Imported Debian patch 1.2.1-2
Robert S. Edmonds
12 years ago
144 | 144 | |
145 | 145 | libunbound.la: $(LIBUNBOUND_OBJ) |
146 | 146 | $(INFO) Link $@ |
147 | $Q$(LINK_LIB) -export-symbols $(srcdir)/libunbound/ubsyms.def -o $@ $(sort $(LIBUNBOUND_OBJ)) -rpath $(libdir) $(LIBS) | |
147 | $Q$(LINK_LIB) --export-symbols $(srcdir)/libunbound/ubsyms.def -o $@ $(sort $(LIBUNBOUND_OBJ)) -rpath $(libdir) $(LIBS) | |
148 | 148 | |
149 | 149 | ifeq ($(patsubst ldns-src%,ldns-src,$(ldnsdir)),ldns-src) |
150 | 150 | ldnslib=$(ldnsdir)/lib/libldns.a |
0 | unbound (1.2.1-2) unstable; urgency=low | |
1 | ||
2 | * Closes: #527753, #509535. | |
3 | ||
4 | -- Robert S. Edmonds <edmonds@debian.org> Sat, 09 May 2009 16:46:32 -0400 | |
5 | ||
0 | 6 | unbound (1.2.1-1) unstable; urgency=low |
1 | 7 | |
2 | 8 | * New upstream release. |
1 | 1 | Section: net |
2 | 2 | Priority: optional |
3 | 3 | Maintainer: Robert S. Edmonds <edmonds@debian.org> |
4 | Build-Depends: dpkg-dev (>= 1.14.9), debhelper (>= 7), doxygen, autoconf, | |
5 | automake, libtool, flex, bison, libldns-dev, libssl-dev | |
6 | Standards-Version: 3.8.0.0 | |
4 | Build-Depends: dpkg-dev (>= 1.14.9), debhelper (>= 7), quilt, doxygen, | |
5 | autoconf, automake, autotools-dev, libtool, flex, bison, libldns-dev, | |
6 | libssl-dev | |
7 | Standards-Version: 3.8.1 | |
7 | 8 | Homepage: http://www.unbound.net/ |
8 | 9 | |
9 | 10 | Package: unbound |
10 | 11 | Section: net |
11 | 12 | Architecture: any |
12 | Depends: ${shlibs:Depends}, adduser | |
13 | Depends: ${misc:Depends}, ${shlibs:Depends}, adduser | |
13 | 14 | Description: validating, recursive, caching DNS resolver |
14 | 15 | Unbound is a recursive-only caching DNS server which can perform DNSSEC |
15 | 16 | validation of results. It implements only a minimal amount of authoritative |
22 | 23 | Package: unbound-host |
23 | 24 | Section: net |
24 | 25 | Architecture: any |
25 | Depends: ${shlibs:Depends} | |
26 | Depends: ${misc:Depends}, ${shlibs:Depends} | |
26 | 27 | Description: reimplementation of the 'host' command |
27 | 28 | This package provides the 'unbound-host' program that is bundled with the |
28 | 29 | Unbound domain name server. This version differs from the one provided in the |
32 | 33 | Package: libunbound0 |
33 | 34 | Section: net |
34 | 35 | Architecture: any |
35 | Depends: ${shlibs:Depends} | |
36 | Depends: ${misc:Depends}, ${shlibs:Depends} | |
36 | 37 | Description: library implementing DNS resolution and validation |
37 | 38 | libunbound performs and validates DNS lookups; it can be used to convert |
38 | 39 | hostnames to IP addresses and back and obtain other information from the |
41 | 42 | Package: libunbound-dev |
42 | 43 | Section: libdevel |
43 | 44 | Architecture: any |
44 | Depends: libunbound0 (= ${binary:Version}) | |
45 | Depends: ${misc:Depends}, libunbound0 (= ${binary:Version}) | |
45 | 46 | Description: static library, header files, and docs for libunbound |
46 | 47 | Static library, header files, and documentation for libunbound. |
47 | 48 | . |
0 | 0 | libunbound.so.0 libunbound0 #MINVER# |
1 | ub_cancel@Base 1.2.1-1 | |
2 | ub_ctx_add_ta@Base 1.2.1-1 | |
3 | ub_ctx_add_ta_file@Base 1.2.1-1 | |
4 | ub_ctx_async@Base 1.2.1-1 | |
5 | ub_ctx_config@Base 1.2.1-1 | |
6 | ub_ctx_create@Base 1.2.1-1 | |
7 | ub_ctx_debuglevel@Base 1.2.1-1 | |
8 | ub_ctx_debugout@Base 1.2.1-1 | |
9 | ub_ctx_delete@Base 1.2.1-1 | |
10 | ub_ctx_hosts@Base 1.2.1-1 | |
11 | ub_ctx_resolvconf@Base 1.2.1-1 | |
12 | ub_ctx_set_fwd@Base 1.2.1-1 | |
13 | ub_ctx_set_option@Base 1.2.1-1 | |
14 | ub_ctx_trustedkeys@Base 1.2.1-1 | |
15 | ub_fd@Base 1.2.1-1 | |
16 | ub_poll@Base 1.2.1-1 | |
17 | ub_process@Base 1.2.1-1 | |
18 | ub_resolve@Base 1.2.1-1 | |
19 | ub_resolve_async@Base 1.2.1-1 | |
20 | ub_resolve_free@Base 1.2.1-1 | |
21 | ub_strerror@Base 1.2.1-1 | |
22 | ub_wait@Base 1.2.1-1 | |
1 | ub_cancel@Base 1.2.1 | |
2 | ub_ctx_add_ta@Base 1.2.1 | |
3 | ub_ctx_add_ta_file@Base 1.2.1 | |
4 | ub_ctx_async@Base 1.2.1 | |
5 | ub_ctx_config@Base 1.2.1 | |
6 | ub_ctx_create@Base 1.2.1 | |
7 | ub_ctx_debuglevel@Base 1.2.1 | |
8 | ub_ctx_debugout@Base 1.2.1 | |
9 | ub_ctx_delete@Base 1.2.1 | |
10 | ub_ctx_hosts@Base 1.2.1 | |
11 | ub_ctx_resolvconf@Base 1.2.1 | |
12 | ub_ctx_set_fwd@Base 1.2.1 | |
13 | ub_ctx_set_option@Base 1.2.1 | |
14 | ub_ctx_trustedkeys@Base 1.2.1 | |
15 | ub_fd@Base 1.2.1 | |
16 | ub_poll@Base 1.2.1 | |
17 | ub_process@Base 1.2.1 | |
18 | ub_resolve@Base 1.2.1 | |
19 | ub_resolve_async@Base 1.2.1 | |
20 | ub_resolve_free@Base 1.2.1 | |
21 | ub_strerror@Base 1.2.1 | |
22 | ub_wait@Base 1.2.1 |
0 | Index: unbound-1.2.1/Makefile.in | |
1 | =================================================================== | |
2 | --- unbound-1.2.1.orig/Makefile.in 2009-05-09 16:39:59.232932234 -0400 | |
3 | +++ unbound-1.2.1/Makefile.in 2009-05-09 16:40:04.674986821 -0400 | |
4 | @@ -145,7 +145,7 @@ | |
5 | ||
6 | libunbound.la: $(LIBUNBOUND_OBJ) | |
7 | $(INFO) Link $@ | |
8 | - $Q$(LINK_LIB) --export-symbols $(srcdir)/libunbound/ubsyms.def -o $@ $(sort $(LIBUNBOUND_OBJ)) -rpath $(libdir) $(LIBS) | |
9 | + $Q$(LINK_LIB) -export-symbols $(srcdir)/libunbound/ubsyms.def -o $@ $(sort $(LIBUNBOUND_OBJ)) -rpath $(libdir) $(LIBS) | |
10 | ||
11 | ifeq ($(patsubst ldns-src%,ldns-src,$(ldnsdir)),ldns-src) | |
12 | ldnslib=$(ldnsdir)/lib/libldns.a |
0 | Index: unbound-1.2.1/doc/example.conf.in | |
1 | =================================================================== | |
2 | --- unbound-1.2.1.orig/doc/example.conf.in 2009-05-09 16:42:10.188932340 -0400 | |
3 | +++ unbound-1.2.1/doc/example.conf.in 2009-05-09 16:42:21.815509323 -0400 | |
4 | @@ -173,6 +173,7 @@ | |
5 | # | |
6 | # If you give "" no chroot is performed. The path must not end in a /. | |
7 | # chroot: "@UNBOUND_CHROOT_DIR@" | |
8 | + chroot: "" | |
9 | ||
10 | # if given, user privileges are dropped (after binding port), | |
11 | # and the given username is assumed. Default is user "unbound". |
2 | 2 | %: |
3 | 3 | dh $@ |
4 | 4 | |
5 | build: build-stamp | |
5 | include /usr/share/quilt/quilt.make | |
6 | ||
7 | build: patch build-stamp | |
6 | 8 | build-stamp: |
7 | 9 | dh build --before configure |
8 | autoreconf -i | |
10 | autoreconf -fvi | |
9 | 11 | dh_auto_configure -- \ |
10 | 12 | --disable-rpath \ |
11 | 13 | --with-chroot-dir=/var/lib/unbound \ |
14 | 16 | dh build --after test |
15 | 17 | touch $@ |
16 | 18 | |
17 | clean: | |
19 | clean: unpatch | |
18 | 20 | dh clean |
19 | 21 | |
20 | 22 | install: build |
0 | # | |
1 | # Example configuration file. | |
2 | # | |
3 | # See unbound.conf(5) man page. | |
4 | # | |
5 | # this is a comment. | |
6 | ||
7 | #Use this to include other text into the file. | |
8 | #include: "otherfile.conf" | |
9 | ||
10 | # The server clause sets the main parameters. | |
11 | server: | |
12 | # whitespace is not necessary, but looks cleaner. | |
13 | ||
14 | # verbosity number, 0 is least verbose. 1 is default. | |
15 | verbosity: 1 | |
16 | ||
17 | # print statistics to the log (for every thread) every N seconds. | |
18 | # Set to "" or 0 to disable. Default is disabled. | |
19 | # statistics-interval: 0 | |
20 | ||
21 | # enable cumulative statistics, without clearing them after printing. | |
22 | # statistics-cumulative: no | |
23 | ||
24 | # enable extended statistics (query types, answer codes, status) | |
25 | # printed from unbound-control. default off, because of speed. | |
26 | # extended-statistics: no | |
27 | ||
28 | # number of threads to create. 1 disables threading. | |
29 | # num-threads: 1 | |
30 | ||
31 | # specify the interfaces to answer queries from by ip-address. | |
32 | # The default is to listen to localhost (127.0.0.1 and ::1). | |
33 | # specify 0.0.0.0 and ::0 to bind to all available interfaces. | |
34 | # specify every interface on a new 'interface:' labelled line. | |
35 | # The listen interfaces are not changed on reload, only on restart. | |
36 | # interface: 192.0.2.153 | |
37 | # interface: 192.0.2.154 | |
38 | # interface: 2001:DB8::5 | |
39 | ||
40 | # enable this feature to copy the source address of queries to reply. | |
41 | # Socket options are not supported on all platforms. experimental. | |
42 | # interface-automatic: no | |
43 | ||
44 | # port to answer queries from | |
45 | # port: 53 | |
46 | ||
47 | # specify the interfaces to send outgoing queries to authoritative | |
48 | # server from by ip-address. If none, the default (all) interface | |
49 | # is used. Specify every interface on a 'outgoing-interface:' line. | |
50 | # outgoing-interface: 192.0.2.153 | |
51 | # outgoing-interface: 2001:DB8::5 | |
52 | # outgoing-interface: 2001:DB8::6 | |
53 | ||
54 | # number of ports to allocate per thread, determines the size of the | |
55 | # port range that can be open simultaneously. | |
56 | # outgoing-range: 256 | |
57 | ||
58 | # permit unbound to use this port number or port range for | |
59 | # making outgoing queries, using an outgoing interface. | |
60 | # outgoing-port-permit: 32768 | |
61 | ||
62 | # deny unbound the use this of port number or port range for | |
63 | # making outgoing queries, using an outgoing interface. | |
64 | # Use this to make sure unbound does not grab a UDP port that some | |
65 | # other server on this computer needs. The default is to avoid | |
66 | # IANA-assigned port numbers. | |
67 | # outgoing-port-avoid: "3200-3208" | |
68 | ||
69 | # number of outgoing simultaneous tcp buffers to hold per thread. | |
70 | # outgoing-num-tcp: 10 | |
71 | ||
72 | # number of incoming simultaneous tcp buffers to hold per thread. | |
73 | # incoming-num-tcp: 10 | |
74 | ||
75 | # buffer size for handling DNS data. No messages larger than this | |
76 | # size can be sent or received, by UDP or TCP. In bytes. | |
77 | # msg-buffer-size: 65552 | |
78 | ||
79 | # the amount of memory to use for the message cache. | |
80 | # plain value in bytes or you can append k, m or G. default is "4Mb". | |
81 | # msg-cache-size: 4m | |
82 | ||
83 | # the number of slabs to use for the message cache. | |
84 | # the number of slabs must be a power of 2. | |
85 | # more slabs reduce lock contention, but fragment memory usage. | |
86 | # msg-cache-slabs: 4 | |
87 | ||
88 | # the number of queries that a thread gets to service. | |
89 | # num-queries-per-thread: 1024 | |
90 | ||
91 | # if very busy, 50% queries run to completion, 50% get timeout in msec | |
92 | # jostle-timeout: 200 | |
93 | ||
94 | # the amount of memory to use for the RRset cache. | |
95 | # plain value in bytes or you can append k, m or G. default is "4Mb". | |
96 | # rrset-cache-size: 4m | |
97 | ||
98 | # the number of slabs to use for the RRset cache. | |
99 | # the number of slabs must be a power of 2. | |
100 | # more slabs reduce lock contention, but fragment memory usage. | |
101 | # rrset-cache-slabs: 4 | |
102 | ||
103 | # the time to live (TTL) value cap for RRsets and messages in the | |
104 | # cache. Items are not cached for longer. In seconds. | |
105 | # cache-max-ttl: 86400 | |
106 | ||
107 | # the time to live (TTL) value for cached roundtrip times and | |
108 | # EDNS version information for hosts. In seconds. | |
109 | # infra-host-ttl: 900 | |
110 | ||
111 | # the time to live (TTL) value for cached lame delegations. In sec. | |
112 | # infra-lame-ttl: 900 | |
113 | ||
114 | # the number of slabs to use for the Infrastructure cache. | |
115 | # the number of slabs must be a power of 2. | |
116 | # more slabs reduce lock contention, but fragment memory usage. | |
117 | # infra-cache-slabs: 4 | |
118 | ||
119 | # the maximum number of hosts that are cached (roundtrip times, EDNS). | |
120 | # infra-cache-numhosts: 10000 | |
121 | ||
122 | # the maximum size of the lame zones cached per host. in bytes. | |
123 | # infra-cache-lame-size: 10k | |
124 | ||
125 | # Enable IPv4, "yes" or "no". | |
126 | # do-ip4: yes | |
127 | ||
128 | # Enable IPv6, "yes" or "no". | |
129 | # do-ip6: yes | |
130 | ||
131 | # Enable UDP, "yes" or "no". | |
132 | # do-udp: yes | |
133 | ||
134 | # Enable TCP, "yes" or "no". | |
135 | # do-tcp: yes | |
136 | ||
137 | # Detach from the terminal, run in background, "yes" or "no". | |
138 | # do-daemonize: yes | |
139 | ||
140 | # control which clients are allowed to make (recursive) queries | |
141 | # to this server. Specify classless netblocks with /size and action. | |
142 | # By default everything is refused, except for localhost. | |
143 | # Choose deny (drop message), refuse (polite error reply), | |
144 | # allow (recursive ok), allow_snoop (recursive and nonrecursive ok) | |
145 | # access-control: 0.0.0.0/0 refuse | |
146 | # access-control: 127.0.0.0/8 allow | |
147 | # access-control: ::0/0 refuse | |
148 | # access-control: ::1 allow | |
149 | # access-control: ::ffff:127.0.0.1 allow | |
150 | ||
151 | # if given, a chroot(2) is done to the given directory. | |
152 | # i.e. you can chroot to the working directory, for example, | |
153 | # for extra security, but make sure all files are in that directory. | |
154 | # | |
155 | # If chroot is enabled, you should pass the configfile (from the | |
156 | # commandline) as a full path from the original root. After the | |
157 | # chroot has been performed the now defunct portion of the config | |
158 | # file path is removed to be able to reread the config after a reload. | |
159 | # | |
160 | # All other file paths (working dir, logfile, roothints, and | |
161 | # key files) can be specified in several ways: | |
162 | # o as an absolute path relative to the new root. | |
163 | # o as a relative path to the working directory. | |
164 | # o as an absolute path relative to the original root. | |
165 | # In the last case the path is adjusted to remove the unused portion. | |
166 | # | |
167 | # The pid file can be absolute and outside of the chroot, it is | |
168 | # written just prior to performing the chroot and dropping permissions. | |
169 | # | |
170 | # Additionally, unbound may need to access /dev/random (for entropy). | |
171 | # How to do this is specific to your OS. | |
172 | # | |
173 | # If you give "" no chroot is performed. The path must not end in a /. | |
174 | # chroot: "/var/lib/unbound" | |
175 | chroot: "" | |
176 | ||
177 | # if given, user privileges are dropped (after binding port), | |
178 | # and the given username is assumed. Default is user "unbound". | |
179 | # If you give "" no privileges are dropped. | |
180 | # username: "unbound" | |
181 | ||
182 | # the working directory. The relative files in this config are | |
183 | # relative to this directory. If you give "" the working directory | |
184 | # is not changed. | |
185 | # directory: "/etc/unbound" | |
186 | ||
187 | # the log file, "" means log to stderr. | |
188 | # Use of this option sets use-syslog to "no". | |
189 | # logfile: "" | |
190 | ||
191 | # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to | |
192 | # log to, with identity "unbound". If yes, it overrides the logfile. | |
193 | # use-syslog: yes | |
194 | ||
195 | # the pid file. Can be an absolute path outside of chroot/work dir. | |
196 | # pidfile: "/var/lib/unbound/unbound.pid" | |
197 | ||
198 | # file to read root hints from. | |
199 | # get one from ftp://FTP.INTERNIC.NET/domain/named.cache | |
200 | # root-hints: "" | |
201 | ||
202 | # enable to not answer id.server and hostname.bind queries. | |
203 | # hide-identity: no | |
204 | ||
205 | # enable to not answer version.server and version.bind queries. | |
206 | # hide-version: no | |
207 | ||
208 | # the identity to report. Leave "" or default to return hostname. | |
209 | # identity: "" | |
210 | ||
211 | # the version to report. Leave "" or default to return package version. | |
212 | # version: "" | |
213 | ||
214 | # the target fetch policy. | |
215 | # series of integers describing the policy per dependency depth. | |
216 | # The number of values in the list determines the maximum dependency | |
217 | # depth the recursor will pursue before giving up. Each integer means: | |
218 | # -1 : fetch all targets opportunistically, | |
219 | # 0: fetch on demand, | |
220 | # positive value: fetch that many targets opportunistically. | |
221 | # Enclose the list of numbers between quotes (""). | |
222 | # target-fetch-policy: "3 2 1 0 0" | |
223 | ||
224 | # Harden against very small EDNS buffer sizes. | |
225 | # harden-short-bufsize: no | |
226 | ||
227 | # Harden against unseemly large queries. | |
228 | # harden-large-queries: no | |
229 | ||
230 | # Harden against out of zone rrsets, to avoid spoofing attempts. | |
231 | # harden-glue: yes | |
232 | ||
233 | # Harden against receiving dnssec-stripped data. If you turn it | |
234 | # off, failing to validate dnskey data for a trustanchor will | |
235 | # trigger insecure mode for that zone (like without a trustanchor). | |
236 | # Default on, which insists on dnssec data for trust-anchored zones. | |
237 | # harden-dnssec-stripped: yes | |
238 | ||
239 | # Harden the referral path by performing additional queries for | |
240 | # infrastructure data. Validates the replies (if possible). | |
241 | # Default off, because the lookups burden the server. Experimental | |
242 | # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. | |
243 | # harden-referral-path: no | |
244 | ||
245 | # Use 0x20-encoded random bits in the query to foil spoof attempts. | |
246 | # This feature is an experimental implementation of draft dns-0x20. | |
247 | # use-caps-for-id: no | |
248 | ||
249 | # Enforce privacy of these addresses. Strips them away from answers. | |
250 | # It may cause DNSSEC validation to additionally mark it as bogus. | |
251 | # Protects against 'DNS Rebinding' (uses browser as network proxy). | |
252 | # Only 'private-domain' and 'local-data' names are allowed to have | |
253 | # these private addresses. No default. | |
254 | # private-address: 10.0.0.0/8 | |
255 | # private-address: 172.16.0.0/12 | |
256 | # private-address: 192.168.0.0/16 | |
257 | # private-address: 192.254.0.0/16 | |
258 | # private-address: fd00::/8 | |
259 | # private-address: fe80::/10 | |
260 | ||
261 | # Allow the domain (and its subdomains) to contain private addresses. | |
262 | # local-data statements are allowed to contain private addresses too. | |
263 | # private-domain: "example.com" | |
264 | ||
265 | # If nonzero, unwanted replies are not only reported in statistics, | |
266 | # but also a running total is kept per thread. If it reaches the | |
267 | # threshold, a warning is printed and a defensive action is taken, | |
268 | # the cache is cleared to flush potential poison out of it. | |
269 | # A suggested value is 10000000, the default is 0 (turned off). | |
270 | # unwanted-reply-threshold: 0 | |
271 | ||
272 | # Do not query the following addresses. No DNS queries are sent there. | |
273 | # List one address per entry. List classless netblocks with /size, | |
274 | # do-not-query-address: 127.0.0.1/8 | |
275 | # do-not-query-address: ::1 | |
276 | ||
277 | # if yes, the above default do-not-query-address entries are present. | |
278 | # if no, localhost can be queried (for testing and debugging). | |
279 | # do-not-query-localhost: yes | |
280 | ||
281 | # module configuration of the server. A string with identifiers | |
282 | # separated by spaces. "iterator" or "validator iterator" | |
283 | # module-config: "validator iterator" | |
284 | ||
285 | # File with DLV trusted keys. Same format as trust-anchor-file. | |
286 | # There can be only one DLV configured, it is trusted from root down. | |
287 | # Download https://secure.isc.org/ops/dlv/dlv.isc.org.key | |
288 | # dlv-anchor-file: "dlv.isc.org.key" | |
289 | ||
290 | # File with trusted keys for validation. Specify more than one file | |
291 | # with several entries, one file per entry. | |
292 | # Zone file format, with DS and DNSKEY entries. | |
293 | # trust-anchor-file: "" | |
294 | ||
295 | # Trusted key for validation. DS or DNSKEY. specify the RR on a | |
296 | # single line, surrounded by "". TTL is ignored. class is IN default. | |
297 | # (These examples are from August 2007 and may not be valid anymore). | |
298 | # trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ==" | |
299 | # trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A" | |
300 | ||
301 | # File with trusted keys for validation. Specify more than one file | |
302 | # with several entries, one file per entry. Like trust-anchor-file | |
303 | # but has a different file format. Format is BIND-9 style format, | |
304 | # the trusted-keys { name flag proto algo "key"; }; clauses are read. | |
305 | # trusted-keys-file: "" | |
306 | ||
307 | # Override the date for validation with a specific fixed date. | |
308 | # Do not set this unless you are debugging signature inception | |
309 | # and expiration. "" or "0" turns the feature off. | |
310 | # val-override-date: "" | |
311 | ||
312 | # The time to live for bogus data, rrsets and messages. This avoids | |
313 | # some of the revalidation, until the time interval expires. in secs. | |
314 | # val-bogus-ttl: 60 | |
315 | ||
316 | # Should additional section of secure message also be kept clean of | |
317 | # unsecure data. Useful to shield the users of this validator from | |
318 | # potential bogus data in the additional section. All unsigned data | |
319 | # in the additional section is removed from secure messages. | |
320 | # val-clean-additional: yes | |
321 | ||
322 | # Turn permissive mode on to permit bogus messages. Thus, messages | |
323 | # for which security checks failed will be returned to clients, | |
324 | # instead of SERVFAIL. It still performs the security checks, which | |
325 | # result in interesting log files and possibly the AD bit in | |
326 | # replies if the message is found secure. The default is off. | |
327 | # val-permissive-mode: no | |
328 | ||
329 | # It is possible to configure NSEC3 maximum iteration counts per | |
330 | # keysize. Keep this table very short, as linear search is done. | |
331 | # A message with an NSEC3 with larger count is marked insecure. | |
332 | # List in ascending order the keysize and count values. | |
333 | # val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500" | |
334 | ||
335 | # the amount of memory to use for the key cache. | |
336 | # plain value in bytes or you can append k, m or G. default is "4Mb". | |
337 | # key-cache-size: 4m | |
338 | ||
339 | # the number of slabs to use for the key cache. | |
340 | # the number of slabs must be a power of 2. | |
341 | # more slabs reduce lock contention, but fragment memory usage. | |
342 | # key-cache-slabs: 4 | |
343 | ||
344 | # the amount of memory to use for the negative cache (used for DLV). | |
345 | # plain value in bytes or you can append k, m or G. default is "1Mb". | |
346 | # neg-cache-size: 1m | |
347 | ||
348 | # a number of locally served zones can be configured. | |
349 | # local-zone: <zone> <type> | |
350 | # local-data: "<resource record string>" | |
351 | # o deny serves local data (if any), else, drops queries. | |
352 | # o refuse serves local data (if any), else, replies with error. | |
353 | # o static serves local data, else, nxdomain or nodata answer. | |
354 | # o transparent gives local data, but resolves normally for other names | |
355 | # o redirect serves the zone data for any subdomain in the zone. | |
356 | # o nodefault can be used to normally resolve AS112 zones. | |
357 | # | |
358 | # defaults are localhost address, reverse for 127.0.0.1 and ::1 | |
359 | # and nxdomain for AS112 zones. If you configure one of these zones | |
360 | # the default content is omitted, or you can omit it with 'nodefault'. | |
361 | # | |
362 | # If you configure local-data without specifying local-zone, by | |
363 | # default a transparent local-zone is created for the data. | |
364 | # | |
365 | # You can add locally served data with | |
366 | # local-zone: "local." static | |
367 | # local-data: "mycomputer.local. IN A 192.0.2.51" | |
368 | # local-data: 'mytext.local TXT "content of text record"' | |
369 | # | |
370 | # You can override certain queries with | |
371 | # local-data: "adserver.example.com A 127.0.0.1" | |
372 | # | |
373 | # You can redirect a domain to a fixed address with | |
374 | # (this makes example.com, www.example.com, etc, all go to 192.0.2.3) | |
375 | # local-zone: "example.com" redirect | |
376 | # local-data: "example.com A 192.0.2.3" | |
377 | # | |
378 | # Shorthand to make PTR records, "IPv4 name" or "IPv6 name". | |
379 | # You can also add PTR records using local-data directly, but then | |
380 | # you need to do the reverse notation yourself. | |
381 | # local-data-ptr: "192.0.2.3 www.example.com" | |
382 | ||
383 | # Remote control config section. | |
384 | remote-control: | |
385 | # Enable remote control with unbound-control(8) here. | |
386 | # set up the keys and certificates with unbound-control-setup. | |
387 | # control-enable: no | |
388 | ||
389 | # what interfaces are listened to for remote control. | |
390 | # give 0.0.0.0 and ::0 to listen to all interfaces. | |
391 | # control-interface: 127.0.0.1 | |
392 | # control-interface: ::1 | |
393 | ||
394 | # port number for remote control operations. | |
395 | # control-port: 953 | |
396 | ||
397 | # unbound server key file. | |
398 | # server-key-file: "/etc/unbound/unbound_server.key" | |
399 | ||
400 | # unbound server certificate file. | |
401 | # server-cert-file: "/etc/unbound/unbound_server.pem" | |
402 | ||
403 | # unbound-control key file. | |
404 | # control-key-file: "/etc/unbound/unbound_control.key" | |
405 | ||
406 | # unbound-control certificate file. | |
407 | # control-cert-file: "/etc/unbound/unbound_control.pem" | |
408 | ||
409 | # Stub zones. | |
410 | # Create entries like below, to make all queries for 'example.com' and | |
411 | # 'example.org' go to the given list of nameservers. list zero or more | |
412 | # nameservers by hostname or by ipaddress. If you set stub-prime to yes, | |
413 | # the list is treated as priming hints (default is no). | |
414 | # stub-zone: | |
415 | # name: "example.com" | |
416 | # stub-addr: 192.0.2.68 | |
417 | # stub-prime: "no" | |
418 | # stub-zone: | |
419 | # name: "example.org" | |
420 | # stub-host: ns.example.com. | |
421 | ||
422 | # Forward zones | |
423 | # Create entries like below, to make all queries for 'example.com' and | |
424 | # 'example.org' go to the given list of servers. These servers have to handle | |
425 | # recursion to other nameservers. List zero or more nameservers by hostname | |
426 | # or by ipaddress. Use an entry with name "." to forward all queries. | |
427 | # forward-zone: | |
428 | # name: "example.com" | |
429 | # forward-addr: 192.0.2.68 | |
430 | # forward-addr: 192.0.2.73@5355 # forward to port 5355. | |
431 | # forward-zone: | |
432 | # name: "example.org" | |
433 | # forward-host: fwd.example.com |
172 | 172 | # |
173 | 173 | # If you give "" no chroot is performed. The path must not end in a /. |
174 | 174 | # chroot: "@UNBOUND_CHROOT_DIR@" |
175 | chroot: "" | |
176 | 175 | |
177 | 176 | # if given, user privileges are dropped (after binding port), |
178 | 177 | # and the given username is assumed. Default is user "unbound". |
0 | .TH "libunbound" "3" "Feb 10, 2009" "NLnet Labs" "unbound 1.2.1" | |
1 | .\" | |
2 | .\" libunbound.3 -- unbound library functions manual | |
3 | .\" | |
4 | .\" Copyright (c) 2007, NLnet Labs. All rights reserved. | |
5 | .\" | |
6 | .\" See LICENSE for the license. | |
7 | .\" | |
8 | .\" | |
9 | .SH "NAME" | |
10 | .LP | |
11 | .B libunbound, | |
12 | .B unbound.h, | |
13 | .B ub_ctx, | |
14 | .B ub_result, | |
15 | .B ub_callback_t, | |
16 | .B ub_ctx_create, | |
17 | .B ub_ctx_delete, | |
18 | .B ub_ctx_set_option, | |
19 | .B ub_ctx_config, | |
20 | .B ub_ctx_set_fwd, | |
21 | .B ub_ctx_resolvconf, | |
22 | .B ub_ctx_hosts, | |
23 | .B ub_ctx_add_ta, | |
24 | .B ub_ctx_add_ta_file, | |
25 | .B ub_ctx_trustedkeys, | |
26 | .B ub_ctx_debugout, | |
27 | .B ub_ctx_debuglevel, | |
28 | .B ub_ctx_async, | |
29 | .B ub_poll, | |
30 | .B ub_wait, | |
31 | .B ub_fd, | |
32 | .B ub_process, | |
33 | .B ub_resolve, | |
34 | .B ub_resolve_async, | |
35 | .B ub_cancel, | |
36 | .B ub_resolve_free, | |
37 | .B ub_strerror | |
38 | \- Unbound DNS validating resolver 1.2.1 functions. | |
39 | .SH "SYNOPSIS" | |
40 | .LP | |
41 | .B #include <unbound.h> | |
42 | .LP | |
43 | \fIstruct ub_ctx *\fR | |
44 | \fBub_ctx_create\fR(\fIvoid\fR); | |
45 | .LP | |
46 | \fIvoid\fR | |
47 | \fBub_ctx_delete\fR(\fIstruct ub_ctx*\fR ctx); | |
48 | .LP | |
49 | \fIint\fR | |
50 | \fBub_ctx_set_option\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR opt, \fIchar*\fR val); | |
51 | .LP | |
52 | \fIint\fR | |
53 | \fBub_ctx_config\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname); | |
54 | .LP | |
55 | \fIint\fR | |
56 | \fBub_ctx_set_fwd\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR addr); | |
57 | .LP | |
58 | \fIint\fR | |
59 | \fBub_ctx_resolvconf\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname); | |
60 | .LP | |
61 | \fIint\fR | |
62 | \fBub_ctx_hosts\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname); | |
63 | .LP | |
64 | \fIint\fR | |
65 | \fBub_ctx_add_ta\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR ta); | |
66 | .LP | |
67 | \fIint\fR | |
68 | \fBub_ctx_add_ta_file\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname); | |
69 | .LP | |
70 | \fIint\fR | |
71 | \fBub_ctx_trustedkeys\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname); | |
72 | .LP | |
73 | \fIint\fR | |
74 | \fBub_ctx_debugout\fR(\fIstruct ub_ctx*\fR ctx, \fIFILE*\fR out); | |
75 | .LP | |
76 | \fIint\fR | |
77 | \fBub_ctx_debuglevel\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR d); | |
78 | .LP | |
79 | \fIint\fR | |
80 | \fBub_ctx_async\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR dothread); | |
81 | .LP | |
82 | \fIint\fR | |
83 | \fBub_poll\fR(\fIstruct ub_ctx*\fR ctx); | |
84 | .LP | |
85 | \fIint\fR | |
86 | \fBub_wait\fR(\fIstruct ub_ctx*\fR ctx); | |
87 | .LP | |
88 | \fIint\fR | |
89 | \fBub_fd\fR(\fIstruct ub_ctx*\fR ctx); | |
90 | .LP | |
91 | \fIint\fR | |
92 | \fBub_process\fR(\fIstruct ub_ctx*\fR ctx); | |
93 | .LP | |
94 | \fIint\fR | |
95 | \fBub_resolve\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR name, | |
96 | .br | |
97 | \fIint\fR rrtype, \fIint\fR rrclass, \fIint*\fR secure, | |
98 | .br | |
99 | \fIint*\fR data, \fIstruct ub_result**\fR result); | |
100 | .LP | |
101 | \fIint\fR | |
102 | \fBub_resolve_async\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR name, | |
103 | .br | |
104 | \fIint\fR rrtype, \fIint\fR rrclass, \fIvoid*\fR mydata, | |
105 | .br | |
106 | \fIub_callback_t\fR callback, \fIint*\fR async_id); | |
107 | .LP | |
108 | \fIint\fR | |
109 | \fBub_cancel\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR async_id); | |
110 | .LP | |
111 | \fIvoid\fR | |
112 | \fBub_resolve_free\fR(\fIstruct ub_result*\fR result); | |
113 | .LP | |
114 | \fIconst char *\fR | |
115 | \fBub_strerror\fR(\fIint\fR err); | |
116 | .SH "DESCRIPTION" | |
117 | .LP | |
118 | .B Unbound | |
119 | is an implementation of a DNS resolver, that does caching and | |
120 | DNSSEC validation. This is the library API, for using the \-lunbound library. | |
121 | The server daemon is described in \fIunbound\fR(8). | |
122 | The library can be used to convert hostnames to ip addresses, and back, | |
123 | and obtain other information from the DNS. The library performs public\-key | |
124 | validation of results with DNSSEC. | |
125 | .P | |
126 | The library uses a variable of type \fIstruct ub_ctx\fR to keep context | |
127 | between calls. The user must maintain it, creating it with | |
128 | .B ub_ctx_create | |
129 | and deleting it with | |
130 | .B ub_ctx_delete\fR. | |
131 | It can be created and deleted at any time. Creating it anew removes any | |
132 | previous configuration (such as trusted keys) and clears any cached results. | |
133 | .P | |
134 | The functions are thread\-safe, and a context an be used in a threaded (as | |
135 | well as in a non\-threaded) environment. Also resolution (and validation) | |
136 | can be performed blocking and non\-blocking (also called asynchronous). | |
137 | The async method returns from the call immediately, so that processing | |
138 | can go on, while the results become available later. | |
139 | .P | |
140 | The functions are discussed in turn below. | |
141 | .SH "FUNCTIONS" | |
142 | .TP | |
143 | .B ub_ctx_create | |
144 | Create a new context, initialised with defaults. | |
145 | The information from /etc/resolv.conf and /etc/hosts is not utilised | |
146 | by default. Use | |
147 | .B ub_ctx_resolvconf | |
148 | and | |
149 | .B ub_ctx_hosts | |
150 | to read them. | |
151 | .TP | |
152 | .B ub_ctx_delete | |
153 | Delete validation context and free associated resources. | |
154 | Outstanding async queries are killed and callbacks are not called for them. | |
155 | .TP | |
156 | .B ub_ctx_set_option | |
157 | A power\-user interface that lets you specify one of the options from the | |
158 | config file format, see \fIunbound.conf\fR(5). Not all options are | |
159 | relevant. For some specific options, such as adding trust anchors, special | |
160 | routines exist. Pass the option name with the trailing ':'. | |
161 | .TP | |
162 | .B ub_ctx_config | |
163 | A power\-user interface that lets you specify an unbound config file, see | |
164 | \fIunbound.conf\fR(5), which is read for configuration. Not all options are | |
165 | relevant. For some specific options, such as adding trust anchors, special | |
166 | routines exist. | |
167 | .TP | |
168 | .B ub_ctx_set_fwd | |
169 | Set machine to forward DNS queries to, the caching resolver to use. | |
170 | IP4 or IP6 address. Forwards all DNS requests to that machine, which | |
171 | is expected to run a recursive resolver. If the proxy is not | |
172 | DNSSEC capable, validation may fail. Can be called several times, in | |
173 | that case the addresses are used as backup servers. | |
174 | At this time it is only possible to set configuration before the | |
175 | first resolve is done. | |
176 | .TP | |
177 | .B ub_ctx_resolvconf | |
178 | Read list of nameservers to use from the filename given. | |
179 | Usually "/etc/resolv.conf". Uses those nameservers as caching proxies. | |
180 | If they do not support DNSSEC, validation may fail. | |
181 | Only nameservers are picked up, the searchdomain, ndots and other | |
182 | settings from \fIresolv.conf\fR(5) are ignored. | |
183 | If fname NULL is passed, "/etc/resolv.conf" is used. | |
184 | At this time it is only possible to set configuration before the | |
185 | first resolve is done. | |
186 | .TP | |
187 | .B ub_ctx_hosts | |
188 | Read list of hosts from the filename given. | |
189 | Usually "/etc/hosts". When queried for, these addresses are not marked | |
190 | DNSSEC secure. If fname NULL is passed, "/etc/hosts" is used. | |
191 | At this time it is only possible to set configuration before the | |
192 | first resolve is done. | |
193 | .TP | |
194 | .B | |
195 | ub_ctx_add_ta | |
196 | Add a trust anchor to the given context. | |
197 | At this time it is only possible to add trusted keys before the | |
198 | first resolve is done. | |
199 | The format is a string, similar to the zone-file format, | |
200 | [domainname] [type] [rdata contents]. Both DS and DNSKEY records are accepted. | |
201 | .TP | |
202 | .B ub_ctx_add_ta_file | |
203 | Add trust anchors to the given context. | |
204 | Pass name of a file with DS and DNSKEY records in zone file format. | |
205 | At this time it is only possible to add trusted keys before the | |
206 | first resolve is done. | |
207 | .TP | |
208 | .B ub_ctx_trustedkeys | |
209 | Add trust anchors to the given context. | |
210 | Pass the name of a bind-style config file with trusted-keys{}. | |
211 | At this time it is only possible to add trusted keys before the | |
212 | first resolve is done. | |
213 | .TP | |
214 | .B ub_ctx_debugout | |
215 | Set debug and error log output to the given stream. Pass NULL to disable | |
216 | output. Default is stderr. File-names or using syslog can be enabled | |
217 | using config options, this routine is for using your own stream. | |
218 | .TP | |
219 | .B ub_ctx_debuglevel | |
220 | Set debug verbosity for the context. Output is directed to stderr. | |
221 | Higher debug level gives more output. | |
222 | .TP | |
223 | .B ub_ctx_async | |
224 | Set a context behaviour for asynchronous action. | |
225 | if set to true, enables threading and a call to | |
226 | .B ub_resolve_async | |
227 | creates a thread to handle work in the background. | |
228 | If false, a process is forked to handle work in the background. | |
229 | Changes to this setting after | |
230 | .B ub_resolve_async | |
231 | calls have been made have no effect (delete and re\-create the context | |
232 | to change). | |
233 | .TP | |
234 | .B ub_poll | |
235 | Poll a context to see if it has any new results. | |
236 | Do not poll in a loop, instead extract the fd below to poll for readiness, | |
237 | and then check, or wait using the wait routine. | |
238 | Returns 0 if nothing to read, or nonzero if a result is available. | |
239 | If nonzero, call | |
240 | .B ub_process | |
241 | to do callbacks. | |
242 | .TP | |
243 | .B ub_wait | |
244 | Wait for a context to finish with results. Calls | |
245 | .B ub_process | |
246 | after the wait for you. After the wait, there are no more outstanding | |
247 | asynchronous queries. | |
248 | .TP | |
249 | .B ub_fd | |
250 | Get file descriptor. Wait for it to become readable, at this point | |
251 | answers are returned from the asynchronous validating resolver. | |
252 | Then call the \fBub_process\fR to continue processing. | |
253 | .TP | |
254 | .B ub_process | |
255 | Call this routine to continue processing results from the validating | |
256 | resolver (when the fd becomes readable). | |
257 | Will perform necessary callbacks. | |
258 | .TP | |
259 | .B ub_resolve | |
260 | Perform resolution and validation of the target name. | |
261 | The name is a domain name in a zero terminated text string. | |
262 | The rrtype and rrclass are DNS type and class codes. | |
263 | The value secure returns true if the answer validated securely. | |
264 | The value data returns true if there was data. | |
265 | The result structure is newly allocated with the resulting data. | |
266 | .TP | |
267 | .B ub_resolve_async | |
268 | Perform asynchronous resolution and validation of the target name. | |
269 | Arguments mean the same as for \fBub_resolve\fR except no | |
270 | data is returned immediately, instead a callback is called later. | |
271 | The callback receives a copy of the mydata pointer, that you can use to pass | |
272 | information to the callback. The callback type is a function pointer to | |
273 | a function declared as | |
274 | .IP | |
275 | void my_callback_function(void* my_arg, int err, | |
276 | .br | |
277 | struct ub_result* result); | |
278 | .IP | |
279 | The async_id is returned so you can (at your option) decide to track it | |
280 | and cancel the request if needed. | |
281 | .TP | |
282 | .B ub_cancel | |
283 | Cancel an async query in progress. | |
284 | .TP | |
285 | .B ub_resolve_free | |
286 | Free struct ub_result contents after use. | |
287 | .TP | |
288 | .B ub_strerror | |
289 | Convert error value from one of the unbound library functions | |
290 | to a human readable string. | |
291 | .SH "RESULT DATA STRUCTURE" | |
292 | .LP | |
293 | The result of the DNS resolution and validation is returned as | |
294 | \fIstruct ub_result\fR. The result structure contains the following entries. | |
295 | .P | |
296 | .nf | |
297 | struct ub_result { | |
298 | char* qname; /* text string, original question */ | |
299 | int qtype; /* type code asked for */ | |
300 | int qclass; /* class code asked for */ | |
301 | char** data; /* array of rdata items, NULL terminated*/ | |
302 | int* len; /* array with lengths of rdata items */ | |
303 | char* canonname; /* canonical name of result */ | |
304 | int rcode; /* additional error code in case of no data */ | |
305 | void* answer_packet; /* full network format answer packet */ | |
306 | int answer_len; /* length of packet in octets */ | |
307 | int havedata; /* true if there is data */ | |
308 | int nxdomain; /* true if nodata because name does not exist */ | |
309 | int secure; /* true if result is secure */ | |
310 | int bogus; /* true if a security failure happened */ | |
311 | }; | |
312 | .fi | |
313 | .P | |
314 | If both secure and bogus are false, security was not enabled for the | |
315 | domain of the query. | |
316 | .SH "RETURN VALUES" | |
317 | Many routines return an error code. The value 0 (zero) denotes no error | |
318 | happened. Other values can be passed to | |
319 | .B ub_strerror | |
320 | to obtain a readable error string. | |
321 | .B ub_strerror | |
322 | returns a zero terminated string. | |
323 | .B ub_ctx_create | |
324 | returns NULL on an error (a malloc failure). | |
325 | .B ub_poll | |
326 | returns true if some information may be available, false otherwise. | |
327 | .B ub_fd | |
328 | returns a file descriptor or -1 on error. | |
329 | .SH "SEE ALSO" | |
330 | \fIunbound.conf\fR(5), | |
331 | \fIunbound\fR(8). | |
332 | .SH "AUTHORS" | |
333 | .B Unbound | |
334 | developers are mentioned in the CREDITS file in the distribution. |
0 | .TH "unbound-checkconf" "8" "Feb 10, 2009" "NLnet Labs" "unbound 1.2.1" | |
1 | .\" | |
2 | .\" unbound-checkconf.8 -- unbound configuration checker manual | |
3 | .\" | |
4 | .\" Copyright (c) 2007, NLnet Labs. All rights reserved. | |
5 | .\" | |
6 | .\" See LICENSE for the license. | |
7 | .\" | |
8 | .\" | |
9 | .SH "NAME" | |
10 | .LP | |
11 | unbound-checkconf | |
12 | \- Check unbound configuration file for errors. | |
13 | .SH "SYNOPSIS" | |
14 | .B unbound-checkconf | |
15 | .RB [ \-h ] | |
16 | .IR cfgfile | |
17 | .SH "DESCRIPTION" | |
18 | .B Unbound-checkconf | |
19 | checks the configuration file for the | |
20 | \fIunbound\fR(8) | |
21 | DNS resolver for syntax and other errors. | |
22 | The config file syntax is described in | |
23 | \fIunbound.conf\fR(5). | |
24 | .P | |
25 | The available options are: | |
26 | .TP | |
27 | .B \-h | |
28 | Show the version and commandline option help. | |
29 | .TP | |
30 | .I cfgfile | |
31 | The config file to read with settings for unbound. It is checked. | |
32 | If omitted, the config file at the default location is checked. | |
33 | .SH "EXIT CODE" | |
34 | The unbound-checkconf program exits with status code 1 on error, | |
35 | 0 for a correct config file. | |
36 | .SH "FILES" | |
37 | .TP | |
38 | .I /etc/unbound/unbound.conf | |
39 | unbound configuration file. | |
40 | .SH "SEE ALSO" | |
41 | \fIunbound.conf\fR(5), | |
42 | \fIunbound\fR(8). |
0 | .TH "unbound-control" "8" "Feb 10, 2009" "NLnet Labs" "unbound 1.2.1" | |
1 | .\" | |
2 | .\" unbound-control.8 -- unbound remote control manual | |
3 | .\" | |
4 | .\" Copyright (c) 2008, NLnet Labs. All rights reserved. | |
5 | .\" | |
6 | .\" See LICENSE for the license. | |
7 | .\" | |
8 | .\" | |
9 | .SH "NAME" | |
10 | .LP | |
11 | unbound-control | |
12 | \- Unbound remote server control utility. | |
13 | .SH "SYNOPSIS" | |
14 | .B unbound-control | |
15 | .RB [ \-h ] | |
16 | .RB [ \-c | |
17 | .IR cfgfile ] | |
18 | .RB [ \-s | |
19 | .IR server ] | |
20 | .IR command | |
21 | .SH "DESCRIPTION" | |
22 | .B Unbound-control | |
23 | performs remote administration on the \fIunbound\fR(8) DNS server. | |
24 | It reads the configuration file, contacts the unbound server over SSL | |
25 | sends the command and displays the result. | |
26 | .P | |
27 | The available options are: | |
28 | .TP | |
29 | .B \-h | |
30 | Show the version and commandline option help. | |
31 | .TP | |
32 | .B \-c \fIcfgfile | |
33 | The config file to read with settings. If not given the default | |
34 | config file /etc/unbound/unbound.conf is used. | |
35 | .TP | |
36 | .B \-s \fIserver[@port] | |
37 | IPv4 or IPv6 address of the server to contact. If not given, the | |
38 | address is read from the config file. | |
39 | .SH "COMMANDS" | |
40 | There are several commands that the server understands. | |
41 | .TP | |
42 | .B start | |
43 | Start the server. Simply execs \fIunbound\fR(8). The unbound executable | |
44 | is searched for in the \fBPATH\fR set in the environment. It is started | |
45 | with the config file specified using \fI\-c\fR or the default config file. | |
46 | .TP | |
47 | .B stop | |
48 | Stop the server. The server daemon exits. | |
49 | .TP | |
50 | .B reload | |
51 | Reload the server. This flushes the cache and reads the config file fresh. | |
52 | .TP | |
53 | .B verbosity \fInumber | |
54 | Change verbosity value for logging. Same values as \fBverbosity\fR keyword in | |
55 | \fIunbound.conf\fR(5). This new setting lasts until the server is issued | |
56 | a reload (taken from config file again), or the next verbosity control command. | |
57 | .TP | |
58 | .B stats | |
59 | Print statistics. Resets the internal counters to zero, this can be | |
60 | controlled using the \fBstatistics\-cumulative\fR config statement. | |
61 | Statistics are printed with one [name]: [value] per line. | |
62 | .TP | |
63 | .B status | |
64 | Display server status. Exit code 3 if not running (the connection to the | |
65 | port is refused), 1 on error, 0 if running. | |
66 | .TP | |
67 | .B local_zone \fIname\fR \fItype | |
68 | Add new local zone with name and type. Like \fBlocal\-zone\fR config statement. | |
69 | If the zone already exists, the type is changed to the given argument. | |
70 | .TP | |
71 | .B local_zone_remove \fIname | |
72 | Remove the local zone with the given name. Removes all local data inside | |
73 | it. If the zone does not exist, the command succeeds. | |
74 | .TP | |
75 | .B local_data \fIRR data... | |
76 | Add new local data, the given resource record. Like \fBlocal\-data\fR | |
77 | config statement, except for when no covering zone exists. In that case | |
78 | this remote control command creates a transparent zone with the same | |
79 | name as this record. This command is not good at returning detailed syntax | |
80 | errors. | |
81 | .TP | |
82 | .B local_data_remove \fIname | |
83 | Remove all RR data from local name. If the name already has no items, | |
84 | nothing happens. Often results in NXDOMAIN for the name (in a static zone), | |
85 | but if the name has become an empty nonterminal (there is still data in | |
86 | domain names below the removed name), NOERROR nodata answers are the | |
87 | result for that name. | |
88 | .TP | |
89 | .B dump_cache | |
90 | The contents of the cache is printed in a text format to stdout. You can | |
91 | redirect it to a file to store the cache in a file. | |
92 | .TP | |
93 | .B load_cache | |
94 | The contents of the cache is loaded from stdin. Uses the same format as | |
95 | dump_cache uses. Loading the cache with old, or wrong data can result | |
96 | in old or wrong data returned to clients. | |
97 | .TP | |
98 | .B lookup \fIname | |
99 | Print to stdout the name servers that would be used to look up the | |
100 | name specified. | |
101 | .TP | |
102 | .B flush \fIname | |
103 | Remove the name from the cache. Removes the types | |
104 | A, AAAA, NS, SOA, CNAME, DNAME, MX, PTR, SRV and NAPTR. | |
105 | Because that is fast to do. Other record types can be removed using | |
106 | .B flush_type | |
107 | or | |
108 | .B flush_zone\fR. | |
109 | .TP | |
110 | .B flush_type \fIname\fR \fItype | |
111 | Remove the name, type information from the cache. | |
112 | .TP | |
113 | .B flush_zone \fIname | |
114 | Remove all information at or below the name from the cache. | |
115 | The rrsets and key entries are removed so that new lookups will be performed. | |
116 | This needs to walk and inspect the entire cache, and is a slow operation. | |
117 | .SH "EXIT CODE" | |
118 | The unbound-control program exits with status code 1 on error, 0 on success. | |
119 | .SH "SET UP" | |
120 | The setup requires a self\-signed certificate and private keys for both | |
121 | the server and client. The script \fIunbound\-control\-setup\fR generates | |
122 | these in the default run directory, or with \-d in another directory. | |
123 | Run the script under the same username as you have configured in unbound.conf | |
124 | so that the daemon is permitted to read the files, for example with: | |
125 | .nf | |
126 | sudo \-u unbound unbound\-control\-setup | |
127 | .fi | |
128 | If you have not configured | |
129 | a username in unbound.conf, the keys need read permission for the user | |
130 | credentials under which the daemon is started. | |
131 | The script preserves private keys present in the directory. | |
132 | After running the script as root, turn on \fBcontrol-enable\fR in | |
133 | \fIunbound.conf\fR. | |
134 | .SH "STATISTIC COUNTERS" | |
135 | The \fIstats\fR command shows a number of statistic counters. | |
136 | .TP | |
137 | .I threadX.num.queries | |
138 | number of queries received by thread | |
139 | .TP | |
140 | .I threadX.num.cachehits | |
141 | number of queries that were successfully answered using a cache lookup | |
142 | .TP | |
143 | .I threadX.num.cachemiss | |
144 | number of queries that needed recursive processing | |
145 | .TP | |
146 | .I threadX.num.recursivereplies | |
147 | The number of replies sent to queries that needed recursive processing. Could be smaller than threadX.num.cachemiss if due to timeouts no replies were sent for some queries. | |
148 | .TP | |
149 | .I threadX.requestlist.avg | |
150 | The average number of requests in the internal recursive processing request list on insert of a new incoming recursive processing query. | |
151 | .TP | |
152 | .I threadX.requestlist.max | |
153 | Maximum size attained by the internal recursive processing request list. | |
154 | .TP | |
155 | .I threadX.requestlist.overwritten | |
156 | Number of requests in the request list that were overwritten by newer entries. This happens if there is a flood of queries that recursive processing and the server has a hard time. | |
157 | .TP | |
158 | .I threadX.requestlist.exceeded | |
159 | Queries that were dropped because the request list was full. This happens if a flood of queries need recursive processing, and the server can not keep up. | |
160 | .TP | |
161 | .I threadX.requestlist.current.all | |
162 | Current size of the request list, includes internally generated queries (such | |
163 | as priming queries and glue lookups). | |
164 | .TP | |
165 | .I threadX.requestlist.current.user | |
166 | Current size of the request list, only the requests from client queries. | |
167 | .TP | |
168 | .I threadX.recursion.time.avg | |
169 | Average time it took to answer queries that needed recursive processing. Note that queries that were answered from the cache are not in this average. | |
170 | .TP | |
171 | .I threadX.recursion.time.median | |
172 | The median of the time it took to answer queries that needed recursive | |
173 | processing. The median means that 50% of the user queries were answered in | |
174 | less than this time. Because of big outliers (usually queries to non | |
175 | responsive servers), the average can be bigger than the median. This median | |
176 | has been calculated by interpolation from a histogram. | |
177 | .TP | |
178 | .I total.num.queries | |
179 | summed over threads. | |
180 | .TP | |
181 | .I total.num.cachehits | |
182 | summed over threads. | |
183 | .TP | |
184 | .I total.num.cachemiss | |
185 | summed over threads. | |
186 | .TP | |
187 | .I total.num.recursivereplies | |
188 | summed over threads. | |
189 | .TP | |
190 | .I total.requestlist.avg | |
191 | averaged over threads. | |
192 | .TP | |
193 | .I total.requestlist.max | |
194 | the maximum of the thread requestlist.max values. | |
195 | .TP | |
196 | .I total.requestlist.overwritten | |
197 | summed over threads. | |
198 | .TP | |
199 | .I total.requestlist.exceeded | |
200 | summed over threads. | |
201 | .TP | |
202 | .I total.requestlist.current.all | |
203 | summed over threads. | |
204 | .TP | |
205 | .I total.recursion.time.median | |
206 | averaged over threads. | |
207 | .TP | |
208 | .I time.now | |
209 | current time in seconds since 1970. | |
210 | .TP | |
211 | .I time.up | |
212 | uptime since server boot in seconds. | |
213 | .TP | |
214 | .I time.elapsed | |
215 | time since last statistics printout, in seconds. | |
216 | .SH EXTENDED STATISTICS | |
217 | .TP | |
218 | .I mem.total.sbrk | |
219 | If sbrk(2) is available, an estimate of the heap size of the program in number of bytes. Close to the total memory used by the program, as reported by top and ps. Could be wrong if the OS allocates memory non\-contiguously. | |
220 | .TP | |
221 | .I mem.cache.rrset | |
222 | Memory in bytes in use by the RRset cache. | |
223 | .TP | |
224 | .I mem.cache.message | |
225 | Memory in bytes in use by the message cache. | |
226 | .TP | |
227 | .I mem.mod.iterator | |
228 | Memory in bytes in use by the iterator module. | |
229 | .TP | |
230 | .I mem.mod.validator | |
231 | Memory in bytes in use by the validator module. Includes the key cache and | |
232 | negative cache. | |
233 | .TP | |
234 | .I histogram.<sec>.<usec>.to.<sec>.<usec> | |
235 | Shows a histogram, summed over all threads. Every element counts the | |
236 | recursive queries whose reply time fit between the lower and upper bound. | |
237 | Times larger or equal to the lowerbound, and smaller than the upper bound. | |
238 | There are 40 buckets, with bucket sizes doubling. | |
239 | .TP | |
240 | .I num.query.type.A | |
241 | The total number of queries over all threads with query type A. | |
242 | Printed for the other query types as well, but only for the types for which | |
243 | queries were received, thus =0 entries are omitted for brevity. | |
244 | .TP | |
245 | .I num.query.type.other | |
246 | Number of queries with query types 256-65535. | |
247 | .TP | |
248 | .I num.query.class.IN | |
249 | The total number of queries over all threads with query class IN (internet). | |
250 | Also printed for other classes (such as CH (CHAOS) sometimes used for | |
251 | debugging), or NONE, ANY, used by dynamic update. | |
252 | num.query.class.other is printed for classes 256-65535. | |
253 | .TP | |
254 | .I num.query.opcode.QUERY | |
255 | The total number of queries over all threads with query opcode QUERY. | |
256 | Also printed for other opcodes, UPDATE, ... | |
257 | .TP | |
258 | .I num.query.tcp | |
259 | Number of queries that were made using TCP towards the unbound server. | |
260 | .TP | |
261 | .I num.query.ipv6 | |
262 | Number of queries that were made using IPv6 towards the unbound server. | |
263 | .TP | |
264 | .I num.query.flags.RD | |
265 | The number of queries that had the RD flag set in the header. | |
266 | Also printed for flags QR, AA, TC, RA, Z, AD, CD. | |
267 | Note that queries with flags QR, AA or TC may have been rejected | |
268 | because of that. | |
269 | .TP | |
270 | .I num.query.edns.present | |
271 | number of queries that had an EDNS OPT record present. | |
272 | .TP | |
273 | .I num.query.edns.DO | |
274 | number of queries that had an EDNS OPT record with the DO (DNSSEC OK) bit set. | |
275 | These queries are also included in the num.query.edns.present number. | |
276 | .TP | |
277 | .I num.answer.rcode.NXDOMAIN | |
278 | The number of answers to queries, from cache or from recursion, that had the | |
279 | return code NXDOMAIN. Also printed for the other return codes. | |
280 | .TP | |
281 | .I num.answer.rcode.nodata | |
282 | The number of answers to queries that had the pseudo return code nodata. | |
283 | This means the actual return code was NOERROR, but additionally, no data was | |
284 | carried in the answer (making what is called a NOERROR/NODATA answer). | |
285 | These queries are also included in the num.answer.rcode.NOERROR number. | |
286 | Common for AAAA lookups when an A record exists, and no AAAA. | |
287 | .TP | |
288 | .I num.answer.secure | |
289 | Number of answers that were secure. The answer validated correctly. | |
290 | The AD bit might have been set in some of these answers, where the client | |
291 | signalled (with DO or AD bit in the query) that they were ready to accept | |
292 | the AD bit in the answer. | |
293 | .TP | |
294 | .I num.answer.bogus | |
295 | Number of answers that were bogus. These answers resulted in SERVFAIL | |
296 | to the client because the answer failed validation. | |
297 | .TP | |
298 | .I num.rrset.bogus | |
299 | The number of rrsets marked bogus by the validator. Increased for every | |
300 | RRset inspection that fails. | |
301 | .TP | |
302 | .I unwanted.queries | |
303 | Number of queries that were refused or dropped because they failed the | |
304 | access control settings. | |
305 | .TP | |
306 | .I unwanted.replies | |
307 | Replies that were unwanted or unsolicited. Could have been random traffic, | |
308 | delayed duplicates, very late answers, or could be spoofing attempts. | |
309 | Some low level of late answers and delayed duplicates are to be expected | |
310 | with the UDP protocol. Very high values could indicate a threat (spoofing). | |
311 | .SH "FILES" | |
312 | .TP | |
313 | .I /etc/unbound/unbound.conf | |
314 | unbound configuration file. | |
315 | .TP | |
316 | .I /etc/unbound | |
317 | directory with private keys (unbound_server.key and unbound_control.key) and | |
318 | self-signed certificates (unbound_server.pem and unbound_control.pem). | |
319 | .SH "SEE ALSO" | |
320 | \fIunbound.conf\fR(5), | |
321 | \fIunbound\fR(8). |
0 | .TH "unbound" "8" "Feb 10, 2009" "NLnet Labs" "unbound 1.2.1" | |
1 | .\" | |
2 | .\" unbound.8 -- unbound manual | |
3 | .\" | |
4 | .\" Copyright (c) 2007, NLnet Labs. All rights reserved. | |
5 | .\" | |
6 | .\" See LICENSE for the license. | |
7 | .\" | |
8 | .\" | |
9 | .SH "NAME" | |
10 | .LP | |
11 | .B unbound | |
12 | \- Unbound DNS validating resolver 1.2.1. | |
13 | .SH "SYNOPSIS" | |
14 | .LP | |
15 | .B unbound | |
16 | .RB [ \-h ] | |
17 | .RB [ \-d ] | |
18 | .RB [ \-v ] | |
19 | .RB [ \-c | |
20 | .IR cfgfile ] | |
21 | .SH "DESCRIPTION" | |
22 | .LP | |
23 | .B Unbound | |
24 | is an implementation of a DNS resolver, that does caching and | |
25 | DNSSEC validation. | |
26 | .P | |
27 | The available options are: | |
28 | .TP | |
29 | .B \-h | |
30 | Show the version and commandline option help. | |
31 | .TP | |
32 | .B \-c\fI cfgfile | |
33 | Set the config file with settings for unbound to read instead of reading the | |
34 | file at the default location, /etc/unbound/unbound.conf. The syntax is | |
35 | described in \fIunbound.conf\fR(5). | |
36 | .TP | |
37 | .B \-d | |
38 | Debug flag, do not fork into the background, but stay attached to the | |
39 | console. This flag will also delay writing to the logfile until the | |
40 | thread\-spawn time. So that most config and setup errors appear on stderr. | |
41 | .TP | |
42 | .B \-v | |
43 | Increase verbosity. If given multiple times, more information is logged. | |
44 | This is in addition to the verbosity (if any) from the config file. | |
45 | .SH "SEE ALSO" | |
46 | \fIunbound.conf\fR(5), | |
47 | \fIunbound\-checkconf\fR(8). | |
48 | .SH "AUTHORS" | |
49 | .B Unbound | |
50 | developers are mentioned in the CREDITS file in the distribution. |
0 | .TH "unbound.conf" "5" "Feb 10, 2009" "NLnet Labs" "unbound 1.2.1" | |
1 | .\" | |
2 | .\" unbound.conf.5 -- unbound.conf manual | |
3 | .\" | |
4 | .\" Copyright (c) 2007, NLnet Labs. All rights reserved. | |
5 | .\" | |
6 | .\" See LICENSE for the license. | |
7 | .\" | |
8 | .\" | |
9 | .SH "NAME" | |
10 | .LP | |
11 | .B unbound.conf | |
12 | \- Unbound configuration file. | |
13 | .SH "SYNOPSIS" | |
14 | .LP | |
15 | .B unbound.conf | |
16 | .SH "DESCRIPTION" | |
17 | .LP | |
18 | .B unbound.conf | |
19 | is used to configure | |
20 | \fIunbound\fR(8). | |
21 | The file format has attributes and values. Some attributes have attributes inside them. | |
22 | The notation is: attribute: value. | |
23 | .P | |
24 | Comments start with # and last to the end of line. Empty lines are | |
25 | ignored as is whitespace at the beginning of a line. | |
26 | .P | |
27 | The utility | |
28 | \fIunbound\-checkconf\fR(8) | |
29 | can be used to check unbound.conf prior to usage. | |
30 | .SH "EXAMPLE" | |
31 | An example config file is shown below. Copy this to /etc/unbound/unbound.conf | |
32 | and start the server with: | |
33 | .P | |
34 | .nf | |
35 | $ unbound \-c /etc/unbound/unbound.conf | |
36 | .fi | |
37 | .P | |
38 | Most settings are the defaults. Stop the server with: | |
39 | .P | |
40 | .nf | |
41 | $ kill `cat /etc/unbound/unbound.pid` | |
42 | .fi | |
43 | .P | |
44 | Below is a minimal config file. The source distribution contains an extensive | |
45 | example.conf file with all the options. | |
46 | .P | |
47 | .nf | |
48 | # unbound.conf(5) config file for unbound(8). | |
49 | server: | |
50 | directory: "/etc/unbound" | |
51 | username: unbound | |
52 | # make sure unbound can access entropy from inside the chroot. | |
53 | # e.g. on linux the use these commands (on BSD, devfs(8) is used): | |
54 | # mount --bind -n /dev/random /etc/unbound/dev/random | |
55 | # and mount --bind -n /dev/log /etc/unbound/dev/log | |
56 | chroot: "/etc/unbound" | |
57 | # logfile: "/etc/unbound/unbound.log" #uncomment to use logfile. | |
58 | pidfile: "/etc/unbound/unbound.pid" | |
59 | # verbosity: 1 # uncomment and increase to get more logging. | |
60 | # listen on all interfaces, answer queries from the local subnet. | |
61 | interface: 0.0.0.0 | |
62 | interface: ::0 | |
63 | access\-control: 10.0.0.0/8 allow | |
64 | access\-control: 2001:DB8::/64 allow | |
65 | .fi | |
66 | .SH "FILE FORMAT" | |
67 | .LP | |
68 | There must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute | |
69 | is followed by its containing attributes, or a value. | |
70 | .P | |
71 | Files can be included using the | |
72 | .B include: | |
73 | directive. It can appear anywhere, and takes a single filename as an argument. | |
74 | Processing continues as if the text from the included file was copied into | |
75 | the config file at that point. If also using chroot, using full path names | |
76 | for the included files works, relative pathnames for the included names work | |
77 | if the directory where the daemon is started equals its chroot/working | |
78 | directory. | |
79 | .SS "Server Options" | |
80 | These options are part of the | |
81 | .B server: | |
82 | clause. | |
83 | .TP | |
84 | .B verbosity: \fI<number> | |
85 | The verbosity number, level 0 means no verbosity, only errors. Level 1 | |
86 | gives operational information. Level 2 gives detailed operational | |
87 | information. Level 3 gives query level information, output per query. | |
88 | Level 4 gives algorithm level information. | |
89 | Default is level 1. The verbosity can also be increased from the commandline, | |
90 | see | |
91 | \fIunbound\fR(8). | |
92 | .TP | |
93 | .B statistics\-interval: \fI<seconds> | |
94 | The number of seconds between printing statistics to the log for every thread. | |
95 | Disable with value 0 or "". Default is disabled. | |
96 | .TP | |
97 | .B statistics\-cumulative: \fI<yes or no> | |
98 | If enabled, statistics are cumulative since starting unbound, without clearing | |
99 | the statistics counters after logging the statistics. Default is no. | |
100 | .TP | |
101 | .B extended\-statistics: \fI<yes or no> | |
102 | If enabled, extended statistics are printed from \fIunbound\-control\fR(8). | |
103 | Default is off, because keeping track of more statistics takes time. | |
104 | .TP | |
105 | .B num\-threads: \fI<number> | |
106 | The number of threads to create to serve clients. Use 1 for no threading. | |
107 | .TP | |
108 | .B port: \fI<port number> | |
109 | The port number, default 53, on which the server responds to queries. | |
110 | .TP | |
111 | .B interface: \fI<ip address> | |
112 | Interface to use to connect to the network. This interface is listened to | |
113 | for queries from clients, and answers to clients are given from it. | |
114 | Can be given multiple times to work on several interfaces. If none are | |
115 | given the default is to listen to localhost. | |
116 | The interfaces are not changed on a reload (kill \-HUP) but only on restart. | |
117 | .TP | |
118 | .B interface-automatic: \fI<yes or no> | |
119 | Detect source interface on UDP queries and copy them to replies. This | |
120 | feature is experimental, and needs support in your OS for IPv6 | |
121 | (and its socket options) and IPv4 (and have source-interface socket options). | |
122 | Default value is no. | |
123 | .TP | |
124 | .B outgoing\-interface: \fI<ip address> | |
125 | Interface to use to connect to the network. This interface is used to send | |
126 | queries to authoritative servers and receive their replies. Can be given | |
127 | multiple times to work on several interfaces. If none are given the | |
128 | default (all) is used. You can specify the same interfaces in | |
129 | .B interface: | |
130 | and | |
131 | .B outgoing\-interface: | |
132 | lines, the interfaces are then used for both purposes. Outgoing queries are | |
133 | sent via a random outgoing interface to counter spoofing. | |
134 | .TP | |
135 | .B outgoing\-range: \fI<number> | |
136 | Number of ports to open. This number of file descriptors can be opened per | |
137 | thread. Must be at least 1. Default is 256. Larger numbers need extra | |
138 | resources from the operating system. | |
139 | .TP | |
140 | .B outgoing\-port\-permit: \fI<port number or range> | |
141 | Permit unbound to open this port or range of ports for use to send queries. | |
142 | A larger number of permitted outgoing ports increases resilience against | |
143 | spoofing attempts. Make sure these ports are not needed by other daemons. | |
144 | By default only ports above 1024 that have not been assigned by IANA are used. | |
145 | Give a port number or a range of the form "low-high", without spaces. | |
146 | .IP | |
147 | The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements | |
148 | are processed in the line order of the config file, adding the permitted ports | |
149 | and subtracting the avoided ports from the set of allowed ports. The | |
150 | processing starts with the non IANA allocated ports above 1024 in the set | |
151 | of allowed ports. | |
152 | .TP | |
153 | .B outgoing\-port\-avoid: \fI<port number or range> | |
154 | Do not permit unbound to open this port or range of ports for use to send | |
155 | queries. Use this to make sure unbound does not grab a port that another | |
156 | daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6. | |
157 | By default only ports above 1024 that have not been assigned by IANA are used. | |
158 | Give a port number or a range of the form "low-high", without spaces. | |
159 | .TP | |
160 | .B outgoing\-num\-tcp: \fI<number> | |
161 | Number of outgoing TCP buffers to allocate per thread. Default is 10. If set | |
162 | to 0, or if do_tcp is "no", no TCP queries to authoritative servers are done. | |
163 | .TP | |
164 | .B incoming\-num\-tcp: \fI<number> | |
165 | Number of incoming TCP buffers to allocate per thread. Default is 10. If set | |
166 | to 0, or if do_tcp is "no", no TCP queries from clients are accepted. | |
167 | .TP | |
168 | .B msg\-buffer\-size: \fI<number> | |
169 | Number of bytes size of the message buffers. Default is 65552 bytes, enough | |
170 | for 64 Kb packets, the maximum DNS message size. No message larger than this | |
171 | can be sent or received. Can be reduced to use less memory, but some requests | |
172 | for DNS data, such as for huge resource records, will result in a SERVFAIL | |
173 | reply to the client. | |
174 | .TP | |
175 | .B msg\-cache\-size: \fI<number> | |
176 | Number of bytes size of the message cache. Default is 4 megabytes. | |
177 | A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes | |
178 | or gigabytes (1024*1024 bytes in a megabyte). | |
179 | .TP | |
180 | .B msg\-cache\-slabs: \fI<number> | |
181 | Number of slabs in the message cache. Slabs reduce lock contention by threads. | |
182 | Must be set to a power of 2. Setting (close) to the number of cpus is a | |
183 | reasonable guess. | |
184 | .TP | |
185 | .B num\-queries\-per\-thread: \fI<number> | |
186 | The number of queries that every thread will service simultaneously. | |
187 | If more queries arrive that need servicing, and no queries can be jostled out | |
188 | (see \fIjostle\-timeout\fR), then the queries are dropped. This forces | |
189 | the client to resend after a timeout; allowing the server time to work on | |
190 | the existing queries. Default 1024. | |
191 | .TP | |
192 | .B jostle\-timeout: \fI<msec> | |
193 | Timeout used when the server is very busy. Set to a value that usually | |
194 | results in one roundtrip to the authority servers. If too many queries | |
195 | arrive, then 50% of the queries are allowed to run to completion, and | |
196 | the other 50% are replaced with the new incoming query if they have already | |
197 | spent more than their allowed time. This protects against denial of | |
198 | service by slow queries or high query rates. Default 200 milliseconds. | |
199 | .TP | |
200 | .B rrset\-cache\-size: \fI<number> | |
201 | Number of bytes size of the RRset cache. Default is 4 megabytes. | |
202 | A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes | |
203 | or gigabytes (1024*1024 bytes in a megabyte). | |
204 | .TP | |
205 | .B rrset\-cache\-slabs: \fI<number> | |
206 | Number of slabs in the RRset cache. Slabs reduce lock contention by threads. | |
207 | Must be set to a power of 2. | |
208 | .TP | |
209 | .B cache\-max\-ttl: \fI<seconds> | |
210 | Time to live maximum for RRsets and messages in the cache. Default is | |
211 | 86400 seconds (1 day). If the maximum kicks in, responses to clients | |
212 | still get decrementing TTLs based on the original (larger) values. | |
213 | When the internal TTL expires, the cache item has expired. | |
214 | Can be set lower to force the resolver to query for data often, and not | |
215 | trust (very large) TTL values. | |
216 | .TP | |
217 | .B infra\-host\-ttl: \fI<seconds> | |
218 | Time to live for entries in the host cache. The host cache contains | |
219 | roundtrip timing and EDNS support information. Default is 900. | |
220 | .TP | |
221 | .B infra\-lame\-ttl: \fI<seconds> | |
222 | The time to live when a delegation is discovered to be lame. Default is 900. | |
223 | .TP | |
224 | .B infra\-cache\-slabs: \fI<number> | |
225 | Number of slabs in the infrastructure cache. Slabs reduce lock contention | |
226 | by threads. Must be set to a power of 2. | |
227 | .TP | |
228 | .B infra\-cache\-numhosts: \fI<number> | |
229 | Number of hosts for which information is cached. Default is 10000. | |
230 | .TP | |
231 | .B infra\-cache\-lame\-size: \fI<number> | |
232 | Number of bytes that the lameness cache per host is allowed to use. Default | |
233 | is 10 kb, which gives maximum storage for a couple score zones, depending on | |
234 | the lame zone name lengths. | |
235 | .TP | |
236 | .B do\-ip4: \fI<yes or no> | |
237 | Enable or disable whether ip4 queries are answered or issued. Default is yes. | |
238 | .TP | |
239 | .B do\-ip6: \fI<yes or no> | |
240 | Enable or disable whether ip6 queries are answered or issued. Default is yes. | |
241 | If disabled, queries are not answered on IPv6, and queries are not sent on | |
242 | IPv6 to the internet nameservers. | |
243 | .TP | |
244 | .B do\-udp: \fI<yes or no> | |
245 | Enable or disable whether UDP queries are answered or issued. Default is yes. | |
246 | .TP | |
247 | .B do\-tcp: \fI<yes or no> | |
248 | Enable or disable whether TCP queries are answered or issued. Default is yes. | |
249 | .TP | |
250 | .B do\-daemonize: \fI<yes or no> | |
251 | Enable or disable whether the unbound server forks into the background as | |
252 | a daemon. Default is yes. | |
253 | .TP | |
254 | .B access\-control: \fI<IP netblock> <action> | |
255 | The netblock is given as an IP4 or IP6 address with /size appended for a | |
256 | classless network block. The action can be \fIdeny\fR, \fIrefuse\fR, | |
257 | \fIallow\fR or \fIallow_snoop\fR. | |
258 | .IP | |
259 | The action \fIdeny\fR stops queries from hosts from that netblock. | |
260 | .IP | |
261 | The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED | |
262 | error message back. | |
263 | .IP | |
264 | The action \fIallow\fR gives access to clients from that netblock. | |
265 | It gives only access for recursion clients (which is | |
266 | what almost all clients need). Nonrecursive queries are refused. | |
267 | .IP | |
268 | The \fIallow\fR action does allow nonrecursive queries to access the | |
269 | local\-data that is configured. The reason is that this does not involve | |
270 | the unbound server recursive lookup algorithm, and static data is served | |
271 | in the reply. This supports normal operations where nonrecursive queries | |
272 | are made for the authoritative data. For nonrecursive queries any replies | |
273 | from the dynamic cache are refused. | |
274 | .IP | |
275 | The action \fIallow_snoop\fR gives nonrecursive access too. This give | |
276 | both recursive and non recursive access. The name \fIallow_snoop\fR refers | |
277 | to cache snooping, a technique to use nonrecursive queries to examine | |
278 | the cache contents (for malicious acts). However, nonrecursive queries can | |
279 | also be a valuable debugging tool (when you want to examine the cache | |
280 | contents). In that case use \fIallow_snoop\fR for your administration host. | |
281 | .IP | |
282 | By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd. | |
283 | The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS | |
284 | protocol is not designed to handle dropped packets due to policy, and | |
285 | dropping may result in (possibly excessive) retried queries. | |
286 | .TP | |
287 | .B chroot: \fI<directory> | |
288 | If chroot is enabled, you should pass the configfile (from the | |
289 | commandline) as a full path from the original root. After the | |
290 | chroot has been performed the now defunct portion of the config | |
291 | file path is removed to be able to reread the config after a reload. | |
292 | .IP | |
293 | All other file paths (working dir, logfile, roothints, and | |
294 | key files) can be specified in several ways: | |
295 | as an absolute path relative to the new root, | |
296 | as a relative path to the working directory, or | |
297 | as an absolute path relative to the original root. | |
298 | In the last case the path is adjusted to remove the unused portion. | |
299 | .IP | |
300 | The pidfile can be either a relative path to the working directory, or | |
301 | an absolute path relative to the original root. It is written just prior | |
302 | to chroot and dropping permissions. This allows the pidfile to be | |
303 | /var/run/unbound.pid and the chroot to be /var/unbound, for example. | |
304 | .IP | |
305 | Additionally, unbound may need to access /dev/random (for entropy) | |
306 | from inside the chroot. | |
307 | .IP | |
308 | If given a chroot is done to the given directory. The default is | |
309 | "/var/lib/unbound". If you give "" no chroot is performed. | |
310 | .TP | |
311 | .B username: \fI<name> | |
312 | If given, after binding the port the user privileges are dropped. Default is | |
313 | "unbound". If you give username: "" no user change is performed. | |
314 | .IP | |
315 | If this user is not capable of binding the | |
316 | port, reloads (by signal HUP) will still retain the opened ports. | |
317 | If you change the port number in the config file, and that new port number | |
318 | requires privileges, then a reload will fail; a restart is needed. | |
319 | .TP | |
320 | .B directory: \fI<directory> | |
321 | Sets the working directory for the program. Default is "/etc/unbound". | |
322 | .TP | |
323 | .B logfile: \fI<filename> | |
324 | If "" is given, logging goes to stderr, or nowhere once daemonized. | |
325 | The logfile is appended to, in the following format: | |
326 | .nf | |
327 | [seconds since 1970] unbound[pid:tid]: type: message. | |
328 | .fi | |
329 | If this option is given, the use\-syslog is option is set to "no". | |
330 | The logfile is reopened (for append) when the config file is reread, on | |
331 | SIGHUP. | |
332 | .TP | |
333 | .B use\-syslog: \fI<yes or no> | |
334 | Sets unbound to send log messages to the syslogd, using | |
335 | \fIsyslog\fR(3). | |
336 | The log facility LOG_DAEMON is used, with identity "unbound". | |
337 | The logfile setting is overridden when use\-syslog is turned on. | |
338 | The default is to log to syslog. | |
339 | .TP | |
340 | .B pidfile: \fI<filename> | |
341 | The process id is written to the file. Default is "/var/lib/unbound/unbound.pid". | |
342 | So, | |
343 | .nf | |
344 | kill \-HUP `cat /var/lib/unbound/unbound.pid` | |
345 | .fi | |
346 | triggers a reload, | |
347 | .nf | |
348 | kill \-QUIT `cat /var/lib/unbound/unbound.pid` | |
349 | .fi | |
350 | gracefully terminates. | |
351 | .TP | |
352 | .B root\-hints: \fI<filename> | |
353 | Read the root hints from this file. Default is nothing, using builtin hints | |
354 | for the IN class. The file has the format of zone files, with root | |
355 | nameserver names and addresses only. The default may become outdated, | |
356 | when servers change, therefore it is good practice to use a root\-hints file. | |
357 | .TP | |
358 | .B hide\-identity: \fI<yes or no> | |
359 | If enabled id.server and hostname.bind queries are refused. | |
360 | .TP | |
361 | .B identity: \fI<string> | |
362 | Set the identity to report. If set to "", the default, then the hostname | |
363 | of the server is returned. | |
364 | .TP | |
365 | .B hide\-version: \fI<yes or no> | |
366 | If enabled version.server and version.bind queries are refused. | |
367 | .TP | |
368 | .B version: \fI<string> | |
369 | Set the version to report. If set to "", the default, then the package | |
370 | version is returned. | |
371 | .TP | |
372 | .B target\-fetch\-policy: \fI<"list of numbers"> | |
373 | Set the target fetch policy used by unbound to determine if it should fetch | |
374 | nameserver target addresses opportunistically. The policy is described per | |
375 | dependency depth. | |
376 | .IP | |
377 | The number of values determines the maximum dependency depth | |
378 | that unbound will pursue in answering a query. | |
379 | A value of \-1 means to fetch all targets opportunistically for that dependency | |
380 | depth. A value of 0 means to fetch on demand only. A positive value fetches | |
381 | that many targets opportunistically. | |
382 | .IP | |
383 | Enclose the list between quotes ("") and put spaces between numbers. | |
384 | The default is "3 2 1 0 0". Setting all zeroes, "0 0 0 0 0" gives behaviour | |
385 | closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour | |
386 | rumoured to be closer to that of BIND 8. | |
387 | .TP | |
388 | .B harden\-short\-bufsize: \fI<yes or no> | |
389 | Very small EDNS buffer sizes from queries are ignored. Default is off, since | |
390 | it is legal protocol wise to send these, and unbound tries to give very | |
391 | small answers to these queries, where possible. | |
392 | .TP | |
393 | .B harden\-large\-queries: \fI<yes or no> | |
394 | Very large queries are ignored. Default is off, since it is legal protocol | |
395 | wise to send these, and could be necessary for operation if TSIG or EDNS | |
396 | payload is very large. | |
397 | .TP | |
398 | .B harden\-glue: \fI<yes or no> | |
399 | Will trust glue only if it is within the servers authority. Default is on. | |
400 | .TP | |
401 | .B harden\-dnssec\-stripped: \fI<yes or no> | |
402 | Require DNSSEC data for trust\-anchored zones, if such data is absent, | |
403 | the zone becomes bogus. If turned off, and no DNSSEC data is received | |
404 | (or the DNSKEY data fails to validate), then the zone is made insecure, | |
405 | this behaves like there is no trust anchor. You could turn this off if | |
406 | you are sometimes behind an intrusive firewall (of some sort) that | |
407 | removes DNSSEC data from packets, or a zone changes from signed to | |
408 | unsigned to badly signed often. If turned off you run the risk of a | |
409 | downgrade attack that disables security for a zone. Default is on. | |
410 | .TP | |
411 | .B harden\-referral\-path: \fI<yes or no> | |
412 | Harden the referral path by performing additional queries for | |
413 | infrastructure data. Validates the replies if trust anchors are configured | |
414 | and the zones are signed. This enforces DNSSEC validation on nameserver | |
415 | NS sets and the nameserver addresses that are encountered on the referral | |
416 | path to the answer. | |
417 | Default off, because it burdens the authority servers, and it is | |
418 | not RFC standard, and could lead to performance problems because of the | |
419 | extra query load that is generated. Experimental option. | |
420 | .TP | |
421 | .B use\-caps\-for\-id: \fI<yes or no> | |
422 | Use 0x20-encoded random bits in the query to foil spoof attempts. | |
423 | This perturbs the lowercase and uppercase of query names sent to | |
424 | authority servers and checks if the reply still has the correct casing. | |
425 | Disabled by default. | |
426 | This feature is an experimental implementation of draft dns\-0x20. | |
427 | .TP | |
428 | .B private\-address: \fI<IP address or subnet> | |
429 | Give IPv4 of IPv6 addresses or classless subnets. These are addresses | |
430 | on your private network, and are not allowed to be returned for public | |
431 | internet names. Any occurence of such addresses are removed from | |
432 | DNS answers. Additionally, the DNSSEC validator may mark the answers | |
433 | bogus. This protects against so-called DNS Rebinding, where a user browser | |
434 | is turned into a network proxy, allowing remote access through the browser | |
435 | to other parts of your private network. Some names can be allowed to | |
436 | contain your private addresses, by default all the \fBlocal\-data\fR | |
437 | that you configured is allowed to, and you can specify additional | |
438 | names using \fBprivate\-domain\fR. No private addresses are enabled | |
439 | by default. We consider to enable this for the RFC1918 private IP | |
440 | address space by default in later releases. That would enable private | |
441 | addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 192.254.0.0/16 | |
442 | fd00::/8 and fe80::/10, since the RFC standards say these addresses | |
443 | should not be visible on the public internet. Turning on 127.0.0.0/8 | |
444 | would hinder many spamblocklists as they use that. | |
445 | .TP | |
446 | .B private\-domain: \fI<domain name> | |
447 | Allow this domain, and all its subdomains to contain private addresses. | |
448 | Give multiple times to allow multiple domain names to contain private | |
449 | addresses. Default is none. | |
450 | .TP | |
451 | .B unwanted\-reply\-threshold: \fI<number> | |
452 | If set, a total number of unwanted replies is kept track of in every thread. | |
453 | When it reaches the threshold, a defensive action is taken and a warning | |
454 | is printed to the log. The defensive action is to clear the rrset and | |
455 | message caches, hopefully flushing away any poison. A value of 10 million | |
456 | is suggested. Default is 0 (turned off). | |
457 | .TP | |
458 | .B do\-not\-query\-address: \fI<IP address> | |
459 | Do not query the given IP address. Can be IP4 or IP6. Append /num to | |
460 | indicate a classless delegation netblock, for example like | |
461 | 10.2.3.4/24 or 2001::11/64. | |
462 | .TP | |
463 | .B do\-not\-query\-localhost: \fI<yes or no> | |
464 | If yes, localhost is added to the do\-not\-query\-address entries, both | |
465 | IP6 ::1 and IP4 127.0.0.1/8. If no, then localhost can be used to send | |
466 | queries to. Default is yes. | |
467 | .TP | |
468 | .B module\-config: \fI<"module names"> | |
469 | Module configuration, a list of module names separated by spaces, surround | |
470 | the string with quotes (""). The modules can be validator, iterator. | |
471 | Setting this to "iterator" will result in a non\-validating server. | |
472 | Setting this to "validator iterator" will turn on DNSSEC validation. | |
473 | You must also set trust\-anchors for validation to be useful. | |
474 | .TP | |
475 | .B trust\-anchor\-file: \fI<filename> | |
476 | File with trusted keys for validation. Both DS and DNSKEY entries can appear | |
477 | in the file. The format of the file is the standard DNS Zone file format. | |
478 | Default is "", or no trust anchor file. | |
479 | .TP | |
480 | .B trust\-anchor: \fI<"Resource Record"> | |
481 | A DS or DNSKEY RR for a key to use for validation. Multiple entries can be | |
482 | given to specify multiple trusted keys, in addition to the trust\-anchor\-files. | |
483 | The resource record is entered in the same format as 'dig' or 'drill' prints | |
484 | them, the same format as in the zone file. Has to be on a single line, with | |
485 | "" around it. A TTL can be specified for ease of cut and paste, but is ignored. | |
486 | A class can be specified, but class IN is default. | |
487 | .TP | |
488 | .B trusted\-keys\-file: \fI<filename> | |
489 | File with trusted keys for validation. Specify more than one file | |
490 | with several entries, one file per entry. Like \fBtrust\-anchor\-file\fR | |
491 | but has a different file format. Format is BIND\-9 style format, | |
492 | the trusted\-keys { name flag proto algo "key"; }; clauses are read. | |
493 | It is possible to use wildcards with this statement, the wildcard is | |
494 | expanded on start and on reload. | |
495 | .TP | |
496 | .B dlv\-anchor\-file: \fI<filename> | |
497 | File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and | |
498 | DNSKEY entries can be used in the file, in the same format as for | |
499 | \fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more | |
500 | would be slow. The DLV configured is used as a root trusted DLV, this | |
501 | means that it is a lookaside for the root. Default is "", or no dlv anchor file. | |
502 | .TP | |
503 | .B dlv\-anchor: \fI<"Resource Record"> | |
504 | Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline. | |
505 | .TP | |
506 | .B val\-override\-date: \fI<rrsig\-style date spec> | |
507 | Default is "" or "0", which disables this debugging feature. If enabled by | |
508 | giving a RRSIG style date, that date is used for verifying RRSIG inception | |
509 | and expiration dates, instead of the current date. Do not set this unless | |
510 | you are debugging signature inception and expiration. | |
511 | .TP | |
512 | .B val\-bogus\-ttl: \fI<number> | |
513 | The time to live for bogus data. This is data that has failed validation; | |
514 | due to invalid signatures or other checks. The TTL from that data cannot be | |
515 | trusted, and this value is used instead. The value is in seconds, default 60. | |
516 | The time interval prevents repeated revalidation of bogus data. | |
517 | .TP | |
518 | .B val\-clean\-additional: \fI<yes or no> | |
519 | Instruct the validator to remove data from the additional section of secure | |
520 | messages that are not signed properly. Messages that are insecure, bogus, | |
521 | indeterminate or unchecked are not affected. Default is yes. Use this setting | |
522 | to protect the users that rely on this validator for authentication from | |
523 | protentially bad data in the additional section. | |
524 | .TP | |
525 | .B val\-permissive\-mode: \fI<yes or no> | |
526 | Instruct the validator to mark bogus messages as indeterminate. The security | |
527 | checks are performed, but if the result is bogus (failed security), the | |
528 | reply is not withheld from the client with SERVFAIL as usual. The client | |
529 | receives the bogus data. For messages that are found to be secure the AD bit | |
530 | is set in replies. Also logging is performed as for full validation. | |
531 | The default value is "no". | |
532 | .TP | |
533 | .B val\-nsec3\-keysize\-iterations: \fI<"list of values"> | |
534 | List of keysize and iteration count values, separated by spaces, surrounded | |
535 | by quotes. Default is "1024 150 2048 500 4096 2500". This determines the | |
536 | maximum allowed NSEC3 iteration count before a message is simply marked | |
537 | insecure instead of performing the many hashing iterations. The list must | |
538 | be in ascending order and have at least one entry. If you set it to | |
539 | "1024 65535" there is no restriction to NSEC3 iteration values. | |
540 | This table must be kept short; a very long list could cause slower operation. | |
541 | .TP | |
542 | .B key\-cache\-size: \fI<number> | |
543 | Number of bytes size of the key cache. Default is 4 megabytes. | |
544 | A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes | |
545 | or gigabytes (1024*1024 bytes in a megabyte). | |
546 | .TP | |
547 | .B key\-cache\-slabs: \fI<number> | |
548 | Number of slabs in the key cache. Slabs reduce lock contention by threads. | |
549 | Must be set to a power of 2. Setting (close) to the number of cpus is a | |
550 | reasonable guess. | |
551 | .TP | |
552 | .B neg\-cache\-size: \fI<number> | |
553 | Number of bytes size of the aggressive negative cache. Default is 1 megabyte. | |
554 | A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes | |
555 | or gigabytes (1024*1024 bytes in a megabyte). | |
556 | .TP | |
557 | .B local\-zone: \fI<zone> <type> | |
558 | Configure a local zone. The type determines the answer to give if there is | |
559 | no match from local\-data. The types are deny, refuse, static, transparent, | |
560 | redirect, nodefault, and are explained below. After that the default settings | |
561 | are listed. Use local\-data: to enter data into the local zone. Answers for | |
562 | local zones are authoritative DNS answers. By default the zones are class IN. | |
563 | .IP | |
564 | If you need more complicated authoritative data, with referrals, wildcards, | |
565 | CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for | |
566 | it as detailed in the stub zone section below. | |
567 | .TP 10 | |
568 | \h'5'\fIdeny\fR | |
569 | Do not send an answer, drop the query. | |
570 | If there is a match from local data, the query is answered. | |
571 | .TP 10 | |
572 | \h'5'\fIrefuse\fR | |
573 | Send an error message reply, with rcode REFUSED. | |
574 | If there is a match from local data, the query is answered. | |
575 | .TP 10 | |
576 | \h'5'\fIstatic\fR | |
577 | If there is a match from local data, the query is answered. | |
578 | Otherwise, the query is answered with nodata or nxdomain. | |
579 | For a negative answer a SOA is included in the answer if present | |
580 | as local\-data for the zone apex domain. | |
581 | .TP 10 | |
582 | \h'5'\fItransparent\fR | |
583 | If there is a match from local data, the query is answered. | |
584 | Otherwise if the query has a different name, the query is resolved normally. | |
585 | If the query is for a name given in localdata but no such type of data is | |
586 | given in localdata, then a noerror nodata answer is returned. | |
587 | If no local\-zone is given local\-data causes a transparent zone | |
588 | to be created by default. | |
589 | .TP 10 | |
590 | \h'5'\fIredirect\fR | |
591 | The query is answered from the local data for the zone name. | |
592 | There may be no local data beneath the zone name. | |
593 | This answers queries for the zone, and all subdomains of the zone | |
594 | with the local data for the zone. | |
595 | It can be used to redirect a domain to a different address, with | |
596 | local\-zone: "example.com." redirect and | |
597 | local\-data: "example.com. A 127.0.0.1" | |
598 | queries for www.example.com and www.foo.example.com are redirected. | |
599 | .TP 10 | |
600 | \h'5'\fInodefault\fR | |
601 | Used to turn off default contents for AS112 zones. The other types | |
602 | also turn off default contents for the zone. The 'nodefault' option | |
603 | has no other effect than turning off default contents for the | |
604 | given zone. | |
605 | .P | |
606 | The default zones are localhost, reverse 127.0.0.1 and ::1, and the AS112 | |
607 | zones. The AS112 zones are reverse DNS zones for private use and reserved | |
608 | IP addresses for which the servers on the internet cannot provide correct | |
609 | answers. They are configured by default to give nxdomain (no reverse | |
610 | information) answers. The defaults can be turned off by specifying your | |
611 | own local\-zone of that name, or using the 'nodefault' type. Below is a | |
612 | list of the default zone contents. | |
613 | .TP 10 | |
614 | \h'5'\fIlocalhost\fR | |
615 | The IP4 and IP6 localhost information is given. NS and SOA records are provided | |
616 | for completeness and to satisfy some DNS update tools. Default content: | |
617 | .nf | |
618 | local\-zone: "localhost." static | |
619 | local\-data: "localhost. 10800 IN NS localhost." | |
620 | local\-data: "localhost. 10800 IN | |
621 | SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" | |
622 | local\-data: "localhost. 10800 IN A 127.0.0.1" | |
623 | local\-data: "localhost. 10800 IN AAAA ::1" | |
624 | .fi | |
625 | .TP 10 | |
626 | \h'5'\fIreverse IPv4 loopback\fR | |
627 | Default content: | |
628 | .nf | |
629 | local\-zone: "127.in\-addr.arpa." static | |
630 | local\-data: "127.in\-addr.arpa. 10800 IN NS localhost." | |
631 | local\-data: "127.in\-addr.arpa. 10800 IN | |
632 | SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" | |
633 | local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN | |
634 | PTR localhost." | |
635 | .fi | |
636 | .TP 10 | |
637 | \h'5'\fIreverse IPv6 loopback\fR | |
638 | Default content: | |
639 | .nf | |
640 | local\-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. | |
641 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." static | |
642 | local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. | |
643 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN | |
644 | NS localhost." | |
645 | local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. | |
646 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN | |
647 | SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" | |
648 | local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. | |
649 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN | |
650 | PTR localhost." | |
651 | .fi | |
652 | .TP 10 | |
653 | \h'5'\fIreverse RFC1918 local use zones\fR | |
654 | Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to | |
655 | 31.172.in\-addr.arpa, 168.192.in\-addr.arpa. | |
656 | The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS | |
657 | records are provided. | |
658 | .TP 10 | |
659 | \h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR | |
660 | Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa, | |
661 | 2.0.192.in\-addr.arpa, 255.255.255.255.in\-addr.arpa. | |
662 | .TP 10 | |
663 | \h'5'\fIreverse RFC4291 IP6 unspecified\fR | |
664 | Reverse data for zone | |
665 | .nf | |
666 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. | |
667 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. | |
668 | .fi | |
669 | .TP 10 | |
670 | \h'5'\fIreverse RFC4193 IPv6 Locally Assigned Local Addresses\fR | |
671 | Reverse data for zone D.F.ip6.arpa. | |
672 | .TP 10 | |
673 | \h'5'\fIreverse RFC4291 IPv6 Link Local Addresses\fR | |
674 | Reverse data for zones 8.E.F.ip6.arpa to B.E.F.ip6.arpa. | |
675 | .TP 10 | |
676 | \h'5'\fIreverse IPv6 Example Prefix\fR | |
677 | Reverse data for zone 8.B.D.0.1.0.0.2.ip6.arpa. This zone is used for | |
678 | tutorials and examples. You can remove the block on this zone with: | |
679 | .nf | |
680 | local-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault | |
681 | .fi | |
682 | This also works with the other default zones. | |
683 | .\" End of local-zone listing. | |
684 | .TP 5 | |
685 | .B local\-data: \fI"<resource record string>" | |
686 | Configure local data, which is served in reply to queries for it. | |
687 | The query has to match exactly unless you configure the local\-zone as | |
688 | redirect. If not matched exactly, the local\-zone type determines | |
689 | further processing. If local\-data is configured that is not a subdomain of | |
690 | a local\-zone, a transparent local\-zone is configured. | |
691 | For record types such as TXT, use single quotes, as in | |
692 | local\-data: 'example. TXT "text"'. | |
693 | .IP | |
694 | If you need more complicated authoritative data, with referrals, wildcards, | |
695 | CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for | |
696 | it as detailed in the stub zone section below. | |
697 | .TP 5 | |
698 | .B local\-data\-ptr: \fI"IPaddr name" | |
699 | Configure local data shorthand for a PTR record with the reversed IPv4 or | |
700 | IPv6 address and the host name. For example "192.0.2.4 www.example.com". | |
701 | TTL can be inserted like this: "2001:DB8::4 7200 www.example.com" | |
702 | .SS "Remote Control Options" | |
703 | In the | |
704 | .B remote\-control: | |
705 | clause are the declarations for the remote control facility. If this is | |
706 | enabled, the \fIunbound\-control\fR(8) utility can be used to send | |
707 | commands to the running unbound server. The server uses these clauses | |
708 | to setup SSLv3 / TLSv1 security for the connection. The | |
709 | \fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR | |
710 | section for options. To setup the correct self-signed certificates use the | |
711 | \fIunbound\-control\-setup\fR(8) utility. | |
712 | .TP 5 | |
713 | .B control\-enable: \fI<yes or no> | |
714 | The option is used to enable remote control, default is "no". | |
715 | If turned off, the server does not listen for control commands. | |
716 | .TP 5 | |
717 | .B control\-interface: <ip address> | |
718 | Give IPv4 or IPv6 addresses to listen on for control commands. | |
719 | By default localhost (127.0.0.1 and ::1) is listened to. | |
720 | Use 0.0.0.0 and ::0 to listen to all interfaces. | |
721 | .TP 5 | |
722 | .B control\-port: <port number> | |
723 | The port number to listen on for control commands, default is 953 | |
724 | (that is the same port number named uses to listen to rndc). | |
725 | If you change this port number, and permissions have been dropped, a | |
726 | reload is not sufficient to open the port again, you must then restart. | |
727 | .TP 5 | |
728 | .B server\-key\-file: "<private key file>" | |
729 | Path to the server private key, by default unbound_server.key. | |
730 | This file is generated by the \fIunbound\-control\-setup\fR utility. | |
731 | This file is used by the unbound server, but not by \fIunbound\-control\fR. | |
732 | .TP 5 | |
733 | .B server\-cert\-file: "<certificate file.pem>" | |
734 | Path to the server self signed certificate, by default unbound_server.pem. | |
735 | This file is generated by the \fIunbound\-control\-setup\fR utility. | |
736 | This file is used by the unbound server, and also by \fIunbound\-control\fR. | |
737 | .TP 5 | |
738 | .B control\-key\-file: "<private key file>" | |
739 | Path to the control client private key, by default unbound_control.key. | |
740 | This file is generated by the \fIunbound\-control\-setup\fR utility. | |
741 | This file is used by \fIunbound\-control\fR. | |
742 | .TP 5 | |
743 | .B control\-cert\-file: "<certificate file.pem>" | |
744 | Path to the control client certificate, by default unbound_control.pem. | |
745 | This certificate has to be signed with the server certificate. | |
746 | This file is generated by the \fIunbound\-control\-setup\fR utility. | |
747 | This file is used by \fIunbound\-control\fR. | |
748 | .SS "Stub Zone Options" | |
749 | .LP | |
750 | There may be multiple | |
751 | .B stub\-zone: | |
752 | clauses. Each with a name: and zero or more hostnames or IP addresses. | |
753 | For the stub zone this list of nameservers is used. Class IN is assumed. | |
754 | .P | |
755 | The stub zone can be used to configure authoritative data to be used | |
756 | by the resolver that cannot be accessed using the public internet servers. | |
757 | This is useful for company\-local data or private zones. Setup an | |
758 | authoritative server on a different host (or different port). Enter a config | |
759 | entry for unbound with | |
760 | .B stub\-addr: | |
761 | <ip address of host[@port]>. | |
762 | The unbound resolver can then access the data, without referring to the | |
763 | public internet for it. | |
764 | .P | |
765 | This setup allows DNSSEC signed zones to be served by that | |
766 | authoritative server, in which case a trusted key entry with the public key | |
767 | can be put in config, so that unbound can validate the data and set the AD | |
768 | bit on replies for the private zone (authoritative servers do not set the | |
769 | AD bit). This setup makes unbound capable of answering queries for the | |
770 | private zone, and can even set the AD bit ('authentic'), but the AA | |
771 | ('authoritative') bit is not set on these replies. | |
772 | .TP | |
773 | .B name: \fI<domain name> | |
774 | Name of the stub zone. | |
775 | .TP | |
776 | .B stub\-host: \fI<domain name> | |
777 | Name of stub zone nameserver. Is itself resolved before it is used. | |
778 | .TP | |
779 | .B stub\-addr: \fI<IP address> | |
780 | IP address of stub zone nameserver. Can be IP 4 or IP 6. | |
781 | To use a nondefault port for DNS communication append '@' with the port number. | |
782 | .TP | |
783 | .B stub\-prime: \fI<yes or no> | |
784 | This option is by default off. If enabled it performs NS set priming, | |
785 | which is similar to root hints, where it starts using the list of nameservers | |
786 | currently published by the zone. Thus, if the hint list is slightly outdated, | |
787 | the resolver picks up a correct list online. | |
788 | .SS "Forward Zone Options" | |
789 | .LP | |
790 | There may be multiple | |
791 | .B forward\-zone: | |
792 | clauses. Each with a name: and zero or more hostnames or IP addresses. | |
793 | For the forward zone this list of nameservers is used to forward the queries | |
794 | to. The servers have to handle further recursion for the query. Class IN is | |
795 | assumed. A forward\-zone entry with name "." and a forward\-addr target will | |
796 | forward all queries to that other server (unless it can answer from the cache). | |
797 | .TP | |
798 | .B name: \fI<domain name> | |
799 | Name of the forward zone. | |
800 | .TP | |
801 | .B forward\-host: \fI<domain name> | |
802 | Name of server to forward to. Is itself resolved before it is used. | |
803 | .TP | |
804 | .B forward\-addr: \fI<IP address> | |
805 | IP address of server to forward to. Can be IP 4 or IP 6. | |
806 | To use a nondefault port for DNS communication append '@' with the port number. | |
807 | .SH "MEMORY CONTROL EXAMPLE" | |
808 | In the example config settings below memory usage is reduced. Some service | |
809 | levels are lower, notable very large data and a high TCP load are no longer | |
810 | supported. Very large data and high TCP loads are exceptional for the DNS. | |
811 | DNSSEC validation is enabled, just add trust anchors. | |
812 | If you do not have to worry about programs using more than 3 Mb of memory, | |
813 | the below example is not for you. Use the defaults to receive full service, | |
814 | which on BSD-32bit tops out at 30-40 Mb after heavy usage. | |
815 | .P | |
816 | .nf | |
817 | # example settings that reduce memory usage | |
818 | server: | |
819 | num\-threads: 1 | |
820 | outgoing\-num\-tcp: 1 # this limits TCP service, uses less buffers. | |
821 | incoming\-num\-tcp: 1 | |
822 | outgoing\-range: 16 # uses less memory, but less performance. | |
823 | msg\-buffer\-size: 8192 # note this limits service, 'no huge stuff'. | |
824 | msg\-cache\-size: 100k | |
825 | msg\-cache\-slabs: 1 | |
826 | rrset\-cache\-size: 100k | |
827 | rrset\-cache\-slabs: 1 | |
828 | infra\-cache\-numhosts: 200 | |
829 | infra\-cache\-slabs: 1 | |
830 | infra\-cache\-lame\-size: 1k | |
831 | key\-cache\-size: 100k | |
832 | key\-cache\-slabs: 1 | |
833 | neg\-cache\-size: 10k | |
834 | num\-queries\-per\-thread: 30 | |
835 | target\-fetch\-policy: "2 1 0 0 0 0" | |
836 | harden\-large\-queries: "yes" | |
837 | harden\-short\-bufsize: "yes" | |
838 | .fi | |
839 | .SH "FILES" | |
840 | .TP | |
841 | .I /etc/unbound | |
842 | default unbound working directory. | |
843 | .TP | |
844 | .I /var/lib/unbound | |
845 | default | |
846 | \fIchroot\fR(2) | |
847 | location. | |
848 | .TP | |
849 | .I /etc/unbound/unbound.conf | |
850 | unbound configuration file. | |
851 | .TP | |
852 | .I /var/lib/unbound/unbound.pid | |
853 | default unbound pidfile with process ID of the running daemon. | |
854 | .TP | |
855 | .I unbound.log | |
856 | unbound log file. default is to log to | |
857 | \fIsyslog\fR(3). | |
858 | .SH "SEE ALSO" | |
859 | \fIunbound\fR(8), | |
860 | \fIunbound\-checkconf\fR(8). | |
861 | .SH "AUTHORS" | |
862 | .B Unbound | |
863 | was written by NLnet Labs. Please see CREDITS file | |
864 | in the distribution for further details. |