2023: Wouter
+ - Fix #964: config.h.in~ backup file in release tar balls.
+
+24 November 2023: Yorgos
+ - Use 127.0.0.1 explicitly in tests to avoid delays and errors on
+ newer systems.
+
+9 November 2023: Wouter
+ - Fix unit test parse of origin syntax.
+
+2 November 2023: Wouter
+ - Set version number to 1.19.0.
+ - Tag for 1.19.0rc1 release. It became 1.19.0 release on 8 nov 2023.
+ The repository continues with 1.19.1.
+
+1 November 2023: George
+ - Mention flex and bison in README.md when building from repository
+ source.
+
+1 November 2023: Wouter
+ - Fix SSL compile failure for definition in log_crypto_err_io_code_arg.
+ - Fix SSL compile failure for other missing definitions in
+ log_crypto_err_io_code_arg.
+ - Fix compilation without openssl, remove unused function warning.
+
+31 October 2023: George
+ - Fix #941: dnscrypt doesn't work after upgrade to 1.18 with
+ suggestion by dukeartem to also fix the udp_ancil with dnscrypt.
+
+30 October 2023: George
+ - Merge #930 from Stuart Henderson: add void to
+ log_ident_revert_to_default declaration.
+
+30 October 2023: Wouter
+ - autoconf.
+
+24 October 2023: George
+ - Clearer configure text for missing protobuf-c development libraries.
+
+20 October 2023: Wouter
+ - Merge #951: Cachedb no store. The cachedb-no-store: yes option is
+ used to stop cachedb from writing messages to the backend storage.
+ It reads messages when data is available from the backend. The
+ default is no.
+
+19 October 2023: Wouter
+ - Fix to print detailed errors when an SSL IO routine fails via
+ SSL_get_error.
+
+18 October 2023: George
+ - Mailing list patches from Daniel Gröber for DNS64 fallback to plain
+ AAAA when no A record exists for synthesis, and minor DNS64 code
+ refactoring for better readability.
+ - Fixes for the DNS64 patches.
+ - Update the dns64_lookup.rpl test for the DNS64 fallback patch.
+ - Merge #955 from buevsan: fix ipset wrong behavior.
+ - Update testdata/ipset.tdir test for ipset fix.
+
+17 October 2023: Wouter
+ - Fix #954: Inconsistent RPZ handling for A record returned along with
+ CNAME.
+
+16 October 2023: George
+ - Expose the script filename in the Python module environment 'mod_env'
+ instead of the config_file structure which includes the linked list
+ of scripts in a multi Python module setup; fixes #79.
+ - Expose the configured listening and outgoing interfaces, if any, as
+ a list of strings in the Python 'config_file' class instead of the
+ current Swig object proxy; fixes #79.
+ - For multi Python module setups, clean previously parsed module
+ functions in __main__'s dictionary, if any, so that only current
+ module functions are registered.
+
+13 October 2023: George
+ - Better fix for infinite loop when reading multiple lines of input on
+ a broken remote control socket, by treating a zero byte line the
+ same as transmission end. Addesses #947 and #948.
+
+12 October 2023: Wouter
+ - Merge #944: Disable EDNS DO.
+ Disable the EDNS DO flag in upstream requests. This can be helpful
+ for devices that cannot handle DNSSEC information. But it should not
+ be enabled otherwise, because that would stop DNSSEC validation. The
+ DNSSEC validation would not work for Unbound itself, and also not
+ for downstream users. Default is no. The option
+ is disable-edns-do: no
+
+11 October 2023: George
+ - Fix #850: [FR] Ability to use specific database in Redis, with new
+ redis-logical-db configuration option.
+
+11 October 2023: Wouter
+ - Fix #949: "could not create control compt".
+ - Fix that cachedb does not warn when serve-expired is disabled about
+ use of serve-expired-reply-ttl and serve-expired-client-timeout.
+ - Fix for #949: Fix pythonmod/ubmodule-tst.py for Python 3.x.
+
+10 October 2023: George
+ - Fix infinite loop when reading multiple lines of input on a broken
+ remote control socket. Addesses #947 and #948.
+
+9 October 2023: Wouter
+ - Fix edns subnet so that queries with a source prefix of zero cause
+ the recursor send no edns subnet option to the upstream.
+ - Fix that printout of EDNS options shows the EDNS cookie option by
+ name.
+
+4 October 2023: Wouter
+ - Fix #946: Forwarder returns servfail on upstream response noerror no
+ data.
+
+3 October 2023: George
+ - Merge #881: Generalise the proxy protocol code.
+
+2 October 2023: George
+ - Fix misplaced comment.
+
+22 September 2023: Wouter
+ - Fix #942: 1.18.0 libunbound DNS regression when built without
+ OpenSSL.
+
+18 September 2023: Wouter
+ - Fix rpz tcp-only action with rpz triggers nsdname and nsip.
+
+15 September 2023: Wouter
+ - Merge #936: Check for c99 with autoconf versions prior to 2.70.
+ - Fix to remove two c99 notations.
+
+14 September 2023: Wouter
+ - Fix authority zone answers for obscured DNAMEs and delegations.
+
+8 September 2023: Wouter
+ - Fix send of udp retries when ENOBUFS is returned. It stops looping
+ and also waits for the condition to go away. Reported by Florian
+ Obser.
+
+7 September 2023: Wouter
+ - Fix to scrub resource records of type A and AAAA that have an
+ inappropriate size. They are removed from responses.
+ - Fix to move msgparse_rrset_remove_rr code to util/msgparse.c.
+ - Fix to add EDE text when RRs have been removed due to length.
+ - Fix to set ede match in unit test for rr length removal.
+ - Fix to print EDE text in readable form in output logs.
+
+6 September 2023: Wouter
+ - Merge #931: Prevent warnings from -Wmissing-prototypes.
+
+31 August 2023: Wouter
+ - Fix autoconf 2.69 warnings in configure.
+ - Fix #927: unbound 1.18.0 make test error. Fix make test without SHA1.
+
+30 August 2023: Wouter
+ - Fix for WKS call to getservbyname that creates allocation on exit
+ in unit test by testing numbers first and testing from the services
+ list later.
+
+28 August 2023: Wouter
+ - Fix for version generation race condition that ignored changes.
+
+25 August 2023: Wouter
+ - Fix compile error on NetBSD in util/netevent.h.
+
+23 August 2023: Wouter
+ - Tag for 1.18.0rc1 release. This became the 1.18.0 release on
+ 30 aug 2023, with the fix from 25 aug, fix compile on NetBSD
+ included. The repository continues with version 1.18.1.
+
+22 August 2023: Wouter
+ - Set version number to 1.18.0.
+
+21 August 2023: Wouter
+ - Debug Windows ci workflow.
+ - Fix windows ci workflow to install bison and flex.
+ - Fix for #925: unbound.service: Main process exited, code=killed,
+ status=11/SEGV. Fixes cachedb configuration handling.
+ - Fix #923: processQueryResponse() THROWAWAY should be mindful of
+ fail_reply.
+ - Fix unit test for unbound-control to work when threads are disabled,
+ and fix cache dump check.
+
+18 August 2023: Wouter
+ - Fix for iter_dec_attempts that could cause a hang, part of
+ capsforid and qname minimisation, depending on the settings.
+ - Fix uninitialized memory passed in padding bytes of cmsg to sendmsg.
+ - Fix stat_values test to work with dig that enables DNS cookies.
+
+17 August 2023: Wouter
+ - Merge PR #762: Downstream DNS Server Cookies a la RFC7873 and
+ RFC9018. Create server cookies for clients that send client cookies.
+ This needs to be explicitly turned on in the config file with:
+ `answer-cookie: yes`. A `cookie-secret:` can be configured for
+ anycast setups. Without one, a random cookie secret is generated.
+ The acl option `allow_cookie` allows queries with either a valid
+ cookie or over a stateful transport. The statistics output has
+ `queries_cookie_valid` and `queries_cookie_client` and
+ `queries_cookie_invalid` information. The `ip\-ratelimit\-cookie:`
+ value determines a rate limit for queries with cookies, if desired.
+ - Fix regional_alloc_init for potential unaligned source of the copy.
+ - Fix ip_ratelimit test to work with dig that enables DNS cookies.
+
+2 August 2023: George
+ - Move a cache reply callback in worker.c closer to the cache reply
+ generation.
+
+1 August 2023: George
+ - Merge #911 from natalie-reece: Exclude EDE before other EDNS options
+ when there isn't enough space.
+ - For #911: Try to trim EXTRA-TEXT (and LDNS_EDE_OTHER options
+ altogether) before giving up on attaching EDE options.
+ - More braces and formatting for Fix for EDNS EDE size calculation to
+ avoid future bugs.
+ - Fix to use the now cached EDE, if any, for CD_bit queries.
+
+1 August 2023: Wouter
+ - Fix for EDNS EDE size calculation.
+
+31 July 2023: George
+ - Merge #790 from Tom Carpay: Add support for EDE caching in cachedb
+ and subnetcache.
+
+31 July 2023: Wouter
+ - iana portlist update.
+
+30 July 2023: George
+ - Merge #759 from Tom Carpay: Add EDE (RFC8914) caching.
+
+28 July 2023: George
+ - Fix unused variable compile warning for kernel timestamps in
+ netevent.c
+
+21 July 2023: George
+ - Merge #857 from eaglegai: fix potential memory leaks when errors
+ happen.
+ - For #857: fix mixed declarations and code.
+ - Merge #118 from mibere: Changed verbosity level for Redis init &
+ deinit.
+ - Merge #390 from Frank Riley: Add missing callbacks to the python
+ module.
+ - Cleaner failure code for callback functions in interface.i.
+ - Merge #889 from borisVanhoof: Free memory in error case + remove
+ unused function.
+ - For #889: use netcat-openbsd instead of netcat-traditional.
+ - For #889: Account for num_detached_states before possible
+ mesh_state_delete when erroring out.
+
+20 July 2023: George
+ - Merge #909 from headshog: Numeric truncation when parsing TYPEXX and
+ CLASSXX representation.
+ - For #909: Fix return values.
+ - Merge #901 from Sergei Trofimovich: config: improve handling of
+ unknown modules.
+
+20 July 2023: Wouter
+ - For #909: Fix RR class comparison.
+
+14 July 2023: George
+ - More clear description of the different auth-zone behaviors on the
+ man page.
+
+13 July 2023: George
+ - Merge #880 from chipitsine: services/authzone.c: remove redundant
+ check.
+
+11 July 2023: George
+ - Merge #664 from tilan7763: Add prefetch support for subnet cache
+ entries.
+ - For #664: Easier code flow for subnetcache prefetching.
+ - For #664: Add testcase.
+ - For #664: Rename subnet_prefetch tests to subnet_global_prefetch to
+ differentiate from the new subnet prefetch support.
+
+3 July 2023: George
+ - Merge #739: Add SVCB dohpath support.
+ - Code cleanup for sldns_str2wire_svcparam_key_lookup.
+ - Merge #802: add validation EDEs to queries where the CD bit is set.
+ - For #802: Cleanup comments and add RCODE check for CD bit test case.
+ - Skip the 00-lint test. splint is not maintained; it either does not
+ work or produces false positives. Static analysis is handled in the
+ clang test.
+
+3 July 2023: Wouter
+ - Fix #906: warning: ‘Py_SetProgramName’ is deprecated.
+ - Fix dereference of NULL variable warning in mesh_do_callback.
+
+29 June 2023: George
+ - More fixes for reference counting for python module and clean up
+ failure code.
+ - Merge #827 from rcmcdonald91: Eliminate unnecessary Python reloading
+ which causes memory leaks.
+
+29 June 2023: Wouter
+ - Fix python modules with multiple scripts, by incrementing reference
+ counts.
+
+27 June 2023: George
+ - Merge #892: Add cachedb hit stat. Introduces 'num.query.cachedb' as
+ a new statistical counter.
+ - Remove warning about unknown cast-function-type warning pragma.
+
+22 June 2023: Wouter
+ - Merge #903: contrib: add yocto compatible init script.
+
+15 June 2023: Philip
+ - Fix for issue #887 (Timeouts to forward servers on BSD based
+ system with ASLR)
+ - Probably fixes #516 (Stream reuse does not work on Windows) as well
+
+14 June 2023: George
+ - Properly handle all return values of worker_check_request during
+ early EDE code.
+ - Do not check the incoming request more than once.
+
+12 June 2023: Wouter
+ - Merge #896: Fix: #895: pythonmodule: add all site-packages
+ directories to sys.path.
+ - Fix #895: python + sysconfig gives ANOTHER path comparing to
+ distutils.
+ - Fix for uncertain unit test for doh buffer size events.
+
+25 May 2023: Wouter
+ - Fix unbound-dnstap-socket printout when no query is present.
+ - Fix unbound-dnstap-socket time fraction conversion for printout.
+
+19 May 2023: Wouter
+ - Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR.
+ - Fix to remove unused variables from RPZ clientip data structure.
+
+16 May 2023: Wouter
+ - Fix #888: [FR] Use kernel timestamps for dnstap.
+ - Fix to print debug log for ancillary data with correct IP address.
+
+11 May 2023: Wouter
+ - Fix warning in windows compile, in set_recvtimestamp.
+
+4 May 2023: Wouter
+ - Fix #885: Error: util/configlexer.c: No such file or directory,
+ adds error messages explaining to install flex and bison.
+ - Fix to remove unused whitespace from acx_nlnetlabs.m4 and config.h.
+ - Fix doxygen in addr_to_nat64 header definition.
+
+1 May 2023: George
+ - Merge #722 from David 'eqvinox' Lamparter: NAT64 support.
+ - For #722: minor fixes, formatting, refactoring.
+
+1 May 2023: Wouter
+ - Fix RPZ IP responses with trigger rpz-drop on cache entries, that
+ they are dropped.
+
+26 April 2023: Philip
+ - Fix issue #860: Bad interaction with 0 TTL records and serve-expired
+
+26 April 2023: Wouter
+ - Merge #882 from vvfedorenko: Features/dropqueuedpackets, with
+ sock-queue-timeout option that drops packets that have been in the
+ socket queue for too long. Added statistics num.queries_timed_out
+ and query.queue_time_us.max that track the socket queue timeouts.
+ - Fix for #882: small changes, date updated in Copyright for
+ util/timeval_func.c and util/timeval_func.h. Man page entries and
+ example entry.
+ - Fix for #882: document variable to stop doxygen warning.
+
+19 April 2023: Wouter
+ - Fix for #878: Invalid IP address in unbound.conf causes Segmentation
+ Fault on OpenBSD.
+
+14 April 2023: Wouter
+ - Merge #875: change obsolete txt URL in unbound-anchor.c to point
+ to RFC 7958, and Fix #874.
+
+13 April 2023: Wouter
+ - Fix build badge, from failing travis link to github ci action link.
+
+6 April 2023: Wouter
+ - Fix for #870: Add test case for the qname minimisation and CNAME.
+
+4 April 2023: Wouter
+ - Fix #870: NXDOMAIN instead of NOERROR rcode when asked for existing
+ CNAME record.
+
+24 March 2023: Philip
+ - Fix issue #676: Unencrypted query is sent when
+ forward-tls-upstream: yes is used without tls-cert-bundle
+ - Extra consistency check to make sure that when TLS is requested,
+ either we set up a TLS connection or we return an error.
+
+21 March 2023: Philip
+ - Fix issue #851: reserved identifier violation
+
+20 March 2023: Wouter
+ - iana portlist update.
+
+17 March 2023: George
+ - Fix #812, fix #846, by using the SSL_OP_IGNORE_UNEXPECTED_EOF option
+ to ignore the unexpected eof while reading in openssl >= 3.
+
+16 March 2023: Wouter
+ - Fix ssl.h include brackets, instead of quotes.
+
+14 March 2023: Wouter
+ - Fix unbound-dnstap-socket test program to reply the finish frame
+ over a TLS connection correctly.
+
+23 February 2023: Wouter
+ - Fix for #852: Completion of error handling.
+
+21 February 2023: Philip
+ - Fix #825: Unexpected behavior with client-subnet-always-forward
+ and serve-expired
+
+10 February 2023: George
+ - Clean up iterator/iterator.c::error_response_cache() and allow for
+ better interaction with serve-expired, prefetch and cached error
+ responses.
+
+9 February 2023: George
+ - Allow TTL refresh of expired error responses.
+ - Add testcase for refreshing expired error responses.
+
+9 February 2023: Wouter
+ - Fix to ignore entirely empty responses, and try at another authority.
+ This turns completely empty responses, a type of noerror/nodata into
+ a servfail, but they do not conform to RFC2308, and the retry can
+ fetch improved content.
+ - Fix unit tests for spurious empty messages.
+ - Fix consistency of unit test without roundrobin answers for the
+ cnametooptout unit test.
+ - Fix to git ignore the library symbol file that configure can create.
+
+8 February 2023: Wouter
+ - Fix #841: Unbound won't build with aaaa-filter-iterator.patch.
+
+30 January 2023: George
+ - Add duration variable for speed_local.test.
+
+26 January 2023: Wouter
+ - Fix acx_nlnetlabs.m4 for -Wstrict-prototypes.
+
+23 January 2023: George
+ - Fix #833: [FR] Ability to set the Redis password.
+
+23 January 2023: Wouter
+ - Fix #835: [FR] Ability to use Redis unix sockets.
+
+20 January 2023: Wouter
+ - Merge #819: Added new static zone type block_a to suppress all A
+ queries for specific zones.
+
+19 January 2023: Wouter
+ - Set max-udp-size default to 1232. This is the same default value as
+ the default value for edns-buffer-size. It restricts client edns
+ buffer size choices, and makes unbound behave similar to other DNS
+ resolvers. The new choice, down from 4096 means it is harder to get
+ large responses from Unbound. Thanks to Xiang Li, from NISL Lab,
+ Tsinghua University.
+ - Add harden-unknown-additional option. It removes
+ unknown records from the authority section and additional section.
+ Thanks to Xiang Li, from NISL Lab, Tsinghua University.
+ - Set default for harden-unknown-additional to no. So that it does
+ not hamper future protocol developments.
+ - Fix test for new default.
+
+18 January 2023: Wouter
+ - Fix not following cleared RD flags potentially enables amplification
+ DDoS attacks, reported by Xiang Li and Wei Xu from NISL Lab,
+ Tsinghua University. The fix stops query loops, by refusing to send
+ RD=0 queries to a forwarder, they still get answered from cache.
+
+13 January 2023: Wouter
+ - Merge #826: Аdd a metric about the maximum number of collisions in
+ lrushah.
+ - Improve documentation for #826, describe the large collisions amount.
+
+9 January 2023: Wouter
+ - Fix python module install path detection.
+ - Fix python version detection in configure.
+
+6 January 2023: Wouter
+ - Fix #823: Response change to NODATA for some ANY queries since
+ 1.12, tested on 1.16.1.
+ - Fix wildcard in hyperlocal zone service degradation, reported
+ by Sergey Kacheev. This fix is included in 1.17.1rc2.
+ That became 1.17.1 on 12 Jan 2023, the code repo continues
+ with 1.17.2. 1.17.1 excludes fix #823, it is included forwards.
+
+5 January 2023: Wouter
+ - Tag for 1.17.1 release.
+
+2 January 2023: Wouter
+ - Fix windows compile for libunbound subprocess reap comm point closes.
+ - Update github workflows to use checkout v3.
+
+14 December 2022: George
+ - Merge #569 from JINMEI Tatuya: add keep-cache option to
+ 'unbound-control reload' to keep caches.
+
+13 December 2022: George
+ - Expose 'statistics-inhibit-zero' as a configuration option; the
+ default value retains Unbound's behavior.
+ - Expose 'max-sent-count' as a configuration option; the
+ default value retains Unbound's behavior.
+ - Merge #461 from Christian Allred: Add max-query-restarts option.
+ Exposes an internal configuration but the default value retains
+ Unbound's behavior.
+
+13 December 2022: Wouter
+ - Merge #808: Wrap Makefile script's directory variables in quotes.
+ - Fix to wrap Makefile scripts directory in quotes for uninstall.
+
+1 December 2022: Wouter
+ - Fix #773: When used with systemd-networkd, unbound does not start
+ until systemd-networkd-wait-online.service times out.
+
+30 November 2022: George
+ - Add SVCB and HTTPS to the types removed by 'unbound-control flush'.
+ - Clear documentation for interactivity between the subnet module and
+ the serve-expired and prefetch configuration options.
+
+30 November 2022: Wouter
+ - Fix #782: Segmentation fault in stats.c:404.
+
+28 November 2022: Wouter
+ - Fix for the ignore of tcp events for closed comm points, preserve
+ the use after free protection features.
+
+23 November 2022: Philip
+ - Merge #720 from jonathangray: fix use after free when
+ WSACreateEvent() fails.
+
+22 November 2022: George
+ - Ignore expired error responses.
+
+11 November 2022: Wouter
+ - Fix #779: [doc] Missing documention in ub_resolve_event() for
+ callback parameter was_ratelimited.
+
+9 November 2022: George
+ - Complementary fix for distutils.sysconfig deprecation in Python 3.10
+ to commit 62c5039ab9da42713e006e840b7578e01d66e7f2.
+
+8 November 2022: Wouter
+ - Fix to ignore tcp events for closed comm points.
+ - Fix to make sure to not read again after a tcp comm point is closed.
+ - Fix #775: libunbound: subprocess reap causes parent process reap
+ to hang.
+ - iana portlist update.
+
+21 October 2022: George
+ - Merge #767 from jonathangray: consistently use IPv4/IPv6 in
+ unbound.conf.5.
+
+21 October 2022: Wouter
+ - Fix that cachedb does not store failures in the external cache.
+
+18 October 2022: George
+ - Clarify the use of MAX_SENT_COUNT in the iterator code.
+
+17 October 2022: Wouter
+ - testcode/dohclient sets log identity to its name.
+
+14 October 2022: Wouter
+ - Merge #768 from fobser: Arithmetic on a pointer to void is a GNU
+ extension.
+ - In unit test, print python script name list correctly.
+
+13 October 2022: Wouter
+ - Tag for 1.17.0 release. The code repository continues with 1.17.1.
+
+11 October 2022: George
+ - Fix PROXYv2 header read for TCP connections when no proxied addresses
+ are provided.
+
+7 October 2022: Wouter
+ - Tag for 1.17.0rc1 release.
+
+7 October 2022: George
+ - Fix to stop possible loops in the tcp reuse code (write_wait list
+ and tcp_wait list). Based on analysis and patch from Prad Seniappan
+ and Karthik Umashankar.
+ - Fix unit test to properly test the reuse_write_wait_pop function.
+
+6 October 2022: Wouter
+ - Fix to stop responses with TC flag from resulting in partial
+ responses. It retries to fetch the data elsewhere, or fails the
+ query and in depth fix removes the TC flag from the cached item.
+ - Fix proxy length debug output printout typecasts.
+
+5 October 2022: Wouter
+ - Fix dnscrypt compile for proxy protocol code changes.
+
+5 October 2022: George
+ - Use DEBUG_TDIR from environment in mini_tdir.sh for debugging.
+ - Fix string comparison in mini_tdir.sh.
+ - Make ede.tdir test more predictable by using static data.
+ - Fix checkconf test for dnscrypt and proxy port.
+
+4 October 2022: George
+ - Merge #764: Leniency for target discovery when under load (for
+ NRDelegation changes).
+
+4 October 2022: Wouter
+ - Fix static analysis report to remove dead code from the
+ rpz_callback_from_iterator_module function.
+ - Fix to clean up after the acl_interface unit test.
+
+3 October 2022: George
+ - Merge #760: PROXYv2 downstream support. (New proxy-protocol-port
+ configuration option).
+
+3 October 2022: Wouter
+ - Fix to remove erroneous TC flag from TCP upstream.
+ - Fix test tdir skip report printout.
+ - Fix windows compile, the identifier interface is defined in headers.
+ - Fix to close errno block in comm_point_tcp_handle_read outside of
+ ifdef.
+
+26 September 2022: George
+ - Better output for skipped tdir tests.
+
+21 September 2022: Wouter
+ - Patch for CVE-2022-3204 Non-Responsive Delegation Attack.
+ - This patch was released in 1.16.3, the code repository continues
+ with the previous features and fixes for 1.17.0.
+ - Fix doxygen warning in respip.h.
+
+20 September 2022: George
+ - Convert tdir tests to use the new skip_test functionality.
+ - Remove unused testcode/mini_tpkg.sh file.
+
+16 September 2022: George
+ - Merge #753: ACL per interface. (New interface-* configuration
+ options).
+
+2 September 2022: Wouter
+ - Remove include that was there for debug purposes.
+ - Fix to check pthread_t size after pthread has been detected.
+
+1 September 2022: Wouter
+ - Fix to update config tests to fix checking if nonblocking sockets
+ work on OpenBSD.
+ - Slow down log frequency of write wait failures.
+ - Fix to set out of file descriptor warning to operational verbosity.
+ - Fix to log a verbose message at operational notice level if a
+ thread is not responding, to stats requests. It is logged with
+ thread identifiers.
+
+31 August 2022: Wouter
+ - Fix to avoid process wide fcntl calls mixed with nonblocking
+ operations after a blocked write.
+ - Patch from Vadim Fedorenko that adds MSG_DONTWAIT to receive
+ operations, so that instruction reordering does not cause mistakenly
+ blocking socket operations.
+ - Fix to wait for blocked write on UDP sockets, with a timeout if it
+ takes too long the packet is dropped.
+ - Fix for wait for udp send to stop when packet is successfully sent.
+
+22 August 2022: Wouter
+ - Fix #741: systemd socket activation fails on IPv6.
+
+12 August 2022: Wouter
+ - Fix to log accept error ENFILE and EMFILE errno, but slowly, once
+ per 10 seconds. Also log accept failures when no slow down is used.
+
+5 August 2022: Wouter
+ - Fix #734 [FR] enable unbound-checkconf to detect more (basic)
+ errors.
+
+4 August 2022: Wouter
+ - Fix ratelimit inconsistency, for ip-ratelimits the value is the
+ amount allowed, like for ratelimits.
+
+2 August 2022: Wouter
+ - Fix edns subnet so that scope 0 answers only match sourcemask 0
+ queries for answers from cache if from a query with sourcemask 0.
+ - Fix unittest for edns subnet change.
+ - Merge #730 from luisdallos: Fix startup failure on Windows 8.1 due
+ to unsupported IPV6_USER_MTU socket option being set.
+
1 August 2022: Wouter
- Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699.
- Tests for ghost domain fixes.
+ - Tag for 1.16.2 release. The code repo continues with 1.16.3.
+ - Fix #728: alloc_reg_obtain() core dump. Stop double
+ alloc_reg_release when serviced_create fails.
19 July 2022: George
- Update documentation for 'outbound-msg-retry:'.
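Review bot: a few text defects in the new Changelog entries are worth sending upstream, since contrib/unbound is a vendor import and should not be patched locally: the 13 January 2023 entry "Аdd a metric about the maximum number of collisions in lrushah." begins with a non-ASCII capital A and "lrushah" looks like a transposition of lruhash (util/storage/lruhash.c); "Addesses #947 and #948" in the 13 and 10 October 2023 entries should read "Addresses"; and the 17 August 2023 entry carries roff escapes in `ip\-ratelimit\-cookie:` that belong only in the man page source. None of this affects the build, but operators will search this file for the CVE-2023-50387, CVE-2023-50868 and CVE-2024-1931 entries that this import brings in, so the text around them should be clean.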
@@ -4230,7 +5037,7 @@
- Fix that with openssl 1.1 control-use-cert: no uses less cpu, by
using no encryption over the unix socket.
-22 Novenber 2016: Ralph
+22 November 2016: Ralph
- Make access-control-tag-data RDATA absolute. This makes the RDATA
origin consistent between local-data and access-control-tag-data.
- Fix NSEC ENT wildcard check. Matching wildcard does not have to be a
diff --git a/contrib/unbound/doc/README b/contrib/unbound/doc/README
index a6377d85c71e..b92f649ef30f 100644
--- a/contrib/unbound/doc/README
+++ b/contrib/unbound/doc/README
@@ -1,4 +1,4 @@
-README for Unbound 1.16.2
+README for Unbound 1.19.3
Copyright 2007 NLnet Labs
http://unbound.net
@@ -19,11 +19,10 @@ The DNSTAP code has BSD license in dnstap/dnstap.c.
* Make and install: ./configure; make; make install
* --with-libevent=/path/to/libevent
Can be set to either the system install or the build directory.
- --with-libevent=no (default) gives a builtin alternative
- implementation. libevent is useful when having many (thousands)
- of outgoing ports. This improves randomization and spoof
- resistance. For the default of 16 ports the builtin alternative
- works well and is a little faster.
+ --with-libevent=no gives a builtin alternative implementation.
+ Libevent is enabled by default, it is useful when having many
+ (thousands) of outgoing ports. This improves randomization and spoof
+ resistance. It also allows a higher number of outgoing queries.
* --with-libexpat=/path/to/libexpat
Can be set to the install directory of libexpat.
* --without-pthreads
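Review bot: the rewritten --with-libevent paragraph drops a concrete figure without replacing it. The old text said the builtin implementation "works well" for "the default of 16 ports"; the new text says libevent is now the default and "allows a higher number of outgoing queries" but never states what the default number of outgoing ports or queries is with libevent enabled. Since the paragraph justifies the change with randomization and spoof resistance, give the new default so the claim is checkable, e.g. "With libevent (the default) Unbound opens N outgoing ports; pass --with-libevent=no for the builtin implementation, which is suitable for small deployments."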
diff --git a/contrib/unbound/doc/README.DNS64 b/contrib/unbound/doc/README.DNS64
index 49446ac575d1..71e2310ed9aa 100644
--- a/contrib/unbound/doc/README.DNS64
+++ b/contrib/unbound/doc/README.DNS64
@@ -28,3 +28,23 @@ prefix. For example:
;; ANSWER SECTION:
jazz-v4.viagenie.ca. 86400 IN AAAA 64:ff9b::ce7b:1f02
+
+NAT64 support was added by David Lamparter in 2022; license(s) of the
+surrounding code apply. Note that NAT64 is closely related but functionally
+orthogonal to DNS64; it allows Unbound to send outgoing queries to IPv4-only
+servers over IPv6 through the configured NAT64 prefix. This allows running
+an Unbound instance on an IPv6-only host without breaking every single domain
+that only has IPv4 servers. Whether that Unbound instance also does DNS64 is
+an independent choice.
+
+To enable NAT64 in Unbound, add to unbound.conf's "server" section:
+
+ do-nat64: yes
+
+The NAT64 prefix defaults to the DNS64 prefix, which in turn defaults to the
+standard 64:FF9B::/96 prefix. You can reconfigure it with:
+
+ nat64-prefix: 64:FF9B::/96
+
+To test NAT64 operation, pick a domain that only has IPv4 reachability for its
+nameservers and try resolving any names in that domain.
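Review bot: the test instruction at the end ("pick a domain that only has IPv4 reachability for its nameservers and try resolving any names in that domain") does not say what a correct result looks like, so a failed NAT64 path and a working one are indistinguishable to the reader. Since the text says queries to IPv4-only servers go "over IPv6 through the configured NAT64 prefix", state that the outgoing query should be sent to the prefix with the server's IPv4 address embedded in it (visible with raised verbosity), and that a SERVFAIL means the prefix or the NAT64 gateway is not reachable. Two smaller points in the same hunk: the prefix is written "64:FF9B::/96" here but "64:ff9b::0/96" in example.conf.in in this same change, so pick one spelling; and "license(s) of the surrounding code apply" should name the license rather than leave it to the reader to find.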
diff --git a/contrib/unbound/doc/example.conf.in b/contrib/unbound/doc/example.conf.in
index 087e6364297f..d791cf8d4761 100644
--- a/contrib/unbound/doc/example.conf.in
+++ b/contrib/unbound/doc/example.conf.in
@@ -1,7 +1,7 @@
#
# Example configuration file.
#
-# See unbound.conf(5) man page, version 1.16.2.
+# See unbound.conf(5) man page, version 1.19.3.
#
# this is a comment.
@@ -17,7 +17,7 @@ server:
# whitespace is not necessary, but looks cleaner.
# verbosity number, 0 is least verbose. 1 is default.
- verbosity: 1
+ # verbosity: 1
# print statistics to the log (for every thread) every N seconds.
# Set to "" or 0 to disable. Default is disabled.
@@ -35,9 +35,14 @@ server:
# statistics-cumulative: no
# enable extended statistics (query types, answer codes, status)
- # printed from unbound-control. default off, because of speed.
+ # printed from unbound-control. Default off, because of speed.
# extended-statistics: no
+ # Inhibits selected extended statistics (qtype, qclass, qopcode, rcode,
+ # rpz-actions) from printing if their value is 0.
+ # Default on.
+ # statistics-inhibit-zero: yes
+
# number of threads to create. 1 disables threading.
# num-threads: 1
@@ -50,6 +55,7 @@ server:
# interface: 192.0.2.154
# interface: 192.0.2.154@5003
# interface: 2001:DB8::5
+ # interface: eth0@5003
# enable this feature to copy the source address of queries to reply.
# Socket options are not supported on all platforms. experimental.
@@ -137,8 +143,8 @@ server:
# edns-buffer-size: 1232
# Maximum UDP response size (not applied to TCP response).
- # Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
- # max-udp-size: 4096
+ # Suggested values are 512 to 4096. Default is 1232. 65536 disables it.
+ # max-udp-size: 1232
# max memory to use for stream(tcp and tls) waiting result buffers.
# stream-wait-size: 4m
@@ -172,6 +178,15 @@ server:
# a throwaway response (also timeouts) is received.
# outbound-msg-retry: 5
+ # Hard limit on the number of outgoing queries Unbound will make while
+ # resolving a name, making sure large NS sets do not loop.
+ # It resets on query restarts (e.g., CNAME) and referrals.
+ # max-sent-count: 32
+
+ # Hard limit on the number of times Unbound is allowed to restart a
+ # query upon encountering a CNAME record.
+ # max-query-restarts: 11
+
# msec for waiting for an unknown server to reply. Increase if you
# are behind a slow satellite link, to eg. 1128.
# unknown-server-time-limit: 376
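Review bot: the max-sent-count comment contradicts itself. It is introduced as a "Hard limit on the number of outgoing queries Unbound will make while resolving a name", but the next line says the counter "resets on query restarts (e.g., CNAME) and referrals", so it bounds the queries per delegation step, not per resolution. Say so directly, e.g. "Limit on outgoing queries per delegation step, so that large NS sets cannot be used to loop; the counter resets on CNAME restarts and on referrals", and make clear that max-query-restarts: 11 is the separate cap on the restarts themselves, so the effective per-query bound is the product of the two, not 32.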
@@ -217,7 +232,8 @@ server:
# the maximum number of hosts that are cached (roundtrip, EDNS, lame).
# infra-cache-numhosts: 10000
- # define a number of tags here, use with local-zone, access-control.
+ # define a number of tags here, use with local-zone, access-control,
+ # interface-*.
# repeat the define-tag statement to add additional tags.
# define-tag: "tag1 tag2 tag3"
@@ -227,6 +243,18 @@ server:
# Enable IPv6, "yes" or "no".
# do-ip6: yes
+ # If running unbound on an IPv6-only host, domains that only have
+ # IPv4 servers would become unresolveable. If NAT64 is available in
+ # the network, unbound can use NAT64 to reach these servers with
+ # the following option. This is NOT needed for enabling DNS64 on a
+ # system that has IPv4 connectivity.
+ # Consider also enabling prefer-ip6 to prefer native IPv6 connections
+ # to nameservers.
+ # do-nat64: no
+
+ # NAT64 prefix. Defaults to using dns64-prefix value.
+ # nat64-prefix: 64:ff9b::0/96
+
# Enable UDP, "yes" or "no".
# do-udp: yes
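Review bot: "unresolveable" in the do-nat64 comment should be "unresolvable". The nat64-prefix example is written "64:ff9b::0/96" while README.DNS64 in this same change writes "64:FF9B::/96"; use one form in both places so a reader comparing them does not wonder whether they differ. The comment "Defaults to using dns64-prefix value" is also worth completing with what dns64-prefix itself defaults to, since an operator enabling do-nat64 without any DNS64 configuration needs to know which prefix will actually be used.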
@@ -258,6 +286,10 @@ server:
# Timeout for EDNS TCP keepalive, in msec.
# edns-tcp-keepalive-timeout: 120000
+ # UDP queries that have waited in the socket buffer for a long time
+ # can be dropped. Default is 0, disabled. In seconds, such as 3.
+ # sock-queue-timeout: 0
+
# Use systemd socket activation for UDP, TCP, and control sockets.
# use-systemd: no
@@ -271,11 +303,10 @@ server:
# Choose deny (drop message), refuse (polite error reply),
# allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),
# allow_snoop (recursive and nonrecursive ok)
+ # allow_cookie (allow UDP with valid cookie or stateful transport)
# deny_non_local (drop queries unless can be answered from local-data)
# refuse_non_local (like deny_non_local but polite error reply).
- # access-control: 0.0.0.0/0 refuse
# access-control: 127.0.0.0/8 allow
- # access-control: ::0/0 refuse
# access-control: ::1 allow
# access-control: ::ffff:127.0.0.1 allow
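Review bot: removing the explicit `access-control: 0.0.0.0/0 refuse` and `::0/0 refuse` lines makes the example depend on the default action, and the unbound.conf.5 hunk in this same change moves that default from deny to refuse. Keep a comment here stating it, e.g. "# clients not matched by any access-control entry are refused (REFUSED rcode)", so that operators who copy the example know what happens to everything not listed, and so that those who relied on the old implicit deny (silent drop) notice that unmatched clients now receive an answer. The allow_cookie line is fine, but it is the only action described here in terms of a transport; a short pointer to answer-cookie, which it depends on, would help.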
@@ -284,7 +315,7 @@ server:
# are tagged with one of these tags.
# access-control-tag: 192.0.2.0/24 "tag2 tag3"
- # set action for particular tag for given access control element
+ # set action for particular tag for given access control element.
# if you have multiple tag values, the tag used to lookup the action
# is the first tag match between access-control-tag and local-zone-tag
# where "first" comes from the order of the define-tag values.
@@ -296,6 +327,58 @@ server:
# Set view for access control element
# access-control-view: 192.0.2.0/24 viewname
+ # Similar to 'access-control:' but for interfaces.
+ # Control which listening interfaces are allowed to accept (recursive)
+ # queries for this server.
+ # The specified interfaces should be the same as the ones specified in
+ # 'interface:' followed by the action.
+ # The actions are the same as 'access-control:' above.
+ # By default all the interfaces configured are refused.
+ # Note: any 'access-control*:' setting overrides all 'interface-*:'
+ # settings for targeted clients.
+ # interface-action: 192.0.2.153 allow
+ # interface-action: 192.0.2.154 allow
+ # interface-action: 192.0.2.154@5003 allow
+ # interface-action: 2001:DB8::5 allow
+ # interface-action: eth0@5003 allow
+
+ # Similar to 'access-control-tag:' but for interfaces.
+ # Tag interfaces with a list of tags (in "" with spaces between).
+ # Interfaces using these tags use localzones that are tagged with one
+ # of these tags.
+ # The specified interfaces should be the same as the ones specified in
+ # 'interface:' followed by the list of tags.
+ # Note: any 'access-control*:' setting overrides all 'interface-*:'
+ # settings for targeted clients.
+ # interface-tag: eth0@5003 "tag2 tag3"
+
+ # Similar to 'access-control-tag-action:' but for interfaces.
+ # Set action for particular tag for a given interface element.
+ # If you have multiple tag values, the tag used to lookup the action
+ # is the first tag match between interface-tag and local-zone-tag
+ # where "first" comes from the order of the define-tag values.
+ # The specified interfaces should be the same as the ones specified in
+ # 'interface:' followed by the tag and action.
+ # Note: any 'access-control*:' setting overrides all 'interface-*:'
+ # settings for targeted clients.
+ # interface-tag-action: eth0@5003 tag3 refuse
+
+ # Similar to 'access-control-tag-data:' but for interfaces.
+ # Set redirect data for a particular tag for an interface element.
+ # The specified interfaces should be the same as the ones specified in
+ # 'interface:' followed by the tag and the redirect data.
+ # Note: any 'access-control*:' setting overrides all 'interface-*:'
+ # settings for targeted clients.
+ # interface-tag-data: eth0@5003 tag2 "A 127.0.0.1"
+
+ # Similar to 'access-control-view:' but for interfaces.
+ # Set view for an interface element.
+ # The specified interfaces should be the same as the ones specified in
+ # 'interface:' followed by the view name.
+ # Note: any 'access-control*:' setting overrides all 'interface-*:'
+ # settings for targeted clients.
+ # interface-view: eth0@5003 viewname
+
# if given, a chroot(2) is done to the given directory.
# i.e. you can chroot to the working directory, for example,
# for extra security, but make sure all files are in that directory.
@@ -359,6 +442,9 @@ server:
# filtering log-queries and log-replies from the log.
# log-tag-queryreply: no
+ # log with destination address, port and type for log-replies.
+ # log-destaddr: no
+
# log the local-zone actions, like local-zone type inform is enabled
# also for the other local zone types.
# log-local-actions: no
@@ -437,6 +523,10 @@ server:
# to validate the zone.
# harden-algo-downgrade: no
+ # Harden against unknown records in the authority section and the
+ # additional section.
+ # harden-unknown-additional: no
+
# Sent minimum amount of information to upstream servers to enhance
# privacy. Only sent minimum required labels of the QNAME and set QTYPE
# to A when possible.
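Review bot: the harden-unknown-additional comment says what the option hardens against but not what it does. The other harden-* entries in this file say what changes (records ignored, validation failure, and so on); this one should state whether unknown records in the authority and additional sections are dropped from the message or the whole message is discarded, and what functionality, if any, is lost by enabling it, so an operator can decide whether to turn the default of no into yes.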
@@ -597,6 +687,11 @@ server:
# that set CD but cannot validate themselves.
# ignore-cd-flag: no
+ # Disable the DO flag in outgoing requests. It is helpful for upstream
+ # devices that cannot handle DNSSEC information. But do not enable it
+ # otherwise, because it would stop DNSSEC validation.
+ # disable-edns-do: no
+
# Serve expired responses from cache, with serve-expired-reply-ttl in
# the response, and then attempt to fetch the data afresh.
# serve-expired: no
@@ -744,6 +839,8 @@ server:
# o always_transparent, always_refuse, always_nxdomain, always_nodata,
# always_deny resolve in that way but ignore local data for
# that name
+ # o block_a resolves all records normally but returns
+ # NODATA for A queries and ignores local data for that name
# o always_null returns 0.0.0.0 or ::0 for any name in the zone.
# o noview breaks out of that view towards global local-zones.
#
@@ -850,6 +947,10 @@ server:
# Disable TLS for DNS-over-HTTP downstream service.
# http-notls-downstream: no
+ # The interfaces that use these listed port numbers will support and
+ # expect PROXYv2. For UDP and TCP/TLS interfaces.
+ # proxy-protocol-port: portno for each of the port numbers.
+
# DNS64 prefix. Must be specified when DNS64 is use.
# Enable dns64 in module-config. Used to synthesize IPv6 from IPv4.
# dns64-prefix: 64:ff9b::0/96
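Review bot: `proxy-protocol-port: portno for each of the port numbers.` is not a valid statement and does not follow the file's convention of showing a commented literal example. Write it as the other entries are written, e.g. `# proxy-protocol-port: 5003` followed by "repeat the statement for each port". Because the unbound.conf.5 text in this change says the proxied address is then used for ACL, logging, RPZ and ratelimiting, the comment should also say that such ports must be reachable only from the proxy.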
@@ -886,6 +987,13 @@ server:
# if 0(default) it is disabled, otherwise states qps allowed per ip address
# ip-ratelimit: 0
+ # global query ratelimit for all ip addresses with a valid DNS Cookie.
+ # feature is experimental.
+ # if 0(default) it is disabled, otherwise states qps allowed per ip address
+ # useful in combination with 'allow_cookie'.
+ # If used, suggested to be higher than ip-ratelimit, tenfold.
+ # ip-ratelimit-cookie: 0
+
# ip ratelimits are tracked in a cache, size in bytes of cache (or k,m).
# ip-ratelimit-size: 4m
# ip ratelimit cache slabs, reduces lock contention if equal to cpucount.
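Review bot: the ip-ratelimit-cookie comment is self-contradictory: it opens with "global query ratelimit for all ip addresses with a valid DNS Cookie" and then says the value "states qps allowed per ip address". Per-IP is presumably what is meant (it mirrors ip-ratelimit directly above); drop "global" and say "per-IP query ratelimit applied to clients that present a valid DNS Cookie, instead of ip-ratelimit". "If used, suggested to be higher than ip-ratelimit, tenfold." also reads awkwardly; "for example ten times ip-ratelimit" says the same thing.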
@@ -907,6 +1015,14 @@ server:
# the number of servers that will be used in the fast server selection.
# fast-server-num: 3
+ # reply to requests containing DNS Cookies as specified in RFC 7873 and RFC 9018.
+ # answer-cookie: no
+
+ # secret for DNS Cookie generation.
+ # useful for anycast deployments.
+ # example value "000102030405060708090a0b0c0d0e0f".
+ # cookie-secret: <128 bit random hex string>
+
# Enable to attach Extended DNS Error codes (RFC8914) to responses.
# ede: no
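Review bot: the cookie-secret example value "000102030405060708090a0b0c0d0e0f" is a predictable byte sequence, and readers do copy example values. Anyone who knows the secret can mint server cookies, which defeats the allow_cookie access-control action that this secret backs. The comment should say the value must be generated with a CSPRNG (for instance `openssl rand -hex 16` produces a 128-bit hex string of the required length), that it must be identical on every node of an anycast set, and that changing it invalidates outstanding cookies, which clients recover from via the BADCOOKIE retry described under allow_cookie in unbound.conf.5. Also note the file holding the secret must not be world-readable.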
@@ -1053,7 +1169,7 @@ remote-control:
# sources of notifies.
# auth-zone:
# name: "."
-# primary: 199.9.14.201 # b.root-servers.net
+# primary: 170.247.170.2 # b.root-servers.net
# primary: 192.33.4.12 # c.root-servers.net
# primary: 199.7.91.13 # d.root-servers.net
# primary: 192.5.5.241 # f.root-servers.net
@@ -1061,7 +1177,7 @@ remote-control:
# primary: 193.0.14.129 # k.root-servers.net
# primary: 192.0.47.132 # xfr.cjr.dns.icann.org
# primary: 192.0.32.132 # xfr.lax.dns.icann.org
-# primary: 2001:500:200::b # b.root-servers.net
+# primary: 2801:1b8:10::b # b.root-servers.net
# primary: 2001:500:2::c # c.root-servers.net
# primary: 2001:500:2d::d # d.root-servers.net
# primary: 2001:500:2f::f # f.root-servers.net
@@ -1129,6 +1245,8 @@ remote-control:
# backend: "testframe"
# # secret seed string to calculate hashed keys
# secret-seed: "default"
+# # if the backend should be read from, but not written to.
+# cachedb-no-store: no
#
# # For "redis" backend:
# # (to enable, use --with-libhiredis to configure before compiling)
@@ -1136,10 +1254,16 @@ remote-control:
# redis-server-host: 127.0.0.1
# # redis server's TCP port
# redis-server-port: 6379
+# # if the server uses a unix socket, set its path, or "" when not used.
+# # redis-server-path: "/var/lib/redis/redis-server.sock"
+# # if the server uses an AUTH password, specify here, or "" when not used.
+# # redis-server-password: ""
# # timeout (in ms) for communication with the redis server
# redis-timeout: 100
# # set timeout on redis records based on DNS response TTL
# redis-expire-records: no
+# # redis logical database to use, 0 is the default database.
+# redis-logical-db: 0
# IPSet
# Add specify domain into set via ipset.
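Review bot: redis-server-password puts a plaintext secret into unbound.conf, and nothing here says so. Add a sentence that the configuration file must then be protected from other local users, and recommend redis-server-path (a unix socket) over a TCP port where the redis server is local, since the TCP path sends the AUTH password and all cache contents unencrypted. The redis-logical-db entry is fine, but it is worth stating whether a database index that does not exist on the server is an error at startup or at first use.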
diff --git a/contrib/unbound/doc/libunbound.3.in b/contrib/unbound/doc/libunbound.3.in
index 543e628fd22a..aeffa9516514 100644
--- a/contrib/unbound/doc/libunbound.3.in
+++ b/contrib/unbound/doc/libunbound.3.in
@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "Aug 1, 2022" "NLnet Labs" "unbound 1.16.2"
+.TH "libunbound" "3" "Mar 14, 2024" "NLnet Labs" "unbound 1.19.3"
.\"
.\" libunbound.3 -- unbound library functions manual
.\"
@@ -44,7 +44,7 @@
.B ub_ctx_zone_remove,
.B ub_ctx_data_add,
.B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.16.2 functions.
+\- Unbound DNS validating resolver 1.19.3 functions.
.SH "SYNOPSIS"
.B #include <unbound.h>
.LP
diff --git a/contrib/unbound/doc/unbound-anchor.8.in b/contrib/unbound/doc/unbound-anchor.8.in
index 7fc316855320..f372d58e278a 100644
--- a/contrib/unbound/doc/unbound-anchor.8.in
+++ b/contrib/unbound/doc/unbound-anchor.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "Aug 1, 2022" "NLnet Labs" "unbound 1.16.2"
+.TH "unbound-anchor" "8" "Mar 14, 2024" "NLnet Labs" "unbound 1.19.3"
.\"
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
.\"
diff --git a/contrib/unbound/doc/unbound-checkconf.8.in b/contrib/unbound/doc/unbound-checkconf.8.in
index 628f841b36f4..cde6d5c7aef2 100644
--- a/contrib/unbound/doc/unbound-checkconf.8.in
+++ b/contrib/unbound/doc/unbound-checkconf.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "Aug 1, 2022" "NLnet Labs" "unbound 1.16.2"
+.TH "unbound-checkconf" "8" "Mar 14, 2024" "NLnet Labs" "unbound 1.19.3"
.\"
.\" unbound-checkconf.8 -- unbound configuration checker manual
.\"
diff --git a/contrib/unbound/doc/unbound-control.8.in b/contrib/unbound/doc/unbound-control.8.in
index d18a407cb5eb..4de6988ba0c0 100644
--- a/contrib/unbound/doc/unbound-control.8.in
+++ b/contrib/unbound/doc/unbound-control.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "Aug 1, 2022" "NLnet Labs" "unbound 1.16.2"
+.TH "unbound-control" "8" "Mar 14, 2024" "NLnet Labs" "unbound 1.19.3"
.\"
.\" unbound-control.8 -- unbound remote control manual
.\"
@@ -54,6 +54,12 @@ Stop the server. The server daemon exits.
.B reload
Reload the server. This flushes the cache and reads the config file fresh.
.TP
+.B reload_keep_cache
+Reload the server but try to keep the RRset and message cache if
+(re)configuration allows for it.
+That means the caches sizes and the number of threads must not change between
+reloads.
+.TP
.B verbosity \fInumber
Change verbosity value for logging. Same values as \fBverbosity\fR keyword in
\fIunbound.conf\fR(5). This new setting lasts until the server is issued
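Review bot: "caches sizes" should be "cache sizes". More importantly, the reload_keep_cache text should state the consequence of keeping the cache: the plain reload directly above it "flushes the cache", and operators reload precisely to discard stale or unwanted cached data or to apply new local-data, trust anchors or RPZ policy. Say that reload_keep_cache is not a substitute for reload in those cases, and say what happens when the conditions are not met (cache sizes or num-threads changed): is the cache silently dropped, or is the command rejected?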
@@ -130,7 +136,7 @@ name specified.
.TP
.B flush \fIname
Remove the name from the cache. Removes the types
-A, AAAA, NS, SOA, CNAME, DNAME, MX, PTR, SRV and NAPTR.
+A, AAAA, NS, SOA, CNAME, DNAME, MX, PTR, SRV, NAPTR, SVCB and HTTPS.
Because that is fast to do. Other record types can be removed using
.B flush_type
or
@@ -363,6 +369,15 @@ number of queries received by thread
.I threadX.num.queries_ip_ratelimited
number of queries rate limited by thread
.TP
+.I threadX.num.queries_cookie_valid
+number of queries with a valid DNS Cookie by thread
+.TP
+.I threadX.num.queries_cookie_client
+number of queries with a client part only DNS Cookie by thread
+.TP
+.I threadX.num.queries_cookie_invalid
+number of queries with an invalid DNS Cookie by thread
+.TP
.I threadX.num.cachehits
number of queries that were successfully answered using a cache lookup
.TP
@@ -392,6 +407,14 @@ as a cache response was sent.
.I threadX.num.expired
number of replies that served an expired cache entry.
.TP
+.I threadX.num.queries_timed_out
+number of queries that are dropped because they waited in the UDP socket buffer
+for too long.
+.TP
+.I threadX.query.queue_time_us.max
+The maximum wait time for packets in the socket buffer, in microseconds. This
+is only reported when sock-queue-timeout is enabled.
+.TP
.I threadX.num.recursivereplies
The number of replies sent to queries that needed recursive processing. Could be smaller than threadX.num.cachemiss if due to timeouts no replies were sent for some queries.
.TP
@@ -432,6 +455,18 @@ buffers are full.
.I total.num.queries
summed over threads.
.TP
+.I total.num.queries_ip_ratelimited
+summed over threads.
+.TP
+.I total.num.queries_cookie_valid
+summed over threads.
+.TP
+.I total.num.queries_cookie_client
+summed over threads.
+.TP
+.I total.num.queries_cookie_invalid
+summed over threads.
+.TP
.I total.num.cachehits
summed over threads.
.TP
@@ -456,6 +491,12 @@ summed over threads.
.I total.num.expired
summed over threads.
.TP
+.I total.num.queries_timed_out
+summed over threads.
+.TP
+.I total.query.queue_time_us.max
+the maximum of the thread values.
+.TP
.I total.num.recursivereplies
summed over threads.
.TP
@@ -591,7 +632,7 @@ ratelimiting.
.TP
.I num.query.dnscrypt.shared_secret.cachemiss
The number of dnscrypt queries that did not find a shared secret in the cache.
-The can be use to compute the shared secret hitrate.
+This can be used to compute the shared secret hitrate.
.TP
.I num.query.dnscrypt.replay
The number of dnscrypt queries that found a nonce hit in the nonce cache and
@@ -647,6 +688,18 @@ timing and protocol support information.
The number of items in the key cache. These are DNSSEC keys, one item
per delegation point, and their validation status.
.TP
+.I msg.cache.max_collisions
+The maximum number of hash table collisions in the msg cache. This is the
+number of hashes that are identical when a new element is inserted in the
+hash table. If the value is very large, like hundreds, something is wrong
+with the performance of the hash table, hash values are incorrect or malicious.
+.TP
+.I rrset.cache.max_collisions
+The maximum number of hash table collisions in the rrset cache. This is the
+number of hashes that are identical when a new element is inserted in the
+hash table. If the value is very large, like hundreds, something is wrong
+with the performance of the hash table, hash values are incorrect or malicious.
+.TP
.I dnscrypt_shared_secret.cache.count
The number of items in the shared secret cache. These are precomputed shared
secrets for a given client public key/server secret key pair. Shared secrets
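Review bot: the msg.cache.max_collisions and rrset.cache.max_collisions entries do not say what the maximum is taken over. State whether it is the largest value seen since the server started or since the last statistics reset (and how statistics-cumulative affects it), otherwise an operator cannot tell whether a high value is a past event or an ongoing one. The closing phrase "hash values are incorrect or malicious" would be clearer as "the hash function is broken, or a client is deliberately sending names that collide (a hash-flooding attack)", since that is the condition an operator should alert on.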
@@ -686,7 +739,12 @@ Number of queries that got an answer that contained EDNS client subnet data.
.I num.query.subnet_cache
Number of queries answered from the edns client subnet cache. These are
counted as cachemiss by the main counters, but hit the client subnet
-specific cache, after getting processed by the edns client subnet module.
+specific cache after getting processed by the edns client subnet module.
+.TP
+.I num.query.cachedb
+Number of queries answered from the external cache of cachedb.
+These are counted as cachemiss by the main counters, but hit the cachedb
+external cache after getting processed by the cachedb module.
.TP
.I num.rpz.action.<rpz_action>
Number of queries answered using configured RPZ policy, per RPZ action type.
diff --git a/contrib/unbound/doc/unbound-host.1.in b/contrib/unbound/doc/unbound-host.1.in
index d3b701fb9e48..aacaa0e2eb31 100644
--- a/contrib/unbound/doc/unbound-host.1.in
+++ b/contrib/unbound/doc/unbound-host.1.in
@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "Aug 1, 2022" "NLnet Labs" "unbound 1.16.2"
+.TH "unbound\-host" "1" "Mar 14, 2024" "NLnet Labs" "unbound 1.19.3"
.\"
.\" unbound-host.1 -- unbound DNS lookup utility
.\"
diff --git a/contrib/unbound/doc/unbound.8.in b/contrib/unbound/doc/unbound.8.in
index 73b9e4b7a8d0..542c71e52486 100644
--- a/contrib/unbound/doc/unbound.8.in
+++ b/contrib/unbound/doc/unbound.8.in
@@ -1,4 +1,4 @@
-.TH "unbound" "8" "Aug 1, 2022" "NLnet Labs" "unbound 1.16.2"
+.TH "unbound" "8" "Mar 14, 2024" "NLnet Labs" "unbound 1.19.3"
.\"
.\" unbound.8 -- unbound manual
.\"
@@ -9,7 +9,7 @@
.\"
.SH "NAME"
.B unbound
-\- Unbound DNS validating resolver 1.16.2.
+\- Unbound DNS validating resolver 1.19.3.
.SH "SYNOPSIS"
.B unbound
.RB [ \-h ]
diff --git a/contrib/unbound/doc/unbound.conf.5.in b/contrib/unbound/doc/unbound.conf.5.in
index 47250e4f88f0..d37451aa4539 100644
--- a/contrib/unbound/doc/unbound.conf.5.in
+++ b/contrib/unbound/doc/unbound.conf.5.in
@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "Aug 1, 2022" "NLnet Labs" "unbound 1.16.2"
+.TH "unbound.conf" "5" "Mar 14, 2024" "NLnet Labs" "unbound 1.19.3"
.\"
.\" unbound.conf.5 -- unbound.conf manual
.\"
@@ -112,13 +112,21 @@ If enabled, extended statistics are printed from \fIunbound\-control\fR(8).
Default is off, because keeping track of more statistics takes time. The
counters are listed in \fIunbound\-control\fR(8).
.TP
+.B statistics\-inhibit\-zero: \fI<yes or no>
+If enabled, selected extended statistics with a value of 0 are inhibited from
+printing with \fIunbound\-control\fR(8).
+These are query types, query classes, query opcodes, answer rcodes
+(except NOERROR, FORMERR, SERVFAIL, NXDOMAIN, NOTIMPL, REFUSED) and
+RPZ actions.
+Default is on.
+.TP
.B num\-threads: \fI<number>
The number of threads to create to serve clients. Use 1 for no threading.
.TP
.B port: \fI<port number>
The port number, default 53, on which the server responds to queries.
.TP
-.B interface: \fI<ip address[@port]>
+.B interface: \fI<ip address or interface name [@port]>
Interface to use to connect to the network. This interface is listened to
for queries from clients, and answers to clients are given from it.
Can be given multiple times to work on several interfaces. If none are
@@ -129,7 +137,7 @@ A port number can be specified with @port (without spaces between
interface and port number), if not specified the default port (from
\fBport\fR) is used.
.TP
-.B ip\-address: \fI<ip address[@port]>
+.B ip\-address: \fI<ip address or interface name [@port]>
Same as interface: (for ease of compatibility with nsd.conf).
.TP
.B interface\-automatic: \fI<yes or no>
@@ -225,7 +233,8 @@ number).
.B max\-udp\-size: \fI<number>
Maximum UDP response size (not applied to TCP response). 65536 disables the
udp response size maximum, and uses the choice from the client, always.
-Suggested values are 512 to 4096. Default is 4096.
+Suggested values are 512 to 4096. Default is 1232. The default value is the
+same as the default for edns\-buffer\-size.
.TP
.B stream\-wait\-size: \fI<number>
Number of bytes size maximum to use for waiting stream buffers. Default is
@@ -349,7 +358,7 @@ ip\-transparent option is also available.
The value of the Differentiated Services Codepoint (DSCP) in the
differentiated services field (DS) of the outgoing IP packet headers.
The field replaces the outdated IPv4 Type-Of-Service field and the
-IPV6 traffic class field.
+IPv6 traffic class field.
.TP
.B rrset\-cache\-size: \fI<number>
Number of bytes size of the RRset cache. Default is 4 megabytes.
@@ -416,7 +425,7 @@ Enable or disable whether ip4 queries are answered or issued. Default is yes.
Enable or disable whether ip6 queries are answered or issued. Default is yes.
If disabled, queries are not answered on IPv6, and queries are not sent on
IPv6 to the internet nameservers. With this option you can disable the
-ipv6 transport for sending DNS traffic, it does not impact the contents of
+IPv6 transport for sending DNS traffic, it does not impact the contents of
the DNS traffic, which may have ip4 and ip6 addresses in it.
.TP
.B prefer\-ip4: \fI<yes or no>
@@ -496,6 +505,14 @@ configured, and finally to 0 if the number of free buffers falls below
A minimum actual timeout of 200 milliseconds is observed regardless of the
advertised timeout.
.TP
+.B sock\-queue\-timeout: \fI<sec>\fR
+UDP queries that have waited in the socket buffer for a long time can be
+dropped. Default is 0, disabled. The time is set in seconds, 3 could be a
+good value to ignore old queries that likely the client does not need a reply
+for any more. This could happen if the host has not been able to service
+the queries for a while, i.e. Unbound is not running, and then is enabled
+again. It uses timestamp socket options.
+.TP
.B tcp\-upstream: \fI<yes or no>
Enable or disable whether the upstream queries use TCP only for transport.
Default is no. Useful in tunneling scenarios. If set to no you can specify
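Review bot: "It uses timestamp socket options." leaves open what happens on a platform that lacks them: is sock-queue-timeout ignored, logged as unsupported, or rejected by unbound-checkconf? State it explicitly, because an operator who sets the value on such a platform would otherwise believe old queries are being dropped when they are not. The example.conf.in comment in this same change omits the dependency entirely and should at least point here.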
@@ -656,6 +673,17 @@ Ignored if the option is not available. Default is yes.
Disable use of TLS for the downstream DNS-over-HTTP connections. Useful for
local back end servers. Default is no.
.TP
+.B proxy\-protocol\-port: \fI<portnr>
+List port numbers as proxy\-protocol\-port, and when interfaces are defined,
+eg. with the @port suffix, as this port number, they support and expect PROXYv2.
+In this case the proxy address will only be used for the network communication
+and initial ACL (check if the proxy itself is denied/refused by configuration).
+The proxied address (if any) will then be used as the true client address and
+will be used where applicable for logging, ACL, DNSTAP, RPZ and IP ratelimiting.
+PROXYv2 is supported for UDP and TCP/TLS listening interfaces.
+There is no support for PROXYv2 on a DoH or DNSCrypt listening interface.
+Can list multiple, each on a new statement.
+.TP
.B use\-systemd: \fI<yes or no>
Enable or disable systemd socket activation.
Default is no.
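Review bot: the proxy-protocol-port text says the proxied address "will be used as the true client address" for logging, ACL, DNSTAP, RPZ and IP ratelimiting, and that the proxy's own address is only checked against the initial ACL. The security consequence should be stated: any host that can reach such a port directly chooses its own client address, and with it its own ACL treatment, RPZ view and ratelimit bucket. Add a sentence that a proxy-protocol-port must be bound or firewalled so it is reachable only from trusted proxies, and that the access-control entry for the proxy address is the only protection against this.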
@@ -671,19 +699,25 @@ When at the limit, further connections are accepted but closed immediately.
This option is experimental at this time.
.TP
.B access\-control: \fI<IP netblock> <action>
+Specify treatment of incoming queries from their originating IP address.
+Queries can be allowed to have access to this server that gives DNS
+answers, or refused, with other actions possible. The IP address range
+can be specified as a netblock, it is possible to give the statement
+several times in order to specify the treatment of different netblocks.
+.IP
The netblock is given as an IP4 or IP6 address with /size appended for a
classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
-\fIallow\fR, \fIallow_setrd\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or
-\fIrefuse_non_local\fR.
-The most specific netblock match is used, if none match \fIdeny\fR is used.
+\fIallow\fR, \fIallow_setrd\fR, \fIallow_snoop\fR, \fIallow_cookie\fR,
+\fIdeny_non_local\fR or \fIrefuse_non_local\fR.
+The most specific netblock match is used, if none match \fIrefuse\fR is used.
The order of the access\-control statements therefore does not matter.
.IP
-The action \fIdeny\fR stops queries from hosts from that netblock.
+The \fIdeny\fR action stops queries from hosts from that netblock.
.IP
-The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED
+The \fIrefuse\fR action stops queries too, but sends a DNS rcode REFUSED
error message back.
.IP
-The action \fIallow\fR gives access to clients from that netblock.
+The \fIallow\fR action gives access to clients from that netblock.
It gives only access for recursion clients (which is
what almost all clients need). Nonrecursive queries are refused.
.IP
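Review bot: the change from "if none match \fIdeny\fR is used" to "if none match \fIrefuse\fR is used" is a behaviour change shipped as a documentation edit: clients that used to be silently dropped now get a REFUSED reply. That should be called out in the Changelog and release notes for operators who relied on the drop, and this paragraph could say "since version X" so readers of older installations are not misled. Separately, the new opening sentence "Queries can be allowed to have access to this server that gives DNS answers, or refused, with other actions possible" is hard to parse; "Queries from a netblock can be allowed (answered), refused, or handled by one of the other actions below" says the same thing.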
@@ -703,13 +737,25 @@ may be useful if another DNS server must forward requests for specific
zones to a resolver DNS server, but only supports stub domains and
sends queries to the resolver DNS server with the RD bit cleared.
.IP
-The action \fIallow_snoop\fR gives nonrecursive access too. This give
+The \fIallow_snoop\fR action gives nonrecursive access too. This give
both recursive and non recursive access. The name \fIallow_snoop\fR refers
to cache snooping, a technique to use nonrecursive queries to examine
the cache contents (for malicious acts). However, nonrecursive queries can
also be a valuable debugging tool (when you want to examine the cache
contents). In that case use \fIallow_snoop\fR for your administration host.
.IP
+The \fIallow_cookie\fR action allows access only to UDP queries that contain a
+valid DNS Cookie as specified in RFC 7873 and RFC 9018, when the
+\fBanswer\-cookie\fR option is enabled.
+UDP queries containing only a DNS Client Cookie and no Server Cookie, or an
+invalid DNS Cookie, will receive a BADCOOKIE response including a newly
+generated DNS Cookie, allowing clients to retry with that DNS Cookie.
+The \fIallow_cookie\fR action will also accept requests over stateful
+transports, regardless of the presence of an DNS Cookie and regardless of the
+\fBanswer\-cookie\fR setting.
+UDP queries without a DNS Cookie receive REFUSED responses with the TC flag set,
+that may trigger fall back to TCP for those clients.
+.IP
By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd.
The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
protocol is not designed to handle dropped packets due to policy, and
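Review bot: "regardless of the presence of an DNS Cookie" should be "a DNS Cookie". The logic of allow_cookie with \fBanswer\-cookie\fR disabled also needs to be spelled out: the first sentence grants UDP access only to queries carrying a valid DNS Cookie "when the answer-cookie option is enabled", and the last sentence says UDP queries without a cookie get REFUSED with TC set. With answer-cookie: no the server never issues server cookies, so no UDP client can ever present a valid one and every UDP query from an allow_cookie netblock is refused with TC, which effectively forces those clients to TCP. If that is intended, say so; if allow_cookie is meant to require answer-cookie, unbound-checkconf should flag the combination and the text should say it is rejected.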
@@ -741,6 +787,46 @@ Set redirect data for particular tag for given access control element.
.B access\-control\-view: \fI<IP netblock> <view name>
Set view for given access control element.
.TP
+.B interface\-action: \fI<ip address or interface name [@port]> <action>
+Similar to \fBaccess\-control:\fR but for interfaces.
+.IP
+The action is the same as the ones defined under \fBaccess\-control:\fR.
+Interfaces are \fIrefuse\fRd by default.
+By default only localhost (the IP netblock, not the loopback interface) is
+\fIallow\fRed through the default \fBaccess\-control:\fR behavior.
+.IP
+Note that the interface needs to be already specified with \fBinterface:\fR
+and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
+settings for targeted clients.
+.TP
+.B interface\-tag: \fI<ip address or interface name [@port]> <"list of tags">
+Similar to \fBaccess\-control-tag:\fR but for interfaces.
+.IP
+Note that the interface needs to be already specified with \fBinterface:\fR
+and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
+settings for targeted clients.
+.TP
+.B interface\-tag\-action: \fI<ip address or interface name [@port]> <tag> <action>
+Similar to \fBaccess\-control-tag-action:\fR but for interfaces.
+.IP
+Note that the interface needs to be already specified with \fBinterface:\fR
+and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
+settings for targeted clients.
+.TP
+.B interface\-tag\-data: \fI<ip address or interface name [@port]> <tag> <"resource record string">
+Similar to \fBaccess\-control-tag-data:\fR but for interfaces.
+.IP
+Note that the interface needs to be already specified with \fBinterface:\fR
+and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
+settings for targeted clients.
+.TP
+.B interface\-view: \fI<ip address or interface name [@port]> <view name>
+Similar to \fBaccess\-control-view:\fR but for interfaces.
+.IP
+Note that the interface needs to be already specified with \fBinterface:\fR
+and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
+settings for targeted clients.
+.TP
.B chroot: \fI<directory>
If chroot is enabled, you should pass the configfile (from the
commandline) as a full path from the original root. After the
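Review bot: the three-line note starting "Note that the interface needs to be already specified with \fBinterface:\fR" is repeated verbatim under all five interface-* entries; state it once under interface-action: and refer back from the others so a future change to the precedence rule is not missed in four places. The precedence itself (any access-control* setting overrides all interface-* settings for the matching client) is the security-relevant point here: an access-control: allow for a netblock wins over an interface-action: refuse on the interface that client arrives on, so a reader should not expect interface-action to act as an outer guard. These lines also use unescaped hyphens (\fBaccess-control*:\fR, \fBinterface-*:\fR) while the rest of the page writes \fBaccess\-control:\fR; keep the \- form for consistent rendering.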
@@ -831,6 +917,11 @@ Prints the word 'query' and 'reply' with log\-queries and log\-replies.
This makes filtering logs easier. The default is off (for backwards
compatibility).
.TP
+.B log\-destaddr: \fI<yes or no>
+Prints the destination address, port and type in the log\-replies output.
+This disambiguates what type of traffic, eg. udp or tcp, and to what local
+port the traffic was sent to.
+.TP
.B log\-local\-actions: \fI<yes or no>
Print log lines to inform about local zone actions. These lines are like the
local\-zone type inform prints out, but they are also printed for the other
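Review bot: wording in the log-destaddr entry: "eg." should be "e.g." and "to what local port the traffic was sent to" doubles the preposition. Suggest "This disambiguates the type of traffic, e.g. UDP or TCP, and the local port the traffic was sent to."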
@@ -960,6 +1051,12 @@ validate the zone. Default is no. Zone signers must produce zones
that allow this feature to work, but sometimes they do not, and turning
this option off avoids that validation failure.
.TP
+.B harden\-unknown\-additional: \fI<yes or no>
+Harden against unknown records in the authority section and additional
+section. Default is no. If no, such records are copied from the upstream
+and presented to the client together with the answer. If yes, it could
+hamper future protocol developments that want to add records.
+.TP
.B use\-caps\-for\-id: \fI<yes or no>
Use 0x20\-encoded random bits in the query to foil spoof attempts.
This perturbs the lowercase and uppercase of query names sent to
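Review bot: the harden-unknown-additional entry never states what happens when it is set to yes; it describes the "no" case (unknown authority and additional records are copied from upstream and presented to the client) and then jumps to the downside of "yes", leaving the reader to infer that such records are withheld. Add one sentence giving the "yes" behaviour explicitly, and one stating what the option hardens against, so an operator can weigh the protection against the "could hamper future protocol developments" caveat. "Default is no." on its own line would also match the layout of the other new entries in this patch.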
@@ -1214,6 +1311,20 @@ servers that set the CD flag but cannot validate DNSSEC themselves are
the clients, and then Unbound provides them with DNSSEC protection.
The default value is "no".
.TP
+.B disable\-edns\-do: \fI<yes or no>
+Disable the EDNS DO flag in upstream requests.
+It breaks DNSSEC validation for Unbound's clients.
+This results in the upstream name servers to not include DNSSEC records in
+their replies and could be helpful for devices that cannot handle DNSSEC
+information.
+When the option is enabled, clients that set the DO flag receive no EDNS
+record in the response to indicate the lack of support to them.
+If this option is enabled but Unbound is already configured for DNSSEC
+validation (i.e., the validator module is enabled; default) this option is
+implicitly turned off with a warning as to not break DNSSEC validation in
+Unbound.
+Default is no.
+.TP
.B serve\-expired: \fI<yes or no>
If enabled, Unbound attempts to serve old responses from cache with a
TTL of \fBserve\-expired\-reply\-ttl\fR in the response without waiting for the
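Review bot: grammar in the disable-edns-do entry: "This results in the upstream name servers to not include DNSSEC records" should be "results in the upstream name servers not including DNSSEC records", and "as to not break DNSSEC validation" should be "so as not to break DNSSEC validation". The ordering is also confusing: the entry warns that the option breaks DNSSEC validation for clients before explaining that Unbound implicitly turns it off (with a warning) whenever the validator module is enabled, which is the default. Moving the auto-disable sentence up tells the reader first that the option only has effect on a non-validating instance.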
@@ -1332,10 +1443,10 @@ address space are not validated. This is usually required whenever
Configure a local zone. The type determines the answer to give if
there is no match from local\-data. The types are deny, refuse, static,
transparent, redirect, nodefault, typetransparent, inform, inform_deny,
-inform_redirect, always_transparent, always_refuse, always_nxdomain, always_null, noview,
-and are explained below. After that the default settings are listed. Use
-local\-data: to enter data into the local zone. Answers for local zones
-are authoritative DNS answers. By default the zones are class IN.
+inform_redirect, always_transparent, block_a, always_refuse, always_nxdomain,
+always_null, noview, and are explained below. After that the default settings
+are listed. Use local\-data: to enter data into the local zone. Answers for
+local zones are authoritative DNS answers. By default the zones are class IN.
.IP
If you need more complicated authoritative data, with referrals, wildcards,
CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for
@@ -1410,6 +1521,12 @@ Ie. answer queries with fixed data and also log the machines that ask.
\h'5'\fIalways_transparent\fR
Like transparent, but ignores local data and resolves normally.
.TP 10
+\h'5'\fIblock_a\fR
+Like transparent, but ignores local data and resolves normally all query
+types excluding A. For A queries it unconditionally returns NODATA.
+Useful in cases when there is a need to explicitly force all apps to use
+IPv6 protocol and avoid any queries to IPv4.
+.TP 10
\h'5'\fIalways_refuse\fR
Like refuse, but ignores local data and refuses the query.
.TP 10
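Review bot: in the block_a description, "Like transparent, but ignores local data and resolves normally" is word for word the definition of always_transparent in the entry just above it, so "Like always_transparent, but returns NODATA for A queries" would be shorter and more precise. Also reorder "resolves normally all query types excluding A" to "resolves all query types except A normally", and "use IPv6 protocol" to "use the IPv6 protocol".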
@@ -1620,7 +1737,7 @@ This specifies the action data for \fIresponse-ip\fR with action being
to redirect as specified by "\fIresource record string\fR". "Resource
record string" is similar to that of \fIaccess-control-tag-action\fR,
but it must be of either AAAA, A or CNAME types.
-If the IP-netblock is an IPv6/IPV4 prefix, the record
+If the IP-netblock is an IPv6/IPv4 prefix, the record
must be AAAA/A respectively, unless it is a CNAME (which can be used
for both versions of IP netblocks). If it is CNAME there must not be
more than one \fIresponse-ip-data\fR for the same IP-netblock.
@@ -1726,11 +1843,30 @@ A value of 0 will disable ratelimiting for domain names that end in this name.
.TP 5
.B ip\-ratelimit: \fI<number or 0>
Enable global ratelimiting of queries accepted per IP address.
-If 0, the default, it is disabled. This option is experimental at this time.
+This option is experimental at this time.
The ratelimit is in queries per second that are allowed. More queries are
completely dropped and will not receive a reply, SERVFAIL or otherwise.
IP ratelimiting happens before looking in the cache. This may be useful for
mitigating amplification attacks.
+Clients with a valid DNS Cookie will bypass the ratelimit.
+If a ratelimit for such clients is still needed, \fBip\-ratelimit\-cookie\fR
+can be used instead.
+Default is 0 (disabled).
+.TP 5
+.B ip\-ratelimit\-cookie: \fI<number or 0>
+Enable global ratelimiting of queries accepted per IP address with a valid DNS
+Cookie.
+This option is experimental at this time.
+The ratelimit is in queries per second that are allowed.
+More queries are completely dropped and will not receive a reply, SERVFAIL or
+otherwise.
+IP ratelimiting happens before looking in the cache.
+This option could be useful in combination with \fIallow_cookie\fR in an
+attempt to mitigate other amplification attacks than UDP reflections (e.g.,
+attacks targeting Unbound itself) which are already handled with DNS Cookies.
+If used, the value is suggested to be higher than \fBip\-ratelimit\fR e.g.,
+tenfold.
+Default is 0 (disabled).
.TP 5
.B ip\-ratelimit\-size: \fI<memory size>
Give the size of the data structure in which the current ongoing rates are
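Review bot: "Clients with a valid DNS Cookie will bypass the ratelimit" leaves open whether this bypass applies only when answer-cookie: is enabled; the allow_cookie text earlier in this page ties cookie handling to that option, so please say so here, because an operator relying on ip-ratelimit for DoS mitigation needs to know when to also set ip-ratelimit-cookie. In the ip-ratelimit-cookie entry, the clause "which are already handled with DNS Cookies" is meant to refer to UDP reflections but grammatically attaches to "attacks targeting Unbound itself"; suggest "to mitigate amplification attacks other than UDP reflections (which DNS Cookies already handle), e.g. attacks targeting Unbound itself". Lastly, "higher than \fBip\-ratelimit\fR e.g., tenfold" reads better as "higher than \fBip\-ratelimit\fR, e.g. tenfold".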
@@ -1769,6 +1905,21 @@ If a forward/stub zone is used, this is the number of retries per nameserver in
the zone.
Default is 5.
.TP 5
+.B max\-sent\-count: \fI<number>
+Hard limit on the number of outgoing queries Unbound will make while resolving
+a name, making sure large NS sets do not loop.
+Results in SERVFAIL when reached.
+It resets on query restarts (e.g., CNAME) and referrals.
+Default is 32.
+.TP 5
+.B max\-query\-restarts: \fI<number>
+Hard limit on the number of times Unbound is allowed to restart a query upon
+encountering a CNAME record.
+Results in SERVFAIL when reached.
+Changing this value needs caution as it can allow long CNAME chains to be
+accepted, where Unbound needs to verify (resolve) each link individually.
+Default is 11.
+.TP 5
.B fast\-server\-permil: \fI<number>
Specify how many times out of 1000 to pick from the set of fastest servers.
0 turns the feature off. A value of 900 would pick from the fastest
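Review bot: in max-query-restarts, "Changing this value needs caution as it can allow long CNAME chains to be accepted" should say "Raising this value", since lowering it only makes Unbound stricter; the caution is about the extra per-link resolution work a higher limit permits. In max-sent-count, "making sure large NS sets do not loop" states the intent but not the scope; adding that the count is per name and resets on restarts and referrals (already implied by "It resets on query restarts (e.g., CNAME) and referrals") in the first sentence would help operators relate the two limits, since both end in SERVFAIL when hit.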
@@ -1784,6 +1935,18 @@ Set the number of servers that should be used for fast server selection. Only
use the fastest specified number of servers with the fast\-server\-permil
option, that turns this on or off. The default is to use the fastest 3 servers.
.TP 5
+.B answer\-cookie: \fI<yes or no>
+If enabled, Unbound will answer to requests containing DNS Cookies as
+specified in RFC 7873 and RFC 9018.
+Default is no.
+.TP 5
+.B cookie\-secret: \fI<128 bit hex string>
+Server's secret for DNS Cookie generation.
+Useful to explicitly set for servers in an anycast deployment that need to
+share the secret in order to verify each other's Server Cookies.
+An example hex string would be "000102030405060708090a0b0c0d0e0f".
+Default is a 128 bits random secret generated at startup time.
+.TP 5
.B edns\-client\-string: \fI<IP netblock> <string>
Include an EDNS0 option containing configured ascii string in queries with
destination address matching the configured IP netblock. This configuration
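Review bot: the cookie-secret entry shows "000102030405060708090a0b0c0d0e0f" as an example; since a Server Cookie is only as strong as the secret behind it, please say that this value is illustrative only and that a deployment must use a randomly generated secret (the default already does this at startup) and keep the configuration file unreadable to other users, as anyone holding the secret can produce Server Cookies the server will accept. Also "128 bits random secret" should be "128-bit random secret", and "Default is no." under answer-cookie could mention that allow_cookie and ip-ratelimit-cookie elsewhere in this patch depend on it.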
@@ -1802,7 +1965,7 @@ errors. Default is "no".
When the \fBval-log-level\fR option is also set to \fB2\fR, responses with
Extended DNS Errors concerning DNSSEC failures that are not served from cache,
will also contain a descriptive text message about the reason for the failure.
-.TP
+.TP 5
.B ede\-serve\-expired: \fI<yes or no>
If enabled, Unbound will attach an Extended DNS Error (RFC8914) Code 3 - Stale
Answer as EDNS0 option to the expired response. Note that this will not attach
@@ -1823,9 +1986,11 @@ section for options. To setup the correct self\-signed certificates use the
The option is used to enable remote control, default is "no".
If turned off, the server does not listen for control commands.
.TP 5
-.B control\-interface: \fI<ip address or path>
+.B control\-interface: \fI<ip address or interface name or path>
Give IPv4 or IPv6 addresses or local socket path to listen on for
control commands.
+If an interface name is used instead of an ip address, the list of ip addresses
+on that interface are used.
By default localhost (127.0.0.1 and ::1) is listened to.
Use 0.0.0.0 and ::0 to listen to all interfaces.
If you change this and permissions have been dropped, you must restart
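Review bot: grammar in the control-interface entry: "the list of ip addresses on that interface are used" should be "is used", with "IP" capitalised as elsewhere on the page. Since naming an interface binds every address it carries, not just loopback ones, the sentence deserves the same caution the entry already gives for 0.0.0.0 and ::0, as this is the remote control channel.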
@@ -2015,13 +2180,32 @@ useful when you want immediate changes to be visible.
Authority zones are configured with \fBauth\-zone:\fR, and each one must
have a \fBname:\fR. There can be multiple ones, by listing multiple auth\-zone clauses, each with a different name, pertaining to that part of the namespace.
The authority zone with the name closest to the name looked up is used.
-Authority zones are processed after \fBlocal\-zones\fR and before
-cache (\fBfor\-downstream:\fR \fIyes\fR), and when used in this manner
-make Unbound respond like an authority server. Authority zones are also
-processed after cache, just before going to the network to fetch
-information for recursion (\fBfor\-upstream:\fR \fIyes\fR), and when used
-in this manner provide a local copy of an authority server that speeds up
-lookups of that data.
+Authority zones can be processed on two distinct, non-exclusive, configurable
+stages.
+.LP
+With \fBfor\-downstream:\fR \fIyes\fR (default), authority zones are processed
+after \fBlocal\-zones\fR and before cache.
+When used in this manner, Unbound responds like an authority server with no
+further processing other than returning an answer from the zone contents.
+A notable example, in this case, is CNAME records which are returned verbatim
+to downstream clients without further resolution.
+.LP
+With \fBfor\-upstream:\fR \fIyes\fR (default), authority zones are processed
+after the cache lookup, just before going to the network to fetch
+information for recursion.
+When used in this manner they provide a local copy of an authority server
+that speeds up lookups for that data during resolving.
+.LP
+If both options are enabled (default), client queries for an authority zone are
+answered authoritatively from Unbound, while internal queries that require data
+from the authority zone consult the local zone data instead of going to the
+network.
+.LP
+An interesting configuration is \fBfor\-downstream:\fR \fIno\fR,
+\fBfor\-upstream:\fR \fIyes\fR that allows for hyperlocal behavior where both
+client and internal queries consult the local zone data while resolving.
+In this case, the aforementioned CNAME example will result in a thoroughly
+resolved answer.
.LP
Authority zones can be read from zonefile. And can be kept updated via
AXFR and IXFR. After update the zonefile is rewritten. The update mechanism
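Review bot: "processed on two distinct, non-exclusive, configurable stages" should be "at two distinct, non-exclusive, configurable stages", and "In this case, the aforementioned CNAME example" reads better as "In that configuration, the CNAME example above". The rewritten paragraphs are an improvement over the removed text: the CNAME-returned-verbatim example makes the for-downstream: yes behaviour concrete, which the old wording left implicit.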
@@ -2215,6 +2399,21 @@ List domain for which the AAAA records are ignored and the A record is
used by dns64 processing instead. Can be entered multiple times, list a
new domain for which it applies, one per line. Applies also to names
underneath the name given.
+.SS "NAT64 Operation"
+.LP
+NAT64 operation allows using a NAT64 prefix for outbound requests to IPv4-only
+servers. It is controlled by two options in the \fBserver:\fR section:
+.TP
+.B do\-nat64: \fI<yes or no>\fR
+Use NAT64 to reach IPv4-only servers.
+Consider also enabling \fBprefer\-ip6\fR to prefer native IPv6 connections to
+nameservers.
+Default no.
+.TP
+.B nat64\-prefix: \fI<IPv6 prefix>\fR
+Use a specific NAT64 prefix to reach IPv4-only servers. Defaults to using
+the prefix configured in \fBdns64\-prefix\fR, which in turn defaults to
+64:ff9b::/96. The prefix length must be one of /32, /40, /48, /56, /64 or /96.
.SS "DNSCrypt Options"
.LP
The
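Review bot: in the NAT64 section, "Default no." under do-nat64 should be "Default is no." to match the other entries, and the \fI<yes or no>\fR and \fI<IPv6 prefix>\fR arguments carry a trailing \fR that most entries in this file omit (compare harden-unknown-additional above); either form renders, but pick one. The nat64-prefix text is good at spelling out the fallback chain (nat64-prefix, then dns64-prefix, then 64:ff9b::/96) and the permitted prefix lengths.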
@@ -2305,6 +2504,9 @@ The maximum size of the ECS cache is controlled by 'msg-cache-size' in the
configuration file. On top of that, for each query only 100 different subnets
are allowed to be stored for each address family. Exceeding that number, older
entries will be purged from cache.
+.LP
+This module does not interact with the \fBserve\-expired*\fR and
+\fBprefetch:\fR options.
.TP
.B send\-client\-subnet: \fI<IP address>\fR
Send client source address to this authority. Append /num to indicate a
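Review bot: "This module does not interact with the \fBserve\-expired*\fR and \fBprefetch:\fR options" is ambiguous: it could mean that ECS-scoped cache entries are simply not prefetched or served stale, or that enabling these options together is unsupported. Say which, in terms of what the operator will observe for ECS answers.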
@@ -2491,6 +2693,11 @@ operationally.
If the backend database is shared by multiple Unbound instances,
all instances must use the same secret seed.
This option defaults to "default".
+.TP
+.B cachedb-no-store: \fI<yes or no>\fR
+If the backend should be read from, but not written to. This makes this
+instance not store dns messages in the backend. But if data is available it
+is retrieved. The default is no.
.P
The following
.B cachedb
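Review bot: the cachedb-no-store description opens with a sentence fragment ("If the backend should be read from, but not written to."). Suggest "Read from the backend but do not write to it: this instance does not store DNS messages in the backend, but retrieves data that is already there. The default is no." "dns" should be "DNS".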
@@ -2507,6 +2714,16 @@ This option defaults to "127.0.0.1".
The TCP port number of the Redis server.
This option defaults to 6379.
.TP
+.B redis-server-path: \fI<unix socket path>\fR
+The unix socket path to connect to the redis server. Off by default, and it
+can be set to "" to turn this off. Unix sockets may have better throughput
+than the IP address option.
+.TP
+.B redis-server-password: \fI"<password>"\fR
+The Redis AUTH password to use for the redis server.
+Only relevant if Redis is configured for client password authorisation.
+Off by default, and it can be set to "" to turn this off.
+.TP
.B redis-timeout: \fI<msec>\fR
The period until when Unbound waits for a response from the Redis sever.
If this timeout expires Unbound closes the connection, treats it as
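Review bot: "client password authorisation" in redis-server-password should be "authentication"; Redis AUTH authenticates the client. Since this option puts a plaintext password into unbound.conf, add a sentence that the configuration file must then be protected from other users. In redis-server-path, "Off by default, and it can be set to "" to turn this off" is redundant; "Off by default; set to "" to turn it off again" or dropping the second clause is enough. "redis server" and "Redis server" capitalisation also varies between the two entries.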
@@ -2521,6 +2738,17 @@ Unbound is configured with \fBserve-expired\fR and \fBserve-expired-ttl\fR is 0,
this option is internally reverted to "no". Redis SETEX support is required
for this option (Redis >= 2.0.0).
This option defaults to no.
+.TP
+.B redis-logical-db: \fI<logical database index>
+The logical database in Redis to use.
+These are databases in the same Redis instance sharing the same configuration
+and persisted in the same RDB/AOF file.
+If unsure about using this option, Redis documentation
+(https://redis.io/commands/select/) suggests not to use a single Redis instance
+for multiple unrelated applications.
+The default database in Redis is 0 while other logical databases need to be
+explicitly SELECT'ed upon connecting.
+This option defaults to 0.
.SS DNSTAP Logging Options
DNSTAP support, when compiled in by using \fB\-\-enable\-dnstap\fR, is enabled
in the \fBdnstap:\fR section.
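Review bot: the redis-logical-db entry says non-default databases "need to be explicitly SELECT'ed upon connecting" but does not say whether Unbound issues that SELECT itself when the option is non-zero or whether the operator must arrange it; state which, so nobody looks for a separate step. "SELECT'ed" could be written "selected with the SELECT command". The advice against sharing a Redis instance between unrelated applications, with the link, is useful and worth keeping.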