Diffstat (limited to 'doc/unbound.conf.5.in')
| -rw-r--r-- | doc/unbound.conf.5.in | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index cd57ab83d3d8..c497eeebf33f 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -1,4 +1,4 @@ -.TH "unbound.conf" "5" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4" +.TH "unbound.conf" "5" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5" .\" .\" unbound.conf.5 -- unbound.conf manual .\" @@ -296,7 +296,7 @@ trust (very large) TTL values. .TP .B cache\-min\-ttl: \fI<seconds> Time to live minimum for RRsets and messages in the cache. Default is 0. -If the the minimum kicks in, the data is cached for longer than the domain +If the minimum kicks in, the data is cached for longer than the domain owner intended, and thus less queries are made to look up the data. Zero makes sure the data in the cache is as the domain owner intended, higher values, especially more than an hour or so, can lead to trouble as @@ -373,6 +373,7 @@ a daemon. Default is yes. The netblock is given as an IP4 or IP6 address with /size appended for a classless network block. The action can be \fIdeny\fR, \fIrefuse\fR, \fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR. +The most specific netblock match is used, if none match \fIdeny\fR is used. .IP The action \fIdeny\fR stops queries from hosts from that netblock. .IP @@ -567,7 +568,7 @@ to increase the max depth that is checked to. .B harden\-algo\-downgrade: \fI<yes or no> Harden against algorithm downgrade when multiple algorithms are advertised in the DS record. If no, allows the weakest algorithm to -validate the zone. Default is yes. Zone signers must produce zones +validate the zone. Default is no. Zone signers must produce zones that allow this feature to work, but sometimes they do not, and turning this option off avoids that validation failure. .TP 
@@ -801,6 +802,10 @@ mechanism work with zones that perform regular (non\-5011) rollovers. The default is 366 days. The value 0 does not remove missing anchors, as per the RFC. .TP +.B permit\-small\-holddown: \fI<yes or no> +Debug option that allows the autotrust 5011 rollover timers to assume +very small values. Default is no. +.TP .B key\-cache\-size: \fI<number> Number of bytes size of the key cache. Default is 4 megabytes. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes @@ -895,7 +900,8 @@ infected machines without answering the queries. Used to turn off default contents for AS112 zones. The other types also turn off default contents for the zone. The 'nodefault' option has no other effect than turning off default contents for the -given zone. +given zone. Use \fInodefault\fR if you use exactly that zone, if you want to +use a subzone, use \fItransparent\fR. .P The default zones are localhost, reverse 127.0.0.1 and ::1, and the AS112 zones. The AS112 zones are reverse DNS zones for private use and reserved @@ -1124,6 +1130,12 @@ bit on replies for the private zone (authoritative servers do not set the AD bit). This setup makes unbound capable of answering queries for the private zone, and can even set the AD bit ('authentic'), but the AA ('authoritative') bit is not set on these replies. +.P +Consider adding \fBserver:\fR statements for \fBdomain\-insecure:\fR and +for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally +served zone. The insecure clause stops DNSSEC from invalidating the +zone. The local zone nodefault (or \fItransparent\fR) clause makes the +(reverse\-) zone bypass unbound's filtering of RFC1918 zones. .TP .B name: \fI<domain name> Name of the stub zone. |
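Review bot: the sentence added in the access-control hunk is a comma splice and reads ambiguously ("The most specific netblock match is used, if none match \fIdeny\fR is used"). Split it into two statements, e.g. "The most specific netblock match is used. If no netblock matches, the action \fIdeny\fR is applied." This is worth getting right because it is the line that documents the default-deny behaviour an operator relies on when auditing access-control rules.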
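Review bot: the harden-algo-downgrade hunk flips the documented default from yes to no, which per the surrounding text means the weakest algorithm advertised in the DS record is allowed to validate the zone unless the operator sets the option to yes. The following sentence, "turning this option off avoids that validation failure", now describes the default rather than an override; reword it to say that leaving the option at its default of no avoids the failure and that setting it to yes enables the hardening. Since the only other change in this commit is the version bump to 1.5.5 in the .TH line, also confirm the code default in this release matches the new documented value, and consider calling the changed default out explicitly so operators who assumed the hardening was on by default can re-check their configuration.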
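Review bot: the new permit-small-holddown entry says only "Debug option" and "very small values"; state which RFC 5011 timers are affected and what "very small" means (for example that the RFC's minimum holddown is no longer enforced), and say plainly that the option exists for testing rollovers and should be left at its default of no on a production resolver, since shortening the 5011 holddown timers removes the delay that the holddown period is meant to provide before a new anchor is trusted.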
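Review bot: the added sentence in the local-zone hunk is another comma splice ("Use \fInodefault\fR if you use exactly that zone, if you want to use a subzone, use \fItransparent\fR"). Split it: "Use \fInodefault\fR if you serve exactly that zone. If you want to use a subzone, use \fItransparent\fR." The same nodefault/transparent choice is repeated in the stub-zone hunk later in the patch, so the two passages should use the same wording.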
