Diffstat (limited to 'doc')
| -rw-r--r-- | doc/Changelog | 153 | ||||
| -rw-r--r-- | doc/FEATURES | 1 | ||||
| -rw-r--r-- | doc/README | 2 | ||||
| -rw-r--r-- | doc/example.conf.in | 47 | ||||
| -rw-r--r-- | doc/libunbound.3.in | 9 | ||||
| -rw-r--r-- | doc/unbound-anchor.8.in | 2 | ||||
| -rw-r--r-- | doc/unbound-checkconf.8.in | 2 | ||||
| -rw-r--r-- | doc/unbound-control.8.in | 12 | ||||
| -rw-r--r-- | doc/unbound-host.1 | 2 | ||||
| -rw-r--r-- | doc/unbound.8.in | 4 | ||||
| -rw-r--r-- | doc/unbound.conf.5.in | 9 |
11 files changed, 229 insertions, 14 deletions
diff --git a/doc/Changelog b/doc/Changelog index 346f02a764e5..544fbef562b5 100644 --- a/doc/Changelog +++ b/doc/Changelog 
@@ -1,5 +1,158 @@ +16 Sep 2013: Wouter + - Fix#524: max-udp-size not effective to non-EDNS0 queries, from + Daisuke HIGASHI. + +10 Sep 2013: Wouter + - MIN_TTL and MAX_TTL also in time_t. + - tag 1.4.21rc1 made again. + +26 Aug 2013: Wouter + - More fixes for bug#519: for the threaded case test if the bg + thread has been killed, on ub_ctx_delete, to avoid hangs. + +22 Aug 2013: Wouter + - more fixes that I overlooked. + - review fixes from Willem. + +21 Aug 2013: Wouter + - Fix#520: Errors found by static analysis from Tomas Hozza(redhat). + +20 Aug 2013: Wouter + - Fix for 2038, with time_t instead of uint32_t. + +19 Aug 2013: Wouter + - Fix#519 ub_ctx_delete may hang in some scenarios (libunbound). + +14 Aug 2013: Wouter + - Fix uninit variable in fix#516. + +8 Aug 2013: Wouter + - Fix#516 dnssec lameness detection for answers that are improper. + +30 Jun 2013: Wouter + - tag 1.4.21rc1 + +29 Jun 2013: Wouter + - Fix#512 memleak in testcode for testbound (if it fails). + - Fix#512 NSS returned arrays out of setup function to be statics. + +26 Jun 2013: Wouter + - max include of 100.000 files (depth and globbed at one time). + This is to preserve system memory in bug cases, or endless cases. + - iana portlist updated. + +19 Jun 2013: Wouter + - streamtcp man page, contributed by Tomas Hozza. + - iana portlist updated. + - libunbound documentation on how to avoid openssl race conditions. + +25 Jun 2013: Wouter + - Squelch sendto-permission denied errors when the network is + not connected, to avoid spamming syslog. + - configure --disable-flto option (from Robert Edmonds). + +18 Jun 2013: Wouter + - Fix for const string literals in C++ for libunbound, from Karel + Slany. + - iana portlist updated. + +17 Jun 2013: Wouter + - Fixup manpage syntax. + +14 Jun 2013: Wouter + - get_option and set_option support for log-time-ascii, python-script + val-sig-skew-min and val-sig-skew-max. log-time-ascii takes effect + immediately. 
The others are mostly useful for libunbound users. + +13 Jun 2013: Wouter + - get_option, set_option, unbound-checkconf -o and libunbound + getoption and setoption support cache-min-ttl and cache-max-ttl. + +10 Jun 2013: Wouter + - Fix#501: forward-first does not recurse, when forward name is ".". + - iana portlist update. + - Max include depth is unlimited. + +27 May 2013: Wouter + - Update acx_pthreads.m4 to ax_pthreads.4 (2013-03-29), and apply + patch to it to not fail when -Werror is also specified, from the + autoconf-archives. + - iana portlist update. + +21 May 2013: Wouter + - Explain bogus and secure flags in libunbound more. + +16 May 2013: Wouter + - Fix#499 use-after-free in out-of-memory handling code (thanks Jake + Montgomery). + - Fix#500 use on non-initialised values on socket bind failures. + +15 May 2013: Wouter + - Fix round-robin doesn't work with some Windows clients (from Ilya + Bakulin). + +3 May 2013: Wouter + - update acx_nlnetlabs.m4 to v23, sleep w32 fix. + +26 April 2013: Wouter + - add unbound-control insecure_add and insecure_remove for the + administration of negative trust anchors. + +25 April 2013: Wouter + - Implement max-udp-size config option, default 4096 (thanks + Daisuke Higashi). + - Robust checks on dname validity from rdata for dname compare. + - updated iana portlist. + +19 April 2013: Wouter + - Fixup snprintf return value usage, fixed libunbound_get_option. + +18 April 2013: Wouter + - fix bug #491: pick program name (0th argument) as syslog identity. + - own implementation of compat/snprintf.c. + +15 April 2013: Wouter + - Fix so that for a configuration line of include: "*.conf" it is not + an error if there are no files matching the glob pattern. + - unbound-anchor review: BIO_write can return 0 successfully if it + has successfully appended a zero length string. + +11 April 2013: Wouter + - Fix queries leaking up for stubs and forwards, if the configured + nameservers all fail to answer. 
+ +10 April 2013: Wouter + - code improve for minimal responses, small speed increase. + +9 April 2013: Wouter + - updated iana portlist. + - Fix crash in previous private address fixup of 22 March. + +28 March 2013: Wouter + - Make reverse zones easier by documenting the nodefault statements + commented-out in the example config file. + +26 March 2013: Wouter + - more fixes to lookup3.c endianness detection. + +25 March 2013: Wouter + - #492: Fix endianness detection, revert to older lookup3.c detection + and put new detect lines after previous tests, to avoid regressions + but allow new detections to succeed. + And add detection for machine/endian.h to it. + +22 March 2013: Wouter + - Fix resolve of names that use a mix of public and private addresses. + - iana portlist update. + - Fix makedist for new svn for -d option. + - unbound.h header file has UNBOUND_VERSION_MAJOR define. + - Fix windows RSRC version for long version numbers. + 21 March 2013: Wouter - release 1.4.20 + - trunk has 1.4.21 + - committed libunbound version 4:1:2 for binary API updated in 1.4.20 + - install copy of unbound-control.8 man page for unbound-control-setup 14 March 2013: Wouter - iana portlist update. diff --git a/doc/FEATURES b/doc/FEATURES index 93ed2925718c..076988ea9127 100644 --- a/doc/FEATURES +++ b/doc/FEATURES @@ -99,4 +99,5 @@ SSHFP type 4701: DHCID 5155: NSEC3, NSEC3PARAM 4408: SPF +6944: DNSKEY algorithm status diff --git a/doc/README b/doc/README index c8c69c1aa2b6..ebd0518cefc0 100644 --- a/doc/README +++ b/doc/README @@ -1,4 +1,4 @@ -README for Unbound 1.4.20 +README for Unbound 1.4.21 Copyright 2007 NLnet Labs http://unbound.net diff --git a/doc/example.conf.in b/doc/example.conf.in index aa9a7f7d44da..a0cffd57fef7 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -1,7 +1,7 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.4.20. +# See unbound.conf(5) man page, version 1.4.21. # # this is a comment. 
@@ -89,6 +89,10 @@ server: # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts). # edns-buffer-size: 4096 + # Maximum UDP response size (not applied to TCP response). + # Suggested values are 512 to 4096. Default is 4096. 65536 disables it. + # max-udp-size: 4096 + # buffer size for handling DNS data. No messages larger than this # size can be sent or received, by UDP or TCP. In bytes. # msg-buffer-size: 65552 
@@ -426,6 +430,47 @@ server: # plain value in bytes or you can append k, m or G. default is "1Mb". # neg-cache-size: 1m + # By default, for a number of zones a small default 'nothing here' + # reply is built-in. Query traffic is thus blocked. If you + # wish to serve such zone you can unblock them by uncommenting one + # of the nodefault statements below. + # You may also have to use domain-insecure: zone to make DNSSEC work, + # unless you have your own trust anchors for this zone. + # local-zone: "localhost." nodefault + # local-zone: "127.in-addr.arpa." nodefault + # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault + # local-zone: "10.in-addr.arpa." nodefault + # local-zone: "16.172.in-addr.arpa." nodefault + # local-zone: "17.172.in-addr.arpa." nodefault + # local-zone: "18.172.in-addr.arpa." nodefault + # local-zone: "19.172.in-addr.arpa." nodefault + # local-zone: "20.172.in-addr.arpa." nodefault + # local-zone: "21.172.in-addr.arpa." nodefault + # local-zone: "22.172.in-addr.arpa." nodefault + # local-zone: "23.172.in-addr.arpa." nodefault + # local-zone: "24.172.in-addr.arpa." nodefault + # local-zone: "25.172.in-addr.arpa." nodefault + # local-zone: "26.172.in-addr.arpa." nodefault + # local-zone: "27.172.in-addr.arpa." nodefault + # local-zone: "28.172.in-addr.arpa." nodefault + # local-zone: "29.172.in-addr.arpa." nodefault + # local-zone: "30.172.in-addr.arpa." nodefault + # local-zone: "31.172.in-addr.arpa." nodefault + # local-zone: "168.192.in-addr.arpa." nodefault + # local-zone: "0.in-addr.arpa." nodefault + # local-zone: "254.169.in-addr.arpa." nodefault + # local-zone: "2.0.192.in-addr.arpa." nodefault + # local-zone: "100.51.198.in-addr.arpa." nodefault + # local-zone: "113.0.203.in-addr.arpa." nodefault + # local-zone: "255.255.255.255.in-addr.arpa." nodefault + # local-zone: "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault + # local-zone: "d.f.ip6.arpa." 
nodefault + # local-zone: "8.e.f.ip6.arpa." nodefault + # local-zone: "9.e.f.ip6.arpa." nodefault + # local-zone: "a.e.f.ip6.arpa." nodefault + # local-zone: "b.e.f.ip6.arpa." nodefault + # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault + # a number of locally served zones can be configured. # local-zone: <zone> <type> # local-data: "<resource record string>" diff --git a/doc/libunbound.3.in b/doc/libunbound.3.in index 0f6f0c6c2947..315a2dff30d2 100644 --- a/doc/libunbound.3.in +++ b/doc/libunbound.3.in @@ -1,4 +1,4 @@ -.TH "libunbound" "3" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20" +.TH "libunbound" "3" "Sep 19, 2013" "NLnet Labs" "unbound 1.4.21" .\" .\" libunbound.3 -- unbound library functions manual .\" @@ -42,7 +42,7 @@ .B ub_ctx_zone_remove, .B ub_ctx_data_add, .B ub_ctx_data_remove -\- Unbound DNS validating resolver 1.4.20 functions. +\- Unbound DNS validating resolver 1.4.21 functions. .SH "SYNOPSIS" .LP .B #include <unbound.h> @@ -171,6 +171,9 @@ by default. Use and .B ub_ctx_hosts to read them. +Before you call this, use the openssl functions CRYPTO_set_id_callback and +CRYPTO_set_locking_callback to set up asyncronous operation if you use +lib openssl (the application calls these functions once for initialisation). .TP .B ub_ctx_delete Delete validation context and free associated resources. @@ -364,7 +367,7 @@ The result of the DNS resolution and validation is returned as .fi .P If both secure and bogus are false, security was not enabled for the -domain of the query. +domain of the query. Else, they are not both true, one of them is true. .SH "RETURN VALUES" Many routines return an error code. The value 0 (zero) denotes no error happened. Other values can be passed to diff --git a/doc/unbound-anchor.8.in b/doc/unbound-anchor.8.in index 0b5e5a0bf2af..8d1a9e523af4 100644 --- a/doc/unbound-anchor.8.in +++ b/doc/unbound-anchor.8.in 
@@ -1,4 +1,4 @@ -.TH "unbound-anchor" "8" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20" +.TH "unbound-anchor" "8" "Sep 19, 2013" "NLnet Labs" "unbound 1.4.21" .\" .\" unbound-anchor.8 -- unbound anchor maintenance utility manual .\" diff --git a/doc/unbound-checkconf.8.in b/doc/unbound-checkconf.8.in index 4ae174f22559..dddad989d101 100644 --- a/doc/unbound-checkconf.8.in +++ b/doc/unbound-checkconf.8.in @@ -1,4 +1,4 @@ -.TH "unbound-checkconf" "8" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20" +.TH "unbound-checkconf" "8" "Sep 19, 2013" "NLnet Labs" "unbound 1.4.21" .\" .\" unbound-checkconf.8 -- unbound configuration checker manual .\" diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in index 669e81dfd75c..dac67214f6a6 100644 --- a/doc/unbound-control.8.in +++ b/doc/unbound-control.8.in @@ -1,4 +1,4 @@ -.TH "unbound-control" "8" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20" +.TH "unbound-control" "8" "Sep 19, 2013" "NLnet Labs" "unbound 1.4.21" .\" .\" unbound-control.8 -- unbound remote control manual .\" @@ -170,7 +170,7 @@ harden\-glue, harden\-dnssec\-stripped, harden\-below\-nxdomain, harden\-referral\-path, prefetch, prefetch\-key, log\-queries, hide\-identity, hide\-version, identity, version, val\-log\-level, val\-log\-squelch, ignore\-cd\-flag, add\-holddown, del\-holddown, -keep\-missing, tcp\-upstream, ssl\-upstream. +keep\-missing, tcp\-upstream, ssl\-upstream, max\-udp\-size. .TP .B get_option \fIopt Get the value of the option. Give the option name without a trailing ':'. 
@@ -196,6 +196,14 @@ List the local zones in use. These are printed one per line with zone type. .B list_local_data List the local data RRs in use. The resource records are printed. .TP +.B insecure_add \fIzone +Add a \fBdomain\-insecure\fR for the given zone, like the statement in unbound.conf. +Adds to the running unbound without affecting the cache contents (which may +still be bogus, use \fBflush_zone\fR to remove it), does not affect the config file. +.TP +.B insecure_remove \fIzone +Removes domain\-insecure for the given zone. +.TP .B forward_add \fR[\fI+i\fR] \fIzone addr ... Add a new forward zone to running unbound. With +i option also adds a \fIdomain\-insecure\fR for the zone (so it can resolve insecurely if you have diff --git a/doc/unbound-host.1 b/doc/unbound-host.1 index 4957705cd88e..631e529d6422 100644 --- a/doc/unbound-host.1 +++ b/doc/unbound-host.1 @@ -1,4 +1,4 @@ -.TH "unbound\-host" "1" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20" +.TH "unbound\-host" "1" "Sep 19, 2013" "NLnet Labs" "unbound 1.4.21" .\" .\" unbound-host.1 -- unbound DNS lookup utility .\" diff --git a/doc/unbound.8.in b/doc/unbound.8.in index 5d84d9a781b3..60c482cea399 100644 --- a/doc/unbound.8.in +++ b/doc/unbound.8.in @@ -1,4 +1,4 @@ -.TH "unbound" "8" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20" +.TH "unbound" "8" "Sep 19, 2013" "NLnet Labs" "unbound 1.4.21" .\" .\" unbound.8 -- unbound manual .\" @@ -10,7 +10,7 @@ .SH "NAME" .LP .B unbound -\- Unbound DNS validating resolver 1.4.20. +\- Unbound DNS validating resolver 1.4.21. .SH "SYNOPSIS" .LP .B unbound diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index 6dd0216d0367..6c0cdde46010 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -1,4 +1,4 @@ -.TH "unbound.conf" "5" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20" +.TH "unbound.conf" "5" "Sep 19, 2013" "NLnet Labs" "unbound 1.4.21" .\" .\" unbound.conf.5 -- unbound.conf manual .\" 
@@ -183,6 +183,11 @@ stringent path MTU problems, but is seen as extreme, since the amount of TCP fallback generated is excessive (probably also for this resolver, consider tuning the outgoing tcp number). .TP +.B max\-udp\-size: \fI<number> +Maximum UDP response size (not applied to TCP response). 65536 disables the +udp response size maximum, and uses the choice from the client, always. +Suggested values are 512 to 4096. Default is 4096. +.TP .B msg\-buffer\-size: \fI<number> Number of bytes size of the message buffers. Default is 65552 bytes, enough for 64 Kb packets, the maximum DNS message size. No message larger than this @@ -492,7 +497,7 @@ unsigned to badly signed often. If turned off you run the risk of a downgrade attack that disables security for a zone. Default is on. .TP .B harden\-below\-nxdomain: \fI<yes or no> -From draft-vixie-dnsext-resimprove, returns nxdomain to queries for a name +From draft\-vixie\-dnsext\-resimprove, returns nxdomain to queries for a name below another name that is already known to be nxdomain. DNSSEC mandates noerror for empty nonterminals, hence this is possible. Very old software might return nxdomain for empty nonterminals (that usually happen for reverse |
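Review bot: In the doc/Changelog hunk the new entries are not in date order: "19 Jun 2013" sits between "26 Jun 2013" and "25 Jun 2013", so one of those dates is probably wrong and should be checked against the commit history. In the 27 May 2013 entry, "ax_pthreads.4" looks like a typo for an .m4 file name, given that the old name on the same line is "acx_pthreads.m4".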
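Review bot: In doc/example.conf.in, hunk @@ -426,6 +430,47, the comment "You may also have to use domain-insecure: zone to make DNSSEC work" is misleading, because domain-insecure does not make DNSSEC work for the zone, it turns validation off for it. Suggest wording such as "to resolve the zone without DNSSEC validation", so an operator uncommenting a nodefault line knows that answers for that zone are then accepted unvalidated. The sentence "If you wish to serve such zone you can unblock them" also mixes singular and plural.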
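Review bot: In doc/libunbound.3.in, hunk @@ -171,6 +171,9, "asyncronous" is misspelled and the added paragraph does not say why the two callbacks are needed. The Changelog entry of 19 Jun 2013 describes this text as documentation on avoiding openssl race conditions, so the man page should say that directly (the callbacks make OpenSSL safe to use from more than one thread) and should name the function that "Before you call this" refers to, since the sentence follows a mention of ub_ctx_hosts and the referent is easy to misread.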
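Review bot: In doc/libunbound.3.in, hunk @@ -364,7 +367,7, the added sentence "Else, they are not both true, one of them is true." is hard to parse for a statement that callers rely on when deciding whether to trust an answer. Suggest "Otherwise exactly one of them is true; they are never both true."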
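Review bot: In doc/unbound-control.8.in, hunk @@ -196,6 +196,14, the insecure_remove entry is missing the cache caveat that insecure_add has. insecure_add explains that the cache is not affected and points to flush_zone, but insecure_remove only says "Removes domain\-insecure for the given zone." and leaves open whether data cached while the zone was insecure keeps being served after removal. Please document that, and whether flush_zone is needed, so that removing a negative trust anchor is known to restore validation. For consistency, "domain\-insecure" should also be set in bold here as it is in the insecure_add entry.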
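Review bot: In doc/unbound.conf.5.in, hunk @@ -183,6 +183,11, the max\-udp\-size entry gives no unit, while the neighbouring msg\-buffer\-size entry states "Number of bytes"; please say the value is in bytes. The Changelog entry of 16 Sep 2013 (Fix#524) is about max-udp-size and non-EDNS0 queries, but this text does not say how the limit applies to them. A sentence on that, and on how the option relates to edns\-buffer\-size, would help operators who set it to bound the size of UDP responses. The same applies to the shorter comment added to doc/example.conf.in in hunk @@ -89,6 +89,10.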
