diff options
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/Changelog | 348 | ||||
| -rw-r--r-- | doc/README | 4 | ||||
| -rw-r--r-- | doc/README.ipset.md | 65 | ||||
| -rw-r--r-- | doc/TODO | 2 | ||||
| -rw-r--r-- | doc/example.conf.in | 18 | ||||
| -rw-r--r-- | doc/libunbound.3.in | 4 | ||||
| -rw-r--r-- | doc/unbound-anchor.8.in | 6 | ||||
| -rw-r--r-- | doc/unbound-checkconf.8.in | 2 | ||||
| -rw-r--r-- | doc/unbound-control.8.in | 2 | ||||
| -rw-r--r-- | doc/unbound-host.1.in | 2 | ||||
| -rw-r--r-- | doc/unbound.8.in | 9 | ||||
| -rw-r--r-- | doc/unbound.conf.5.in | 28 |
12 files changed, 463 insertions, 27 deletions
diff --git a/doc/Changelog b/doc/Changelog index 420f6ab7c18e..1fca26b643fd 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,6 +1,352 @@ +6 December 2019: Wouter + - Fix ipsecmod compile. + - Fix Makefile.in for ipset module compile, from Adi Prasaja. + +5 December 2019: Wouter + - unbound-fuzzers.tar.bz2: three programs for fuzzing, that are 1:1 + replacements for unbound-fuzzme.c that gets created after applying + the contrib/unbound-fuzzme.patch. They are contributed by + Eric Sesterhenn from X41 D-Sec. + - tag for 1.9.6rc1. + +4 December 2019: Wouter + - Fix lock type for memory purify log lock deletion. + - Fix testbound for alloccheck runs, memory purify and lock checks. + - update contrib/fastrpz.patch to apply more cleanly. + - Fix Make Test Fails when Configured With --enable-alloc-nonregional, + reported by X41 D-Sec. + +3 December 2019: Wouter + - Merge pull request #124 from rmetrich: Changed log lock + from 'quick' to 'basic' because this is an I/O lock. + - Fix text around serial arithmatic used for RRSIG times to refer + to correct RFC number. + - Fix Assert Causing DoS in synth_cname(), + reported by X41 D-Sec. + - Fix similar code in auth_zone synth cname to add the extra checks. + - Fix Assert Causing DoS in dname_pkt_copy(), + reported by X41 D-Sec. + - Fix OOB Read in sldns_wire2str_dname_scan(), + reported by X41 D-Sec. + - Fix Out of Bounds Write in sldns_str2wire_str_buf(), + reported by X41 D-Sec. + - Fix Out of Bounds Write in sldns_b64_pton(), + fixed by check in sldns_str2wire_int16_data_buf(), + reported by X41 D-Sec. + - Fix Insufficient Handling of Compressed Names in dname_pkt_copy(), + reported by X41 D-Sec. + - Fix Out of Bound Write Compressed Names in rdata_copy(), + reported by X41 D-Sec. + - Fix Hang in sldns_wire2str_pkt_scan(), + reported by X41 D-Sec. + This further lowers the max to 256. + - Fix snprintf() supports the n-specifier, + reported by X41 D-Sec. + - Fix Bad Indentation, in dnscrypt.c, + reported by X41 D-Sec. + - Fix Client NONCE Generation used for Server NONCE, + reported by X41 D-Sec. + - Fix compile error in dnscrypt. + - Fix _vfixed not Used, removed from sbuffer code, + reported by X41 D-Sec. + - Fix Hardcoded Constant, reported by X41 D-Sec. + - make depend + +2 December 2019: Wouter + - Merge pull request #122 from he32: In tcp_callback_writer(), + don't disable time-out when changing to read. + +22 November 2019: George + - Fix compiler warnings. + +22 November 2019: Wouter + - Fix dname loop maximum, reported by Eric Sesterhenn from X41 D-Sec. + - Add make distclean that removes everything configure produced, + and make maintainer-clean that removes bison and flex output. + +20 November 2019: Wouter + - Fix Out of Bounds Read in rrinternal_get_owner(), + reported by X41 D-Sec. + - Fix Race Condition in autr_tp_create(), + reported by X41 D-Sec. + - Fix Shared Memory World Writeable, + reported by X41 D-Sec. + - Adjust unbound-control to make stats_shm a read only operation. + - Fix Weak Entropy Used For Nettle, + reported by X41 D-Sec. + - Fix Randomness Error not Handled Properly, + reported by X41 D-Sec. + - Fix Out-of-Bounds Read in dname_valid(), + reported by X41 D-Sec. + - Fix Config Injection in create_unbound_ad_servers.sh, + reported by X41 D-Sec. + - Fix Local Memory Leak in cachedb_init(), + reported by X41 D-Sec. + - Fix Integer Underflow in Regional Allocator, + reported by X41 D-Sec. + - Upgrade compat/getentropy_linux.c to version 1.46 from OpenBSD. + - Synchronize compat/getentropy_win.c with version 1.5 from + OpenBSD, no changes but makes the file, comments, identical. + - Upgrade compat/getentropy_solaris.c to version 1.13 from OpenBSD. + - Upgrade compat/getentropy_osx.c to version 1.12 from OpenBSD. + - Changes to compat/getentropy files for, + no link to openssl if using nettle, and hence config.h for + HAVE_NETTLE variable. + compat definition of MAP_ANON, for older systems. + ifdef stdint.h inclusion for older systems. + ifdef sha2.h inclusion for older systems. + - Fixed Compat Code Diverging from Upstream, reported by X41 D-Sec. + - Fix compile with --enable-alloc-checks, reported by X41 D-Sec. + - Fix Terminating Quotes not Written, reported by X41 D-Sec. + - Fix Useless memset() in validator, reported by X41 D-Sec. + - Fix Unrequired Checks, reported by X41 D-Sec. + - Fix Enum Name not Used, reported by X41 D-Sec. + - Fix NULL Pointer Dereference via Control Port, + reported by X41 D-Sec. + - Fix Bad Randomness in Seed, reported by X41 D-Sec. + - Fix python examples/calc.py for eval, reported by X41 D-Sec. + - Fix comments for doxygen in dns64. + +19 November 2019: Wouter + - Fix CVE-2019-18934, shell execution in ipsecmod. + - 1.9.5 is 1.9.4 with bugfix, trunk is 1.9.6 in development. + - Fix authzone printout buffer length check. + - Fixes to please lint checks. + - Fix Integer Overflow in Regional Allocator, + reported by X41 D-Sec. + - Fix Unchecked NULL Pointer in dns64_inform_super() + and ipsecmod_new(), reported by X41 D-Sec. + - Fix Out-of-bounds Read in rr_comment_dnskey(), + reported by X41 D-Sec. + - Fix Integer Overflows in Size Calculations, + reported by X41 D-Sec. + - Fix Integer Overflow to Buffer Overflow in + sldns_str2wire_dname_buf_origin(), reported by X41 D-Sec. + - Fix Out of Bounds Read in sldns_str2wire_dname(), + reported by X41 D-Sec. + - Fix Out of Bounds Write in sldns_bget_token_par(), + reported by X41 D-Sec. + +18 November 2019: Wouter + - In unbound-host use separate variable for get_option to please + code checkers. + - update to bison output of 3.4.1 in code repository. + - Provide a prototype for compat malloc to remove compile warning. + - Portable grep usage for reuseport configure test. + - Check return type of HMAC_Init_ex for openssl 0.9.8. + - gitignore .source tempfile used for compatible make. + +13 November 2019: Wouter + - iana portlist updated. + - contrib/fastrpz.patch updated to apply for current code. + - fixes for splint cleanliness, long vs int in SSL set_mode. + +11 November 2019: Wouter + - Fix #109: check number of arguments for stdin-pipes in + unbound-control and fail if too many arguments. + - Merge #102 from jrtc27: Add getentropy emulation for FreeBSD. + +24 October 2019: Wouter + - Fix #99: Memory leak in ub_ctx (event_base will never be freed). + +23 October 2019: George + - Add new configure option `--enable-fully-static` to enable full static + build if requested; in relation to #91. + +23 October 2019: Wouter + - Merge #97: manpage: Add missing word on unbound.conf, + from Erethon. + +22 October 2019: Wouter + - drop-tld.diff: adds option drop-tld: yesno that drops 2 label + queries, to stop random floods. Apply with + patch -p1 < contrib/drop-tld.diff and compile. + From Saksham Manchanda (Secure64). Please note that we think this + will drop DNSKEY and DS lookups for tlds and hence break DNSSEC + lookups for downstream clients. + +7 October 2019: Wouter + - Add doxygen comments to unbound-anchor source address code, in #86. + +3 October 2019: Wouter + - Merge #90 from vcunat: fix build with nettle-3.5. + - Merge 1.9.4 release with fix for vulnerability CVE-2019-16866. + - Continue with development of 1.9.5. + - Merge #86 from psquarejho: Added -b source address option to + smallapp/unbound-anchor.c, from Lukas Wunner. + +26 September 2019: Wouter + - Merge #87 from hardfalcon: Fix contrib/unbound.service.in, + Drop CAP_KILL, use + prefix for ExecReload= instead. + +25 September 2019: Wouter + - The unbound.conf includes are sorted ascending, for include + statements with a '*' from glob. + +23 September 2019: Wouter + - Merge #85 for #84 from sam-lunt: Add kill capability to systemd + service file to fix that systemctl reload fails. + +20 September 2019: Wouter + - Merge #82 from hardfalcon: Downgrade CAP_NET_ADMIN to CAP_NET_RAW + in unbound.service. + - Merge #81 from Maryse47: Consistently use /dev/urandom instead + of /dev/random in scripts and docs. + - Merge #83 from Maryse47: contrib/unbound.service.in: do not fork + into the background. + +19 September 2019: Wouter + - Fix #78: Memory leak in outside_network.c. + - Merge pull request #76 from Maryse47: Improvements and fixes for + systemd unbound.service. + - oss-fuzz badge on README.md. + - Fix fix for #78 to also free service callback struct. + - Fix for oss-fuzz build warning. + - Fix wrong response ttl for prepended short CNAME ttls, this would + create a wrong zero_ttl response count with serve-expired enabled. + - Merge #80 from stasic: Improve wording in man page. + +11 September 2019: Wouter + - Use explicit bzero for wiping clear buffer of hash in cachedb, + reported by Eric Sesterhenn from X41 D-Sec. + +9 September 2019: Wouter + - Fix #72: configure --with-syslog-facility=LOCAL0-7 with default + LOG_DAEMON (as before) can set the syslog facility that the server + uses to log messages. + +4 September 2019: Wouter + - Fix #71: fix openssl error squelch commit compilation error. + +3 September 2019: Wouter + - squelch DNS over TLS errors 'ssl handshake failed crypto error' + on low verbosity, they show on verbosity 3 (query details), because + there is a high volume and the operator cannot do anything for the + remote failure. Specifically filters the high volume errors. + +2 September 2019: Wouter + - ipset module #28: log that an address is added, when verbosity high. + - ipset: refactor long routine into three smaller ones. + - updated Makefile dependencies. + +23 August 2019: Wouter + - Fix contrib/fastrpz.patch asprintf return value checks. + +22 August 2019: Wouter + - Fix that pkg-config is setup before --enable-systemd needs it. + - 1.9.3rc2 release candidate tag. And this became the 1.9.3 release. + Master is 1.9.4 in development. + +21 August 2019: Wouter + - Fix log_dns_msg to log irrespective of minimal responses config. + +19 August 2019: Ralph + - Document limitation of pidfile removal outside of chroot directory. + +16 August 2019: Wouter + - Fix unittest valgrind false positive uninitialised value report, + where if gcc 9.1.1 uses -O2 (but not -O1) then valgrind 3.15.0 + issues an uninitialised value for the token buffer at the str2wire.c + rrinternal_get_owner() strcmp with the '@' value. Rewritten to use + straight character comparisons removes the false positive. Also + valgrinds --expensive-definedness-checks=yes can stop this false + positive. + - Please doxygen's parser for "@" occurrence in doxygen comment. + - Fixup contrib/fastrpz.patch + - Remove warning about unknown cast-function-type warning pragma. + +15 August 2019: Wouter + - iana portlist updated. + - Fix autotrust temp file uniqueness windows compile. + - avoid warning about upcast on 32bit systems for autotrust. + - escape commandline contents for -V. + - Fix character buffer size in ub_ctx_hosts. + - 1.9.3rc1 release candidate tag. + - Option -V prints if TCP fastopen is available. + +14 August 2019: George + - Fix #59, when compiled with systemd support check that we can properly + communicate with systemd through the `NOTIFY_SOCKET`. + +14 August 2019: Wouter + - Generate configlexer with newer flex. + - Fix warning for unused variable for compilation without systemd. + +12 August 2019: George + - Introduce `-V` option to print the version number and build options. + Previously reported build options like linked libs and linked modules + are now moved from `-h` to `-V` as well for consistency. + - PACKAGE_BUGREPORT now also includes link to GitHub issues. + +1 August 2019: Wouter + - For #52 #53, second context does not close logfile override. + - Fix #52 #53, fix for example fail program. + - Fix to return after failed auth zone http chunk write. + - Fix to remove unused test for task_probe existance. + - Fix to timeval_add for remaining second in microseconds. + - Check repinfo in worker_handle_request, if null, drop it. + +29 July 2019: Wouter + - Add verbose log message when auth zone file is written, at level 4. + - Add hex print of trust anchor pointer to trust anchor file temp + name to make it unique, for libunbound created multiple contexts. + +23 July 2019: Wouter + - Fix question section mismatch in local zone redirect. + +19 July 2019: Wouter + - Fix #49: Set no renegotiation on the SSL context to stop client + session renegotiation. + +12 July 2019: Wouter + - Fix #48: Unbound returns additional records on NODATA response, + if minimal-responses is enabled, also the additional for negative + responses is removed. + +9 July 2019: Ralph + - Fix in respip addrtree selection. Absence of addr_tree_init_parents() + call made it impossible to go up the tree when the matching netmask is + too specific. + +5 July 2019: Ralph + - Fix for possible assertion failure when answering respip CNAME from + cache. + +25 June 2019: Wouter + - For #45, check that 127.0.0.1 and ::1 are not used in unbound.conf + when do-not-query-localhost is turned on, or at default on, + unbound-checkconf prints a warning if it is found in forward-addr or + stub-addr statements. + +24 June 2019: Wouter + - Fix memleak in unit test, reported from the clang 8.0 static analyzer. + +18 June 2019: Wouter + - PR #28: IPSet module, by Kevin Chou. Created a module to support + the ipset that could add the domain's ip to a list easily. + Needs libmnl, and --enable-ipset and config it, doc/README.ipset.md. + - Fix to omit RRSIGs from addition to the ipset. + - Fix to make unbound-control with ipset, remove unused variable, + use unsigned type because of comparison, and assign null instead + of compare with it. Remade lex and yacc output. + - make depend + - Added documentation to the ipset files (for doxygen output). + - Merge PR #6: Python module: support multiple instances + - Merge PR #5: Python module: define constant MODULE_RESTART_NEXT + - Merge PR #4: Python module: assign something useful to the + per-query data store 'qdata' + - Fix python dict reference and double free in config. + +17 June 2019: Wouter + - Master contains version 1.9.3 in development. + - Fix #39: In libunbound, leftover logfile is close()d unpredictably. + - Fix for #24: Fix abort due to scan of auth zone masters using old + address from previous scan. + 12 June 2019: Wouter - Fix another spoolbuf storage code point, in prefetch. - - 1.9.2rc3 release candidate tag. + - 1.9.2rc3 release candidate tag. Which became the 1.9.2 release + on 17 June 2019. 11 June 2019: Wouter - Fix that fixes the Fix that spoolbuf is not used to store tcp diff --git a/doc/README b/doc/README index d468688b9b2b..334624575491 100644 --- a/doc/README +++ b/doc/README @@ -1,4 +1,4 @@ -README for Unbound 1.9.2 +README for Unbound 1.9.6 Copyright 2007 NLnet Labs http://unbound.net @@ -99,7 +99,7 @@ o If you are not receiving the correct source IP address on replies (e.g. the config file is an alternative. The interface-automatic option uses non portable socket options, Linux and FreeBSD should work fine. o The warning 'openssl has no entropy, seeding with time', with chroot - enabled, may be solved with a symbolic link to /dev/random from <chrootdir>. + enabled, may be solved with a symbolic link to /dev/urandom from <chrootdir>. o On Solaris 5.10 some libtool packages from repositories do not work with gcc, showing errors gcc: unrecognized option `-KPIC' To solve this do ./configure libtool=./libtool [your options...]. diff --git a/doc/README.ipset.md b/doc/README.ipset.md new file mode 100644 index 000000000000..4bd993e67ad1 --- /dev/null +++ b/doc/README.ipset.md @@ -0,0 +1,65 @@ +## Created a module to support the ipset that could add the domain's ip to a list easily. + +### Purposes: +* In my case, I can't access the facebook, twitter, youtube and thousands web site for some reason. VPN is a solution. But the internet too slow whether all traffics pass through the vpn. +So, I set up a transparent proxy to proxy the traffic which has been blocked only. +At the final step, I need to install a dns service which would work with ipset well to launch the system. +I did some research for this. Unfortunately, Unbound, My favorite dns service doesn't support ipset yet. So, I decided to implement it by my self and contribute the patch. It's good for me and the community. +``` +# unbound.conf +server: + ... + local-zone: "facebook.com" ipset + local-zone: "twitter.com" ipset + local-zone: "instagram.com" ipset + more social website + +ipset: + name-v4: "gfwlist" +``` +``` +# iptables +iptables -A PREROUTING -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-ports 10800 +iptables -A OUTPUT -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-ports 10800 +``` + +* This patch could work with iptables rules to batch block the IPs. +``` +# unbound.conf +server: + ... + local-zone: "facebook.com" ipset + local-zone: "twitter.com" ipset + local-zone: "instagram.com" ipset + more social website + +ipset: + name-v4: "blacklist" + name-v6: "blacklist6" +``` +``` +# iptables +iptables -A INPUT -m set --set blacklist src -j DROP +ip6tables -A INPUT -m set --set blacklist6 src -j DROP +``` + +### Notes: +* To enable this module the root privileges is required. +* Please create a set with ipset command first. eg. **ipset -N blacklist iphash** + +### How to use: +``` +./configure --enable-ipset +make && make install +``` + +### Configuration: +``` +# unbound.conf +server: + ... + local-zone: "example.com" ipset + +ipset: + name-v4: "blacklist" +``` @@ -29,7 +29,7 @@ o support OPT record placement on recv anywhere in the additional section. o add local-file: config with authority features. o (option) to make local-data answers be secure for libunbound (default=no) o (option) to make chroot: copy all needed files into jail (or make jail) - perhaps also print reminder to link /dev/random and sysloghack. + perhaps also print reminder to link /dev/urandom and sysloghack. o overhaul outside-network servicedquery to merge with udpwait and tcpwait, to make timers in servicedquery independent of udpwait queues. o check into rebinding ports for efficiency, configure time test. diff --git a/doc/example.conf.in b/doc/example.conf.in index c58242d31551..0a8c179f971d 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -1,7 +1,7 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.9.2. +# See unbound.conf(5) man page, version 1.9.6. # # this is a comment. @@ -286,7 +286,7 @@ server: # The pid file can be absolute and outside of the chroot, it is # written just prior to performing the chroot and dropping permissions. # - # Additionally, unbound may need to access /dev/random (for entropy). + # Additionally, unbound may need to access /dev/urandom (for entropy). # How to do this is specific to your OS. # # If you give "" no chroot is performed. The path must not end in a /. @@ -654,6 +654,9 @@ server: # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa. + # Add example.com into ipset + # local-zone: "example.com" ipset + # If unbound is running service for the local host then it is useful # to perform lan-wide lookups to the upstream, and unblock the # long list of local-zones above. If this unbound is a dns server @@ -992,3 +995,14 @@ remote-control: # redis-server-port: 6379 # # timeout (in ms) for communication with the redis server # redis-timeout: 100 + +# IPSet +# Add specify domain into set via ipset. +# Note: To enable ipset needs run unbound as root user. +# ipset: +# # set name for ip v4 addresses +# name-v4: "list-v4" +# # set name for ip v6 addresses +# name-v6: "list-v6" +# + diff --git a/doc/libunbound.3.in b/doc/libunbound.3.in index fd5c336e0903..19ef40236897 100644 --- a/doc/libunbound.3.in +++ b/doc/libunbound.3.in @@ -1,4 +1,4 @@ -.TH "libunbound" "3" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2" +.TH "libunbound" "3" "dec 12, 2019" "NLnet Labs" "unbound 1.9.6" .\" .\" libunbound.3 -- unbound library functions manual .\" @@ -44,7 +44,7 @@ .B ub_ctx_zone_remove, .B ub_ctx_data_add, .B ub_ctx_data_remove -\- Unbound DNS validating resolver 1.9.2 functions. +\- Unbound DNS validating resolver 1.9.6 functions. .SH "SYNOPSIS" .B #include <unbound.h> .LP diff --git a/doc/unbound-anchor.8.in b/doc/unbound-anchor.8.in index 76f4ea21f0cd..dc1c10cf5034 100644 --- a/doc/unbound-anchor.8.in +++ b/doc/unbound-anchor.8.in @@ -1,4 +1,4 @@ -.TH "unbound-anchor" "8" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2" +.TH "unbound-anchor" "8" "dec 12, 2019" "NLnet Labs" "unbound 1.9.6" .\" .\" unbound-anchor.8 -- unbound anchor maintenance utility manual .\" @@ -69,6 +69,10 @@ The server name, it connects to https://name. Specify without https:// prefix. The default is "data.iana.org". It connects to the port specified with \-P. You can pass an IPv4 address or IPv6 address (no brackets) if you want. .TP +.B \-b \fIaddress +The source address to bind to for domain resolution and contacting the server +on https. May be either an IPv4 address or IPv6 address (no brackets). +.TP .B \-x \fIpath The pathname to the root\-anchors.xml file on the server. (forms URL with \-u). The default is /root\-anchors/root\-anchors.xml. diff --git a/doc/unbound-checkconf.8.in b/doc/unbound-checkconf.8.in index b3e6ff3c54b1..30d53f4bec13 100644 --- a/doc/unbound-checkconf.8.in +++ b/doc/unbound-checkconf.8.in @@ -1,4 +1,4 @@ -.TH "unbound-checkconf" "8" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2" +.TH "unbound-checkconf" "8" "dec 12, 2019" "NLnet Labs" "unbound 1.9.6" .\" .\" unbound-checkconf.8 -- unbound configuration checker manual .\" diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in index 2e16ac97a7bb..754fdf987aac 100644 --- a/doc/unbound-control.8.in +++ b/doc/unbound-control.8.in @@ -1,4 +1,4 @@ -.TH "unbound-control" "8" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2" +.TH "unbound-control" "8" "dec 12, 2019" "NLnet Labs" "unbound 1.9.6" .\" .\" unbound-control.8 -- unbound remote control manual .\" diff --git a/doc/unbound-host.1.in b/doc/unbound-host.1.in index 58505d2370e6..ac8be5bff5f5 100644 --- a/doc/unbound-host.1.in +++ b/doc/unbound-host.1.in @@ -1,4 +1,4 @@ -.TH "unbound\-host" "1" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2" +.TH "unbound\-host" "1" "dec 12, 2019" "NLnet Labs" "unbound 1.9.6" .\" .\" unbound-host.1 -- unbound DNS lookup utility .\" diff --git a/doc/unbound.8.in b/doc/unbound.8.in index 4d408dba6f0f..145620b73c9d 100644 --- a/doc/unbound.8.in +++ b/doc/unbound.8.in @@ -1,4 +1,4 @@ -.TH "unbound" "8" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2" +.TH "unbound" "8" "dec 12, 2019" "NLnet Labs" "unbound 1.9.6" .\" .\" unbound.8 -- unbound manual .\" @@ -9,7 +9,7 @@ .\" .SH "NAME" .B unbound -\- Unbound DNS validating resolver 1.9.2. +\- Unbound DNS validating resolver 1.9.6. .SH "SYNOPSIS" .B unbound .RB [ \-h ] @@ -54,7 +54,7 @@ resolvers are using the same port number (53). The available options are: .TP .B \-h -Show the version and commandline option help. +Show the version number and commandline option help, and exit. .TP .B \-c\fI cfgfile Set the config file with settings for unbound to read instead of reading the @@ -76,6 +76,9 @@ concurrently. .B \-v Increase verbosity. If given multiple times, more information is logged. This is in addition to the verbosity (if any) from the config file. +.TP +.B \-V +Show the version number and build options, and exit. .SH "SEE ALSO" \fIunbound.conf\fR(5), \fIunbound\-checkconf\fR(8), diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index 24ca5f73682f..d6352bcd983a 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -1,4 +1,4 @@ -.TH "unbound.conf" "5" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2" +.TH "unbound.conf" "5" "dec 12, 2019" "NLnet Labs" "unbound 1.9.6" .\" .\" unbound.conf.5 -- unbound.conf manual .\" @@ -50,7 +50,7 @@ server: username: unbound # make sure unbound can access entropy from inside the chroot. # e.g. on linux the use these commands (on BSD, devfs(8) is used): - # mount \-\-bind \-n /dev/random /etc/unbound/dev/random + # mount \-\-bind \-n /dev/urandom /etc/unbound/dev/urandom # and mount \-\-bind \-n /dev/log /etc/unbound/dev/log chroot: "/etc/unbound" # logfile: "/etc/unbound/unbound.log" #uncomment to use logfile. @@ -629,9 +629,11 @@ In the last case the path is adjusted to remove the unused portion. The pidfile can be either a relative path to the working directory, or an absolute path relative to the original root. It is written just prior to chroot and dropping permissions. This allows the pidfile to be -/var/run/unbound.pid and the chroot to be /var/unbound, for example. +/var/run/unbound.pid and the chroot to be /var/unbound, for example. Note that +Unbound is not able to remove the pidfile after termination when it is located +outside of the chroot directory. .IP -Additionally, unbound may need to access /dev/random (for entropy) +Additionally, unbound may need to access /dev/urandom (for entropy) from inside the chroot. .IP If given a chroot is done to the given directory. By default chroot is @@ -773,7 +775,7 @@ wise to send these, and could be necessary for operation if TSIG or EDNS payload is very large. .TP .B harden\-glue: \fI<yes or no> -Will trust glue only if it is within the servers authority. Default is on. +Will trust glue only if it is within the servers authority. Default is yes. .TP .B harden\-dnssec\-stripped: \fI<yes or no> Require DNSSEC data for trust\-anchored zones, if such data is absent, @@ -783,7 +785,7 @@ this behaves like there is no trust anchor. You could turn this off if you are sometimes behind an intrusive firewall (of some sort) that removes DNSSEC data from packets, or a zone changes from signed to unsigned to badly signed often. If turned off you run the risk of a -downgrade attack that disables security for a zone. Default is on. +downgrade attack that disables security for a zone. Default is yes. .TP .B harden\-below\-nxdomain: \fI<yes or no> From RFC 8020 (with title "NXDOMAIN: There Really Is Nothing Underneath"), @@ -793,7 +795,7 @@ noerror for empty nonterminals, hence this is possible. Very old software might return nxdomain for empty nonterminals (that usually happen for reverse IP address lookups), and thus may be incompatible with this. To try to avoid this only DNSSEC-secure nxdomains are used, because the old software does not -have DNSSEC. Default is on. +have DNSSEC. Default is yes. The nxdomain must be secure, this means nsec3 with optout is insufficient. .TP .B harden\-referral\-path: \fI<yes or no> @@ -947,7 +949,7 @@ Default is "", or no trust anchor file. .TP .B auto\-trust\-anchor\-file: \fI<filename> File with trust anchor for one zone, which is tracked with RFC5011 probes. -The probes are several times per month, thus the machine must be online +The probes are run several times per month, thus the machine must be online frequently. The initial file can be one with contents as described in \fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated, so the unbound user must have write permission. Write permission to the file, @@ -972,10 +974,10 @@ It is possible to use wildcards with this statement, the wildcard is expanded on start and on reload. .TP .B trust\-anchor\-signaling: \fI<yes or no> -Send RFC8145 key tag query after trust anchor priming. Default is on. +Send RFC8145 key tag query after trust anchor priming. Default is yes. .TP .B root\-key\-sentinel: \fI<yes or no> -Root key trust anchor sentinel. Default is on. +Root key trust anchor sentinel. Default is yes. .TP .B dlv\-anchor\-file: \fI<filename> This option was used during early days DNSSEC deployment when no parent-side @@ -1768,7 +1770,8 @@ clause gives the settings for the \fIpython\fR(1) script module. This module acts like the iterator and validator modules do, on queries and answers. To enable the script module it has to be compiled into the daemon, and the word "python" has to be put in the \fBmodule\-config:\fR option -(usually first, or between the validator and iterator). +(usually first, or between the validator and iterator). Multiple instances of +the python module are supported by adding the word "python" more than once. .LP If the \fBchroot:\fR option is enabled, you should make sure Python's library directory structure is bind mounted in the new root environment, see @@ -1777,7 +1780,8 @@ absolute path relative to the new root, or as a relative path to the working directory. .TP .B python\-script: \fI<python file>\fR -The script file to load. +The script file to load. Repeat this option for every python module instance +added to the \fBmodule\-config:\fR option. .SS "DNS64 Module Options" .LP The dns64 module must be configured in the \fBmodule\-config:\fR "dns64 |