| Field | Value | Date |
|---|---|---|
| author | Dag-Erling Smørgrav <des@FreeBSD.org> | 2015-09-17 15:21:27 +0000 |
| committer | Dag-Erling Smørgrav <des@FreeBSD.org> | 2015-09-17 15:21:27 +0000 |
| commit | af3dabbf15fa4d0e7e45a43fbf9a2195edfa941c (patch) | |
| tree | ee00f42bccdce0e3581d05a17f58bb7429f0ceda /doc | |
| parent | 0ea28240053521a309698413a426b4d730a3d60c (diff) | |
Diffstat (limited to 'doc')

| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | doc/Changelog | 158 |
| -rw-r--r-- | doc/README | 2 |
| -rw-r--r-- | doc/example.conf.in | 41 |
| -rw-r--r-- | doc/libunbound.3.in | 5 |
| -rw-r--r-- | doc/unbound-anchor.8.in | 2 |
| -rw-r--r-- | doc/unbound-checkconf.8.in | 4 |
| -rw-r--r-- | doc/unbound-control.8.in | 23 |
| -rw-r--r-- | doc/unbound-host.1.in | 2 |
| -rw-r--r-- | doc/unbound.8.in | 4 |
| -rw-r--r-- | doc/unbound.conf.5.in | 101 |

10 files changed, 320 insertions, 22 deletions
diff --git a/doc/Changelog b/doc/Changelog index a1c2f76cd21d..525bb365e3d9 100644 --- a/doc/Changelog +++ b/doc/Changelog 
@@ -1,6 +1,164 @@ +29 June 2015: Wouter + - iana portlist update. + - Fix alloc with log for allocation size checks. + +26 June 2015: Wouter + - Fix #677 Fix DNAME responses from cache that failed internal chain + test. + - iana portlist update. + +22 June 2015: Wouter + - Fix #677 Fix CNAME corresponding to a DNAME was checked incorrectly + and was therefore always synthesized (thanks to Valentin Dietrich). + +4 June 2015: Wouter + - RFC 7553 RR type URI support, is now enabled by default. + +2 June 2015: Wouter + - Fix #674: Do not free pointers given by getenv. + +29 May 2015: Wouter + - Fix that unparseable error responses are ratelimited. + - SOA negative TTL is capped at minimumttl in its rdata section. + - cache-max-negative-ttl config option, default 3600. + +26 May 2015: Wouter + - Document that ratelimit works with unbound-control set_option. + +21 May 2015: Wouter + - iana portlist update. + - documentation proposes ratelimit of 1000 (closer to what upstream + servers expect from us). + +20 May 2015: Wouter + - DLV is going to be decommissioned. Advice to stop using it, and + put text in the example configuration and man page to that effect. + +10 May 2015: Wouter + - Change syntax of particular validator error to be easier for + machine parse, swap rrset and ip adres info so it looks like: + validation failure <www.example.nl. TXT IN>: signature crypto + failed from 2001:DB8:7:bba4::53 for <*.example.nl. NSEC IN> + +1 May 2015: Wouter + - caps-whitelist in unbound.conf allows whitelist of loadbalancers + that cannot work with caps-for-id or its fallback. + +30 April 2015: Wouter + - Unit test for type ANY synthesis. + +22 April 2015: Wouter + - Removed contrib/unbound_unixsock.diff, because it has been + integrated, use control-interface: /path in unbound.conf. + - iana portlist update. + +17 April 2015: Wouter + - Synthesize ANY responses from cache. Does not search exhaustively, + but MX,A,AAAA,SOA,NS also CNAME. 
+ - Fix leaked dns64prefix configuration string. + +16 April 2015: Wouter + - Add local-zone type inform_deny, that logs query and drops answer. + - Ratelimit does not apply to prefetched queries, and ratelimit-factor + is default 10. Repeated normal queries get resolved and with + prefetch stay in the cache. + - Fix bug#664: libunbound python3 related fixes (from Tomas Hozza) + Use print_function also for Python2. + libunbound examples: produce sorted output. + libunbound-Python: libldns is not used anymore. + Fix issue with Python 3 mapping of FILE* using file_py3.i from ldns. + +10 April 2015: Wouter + - unbound-control ratelimit_list lists high rate domains. + - ratelimit feature, ratelimit: 100, or some sensible qps, can be + used to turn it on. It ratelimits recursion effort per zone. + For particular names you can configure exceptions in unbound.conf. + - Fix that get_option for cache-sizes does not print double newline. + - Fix#663: ssl handshake fails when using unix socket because dh size + is too small. + +8 April 2015: Wouter + - Fix crash in dnstap: Do not try to log TCP responses after timeout. + +7 April 2015: Wouter + - Libunbound skips dos-line-endings from etc/hosts. + - Unbound exits with a fatal error when the auto-trust-anchor-file + fails to be writable. This is seconds after startup. You can + load a readonly auto-trust-anchor-file with trust-anchor-file. + The file has to be writable to notice the trust anchor change, + without it, a trust anchor change will be unnoticed and the system + will then become inoperable. + - unbound-control list_insecure command shows the negative trust + anchors currently configured, patch from Jelte Jansen. + +2 April 2015: Wouter + - Fix #660: Fix interface-automatic broken in the presence of + asymmetric routing. + +26 March 2015: Wouter + - remote.c probedelay line is easier to read. + - rename ldns subdirectory to sldns to avoid name collision. 
+ +25 March 2015: Wouter + - Fix #657: libunbound(3) recommends deprecated + CRYPTO_set_id_callback. + - If unknown trust anchor algorithm, and libressl is used, error + message encourages upgrade of the libressl package. + 23 March 2015: Wouter - Fix segfault on user not found at startup (from Maciej Soltysiak). +20 March 2015: Wouter + - Fixed to add integer overflow checks on allocation (defense in depth). + +19 March 2015: Wouter + - Add ip-transparent config option for bind to non-local addresses. + +17 March 2015: Wouter + - Use reallocarray for integer overflow protection, patch submitted + by Loganaden Velvindron. + +16 March 2015: Wouter + - Fixup compile on cygwin, more portable openssl thread id. + +12 March 2015: Wouter + - Updated default keylength in unbound-control-setup to 3k. + +10 March 2015: Wouter + - Fix lintian warning in unbound-checkconf man page (from Andreas + Schulze). + - print svnroot when building windows dist. + - iana portlist update. + - Fix warning on sign compare in getentropy_linux. + +9 March 2015: Wouter + - Fix #644: harden-algo-downgrade option, if turned off, fixes the + reported excessive validation failure when multiple algorithms + are present. It allows the weakest algorithm to validate the zone. + - iana portlist update. + +5 March 2015: Wouter + - contrib/unbound_smf22.tar.gz: Solaris SMF installation/removal + scripts. Contributed by Yuri Voinov. + - Document that incoming-num-tcp increase is good for large servers. + - stats reports tcp usage, of incoming-num-tcp buffers. + +4 March 2015: Wouter + - Patch from Brad Smith that syncs compat/getentropy_linux with + OpenBSD's version (2015-03-04). + - 0x20 fallback improved: servfail responses do not count as missing + comparisons (except if all responses are errors), + inability to find nameservers does not fail equality comparisons, + many nameservers does not try to compare more than max-sent-count, + parse failures start 0x20 fallback procedure. 
+ - store caps_response with best response in case downgrade response + happens to be the last one. + - Document windows 8 tests. + +3 March 2015: Wouter + - tag 1.5.3rc1 + [ This became 1.5.3 on 10 March, trunk is 1.5.4 in development ] + 2 March 2015: Wouter - iana portlist update. diff --git a/doc/README b/doc/README index f3530d6eedf4..e192333dc986 100644 --- a/doc/README +++ b/doc/README @@ -1,4 +1,4 @@ -README for Unbound 1.5.3 +README for Unbound 1.5.4 Copyright 2007 NLnet Labs http://unbound.net diff --git a/doc/example.conf.in b/doc/example.conf.in index 60ed5c89f91e..677598767bf5 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -1,7 +1,7 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.5.3. +# See unbound.conf(5) man page, version 1.5.4. # # this is a comment. @@ -87,6 +87,10 @@ server: # use SO_REUSEPORT to distribute queries over threads. # so-reuseport: no + + # use IP_TRANSPARENT so the interface: addresses can be non-local + # and you can config non-existing IPs that are going to work later on + # ip-transparent: no # EDNS reassembly buffer to advertise to UDP peers (the actual buffer # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts). @@ -135,6 +139,9 @@ server: # cache. Items are not cached for longer. In seconds. # cache-max-ttl: 86400 + # the time to live (TTL) value cap for negative responses in the cache + # cache-max-negative-ttl: 3600 + # the time to live (TTL) value for cached roundtrip times, lameness and # EDNS version information for hosts. In seconds. # infra-host-ttl: 900 
@@ -284,9 +291,18 @@ server: # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. # harden-referral-path: no + # Harden against algorithm downgrade when multiple algorithms are + # advertised in the DS record. If no, allows the weakest algorithm + # to validate the zone. + # harden-algo-downgrade: yes + # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. # use-caps-for-id: no + + # Domains (and domains in them) without support for dns-0x20 and + # the fallback fails because they keep sending different answers. + # caps-whitelist: "licdn.com" # Enforce privacy of these addresses. Strips them away from answers. # It may cause DNSSEC validation to additionally mark it as bogus. @@ -349,7 +365,7 @@ server: # File with DLV trusted keys. Same format as trust-anchor-file. # There can be only one DLV configured, it is trusted from root down. - # Download http://ftp.isc.org/www/dlv/dlv.isc.org.key + # DLV is going to be decommissioned. Please do not use it any more. # dlv-anchor-file: "dlv.isc.org.key" # File with trusted keys for validation. Specify more than one file @@ -501,6 +517,7 @@ server: # o nodefault can be used to normally resolve AS112 zones. # o typetransparent resolves normally for other types and other names # o inform resolves normally, but logs client IP address + # o inform_deny drops queries and logs client IP address # # defaults are localhost address, reverse for 127.0.0.1 and ::1 # and nxdomain for AS112 zones. If you configure one of these zones 
@@ -542,6 +559,26 @@ server: # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4. # dns64-prefix: 64:ff9b::0/96 + # ratelimit for uncached, new queries, this limits recursion effort. + # ratelimiting is experimental, and may help against randomqueryflood. + # if 0(default) it is disabled, otherwise state qps allowed per zone. + # ratelimit: 0 + + # ratelimits are tracked in a cache, size in bytes of cache (or k,m). + # ratelimit-size: 4m + # ratelimit cache slabs, reduces lock contention if equal to cpucount. + # ratelimit-slabs: 4 + + # 0 blocks when ratelimited, otherwise let 1/xth traffic through + # ratelimit-factor: 10 + + # override the ratelimit for a specific domain name. + # give this setting multiple times to have multiple overrides. + # ratelimit-for-domain: example.com 1000 + # override the ratelimits for all domains below a domain name + # can give this multiple times, the name closest to the zone is used. + # ratelimit-below-domain: example 1000 + # Python config section. To enable: # o use --with-pythonmodule to configure before compiling. # o list python in the module-config string (above) to enable. diff --git a/doc/libunbound.3.in b/doc/libunbound.3.in index a4c7945aea1b..7ef77865b6e7 100644 --- a/doc/libunbound.3.in +++ b/doc/libunbound.3.in @@ -1,4 +1,4 @@ -.TH "libunbound" "3" "Mar 10, 2015" "NLnet Labs" "unbound 1.5.3" +.TH "libunbound" "3" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4" .\" .\" libunbound.3 -- unbound library functions manual .\" @@ -42,7 +42,7 @@ .B ub_ctx_zone_remove, .B ub_ctx_data_add, .B ub_ctx_data_remove -\- Unbound DNS validating resolver 1.5.3 functions. +\- Unbound DNS validating resolver 1.5.4 functions. .SH "SYNOPSIS" .B #include <unbound.h> .LP 
@@ -175,6 +175,7 @@ to read them. Before you call this, use the openssl functions CRYPTO_set_id_callback and CRYPTO_set_locking_callback to set up asyncronous operation if you use lib openssl (the application calls these functions once for initialisation). +Openssl 1.0.0 or later uses the CRYPTO_THREADID_set_callback function. .TP .B ub_ctx_delete Delete validation context and free associated resources. diff --git a/doc/unbound-anchor.8.in b/doc/unbound-anchor.8.in index fb2136fc1aaf..4632cf71d681 100644 --- a/doc/unbound-anchor.8.in +++ b/doc/unbound-anchor.8.in @@ -1,4 +1,4 @@ -.TH "unbound-anchor" "8" "Mar 10, 2015" "NLnet Labs" "unbound 1.5.3" +.TH "unbound-anchor" "8" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4" .\" .\" unbound-anchor.8 -- unbound anchor maintenance utility manual .\" diff --git a/doc/unbound-checkconf.8.in b/doc/unbound-checkconf.8.in index e7db810bbec8..e1a94cf7a812 100644 --- a/doc/unbound-checkconf.8.in +++ b/doc/unbound-checkconf.8.in @@ -1,4 +1,4 @@ -.TH "unbound-checkconf" "8" "Mar 10, 2015" "NLnet Labs" "unbound 1.5.3" +.TH "unbound-checkconf" "8" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4" .\" .\" unbound-checkconf.8 -- unbound configuration checker manual .\" @@ -31,7 +31,7 @@ The available options are: Show the version and commandline option help. .TP .B \-f -Print full pathname, with chroot applied to it. Use with the -o option. +Print full pathname, with chroot applied to it. Use with the \-o option. .TP .B \-o\fI option If given, after checking the config file the value of this option is diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in index f6eae249abc9..057eb0336fe4 100644 --- a/doc/unbound-control.8.in +++ b/doc/unbound-control.8.in @@ -1,4 +1,4 @@ -.TH "unbound-control" "8" "Mar 10, 2015" "NLnet Labs" "unbound 1.5.3" +.TH "unbound-control" "8" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4" .\" .\" unbound-control.8 -- unbound remote control manual .\" 
@@ -177,7 +177,8 @@ harden\-glue, harden\-dnssec\-stripped, harden\-below\-nxdomain, harden\-referral\-path, prefetch, prefetch\-key, log\-queries, hide\-identity, hide\-version, identity, version, val\-log\-level, val\-log\-squelch, ignore\-cd\-flag, add\-holddown, del\-holddown, -keep\-missing, tcp\-upstream, ssl\-upstream, max\-udp\-size. +keep\-missing, tcp\-upstream, ssl\-upstream, max\-udp\-size, ratelimit, +cache\-max\-ttl, cache\-min\-ttl, cache\-max\-negative\-ttl. .TP .B get_option \fIopt Get the value of the option. Give the option name without a trailing ':'. @@ -197,6 +198,9 @@ This includes the root hints in use. .B list_forwards List the forward zones in use. These are printed zone by zone to the output. .TP +.B list_insecure +List the zones with domain\-insecure. +.TP .B list_local_zones List the local zones in use. These are printed one per line with zone type. .TP @@ -252,6 +256,13 @@ port number can be set explicitly (default port is 53 (DNS)). By default the forwarder information from the config file for the root "." is used. The config file is not changed, so after a reload these changes are gone. Other forward zones from the config file are not affected by this command. +.TP +.B ratelimit_list \fR[\fI+a\fR] +List the domains that are ratelimited. Printed one per line with current +estimated qps and qps limit from config. With +a it prints all domains, not +just the ratelimited domains, with their estimated qps. The ratelimited +domains return an error for uncached (new) queries, but cached queries work +as normal. .SH "EXIT CODE" The unbound\-control program exits with status code 1 on error, 0 on success. .SH "SET UP" 
@@ -322,6 +333,11 @@ less than this time. Because of big outliers (usually queries to non responsive servers), the average can be bigger than the median. This median has been calculated by interpolation from a histogram. .TP +.I threadX.tcpusage +The currently held tcp buffers for incoming connections. A spot value on +the time of the request. This helps you spot if the incoming\-num\-tcp +buffers are full. +.TP .I total.num.queries summed over threads. .TP @@ -355,6 +371,9 @@ summed over threads. .I total.recursion.time.median averaged over threads. .TP +.I total.tcpusage +summed over threads. +.TP .I time.now current time in seconds since 1970. .TP diff --git a/doc/unbound-host.1.in b/doc/unbound-host.1.in index 9129bea66af1..568dbcd407df 100644 --- a/doc/unbound-host.1.in +++ b/doc/unbound-host.1.in @@ -1,4 +1,4 @@ -.TH "unbound\-host" "1" "Mar 10, 2015" "NLnet Labs" "unbound 1.5.3" +.TH "unbound\-host" "1" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4" .\" .\" unbound-host.1 -- unbound DNS lookup utility .\" diff --git a/doc/unbound.8.in b/doc/unbound.8.in index 7242469c1f1f..e4ff3b8e9b14 100644 --- a/doc/unbound.8.in +++ b/doc/unbound.8.in @@ -1,4 +1,4 @@ -.TH "unbound" "8" "Mar 10, 2015" "NLnet Labs" "unbound 1.5.3" +.TH "unbound" "8" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4" .\" .\" unbound.8 -- unbound manual .\" @@ -9,7 +9,7 @@ .\" .SH "NAME" .B unbound -\- Unbound DNS validating resolver 1.5.3. +\- Unbound DNS validating resolver 1.5.4. .SH "SYNOPSIS" .B unbound .RB [ \-h ] diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index 9b088f372b63..cd57ab83d3d8 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -1,4 +1,4 @@ -.TH "unbound.conf" "5" "Mar 10, 2015" "NLnet Labs" "unbound 1.5.3" +.TH "unbound.conf" "5" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4" .\" .\" unbound.conf.5 -- unbound.conf manual .\" 
@@ -164,12 +164,14 @@ By default only ports above 1024 that have not been assigned by IANA are used. Give a port number or a range of the form "low\-high", without spaces. .TP .B outgoing\-num\-tcp: \fI<number> -Number of outgoing TCP buffers to allocate per thread. Default is 10. If set -to 0, or if do\-tcp is "no", no TCP queries to authoritative servers are done. +Number of outgoing TCP buffers to allocate per thread. Default is 10. If +set to 0, or if do\-tcp is "no", no TCP queries to authoritative servers +are done. For larger installations increasing this value is a good idea. .TP .B incoming\-num\-tcp: \fI<number> -Number of incoming TCP buffers to allocate per thread. Default is 10. If set -to 0, or if do\-tcp is "no", no TCP queries from clients are accepted. +Number of incoming TCP buffers to allocate per thread. Default is +10. If set to 0, or if do\-tcp is "no", no TCP queries from clients are +accepted. For larger installations increasing this value is a good idea. .TP .B edns\-buffer\-size: \fI<number> Number of bytes size to advertise as the EDNS reassembly buffer size. 
@@ -265,6 +267,16 @@ it then attempts to open the port and passes the option if it was available at compile time, if that works it is used, if it fails, it continues silently (unless verbosity 3) without the option. .TP +.B ip\-transparent: \fI<yes or no> +If yes, then use IP_TRANSPARENT socket option on sockets where unbound +is listening for incoming traffic. Default no. Allows you to bind to +non\-local interfaces. For example for non\-existant IP addresses that +are going to exist later on, with host failover configuration. This is +a lot like interface\-automatic, but that one services all interfaces +and with this option you can select which (future) interfaces unbound +provides service on. This option needs unbound to be started with root +permissions on some systems. +.TP .B rrset\-cache\-size: \fI<number> Number of bytes size of the RRset cache. Default is 4 megabytes. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes @@ -290,6 +302,10 @@ Zero makes sure the data in the cache is as the domain owner intended, higher values, especially more than an hour or so, can lead to trouble as the data in the cache does not match up with the actual data any more. .TP +.B cache\-max\-negative\-ttl: \fI<seconds> +Time to live maximum for negative responses, these have a SOA in the +authority section that is limited in time. Default is 3600. +.TP .B infra\-host\-ttl: \fI<seconds> Time to live for entries in the host cache. The host cache contains roundtrip timing, lameness and EDNS support information. Default is 900. 
@@ -548,6 +564,13 @@ extra query load that is generated. Experimental option. If you enable it consider adding more numbers after the target\-fetch\-policy to increase the max depth that is checked to. .TP +.B harden\-algo\-downgrade: \fI<yes or no> +Harden against algorithm downgrade when multiple algorithms are +advertised in the DS record. If no, allows the weakest algorithm to +validate the zone. Default is yes. Zone signers must produce zones +that allow this feature to work, but sometimes they do not, and turning +this option off avoids that validation failure. +.TP .B use\-caps\-for\-id: \fI<yes or no> Use 0x20\-encoded random bits in the query to foil spoof attempts. This perturbs the lowercase and uppercase of query names sent to @@ -555,6 +578,12 @@ authority servers and checks if the reply still has the correct casing. Disabled by default. This feature is an experimental implementation of draft dns\-0x20. .TP +.B caps\-whitelist: \fI<domain> +Whitelist the domain so that it does not receive caps\-for\-id perturbed +queries. For domains that do not support 0x20 and also fail with fallback +because they keep sending different answers, like some load balancers. +Can be given multiple times, for different domains. +.TP .B private\-address: \fI<IP address or subnet> Give IPv4 of IPv6 addresses or classless subnets. These are addresses on your private network, and are not allowed to be returned for public 
@@ -655,14 +684,19 @@ It is possible to use wildcards with this statement, the wildcard is expanded on start and on reload. .TP .B dlv\-anchor\-file: \fI<filename> +This option was used during early days DNSSEC deployment when no parent-side +DS record registrations were easily available. Nowadays, it is best to have +DS records registered with the parent zone (many top level zones are signed). File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and DNSKEY entries can be used in the file, in the same format as for \fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more would be slow. The DLV configured is used as a root trusted DLV, this means that it is a lookaside for the root. Default is "", or no dlv anchor file. +DLV is going to be decommissioned. Please do not use it any more. .TP .B dlv\-anchor: \fI<"Resource Record"> Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline. +DLV is going to be decommissioned. Please do not use it any more. .TP .B domain\-insecure: \fI<domain name> Sets domain name to be insecure, DNSSEC chain of trust is ignored towards 
@@ -796,10 +830,10 @@ data leakage about the local network to the upstream DNS servers. .B local\-zone: \fI<zone> <type> Configure a local zone. The type determines the answer to give if there is no match from local\-data. The types are deny, refuse, static, -transparent, redirect, nodefault, typetransparent, inform, and are explained -below. After that the default settings are listed. Use local\-data: to -enter data into the local zone. Answers for local zones are authoritative -DNS answers. By default the zones are class IN. +transparent, redirect, nodefault, typetransparent, inform, inform_deny, +and are explained below. After that the default settings are listed. Use +local\-data: to enter data into the local zone. Answers for local zones +are authoritative DNS answers. By default the zones are class IN. .IP If you need more complicated authoritative data, with referrals, wildcards, CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for @@ -853,6 +887,10 @@ info: zonename inform IP@port queryname type class. This option can be used for normal resolution, but machines looking up infected names are logged, eg. to run antivirus on them. .TP 10 +\h'5'\fIinform_deny\fR +The query is dropped, like 'deny', and logged, like 'inform'. Ie. find +infected machines without answering the queries. +.TP 10 \h'5'\fInodefault\fR Used to turn off default contents for AS112 zones. The other types also turn off default contents for the zone. The 'nodefault' option 
@@ -959,6 +997,51 @@ it as detailed in the stub zone section below. Configure local data shorthand for a PTR record with the reversed IPv4 or IPv6 address and the host name. For example "192.0.2.4 www.example.com". TTL can be inserted like this: "2001:DB8::4 7200 www.example.com" +.TP 5 +.B ratelimit: \fI<number or 0> +Enable ratelimiting of queries sent to nameserver for performing recursion. +If 0, the default, it is disabled. This option is experimental at this time. +The ratelimit is in queries per second that are allowed. More queries are +turned away with an error (servfail). This stops recursive floods, eg. random +query names, but not spoofed reflection floods. Cached responses are not +ratelimited by this setting. The zone of the query is determined by examining +the nameservers for it, the zone name is used to keep track of the rate. +For example, 1000 may be a suitable value to stop the server from being +overloaded with random names, and keeps unbound from sending traffic to the +nameservers for those zones. +.TP 5 +.B ratelimit\-size: \fI<memory size> +Give the size of the data structure in which the current ongoing rates are +kept track in. Default 4m. In bytes or use m(mega), k(kilo), g(giga). +The ratelimit structure is small, so this data structure likely does +not need to be large. +.TP 5 +.B ratelimit\-slabs: \fI<number> +Give power of 2 number of slabs, this is used to reduce lock contention +in the ratelimit tracking data structure. Close to the number of cpus is +a fairly good setting. +.TP 5 +.B ratelimit\-factor: \fI<number> +Set the amount of queries to rate limit when the limit is exceeded. +If set to 0, all queries are dropped for domains where the limit is +exceeded. If set to another value, 1 in that number is allowed through +to complete. Default is 10, allowing 1/10 traffic to flow normally. 
+This can make ordinary queries complete (if repeatedly queried for), +and enter the cache, whilst also mitigiting the traffic flow by the +factor given. +.TP 5 +.B ratelimit\-for\-domain: \fI<domain> <number qps> +Override the global ratelimit for an exact match domain name with the listed +number. You can give this for any number of names. For example, for +a top\-level\-domain you may want to have a higher limit than other names. +.TP 5 +.B ratelimit\-below\-domain: \fI<domain> <number qps> +Override the global ratelimit for a domain name that ends in this name. +You can give this multiple times, it then describes different settings +in different parts of the namespace. The closest matching suffix is used +to determine the qps limit. The rate for the exact matching domain name +is not changed, use ratelimit\-for\-domain to set that, you might want +to use different settings for a top\-level\-domain and subdomains. .SS "Remote Control Options" In the .B remote\-control: |
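Review bot: in the example.conf.in hunk at `@@ -87,6 +87,10 @@` (ip-transparent), the comment omits the requirement that the unbound.conf(5) text for the same option states, namely that unbound may need to be started with root permissions on some systems; the example file is what most operators read, so add that caveat to the comment, and while there tighten "you can config non-existing IPs that are going to work later on" to "you can configure addresses that do not exist yet".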
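Review bot: the added line in the libunbound.3.in hunk at `@@ -175,6 +175,7 @@` ("Openssl 1.0.0 or later uses the CRYPTO_THREADID_set_callback function.") sits after a sentence that still tells callers to use CRYPTO_set_id_callback, which the 25 March Changelog entry (Fix #657) calls deprecated; phrase the addition as a replacement, e.g. "With OpenSSL 1.0.0 or later, use CRYPTO_THREADID_set_callback instead of CRYPTO_set_id_callback", and fix "asyncronous" in the unchanged context line while touching this paragraph.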
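Review bot: in the unbound.conf.5.in hunk at `@@ -265,6 +267,16 @@` (ip-transparent), "non\-existant" should be "non\-existent"; the same sentence would also read better as "For example for IP addresses that do not exist yet but will, with a host failover configuration."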
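Review bot: the unbound.conf.5.in hunk at `@@ -290,6 +302,10 @@` (cache-max-negative-ttl) describes negative responses only as having "a SOA in the authority section that is limited in time"; the 29 May Changelog entry in this same patch says the SOA's negative TTL is also capped at the minimum TTL in its rdata section, so state that here so operators know both the cache entry and the SOA minimum field are bounded by this option.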
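Review bot: the unbound.conf.5.in hunk at `@@ -548,6 +564,13 @@` (harden-algo-downgrade) says only that "no" "allows the weakest algorithm to validate the zone"; spell out the trade-off so the operator can judge it: with "no", a zone advertising several algorithms in its DS set validates if any one of them verifies, so the zone is only as strong as the weakest algorithm listed. That makes the "avoids that validation failure" sentence an informed choice rather than a hidden downgrade.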
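Review bot: the unbound.conf.5.in hunk at `@@ -555,6 +578,12 @@` (caps-whitelist) should say what is given up: use-caps-for-id exists "to foil spoof attempts", so a whitelisted domain no longer gets that protection. A sentence such as "Queries to whitelisted domains are sent without 0x20 protection, so list only the specific names that fail the fallback" would keep operators from whitelisting whole TLDs to silence errors.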
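Review bot: in the unbound.conf.5.in hunk at `@@ -655,14 +684,19 @@` (dlv-anchor-file), "This option was used during early days DNSSEC deployment when no parent-side DS record registrations were easily available" needs "the early days of DNSSEC deployment"; the decommission sentence is repeated verbatim under dlv-anchor, which is fine, but the first occurrence would be clearer placed before the format description rather than after it, so the reader sees the deprecation before the usage details.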
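Review bot: in the unbound.conf.5.in hunk at `@@ -959,6 +997,51 @@` (ratelimit options), "mitigiting" under ratelimit-factor should be "mitigating", and ratelimit-slabs reads awkwardly as "Give power of 2 number of slabs"; suggest "Give the number of slabs, a power of 2". The ratelimit paragraph already states the limit does not stop spoofed reflection floods, which is the right caveat; consider also noting next to the 1000 qps example that the value is per zone (as the text says) rather than per server, since the example.conf comment "state qps allowed per zone" is the only place that is obvious.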