Codebase list unbound / f1944ca
Imported Debian patch 1.2.1-2 Robert S. Edmonds 12 years ago
16 changed file(s) with 69 addition(s) and 2087 deletion(s). Raw diff Collapse all Expand all
+1
-1
Makefile.in less more
144144
145145 libunbound.la: $(LIBUNBOUND_OBJ)
146146 $(INFO) Link $@
147 $Q$(LINK_LIB) -export-symbols $(srcdir)/libunbound/ubsyms.def -o $@ $(sort $(LIBUNBOUND_OBJ)) -rpath $(libdir) $(LIBS)
147 $Q$(LINK_LIB) --export-symbols $(srcdir)/libunbound/ubsyms.def -o $@ $(sort $(LIBUNBOUND_OBJ)) -rpath $(libdir) $(LIBS)
148148
149149 ifeq ($(patsubst ldns-src%,ldns-src,$(ldnsdir)),ldns-src)
150150 ldnslib=$(ldnsdir)/lib/libldns.a
+6
-0
debian/changelog less more
0 unbound (1.2.1-2) unstable; urgency=low
1
2 * Closes: #527753, #509535.
3
4 -- Robert S. Edmonds <edmonds@debian.org> Sat, 09 May 2009 16:46:32 -0400
5
06 unbound (1.2.1-1) unstable; urgency=low
17
28 * New upstream release.
+0
-3
debian/clean less more
0 config.guess
1 config.sub
2 ltmain.sh
+8
-7
debian/control less more
11 Section: net
22 Priority: optional
33 Maintainer: Robert S. Edmonds <edmonds@debian.org>
4 Build-Depends: dpkg-dev (>= 1.14.9), debhelper (>= 7), doxygen, autoconf,
5 automake, libtool, flex, bison, libldns-dev, libssl-dev
6 Standards-Version: 3.8.0.0
4 Build-Depends: dpkg-dev (>= 1.14.9), debhelper (>= 7), quilt, doxygen,
5 autoconf, automake, autotools-dev, libtool, flex, bison, libldns-dev,
6 libssl-dev
7 Standards-Version: 3.8.1
78 Homepage: http://www.unbound.net/
89
910 Package: unbound
1011 Section: net
1112 Architecture: any
12 Depends: ${shlibs:Depends}, adduser
13 Depends: ${misc:Depends}, ${shlibs:Depends}, adduser
1314 Description: validating, recursive, caching DNS resolver
1415 Unbound is a recursive-only caching DNS server which can perform DNSSEC
1516 validation of results. It implements only a minimal amount of authoritative
2223 Package: unbound-host
2324 Section: net
2425 Architecture: any
25 Depends: ${shlibs:Depends}
26 Depends: ${misc:Depends}, ${shlibs:Depends}
2627 Description: reimplementation of the 'host' command
2728 This package provides the 'unbound-host' program that is bundled with the
2829 Unbound domain name server. This version differs from the one provided in the
3233 Package: libunbound0
3334 Section: net
3435 Architecture: any
35 Depends: ${shlibs:Depends}
36 Depends: ${misc:Depends}, ${shlibs:Depends}
3637 Description: library implementing DNS resolution and validation
3738 libunbound performs and validates DNS lookups; it can be used to convert
3839 hostnames to IP addresses and back and obtain other information from the
4142 Package: libunbound-dev
4243 Section: libdevel
4344 Architecture: any
44 Depends: libunbound0 (= ${binary:Version})
45 Depends: ${misc:Depends}, libunbound0 (= ${binary:Version})
4546 Description: static library, header files, and docs for libunbound
4647 Static library, header files, and documentation for libunbound.
4748 .
+22
-22
debian/libunbound0.symbols less more
00 libunbound.so.0 libunbound0 #MINVER#
1 ub_cancel@Base 1.2.1-1
2 ub_ctx_add_ta@Base 1.2.1-1
3 ub_ctx_add_ta_file@Base 1.2.1-1
4 ub_ctx_async@Base 1.2.1-1
5 ub_ctx_config@Base 1.2.1-1
6 ub_ctx_create@Base 1.2.1-1
7 ub_ctx_debuglevel@Base 1.2.1-1
8 ub_ctx_debugout@Base 1.2.1-1
9 ub_ctx_delete@Base 1.2.1-1
10 ub_ctx_hosts@Base 1.2.1-1
11 ub_ctx_resolvconf@Base 1.2.1-1
12 ub_ctx_set_fwd@Base 1.2.1-1
13 ub_ctx_set_option@Base 1.2.1-1
14 ub_ctx_trustedkeys@Base 1.2.1-1
15 ub_fd@Base 1.2.1-1
16 ub_poll@Base 1.2.1-1
17 ub_process@Base 1.2.1-1
18 ub_resolve@Base 1.2.1-1
19 ub_resolve_async@Base 1.2.1-1
20 ub_resolve_free@Base 1.2.1-1
21 ub_strerror@Base 1.2.1-1
22 ub_wait@Base 1.2.1-1
1 ub_cancel@Base 1.2.1
2 ub_ctx_add_ta@Base 1.2.1
3 ub_ctx_add_ta_file@Base 1.2.1
4 ub_ctx_async@Base 1.2.1
5 ub_ctx_config@Base 1.2.1
6 ub_ctx_create@Base 1.2.1
7 ub_ctx_debuglevel@Base 1.2.1
8 ub_ctx_debugout@Base 1.2.1
9 ub_ctx_delete@Base 1.2.1
10 ub_ctx_hosts@Base 1.2.1
11 ub_ctx_resolvconf@Base 1.2.1
12 ub_ctx_set_fwd@Base 1.2.1
13 ub_ctx_set_option@Base 1.2.1
14 ub_ctx_trustedkeys@Base 1.2.1
15 ub_fd@Base 1.2.1
16 ub_poll@Base 1.2.1
17 ub_process@Base 1.2.1
18 ub_resolve@Base 1.2.1
19 ub_resolve_async@Base 1.2.1
20 ub_resolve_free@Base 1.2.1
21 ub_strerror@Base 1.2.1
22 ub_wait@Base 1.2.1
+13
-0
debian/patches/10_libtool_export_smybols_typo less more
0 Index: unbound-1.2.1/Makefile.in
1 ===================================================================
2 --- unbound-1.2.1.orig/Makefile.in 2009-05-09 16:39:59.232932234 -0400
3 +++ unbound-1.2.1/Makefile.in 2009-05-09 16:40:04.674986821 -0400
4 @@ -145,7 +145,7 @@
5
6 libunbound.la: $(LIBUNBOUND_OBJ)
7 $(INFO) Link $@
8 - $Q$(LINK_LIB) --export-symbols $(srcdir)/libunbound/ubsyms.def -o $@ $(sort $(LIBUNBOUND_OBJ)) -rpath $(libdir) $(LIBS)
9 + $Q$(LINK_LIB) -export-symbols $(srcdir)/libunbound/ubsyms.def -o $@ $(sort $(LIBUNBOUND_OBJ)) -rpath $(libdir) $(LIBS)
10
11 ifeq ($(patsubst ldns-src%,ldns-src,$(ldnsdir)),ldns-src)
12 ldnslib=$(ldnsdir)/lib/libldns.a
+12
-0
debian/patches/20_example_conf_default_chroot less more
0 Index: unbound-1.2.1/doc/example.conf.in
1 ===================================================================
2 --- unbound-1.2.1.orig/doc/example.conf.in 2009-05-09 16:42:10.188932340 -0400
3 +++ unbound-1.2.1/doc/example.conf.in 2009-05-09 16:42:21.815509323 -0400
4 @@ -173,6 +173,7 @@
5 #
6 # If you give "" no chroot is performed. The path must not end in a /.
7 # chroot: "@UNBOUND_CHROOT_DIR@"
8 + chroot: ""
9
10 # if given, user privileges are dropped (after binding port),
11 # and the given username is assumed. Default is user "unbound".
+2
-0
debian/patches/series less more
0 10_libtool_export_smybols_typo
1 20_example_conf_default_chroot
+5
-3
debian/rules less more
22 %:
33 dh $@
44
5 build: build-stamp
5 include /usr/share/quilt/quilt.make
6
7 build: patch build-stamp
68 build-stamp:
79 dh build --before configure
8 autoreconf -i
10 autoreconf -fvi
911 dh_auto_configure -- \
1012 --disable-rpath \
1113 --with-chroot-dir=/var/lib/unbound \
1416 dh build --after test
1517 touch $@
1618
17 clean:
19 clean: unpatch
1820 dh clean
1921
2022 install: build
+0
-434
doc/example.conf less more
0 #
1 # Example configuration file.
2 #
3 # See unbound.conf(5) man page.
4 #
5 # this is a comment.
6
7 #Use this to include other text into the file.
8 #include: "otherfile.conf"
9
10 # The server clause sets the main parameters.
11 server:
12 # whitespace is not necessary, but looks cleaner.
13
14 # verbosity number, 0 is least verbose. 1 is default.
15 verbosity: 1
16
17 # print statistics to the log (for every thread) every N seconds.
18 # Set to "" or 0 to disable. Default is disabled.
19 # statistics-interval: 0
20
21 # enable cumulative statistics, without clearing them after printing.
22 # statistics-cumulative: no
23
24 # enable extended statistics (query types, answer codes, status)
25 # printed from unbound-control. default off, because of speed.
26 # extended-statistics: no
27
28 # number of threads to create. 1 disables threading.
29 # num-threads: 1
30
31 # specify the interfaces to answer queries from by ip-address.
32 # The default is to listen to localhost (127.0.0.1 and ::1).
33 # specify 0.0.0.0 and ::0 to bind to all available interfaces.
34 # specify every interface on a new 'interface:' labelled line.
35 # The listen interfaces are not changed on reload, only on restart.
36 # interface: 192.0.2.153
37 # interface: 192.0.2.154
38 # interface: 2001:DB8::5
39
40 # enable this feature to copy the source address of queries to reply.
41 # Socket options are not supported on all platforms. experimental.
42 # interface-automatic: no
43
44 # port to answer queries from
45 # port: 53
46
47 # specify the interfaces to send outgoing queries to authoritative
48 # server from by ip-address. If none, the default (all) interface
49 # is used. Specify every interface on a 'outgoing-interface:' line.
50 # outgoing-interface: 192.0.2.153
51 # outgoing-interface: 2001:DB8::5
52 # outgoing-interface: 2001:DB8::6
53
54 # number of ports to allocate per thread, determines the size of the
55 # port range that can be open simultaneously.
56 # outgoing-range: 256
57
58 # permit unbound to use this port number or port range for
59 # making outgoing queries, using an outgoing interface.
60 # outgoing-port-permit: 32768
61
62 # deny unbound the use this of port number or port range for
63 # making outgoing queries, using an outgoing interface.
64 # Use this to make sure unbound does not grab a UDP port that some
65 # other server on this computer needs. The default is to avoid
66 # IANA-assigned port numbers.
67 # outgoing-port-avoid: "3200-3208"
68
69 # number of outgoing simultaneous tcp buffers to hold per thread.
70 # outgoing-num-tcp: 10
71
72 # number of incoming simultaneous tcp buffers to hold per thread.
73 # incoming-num-tcp: 10
74
75 # buffer size for handling DNS data. No messages larger than this
76 # size can be sent or received, by UDP or TCP. In bytes.
77 # msg-buffer-size: 65552
78
79 # the amount of memory to use for the message cache.
80 # plain value in bytes or you can append k, m or G. default is "4Mb".
81 # msg-cache-size: 4m
82
83 # the number of slabs to use for the message cache.
84 # the number of slabs must be a power of 2.
85 # more slabs reduce lock contention, but fragment memory usage.
86 # msg-cache-slabs: 4
87
88 # the number of queries that a thread gets to service.
89 # num-queries-per-thread: 1024
90
91 # if very busy, 50% queries run to completion, 50% get timeout in msec
92 # jostle-timeout: 200
93
94 # the amount of memory to use for the RRset cache.
95 # plain value in bytes or you can append k, m or G. default is "4Mb".
96 # rrset-cache-size: 4m
97
98 # the number of slabs to use for the RRset cache.
99 # the number of slabs must be a power of 2.
100 # more slabs reduce lock contention, but fragment memory usage.
101 # rrset-cache-slabs: 4
102
103 # the time to live (TTL) value cap for RRsets and messages in the
104 # cache. Items are not cached for longer. In seconds.
105 # cache-max-ttl: 86400
106
107 # the time to live (TTL) value for cached roundtrip times and
108 # EDNS version information for hosts. In seconds.
109 # infra-host-ttl: 900
110
111 # the time to live (TTL) value for cached lame delegations. In sec.
112 # infra-lame-ttl: 900
113
114 # the number of slabs to use for the Infrastructure cache.
115 # the number of slabs must be a power of 2.
116 # more slabs reduce lock contention, but fragment memory usage.
117 # infra-cache-slabs: 4
118
119 # the maximum number of hosts that are cached (roundtrip times, EDNS).
120 # infra-cache-numhosts: 10000
121
122 # the maximum size of the lame zones cached per host. in bytes.
123 # infra-cache-lame-size: 10k
124
125 # Enable IPv4, "yes" or "no".
126 # do-ip4: yes
127
128 # Enable IPv6, "yes" or "no".
129 # do-ip6: yes
130
131 # Enable UDP, "yes" or "no".
132 # do-udp: yes
133
134 # Enable TCP, "yes" or "no".
135 # do-tcp: yes
136
137 # Detach from the terminal, run in background, "yes" or "no".
138 # do-daemonize: yes
139
140 # control which clients are allowed to make (recursive) queries
141 # to this server. Specify classless netblocks with /size and action.
142 # By default everything is refused, except for localhost.
143 # Choose deny (drop message), refuse (polite error reply),
144 # allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
145 # access-control: 0.0.0.0/0 refuse
146 # access-control: 127.0.0.0/8 allow
147 # access-control: ::0/0 refuse
148 # access-control: ::1 allow
149 # access-control: ::ffff:127.0.0.1 allow
150
151 # if given, a chroot(2) is done to the given directory.
152 # i.e. you can chroot to the working directory, for example,
153 # for extra security, but make sure all files are in that directory.
154 #
155 # If chroot is enabled, you should pass the configfile (from the
156 # commandline) as a full path from the original root. After the
157 # chroot has been performed the now defunct portion of the config
158 # file path is removed to be able to reread the config after a reload.
159 #
160 # All other file paths (working dir, logfile, roothints, and
161 # key files) can be specified in several ways:
162 # o as an absolute path relative to the new root.
163 # o as a relative path to the working directory.
164 # o as an absolute path relative to the original root.
165 # In the last case the path is adjusted to remove the unused portion.
166 #
167 # The pid file can be absolute and outside of the chroot, it is
168 # written just prior to performing the chroot and dropping permissions.
169 #
170 # Additionally, unbound may need to access /dev/random (for entropy).
171 # How to do this is specific to your OS.
172 #
173 # If you give "" no chroot is performed. The path must not end in a /.
174 # chroot: "/var/lib/unbound"
175 chroot: ""
176
177 # if given, user privileges are dropped (after binding port),
178 # and the given username is assumed. Default is user "unbound".
179 # If you give "" no privileges are dropped.
180 # username: "unbound"
181
182 # the working directory. The relative files in this config are
183 # relative to this directory. If you give "" the working directory
184 # is not changed.
185 # directory: "/etc/unbound"
186
187 # the log file, "" means log to stderr.
188 # Use of this option sets use-syslog to "no".
189 # logfile: ""
190
191 # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
192 # log to, with identity "unbound". If yes, it overrides the logfile.
193 # use-syslog: yes
194
195 # the pid file. Can be an absolute path outside of chroot/work dir.
196 # pidfile: "/var/lib/unbound/unbound.pid"
197
198 # file to read root hints from.
199 # get one from ftp://FTP.INTERNIC.NET/domain/named.cache
200 # root-hints: ""
201
202 # enable to not answer id.server and hostname.bind queries.
203 # hide-identity: no
204
205 # enable to not answer version.server and version.bind queries.
206 # hide-version: no
207
208 # the identity to report. Leave "" or default to return hostname.
209 # identity: ""
210
211 # the version to report. Leave "" or default to return package version.
212 # version: ""
213
214 # the target fetch policy.
215 # series of integers describing the policy per dependency depth.
216 # The number of values in the list determines the maximum dependency
217 # depth the recursor will pursue before giving up. Each integer means:
218 # -1 : fetch all targets opportunistically,
219 # 0: fetch on demand,
220 # positive value: fetch that many targets opportunistically.
221 # Enclose the list of numbers between quotes ("").
222 # target-fetch-policy: "3 2 1 0 0"
223
224 # Harden against very small EDNS buffer sizes.
225 # harden-short-bufsize: no
226
227 # Harden against unseemly large queries.
228 # harden-large-queries: no
229
230 # Harden against out of zone rrsets, to avoid spoofing attempts.
231 # harden-glue: yes
232
233 # Harden against receiving dnssec-stripped data. If you turn it
234 # off, failing to validate dnskey data for a trustanchor will
235 # trigger insecure mode for that zone (like without a trustanchor).
236 # Default on, which insists on dnssec data for trust-anchored zones.
237 # harden-dnssec-stripped: yes
238
239 # Harden the referral path by performing additional queries for
240 # infrastructure data. Validates the replies (if possible).
241 # Default off, because the lookups burden the server. Experimental
242 # implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
243 # harden-referral-path: no
244
245 # Use 0x20-encoded random bits in the query to foil spoof attempts.
246 # This feature is an experimental implementation of draft dns-0x20.
247 # use-caps-for-id: no
248
249 # Enforce privacy of these addresses. Strips them away from answers.
250 # It may cause DNSSEC validation to additionally mark it as bogus.
251 # Protects against 'DNS Rebinding' (uses browser as network proxy).
252 # Only 'private-domain' and 'local-data' names are allowed to have
253 # these private addresses. No default.
254 # private-address: 10.0.0.0/8
255 # private-address: 172.16.0.0/12
256 # private-address: 192.168.0.0/16
257 # private-address: 192.254.0.0/16
258 # private-address: fd00::/8
259 # private-address: fe80::/10
260
261 # Allow the domain (and its subdomains) to contain private addresses.
262 # local-data statements are allowed to contain private addresses too.
263 # private-domain: "example.com"
264
265 # If nonzero, unwanted replies are not only reported in statistics,
266 # but also a running total is kept per thread. If it reaches the
267 # threshold, a warning is printed and a defensive action is taken,
268 # the cache is cleared to flush potential poison out of it.
269 # A suggested value is 10000000, the default is 0 (turned off).
270 # unwanted-reply-threshold: 0
271
272 # Do not query the following addresses. No DNS queries are sent there.
273 # List one address per entry. List classless netblocks with /size,
274 # do-not-query-address: 127.0.0.1/8
275 # do-not-query-address: ::1
276
277 # if yes, the above default do-not-query-address entries are present.
278 # if no, localhost can be queried (for testing and debugging).
279 # do-not-query-localhost: yes
280
281 # module configuration of the server. A string with identifiers
282 # separated by spaces. "iterator" or "validator iterator"
283 # module-config: "validator iterator"
284
285 # File with DLV trusted keys. Same format as trust-anchor-file.
286 # There can be only one DLV configured, it is trusted from root down.
287 # Download https://secure.isc.org/ops/dlv/dlv.isc.org.key
288 # dlv-anchor-file: "dlv.isc.org.key"
289
290 # File with trusted keys for validation. Specify more than one file
291 # with several entries, one file per entry.
292 # Zone file format, with DS and DNSKEY entries.
293 # trust-anchor-file: ""
294
295 # Trusted key for validation. DS or DNSKEY. specify the RR on a
296 # single line, surrounded by "". TTL is ignored. class is IN default.
297 # (These examples are from August 2007 and may not be valid anymore).
298 # trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ=="
299 # trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A"
300
301 # File with trusted keys for validation. Specify more than one file
302 # with several entries, one file per entry. Like trust-anchor-file
303 # but has a different file format. Format is BIND-9 style format,
304 # the trusted-keys { name flag proto algo "key"; }; clauses are read.
305 # trusted-keys-file: ""
306
307 # Override the date for validation with a specific fixed date.
308 # Do not set this unless you are debugging signature inception
309 # and expiration. "" or "0" turns the feature off.
310 # val-override-date: ""
311
312 # The time to live for bogus data, rrsets and messages. This avoids
313 # some of the revalidation, until the time interval expires. in secs.
314 # val-bogus-ttl: 60
315
316 # Should additional section of secure message also be kept clean of
317 # unsecure data. Useful to shield the users of this validator from
318 # potential bogus data in the additional section. All unsigned data
319 # in the additional section is removed from secure messages.
320 # val-clean-additional: yes
321
322 # Turn permissive mode on to permit bogus messages. Thus, messages
323 # for which security checks failed will be returned to clients,
324 # instead of SERVFAIL. It still performs the security checks, which
325 # result in interesting log files and possibly the AD bit in
326 # replies if the message is found secure. The default is off.
327 # val-permissive-mode: no
328
329 # It is possible to configure NSEC3 maximum iteration counts per
330 # keysize. Keep this table very short, as linear search is done.
331 # A message with an NSEC3 with larger count is marked insecure.
332 # List in ascending order the keysize and count values.
333 # val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
334
335 # the amount of memory to use for the key cache.
336 # plain value in bytes or you can append k, m or G. default is "4Mb".
337 # key-cache-size: 4m
338
339 # the number of slabs to use for the key cache.
340 # the number of slabs must be a power of 2.
341 # more slabs reduce lock contention, but fragment memory usage.
342 # key-cache-slabs: 4
343
344 # the amount of memory to use for the negative cache (used for DLV).
345 # plain value in bytes or you can append k, m or G. default is "1Mb".
346 # neg-cache-size: 1m
347
348 # a number of locally served zones can be configured.
349 # local-zone: <zone> <type>
350 # local-data: "<resource record string>"
351 # o deny serves local data (if any), else, drops queries.
352 # o refuse serves local data (if any), else, replies with error.
353 # o static serves local data, else, nxdomain or nodata answer.
354 # o transparent gives local data, but resolves normally for other names
355 # o redirect serves the zone data for any subdomain in the zone.
356 # o nodefault can be used to normally resolve AS112 zones.
357 #
358 # defaults are localhost address, reverse for 127.0.0.1 and ::1
359 # and nxdomain for AS112 zones. If you configure one of these zones
360 # the default content is omitted, or you can omit it with 'nodefault'.
361 #
362 # If you configure local-data without specifying local-zone, by
363 # default a transparent local-zone is created for the data.
364 #
365 # You can add locally served data with
366 # local-zone: "local." static
367 # local-data: "mycomputer.local. IN A 192.0.2.51"
368 # local-data: 'mytext.local TXT "content of text record"'
369 #
370 # You can override certain queries with
371 # local-data: "adserver.example.com A 127.0.0.1"
372 #
373 # You can redirect a domain to a fixed address with
374 # (this makes example.com, www.example.com, etc, all go to 192.0.2.3)
375 # local-zone: "example.com" redirect
376 # local-data: "example.com A 192.0.2.3"
377 #
378 # Shorthand to make PTR records, "IPv4 name" or "IPv6 name".
379 # You can also add PTR records using local-data directly, but then
380 # you need to do the reverse notation yourself.
381 # local-data-ptr: "192.0.2.3 www.example.com"
382
383 # Remote control config section.
384 remote-control:
385 # Enable remote control with unbound-control(8) here.
386 # set up the keys and certificates with unbound-control-setup.
387 # control-enable: no
388
389 # what interfaces are listened to for remote control.
390 # give 0.0.0.0 and ::0 to listen to all interfaces.
391 # control-interface: 127.0.0.1
392 # control-interface: ::1
393
394 # port number for remote control operations.
395 # control-port: 953
396
397 # unbound server key file.
398 # server-key-file: "/etc/unbound/unbound_server.key"
399
400 # unbound server certificate file.
401 # server-cert-file: "/etc/unbound/unbound_server.pem"
402
403 # unbound-control key file.
404 # control-key-file: "/etc/unbound/unbound_control.key"
405
406 # unbound-control certificate file.
407 # control-cert-file: "/etc/unbound/unbound_control.pem"
408
409 # Stub zones.
410 # Create entries like below, to make all queries for 'example.com' and
411 # 'example.org' go to the given list of nameservers. list zero or more
412 # nameservers by hostname or by ipaddress. If you set stub-prime to yes,
413 # the list is treated as priming hints (default is no).
414 # stub-zone:
415 # name: "example.com"
416 # stub-addr: 192.0.2.68
417 # stub-prime: "no"
418 # stub-zone:
419 # name: "example.org"
420 # stub-host: ns.example.com.
421
422 # Forward zones
423 # Create entries like below, to make all queries for 'example.com' and
424 # 'example.org' go to the given list of servers. These servers have to handle
425 # recursion to other nameservers. List zero or more nameservers by hostname
426 # or by ipaddress. Use an entry with name "." to forward all queries.
427 # forward-zone:
428 # name: "example.com"
429 # forward-addr: 192.0.2.68
430 # forward-addr: 192.0.2.73@5355 # forward to port 5355.
431 # forward-zone:
432 # name: "example.org"
433 # forward-host: fwd.example.com
+0
-1
doc/example.conf.in less more
172172 #
173173 # If you give "" no chroot is performed. The path must not end in a /.
174174 # chroot: "@UNBOUND_CHROOT_DIR@"
175 chroot: ""
176175
177176 # if given, user privileges are dropped (after binding port),
178177 # and the given username is assumed. Default is user "unbound".
+0
-335
doc/libunbound.3 less more
0 .TH "libunbound" "3" "Feb 10, 2009" "NLnet Labs" "unbound 1.2.1"
1 .\"
2 .\" libunbound.3 -- unbound library functions manual
3 .\"
4 .\" Copyright (c) 2007, NLnet Labs. All rights reserved.
5 .\"
6 .\" See LICENSE for the license.
7 .\"
8 .\"
9 .SH "NAME"
10 .LP
11 .B libunbound,
12 .B unbound.h,
13 .B ub_ctx,
14 .B ub_result,
15 .B ub_callback_t,
16 .B ub_ctx_create,
17 .B ub_ctx_delete,
18 .B ub_ctx_set_option,
19 .B ub_ctx_config,
20 .B ub_ctx_set_fwd,
21 .B ub_ctx_resolvconf,
22 .B ub_ctx_hosts,
23 .B ub_ctx_add_ta,
24 .B ub_ctx_add_ta_file,
25 .B ub_ctx_trustedkeys,
26 .B ub_ctx_debugout,
27 .B ub_ctx_debuglevel,
28 .B ub_ctx_async,
29 .B ub_poll,
30 .B ub_wait,
31 .B ub_fd,
32 .B ub_process,
33 .B ub_resolve,
34 .B ub_resolve_async,
35 .B ub_cancel,
36 .B ub_resolve_free,
37 .B ub_strerror
38 \- Unbound DNS validating resolver 1.2.1 functions.
39 .SH "SYNOPSIS"
40 .LP
41 .B #include <unbound.h>
42 .LP
43 \fIstruct ub_ctx *\fR
44 \fBub_ctx_create\fR(\fIvoid\fR);
45 .LP
46 \fIvoid\fR
47 \fBub_ctx_delete\fR(\fIstruct ub_ctx*\fR ctx);
48 .LP
49 \fIint\fR
50 \fBub_ctx_set_option\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR opt, \fIchar*\fR val);
51 .LP
52 \fIint\fR
53 \fBub_ctx_config\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
54 .LP
55 \fIint\fR
56 \fBub_ctx_set_fwd\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR addr);
57 .LP
58 \fIint\fR
59 \fBub_ctx_resolvconf\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
60 .LP
61 \fIint\fR
62 \fBub_ctx_hosts\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
63 .LP
64 \fIint\fR
65 \fBub_ctx_add_ta\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR ta);
66 .LP
67 \fIint\fR
68 \fBub_ctx_add_ta_file\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
69 .LP
70 \fIint\fR
71 \fBub_ctx_trustedkeys\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
72 .LP
73 \fIint\fR
74 \fBub_ctx_debugout\fR(\fIstruct ub_ctx*\fR ctx, \fIFILE*\fR out);
75 .LP
76 \fIint\fR
77 \fBub_ctx_debuglevel\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR d);
78 .LP
79 \fIint\fR
80 \fBub_ctx_async\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR dothread);
81 .LP
82 \fIint\fR
83 \fBub_poll\fR(\fIstruct ub_ctx*\fR ctx);
84 .LP
85 \fIint\fR
86 \fBub_wait\fR(\fIstruct ub_ctx*\fR ctx);
87 .LP
88 \fIint\fR
89 \fBub_fd\fR(\fIstruct ub_ctx*\fR ctx);
90 .LP
91 \fIint\fR
92 \fBub_process\fR(\fIstruct ub_ctx*\fR ctx);
93 .LP
94 \fIint\fR
95 \fBub_resolve\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR name,
96 .br
97 \fIint\fR rrtype, \fIint\fR rrclass, \fIint*\fR secure,
98 .br
99 \fIint*\fR data, \fIstruct ub_result**\fR result);
100 .LP
101 \fIint\fR
102 \fBub_resolve_async\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR name,
103 .br
104 \fIint\fR rrtype, \fIint\fR rrclass, \fIvoid*\fR mydata,
105 .br
106 \fIub_callback_t\fR callback, \fIint*\fR async_id);
107 .LP
108 \fIint\fR
109 \fBub_cancel\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR async_id);
110 .LP
111 \fIvoid\fR
112 \fBub_resolve_free\fR(\fIstruct ub_result*\fR result);
113 .LP
114 \fIconst char *\fR
115 \fBub_strerror\fR(\fIint\fR err);
116 .SH "DESCRIPTION"
117 .LP
118 .B Unbound
119 is an implementation of a DNS resolver, that does caching and
120 DNSSEC validation. This is the library API, for using the \-lunbound library.
121 The server daemon is described in \fIunbound\fR(8).
122 The library can be used to convert hostnames to ip addresses, and back,
123 and obtain other information from the DNS. The library performs public\-key
124 validation of results with DNSSEC.
125 .P
126 The library uses a variable of type \fIstruct ub_ctx\fR to keep context
127 between calls. The user must maintain it, creating it with
128 .B ub_ctx_create
129 and deleting it with
130 .B ub_ctx_delete\fR.
131 It can be created and deleted at any time. Creating it anew removes any
132 previous configuration (such as trusted keys) and clears any cached results.
133 .P
134 The functions are thread\-safe, and a context an be used in a threaded (as
135 well as in a non\-threaded) environment. Also resolution (and validation)
136 can be performed blocking and non\-blocking (also called asynchronous).
137 The async method returns from the call immediately, so that processing
138 can go on, while the results become available later.
139 .P
140 The functions are discussed in turn below.
141 .SH "FUNCTIONS"
142 .TP
143 .B ub_ctx_create
144 Create a new context, initialised with defaults.
145 The information from /etc/resolv.conf and /etc/hosts is not utilised
146 by default. Use
147 .B ub_ctx_resolvconf
148 and
149 .B ub_ctx_hosts
150 to read them.
151 .TP
152 .B ub_ctx_delete
153 Delete validation context and free associated resources.
154 Outstanding async queries are killed and callbacks are not called for them.
155 .TP
156 .B ub_ctx_set_option
157 A power\-user interface that lets you specify one of the options from the
158 config file format, see \fIunbound.conf\fR(5). Not all options are
159 relevant. For some specific options, such as adding trust anchors, special
160 routines exist. Pass the option name with the trailing ':'.
161 .TP
162 .B ub_ctx_config
163 A power\-user interface that lets you specify an unbound config file, see
164 \fIunbound.conf\fR(5), which is read for configuration. Not all options are
165 relevant. For some specific options, such as adding trust anchors, special
166 routines exist.
167 .TP
168 .B ub_ctx_set_fwd
169 Set machine to forward DNS queries to, the caching resolver to use.
170 IP4 or IP6 address. Forwards all DNS requests to that machine, which
171 is expected to run a recursive resolver. If the proxy is not
172 DNSSEC capable, validation may fail. Can be called several times, in
173 that case the addresses are used as backup servers.
174 At this time it is only possible to set configuration before the
175 first resolve is done.
176 .TP
177 .B ub_ctx_resolvconf
178 Read list of nameservers to use from the filename given.
179 Usually "/etc/resolv.conf". Uses those nameservers as caching proxies.
180 If they do not support DNSSEC, validation may fail.
181 Only nameservers are picked up, the searchdomain, ndots and other
182 settings from \fIresolv.conf\fR(5) are ignored.
183 If fname NULL is passed, "/etc/resolv.conf" is used.
184 At this time it is only possible to set configuration before the
185 first resolve is done.
186 .TP
187 .B ub_ctx_hosts
188 Read list of hosts from the filename given.
189 Usually "/etc/hosts". When queried for, these addresses are not marked
190 DNSSEC secure. If fname NULL is passed, "/etc/hosts" is used.
191 At this time it is only possible to set configuration before the
192 first resolve is done.
193 .TP
194 .B
195 ub_ctx_add_ta
196 Add a trust anchor to the given context.
197 At this time it is only possible to add trusted keys before the
198 first resolve is done.
199 The format is a string, similar to the zone-file format,
200 [domainname] [type] [rdata contents]. Both DS and DNSKEY records are accepted.
201 .TP
202 .B ub_ctx_add_ta_file
203 Add trust anchors to the given context.
204 Pass name of a file with DS and DNSKEY records in zone file format.
205 At this time it is only possible to add trusted keys before the
206 first resolve is done.
207 .TP
208 .B ub_ctx_trustedkeys
209 Add trust anchors to the given context.
210 Pass the name of a bind-style config file with trusted-keys{}.
211 At this time it is only possible to add trusted keys before the
212 first resolve is done.
213 .TP
214 .B ub_ctx_debugout
215 Set debug and error log output to the given stream. Pass NULL to disable
216 output. Default is stderr. File-names or using syslog can be enabled
217 using config options, this routine is for using your own stream.
218 .TP
219 .B ub_ctx_debuglevel
220 Set debug verbosity for the context. Output is directed to stderr.
221 Higher debug level gives more output.
222 .TP
223 .B ub_ctx_async
224 Set a context behaviour for asynchronous action.
225 if set to true, enables threading and a call to
226 .B ub_resolve_async
227 creates a thread to handle work in the background.
228 If false, a process is forked to handle work in the background.
229 Changes to this setting after
230 .B ub_resolve_async
231 calls have been made have no effect (delete and re\-create the context
232 to change).
233 .TP
234 .B ub_poll
235 Poll a context to see if it has any new results.
236 Do not poll in a loop, instead extract the fd below to poll for readiness,
237 and then check, or wait using the wait routine.
238 Returns 0 if nothing to read, or nonzero if a result is available.
239 If nonzero, call
240 .B ub_process
241 to do callbacks.
242 .TP
243 .B ub_wait
244 Wait for a context to finish with results. Calls
245 .B ub_process
246 after the wait for you. After the wait, there are no more outstanding
247 asynchronous queries.
248 .TP
249 .B ub_fd
250 Get file descriptor. Wait for it to become readable, at this point
251 answers are returned from the asynchronous validating resolver.
252 Then call the \fBub_process\fR to continue processing.
253 .TP
254 .B ub_process
255 Call this routine to continue processing results from the validating
256 resolver (when the fd becomes readable).
257 Will perform necessary callbacks.
258 .TP
259 .B ub_resolve
260 Perform resolution and validation of the target name.
261 The name is a domain name in a zero terminated text string.
262 The rrtype and rrclass are DNS type and class codes.
263 The value secure returns true if the answer validated securely.
264 The value data returns true if there was data.
265 The result structure is newly allocated with the resulting data.
266 .TP
267 .B ub_resolve_async
268 Perform asynchronous resolution and validation of the target name.
269 Arguments mean the same as for \fBub_resolve\fR except no
270 data is returned immediately, instead a callback is called later.
271 The callback receives a copy of the mydata pointer, that you can use to pass
272 information to the callback. The callback type is a function pointer to
273 a function declared as
274 .IP
275 void my_callback_function(void* my_arg, int err,
276 .br
277 struct ub_result* result);
278 .IP
279 The async_id is returned so you can (at your option) decide to track it
280 and cancel the request if needed.
281 .TP
282 .B ub_cancel
283 Cancel an async query in progress.
284 .TP
285 .B ub_resolve_free
286 Free struct ub_result contents after use.
287 .TP
288 .B ub_strerror
289 Convert error value from one of the unbound library functions
290 to a human readable string.
291 .SH "RESULT DATA STRUCTURE"
292 .LP
293 The result of the DNS resolution and validation is returned as
294 \fIstruct ub_result\fR. The result structure contains the following entries.
295 .P
296 .nf
297 struct ub_result {
298 char* qname; /* text string, original question */
299 int qtype; /* type code asked for */
300 int qclass; /* class code asked for */
301 char** data; /* array of rdata items, NULL terminated*/
302 int* len; /* array with lengths of rdata items */
303 char* canonname; /* canonical name of result */
304 int rcode; /* additional error code in case of no data */
305 void* answer_packet; /* full network format answer packet */
306 int answer_len; /* length of packet in octets */
307 int havedata; /* true if there is data */
308 int nxdomain; /* true if nodata because name does not exist */
309 int secure; /* true if result is secure */
310 int bogus; /* true if a security failure happened */
311 };
312 .fi
313 .P
314 If both secure and bogus are false, security was not enabled for the
315 domain of the query.
316 .SH "RETURN VALUES"
317 Many routines return an error code. The value 0 (zero) denotes no error
318 happened. Other values can be passed to
319 .B ub_strerror
320 to obtain a readable error string.
321 .B ub_strerror
322 returns a zero terminated string.
323 .B ub_ctx_create
324 returns NULL on an error (a malloc failure).
325 .B ub_poll
326 returns true if some information may be available, false otherwise.
327 .B ub_fd
328 returns a file descriptor or -1 on error.
329 .SH "SEE ALSO"
330 \fIunbound.conf\fR(5),
331 \fIunbound\fR(8).
332 .SH "AUTHORS"
333 .B Unbound
334 developers are mentioned in the CREDITS file in the distribution.
+0
-43
doc/unbound-checkconf.8 less more
0 .TH "unbound-checkconf" "8" "Feb 10, 2009" "NLnet Labs" "unbound 1.2.1"
1 .\"
2 .\" unbound-checkconf.8 -- unbound configuration checker manual
3 .\"
4 .\" Copyright (c) 2007, NLnet Labs. All rights reserved.
5 .\"
6 .\" See LICENSE for the license.
7 .\"
8 .\"
9 .SH "NAME"
10 .LP
11 unbound-checkconf
12 \- Check unbound configuration file for errors.
13 .SH "SYNOPSIS"
14 .B unbound-checkconf
15 .RB [ \-h ]
16 .IR cfgfile
17 .SH "DESCRIPTION"
18 .B Unbound-checkconf
19 checks the configuration file for the
20 \fIunbound\fR(8)
21 DNS resolver for syntax and other errors.
22 The config file syntax is described in
23 \fIunbound.conf\fR(5).
24 .P
25 The available options are:
26 .TP
27 .B \-h
28 Show the version and commandline option help.
29 .TP
30 .I cfgfile
31 The config file to read with settings for unbound. It is checked.
32 If omitted, the config file at the default location is checked.
33 .SH "EXIT CODE"
34 The unbound-checkconf program exits with status code 1 on error,
35 0 for a correct config file.
36 .SH "FILES"
37 .TP
38 .I /etc/unbound/unbound.conf
39 unbound configuration file.
40 .SH "SEE ALSO"
41 \fIunbound.conf\fR(5),
42 \fIunbound\fR(8).
+0
-322
doc/unbound-control.8 less more
0 .TH "unbound-control" "8" "Feb 10, 2009" "NLnet Labs" "unbound 1.2.1"
1 .\"
2 .\" unbound-control.8 -- unbound remote control manual
3 .\"
4 .\" Copyright (c) 2008, NLnet Labs. All rights reserved.
5 .\"
6 .\" See LICENSE for the license.
7 .\"
8 .\"
9 .SH "NAME"
10 .LP
11 unbound-control
12 \- Unbound remote server control utility.
13 .SH "SYNOPSIS"
14 .B unbound-control
15 .RB [ \-h ]
16 .RB [ \-c
17 .IR cfgfile ]
18 .RB [ \-s
19 .IR server ]
20 .IR command
21 .SH "DESCRIPTION"
22 .B Unbound-control
23 performs remote administration on the \fIunbound\fR(8) DNS server.
24 It reads the configuration file, contacts the unbound server over SSL
25 sends the command and displays the result.
26 .P
27 The available options are:
28 .TP
29 .B \-h
30 Show the version and commandline option help.
31 .TP
32 .B \-c \fIcfgfile
33 The config file to read with settings. If not given the default
34 config file /etc/unbound/unbound.conf is used.
35 .TP
36 .B \-s \fIserver[@port]
37 IPv4 or IPv6 address of the server to contact. If not given, the
38 address is read from the config file.
39 .SH "COMMANDS"
40 There are several commands that the server understands.
41 .TP
42 .B start
43 Start the server. Simply execs \fIunbound\fR(8). The unbound executable
44 is searched for in the \fBPATH\fR set in the environment. It is started
45 with the config file specified using \fI\-c\fR or the default config file.
46 .TP
47 .B stop
48 Stop the server. The server daemon exits.
49 .TP
50 .B reload
51 Reload the server. This flushes the cache and reads the config file fresh.
52 .TP
53 .B verbosity \fInumber
54 Change verbosity value for logging. Same values as \fBverbosity\fR keyword in
55 \fIunbound.conf\fR(5). This new setting lasts until the server is issued
56 a reload (taken from config file again), or the next verbosity control command.
57 .TP
58 .B stats
59 Print statistics. Resets the internal counters to zero, this can be
60 controlled using the \fBstatistics\-cumulative\fR config statement.
61 Statistics are printed with one [name]: [value] per line.
62 .TP
63 .B status
64 Display server status. Exit code 3 if not running (the connection to the
65 port is refused), 1 on error, 0 if running.
66 .TP
67 .B local_zone \fIname\fR \fItype
68 Add new local zone with name and type. Like \fBlocal\-zone\fR config statement.
69 If the zone already exists, the type is changed to the given argument.
70 .TP
71 .B local_zone_remove \fIname
72 Remove the local zone with the given name. Removes all local data inside
73 it. If the zone does not exist, the command succeeds.
74 .TP
75 .B local_data \fIRR data...
76 Add new local data, the given resource record. Like \fBlocal\-data\fR
77 config statement, except for when no covering zone exists. In that case
78 this remote control command creates a transparent zone with the same
79 name as this record. This command is not good at returning detailed syntax
80 errors.
81 .TP
82 .B local_data_remove \fIname
83 Remove all RR data from local name. If the name already has no items,
84 nothing happens. Often results in NXDOMAIN for the name (in a static zone),
85 but if the name has become an empty nonterminal (there is still data in
86 domain names below the removed name), NOERROR nodata answers are the
87 result for that name.
88 .TP
89 .B dump_cache
90 The contents of the cache is printed in a text format to stdout. You can
91 redirect it to a file to store the cache in a file.
92 .TP
93 .B load_cache
94 The contents of the cache is loaded from stdin. Uses the same format as
95 dump_cache uses. Loading the cache with old, or wrong data can result
96 in old or wrong data returned to clients.
97 .TP
98 .B lookup \fIname
99 Print to stdout the name servers that would be used to look up the
100 name specified.
101 .TP
102 .B flush \fIname
103 Remove the name from the cache. Removes the types
104 A, AAAA, NS, SOA, CNAME, DNAME, MX, PTR, SRV and NAPTR.
105 Because that is fast to do. Other record types can be removed using
106 .B flush_type
107 or
108 .B flush_zone\fR.
109 .TP
110 .B flush_type \fIname\fR \fItype
111 Remove the name, type information from the cache.
112 .TP
113 .B flush_zone \fIname
114 Remove all information at or below the name from the cache.
115 The rrsets and key entries are removed so that new lookups will be performed.
116 This needs to walk and inspect the entire cache, and is a slow operation.
117 .SH "EXIT CODE"
118 The unbound-control program exits with status code 1 on error, 0 on success.
119 .SH "SET UP"
120 The setup requires a self\-signed certificate and private keys for both
121 the server and client. The script \fIunbound\-control\-setup\fR generates
122 these in the default run directory, or with \-d in another directory.
123 Run the script under the same username as you have configured in unbound.conf
124 so that the daemon is permitted to read the files, for example with:
125 .nf
126 sudo \-u unbound unbound\-control\-setup
127 .fi
128 If you have not configured
129 a username in unbound.conf, the keys need read permission for the user
130 credentials under which the daemon is started.
131 The script preserves private keys present in the directory.
132 After running the script as root, turn on \fBcontrol-enable\fR in
133 \fIunbound.conf\fR.
134 .SH "STATISTIC COUNTERS"
135 The \fIstats\fR command shows a number of statistic counters.
136 .TP
137 .I threadX.num.queries
138 number of queries received by thread
139 .TP
140 .I threadX.num.cachehits
141 number of queries that were successfully answered using a cache lookup
142 .TP
143 .I threadX.num.cachemiss
144 number of queries that needed recursive processing
145 .TP
146 .I threadX.num.recursivereplies
147 The number of replies sent to queries that needed recursive processing. Could be smaller than threadX.num.cachemiss if due to timeouts no replies were sent for some queries.
148 .TP
149 .I threadX.requestlist.avg
150 The average number of requests in the internal recursive processing request list on insert of a new incoming recursive processing query.
151 .TP
152 .I threadX.requestlist.max
153 Maximum size attained by the internal recursive processing request list.
154 .TP
155 .I threadX.requestlist.overwritten
156 Number of requests in the request list that were overwritten by newer entries. This happens if there is a flood of queries that recursive processing and the server has a hard time.
157 .TP
158 .I threadX.requestlist.exceeded
159 Queries that were dropped because the request list was full. This happens if a flood of queries need recursive processing, and the server can not keep up.
160 .TP
161 .I threadX.requestlist.current.all
162 Current size of the request list, includes internally generated queries (such
163 as priming queries and glue lookups).
164 .TP
165 .I threadX.requestlist.current.user
166 Current size of the request list, only the requests from client queries.
167 .TP
168 .I threadX.recursion.time.avg
169 Average time it took to answer queries that needed recursive processing. Note that queries that were answered from the cache are not in this average.
170 .TP
171 .I threadX.recursion.time.median
172 The median of the time it took to answer queries that needed recursive
173 processing. The median means that 50% of the user queries were answered in
174 less than this time. Because of big outliers (usually queries to non
175 responsive servers), the average can be bigger than the median. This median
176 has been calculated by interpolation from a histogram.
177 .TP
178 .I total.num.queries
179 summed over threads.
180 .TP
181 .I total.num.cachehits
182 summed over threads.
183 .TP
184 .I total.num.cachemiss
185 summed over threads.
186 .TP
187 .I total.num.recursivereplies
188 summed over threads.
189 .TP
190 .I total.requestlist.avg
191 averaged over threads.
192 .TP
193 .I total.requestlist.max
194 the maximum of the thread requestlist.max values.
195 .TP
196 .I total.requestlist.overwritten
197 summed over threads.
198 .TP
199 .I total.requestlist.exceeded
200 summed over threads.
201 .TP
202 .I total.requestlist.current.all
203 summed over threads.
204 .TP
205 .I total.recursion.time.median
206 averaged over threads.
207 .TP
208 .I time.now
209 current time in seconds since 1970.
210 .TP
211 .I time.up
212 uptime since server boot in seconds.
213 .TP
214 .I time.elapsed
215 time since last statistics printout, in seconds.
216 .SH EXTENDED STATISTICS
217 .TP
218 .I mem.total.sbrk
219 If sbrk(2) is available, an estimate of the heap size of the program in number of bytes. Close to the total memory used by the program, as reported by top and ps. Could be wrong if the OS allocates memory non\-contiguously.
220 .TP
221 .I mem.cache.rrset
222 Memory in bytes in use by the RRset cache.
223 .TP
224 .I mem.cache.message
225 Memory in bytes in use by the message cache.
226 .TP
227 .I mem.mod.iterator
228 Memory in bytes in use by the iterator module.
229 .TP
230 .I mem.mod.validator
231 Memory in bytes in use by the validator module. Includes the key cache and
232 negative cache.
233 .TP
234 .I histogram.<sec>.<usec>.to.<sec>.<usec>
235 Shows a histogram, summed over all threads. Every element counts the
236 recursive queries whose reply time fit between the lower and upper bound.
237 Times larger or equal to the lowerbound, and smaller than the upper bound.
238 There are 40 buckets, with bucket sizes doubling.
239 .TP
240 .I num.query.type.A
241 The total number of queries over all threads with query type A.
242 Printed for the other query types as well, but only for the types for which
243 queries were received, thus =0 entries are omitted for brevity.
244 .TP
245 .I num.query.type.other
246 Number of queries with query types 256-65535.
247 .TP
248 .I num.query.class.IN
249 The total number of queries over all threads with query class IN (internet).
250 Also printed for other classes (such as CH (CHAOS) sometimes used for
251 debugging), or NONE, ANY, used by dynamic update.
252 num.query.class.other is printed for classes 256-65535.
253 .TP
254 .I num.query.opcode.QUERY
255 The total number of queries over all threads with query opcode QUERY.
256 Also printed for other opcodes, UPDATE, ...
257 .TP
258 .I num.query.tcp
259 Number of queries that were made using TCP towards the unbound server.
260 .TP
261 .I num.query.ipv6
262 Number of queries that were made using IPv6 towards the unbound server.
263 .TP
264 .I num.query.flags.RD
265 The number of queries that had the RD flag set in the header.
266 Also printed for flags QR, AA, TC, RA, Z, AD, CD.
267 Note that queries with flags QR, AA or TC may have been rejected
268 because of that.
269 .TP
270 .I num.query.edns.present
271 number of queries that had an EDNS OPT record present.
272 .TP
273 .I num.query.edns.DO
274 number of queries that had an EDNS OPT record with the DO (DNSSEC OK) bit set.
275 These queries are also included in the num.query.edns.present number.
276 .TP
277 .I num.answer.rcode.NXDOMAIN
278 The number of answers to queries, from cache or from recursion, that had the
279 return code NXDOMAIN. Also printed for the other return codes.
280 .TP
281 .I num.answer.rcode.nodata
282 The number of answers to queries that had the pseudo return code nodata.
283 This means the actual return code was NOERROR, but additionally, no data was
284 carried in the answer (making what is called a NOERROR/NODATA answer).
285 These queries are also included in the num.answer.rcode.NOERROR number.
286 Common for AAAA lookups when an A record exists, and no AAAA.
287 .TP
288 .I num.answer.secure
289 Number of answers that were secure. The answer validated correctly.
290 The AD bit might have been set in some of these answers, where the client
291 signalled (with DO or AD bit in the query) that they were ready to accept
292 the AD bit in the answer.
293 .TP
294 .I num.answer.bogus
295 Number of answers that were bogus. These answers resulted in SERVFAIL
296 to the client because the answer failed validation.
297 .TP
298 .I num.rrset.bogus
299 The number of rrsets marked bogus by the validator. Increased for every
300 RRset inspection that fails.
301 .TP
302 .I unwanted.queries
303 Number of queries that were refused or dropped because they failed the
304 access control settings.
305 .TP
306 .I unwanted.replies
307 Replies that were unwanted or unsolicited. Could have been random traffic,
308 delayed duplicates, very late answers, or could be spoofing attempts.
309 Some low level of late answers and delayed duplicates are to be expected
310 with the UDP protocol. Very high values could indicate a threat (spoofing).
311 .SH "FILES"
312 .TP
313 .I /etc/unbound/unbound.conf
314 unbound configuration file.
315 .TP
316 .I /etc/unbound
317 directory with private keys (unbound_server.key and unbound_control.key) and
318 self-signed certificates (unbound_server.pem and unbound_control.pem).
319 .SH "SEE ALSO"
320 \fIunbound.conf\fR(5),
321 \fIunbound\fR(8).
+0
-51
doc/unbound.8 less more
0 .TH "unbound" "8" "Feb 10, 2009" "NLnet Labs" "unbound 1.2.1"
1 .\"
2 .\" unbound.8 -- unbound manual
3 .\"
4 .\" Copyright (c) 2007, NLnet Labs. All rights reserved.
5 .\"
6 .\" See LICENSE for the license.
7 .\"
8 .\"
9 .SH "NAME"
10 .LP
11 .B unbound
12 \- Unbound DNS validating resolver 1.2.1.
13 .SH "SYNOPSIS"
14 .LP
15 .B unbound
16 .RB [ \-h ]
17 .RB [ \-d ]
18 .RB [ \-v ]
19 .RB [ \-c
20 .IR cfgfile ]
21 .SH "DESCRIPTION"
22 .LP
23 .B Unbound
24 is an implementation of a DNS resolver, that does caching and
25 DNSSEC validation.
26 .P
27 The available options are:
28 .TP
29 .B \-h
30 Show the version and commandline option help.
31 .TP
32 .B \-c\fI cfgfile
33 Set the config file with settings for unbound to read instead of reading the
34 file at the default location, /etc/unbound/unbound.conf. The syntax is
35 described in \fIunbound.conf\fR(5).
36 .TP
37 .B \-d
38 Debug flag, do not fork into the background, but stay attached to the
39 console. This flag will also delay writing to the logfile until the
40 thread\-spawn time. So that most config and setup errors appear on stderr.
41 .TP
42 .B \-v
43 Increase verbosity. If given multiple times, more information is logged.
44 This is in addition to the verbosity (if any) from the config file.
45 .SH "SEE ALSO"
46 \fIunbound.conf\fR(5),
47 \fIunbound\-checkconf\fR(8).
48 .SH "AUTHORS"
49 .B Unbound
50 developers are mentioned in the CREDITS file in the distribution.
+0
-865
doc/unbound.conf.5 less more
0 .TH "unbound.conf" "5" "Feb 10, 2009" "NLnet Labs" "unbound 1.2.1"
1 .\"
2 .\" unbound.conf.5 -- unbound.conf manual
3 .\"
4 .\" Copyright (c) 2007, NLnet Labs. All rights reserved.
5 .\"
6 .\" See LICENSE for the license.
7 .\"
8 .\"
9 .SH "NAME"
10 .LP
11 .B unbound.conf
12 \- Unbound configuration file.
13 .SH "SYNOPSIS"
14 .LP
15 .B unbound.conf
16 .SH "DESCRIPTION"
17 .LP
18 .B unbound.conf
19 is used to configure
20 \fIunbound\fR(8).
21 The file format has attributes and values. Some attributes have attributes inside them.
22 The notation is: attribute: value.
23 .P
24 Comments start with # and last to the end of line. Empty lines are
25 ignored as is whitespace at the beginning of a line.
26 .P
27 The utility
28 \fIunbound\-checkconf\fR(8)
29 can be used to check unbound.conf prior to usage.
30 .SH "EXAMPLE"
31 An example config file is shown below. Copy this to /etc/unbound/unbound.conf
32 and start the server with:
33 .P
34 .nf
35 $ unbound \-c /etc/unbound/unbound.conf
36 .fi
37 .P
38 Most settings are the defaults. Stop the server with:
39 .P
40 .nf
41 $ kill `cat /etc/unbound/unbound.pid`
42 .fi
43 .P
44 Below is a minimal config file. The source distribution contains an extensive
45 example.conf file with all the options.
46 .P
47 .nf
48 # unbound.conf(5) config file for unbound(8).
49 server:
50 directory: "/etc/unbound"
51 username: unbound
52 # make sure unbound can access entropy from inside the chroot.
53 # e.g. on linux the use these commands (on BSD, devfs(8) is used):
54 # mount --bind -n /dev/random /etc/unbound/dev/random
55 # and mount --bind -n /dev/log /etc/unbound/dev/log
56 chroot: "/etc/unbound"
57 # logfile: "/etc/unbound/unbound.log" #uncomment to use logfile.
58 pidfile: "/etc/unbound/unbound.pid"
59 # verbosity: 1 # uncomment and increase to get more logging.
60 # listen on all interfaces, answer queries from the local subnet.
61 interface: 0.0.0.0
62 interface: ::0
63 access\-control: 10.0.0.0/8 allow
64 access\-control: 2001:DB8::/64 allow
65 .fi
66 .SH "FILE FORMAT"
67 .LP
68 There must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute
69 is followed by its containing attributes, or a value.
70 .P
71 Files can be included using the
72 .B include:
73 directive. It can appear anywhere, and takes a single filename as an argument.
74 Processing continues as if the text from the included file was copied into
75 the config file at that point. If also using chroot, using full path names
76 for the included files works, relative pathnames for the included names work
77 if the directory where the daemon is started equals its chroot/working
78 directory.
79 .SS "Server Options"
80 These options are part of the
81 .B server:
82 clause.
83 .TP
84 .B verbosity: \fI<number>
85 The verbosity number, level 0 means no verbosity, only errors. Level 1
86 gives operational information. Level 2 gives detailed operational
87 information. Level 3 gives query level information, output per query.
88 Level 4 gives algorithm level information.
89 Default is level 1. The verbosity can also be increased from the commandline,
90 see
91 \fIunbound\fR(8).
92 .TP
93 .B statistics\-interval: \fI<seconds>
94 The number of seconds between printing statistics to the log for every thread.
95 Disable with value 0 or "". Default is disabled.
96 .TP
97 .B statistics\-cumulative: \fI<yes or no>
98 If enabled, statistics are cumulative since starting unbound, without clearing
99 the statistics counters after logging the statistics. Default is no.
100 .TP
101 .B extended\-statistics: \fI<yes or no>
102 If enabled, extended statistics are printed from \fIunbound\-control\fR(8).
103 Default is off, because keeping track of more statistics takes time.
104 .TP
105 .B num\-threads: \fI<number>
106 The number of threads to create to serve clients. Use 1 for no threading.
107 .TP
108 .B port: \fI<port number>
109 The port number, default 53, on which the server responds to queries.
110 .TP
111 .B interface: \fI<ip address>
112 Interface to use to connect to the network. This interface is listened to
113 for queries from clients, and answers to clients are given from it.
114 Can be given multiple times to work on several interfaces. If none are
115 given the default is to listen to localhost.
116 The interfaces are not changed on a reload (kill \-HUP) but only on restart.
117 .TP
118 .B interface-automatic: \fI<yes or no>
119 Detect source interface on UDP queries and copy them to replies. This
120 feature is experimental, and needs support in your OS for IPv6
121 (and its socket options) and IPv4 (and have source-interface socket options).
122 Default value is no.
123 .TP
124 .B outgoing\-interface: \fI<ip address>
125 Interface to use to connect to the network. This interface is used to send
126 queries to authoritative servers and receive their replies. Can be given
127 multiple times to work on several interfaces. If none are given the
128 default (all) is used. You can specify the same interfaces in
129 .B interface:
130 and
131 .B outgoing\-interface:
132 lines, the interfaces are then used for both purposes. Outgoing queries are
133 sent via a random outgoing interface to counter spoofing.
134 .TP
135 .B outgoing\-range: \fI<number>
136 Number of ports to open. This number of file descriptors can be opened per
137 thread. Must be at least 1. Default is 256. Larger numbers need extra
138 resources from the operating system.
139 .TP
140 .B outgoing\-port\-permit: \fI<port number or range>
141 Permit unbound to open this port or range of ports for use to send queries.
142 A larger number of permitted outgoing ports increases resilience against
143 spoofing attempts. Make sure these ports are not needed by other daemons.
144 By default only ports above 1024 that have not been assigned by IANA are used.
145 Give a port number or a range of the form "low-high", without spaces.
146 .IP
147 The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements
148 are processed in the line order of the config file, adding the permitted ports
149 and subtracting the avoided ports from the set of allowed ports. The
150 processing starts with the non IANA allocated ports above 1024 in the set
151 of allowed ports.
152 .TP
153 .B outgoing\-port\-avoid: \fI<port number or range>
154 Do not permit unbound to open this port or range of ports for use to send
155 queries. Use this to make sure unbound does not grab a port that another
156 daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6.
157 By default only ports above 1024 that have not been assigned by IANA are used.
158 Give a port number or a range of the form "low-high", without spaces.
159 .TP
160 .B outgoing\-num\-tcp: \fI<number>
161 Number of outgoing TCP buffers to allocate per thread. Default is 10. If set
162 to 0, or if do_tcp is "no", no TCP queries to authoritative servers are done.
163 .TP
164 .B incoming\-num\-tcp: \fI<number>
165 Number of incoming TCP buffers to allocate per thread. Default is 10. If set
166 to 0, or if do_tcp is "no", no TCP queries from clients are accepted.
167 .TP
168 .B msg\-buffer\-size: \fI<number>
169 Number of bytes size of the message buffers. Default is 65552 bytes, enough
170 for 64 Kb packets, the maximum DNS message size. No message larger than this
171 can be sent or received. Can be reduced to use less memory, but some requests
172 for DNS data, such as for huge resource records, will result in a SERVFAIL
173 reply to the client.
174 .TP
175 .B msg\-cache\-size: \fI<number>
176 Number of bytes size of the message cache. Default is 4 megabytes.
177 A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
178 or gigabytes (1024*1024 bytes in a megabyte).
179 .TP
180 .B msg\-cache\-slabs: \fI<number>
181 Number of slabs in the message cache. Slabs reduce lock contention by threads.
182 Must be set to a power of 2. Setting (close) to the number of cpus is a
183 reasonable guess.
184 .TP
185 .B num\-queries\-per\-thread: \fI<number>
186 The number of queries that every thread will service simultaneously.
187 If more queries arrive that need servicing, and no queries can be jostled out
188 (see \fIjostle\-timeout\fR), then the queries are dropped. This forces
189 the client to resend after a timeout; allowing the server time to work on
190 the existing queries. Default 1024.
191 .TP
192 .B jostle\-timeout: \fI<msec>
193 Timeout used when the server is very busy. Set to a value that usually
194 results in one roundtrip to the authority servers. If too many queries
195 arrive, then 50% of the queries are allowed to run to completion, and
196 the other 50% are replaced with the new incoming query if they have already
197 spent more than their allowed time. This protects against denial of
198 service by slow queries or high query rates. Default 200 milliseconds.
199 .TP
200 .B rrset\-cache\-size: \fI<number>
201 Number of bytes size of the RRset cache. Default is 4 megabytes.
202 A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
203 or gigabytes (1024*1024 bytes in a megabyte).
204 .TP
205 .B rrset\-cache\-slabs: \fI<number>
206 Number of slabs in the RRset cache. Slabs reduce lock contention by threads.
207 Must be set to a power of 2.
208 .TP
209 .B cache\-max\-ttl: \fI<seconds>
210 Time to live maximum for RRsets and messages in the cache. Default is
211 86400 seconds (1 day). If the maximum kicks in, responses to clients
212 still get decrementing TTLs based on the original (larger) values.
213 When the internal TTL expires, the cache item has expired.
214 Can be set lower to force the resolver to query for data often, and not
215 trust (very large) TTL values.
216 .TP
217 .B infra\-host\-ttl: \fI<seconds>
218 Time to live for entries in the host cache. The host cache contains
219 roundtrip timing and EDNS support information. Default is 900.
220 .TP
221 .B infra\-lame\-ttl: \fI<seconds>
222 The time to live when a delegation is discovered to be lame. Default is 900.
223 .TP
224 .B infra\-cache\-slabs: \fI<number>
225 Number of slabs in the infrastructure cache. Slabs reduce lock contention
226 by threads. Must be set to a power of 2.
227 .TP
228 .B infra\-cache\-numhosts: \fI<number>
229 Number of hosts for which information is cached. Default is 10000.
230 .TP
231 .B infra\-cache\-lame\-size: \fI<number>
232 Number of bytes that the lameness cache per host is allowed to use. Default
233 is 10 kb, which gives maximum storage for a couple score zones, depending on
234 the lame zone name lengths.
235 .TP
236 .B do\-ip4: \fI<yes or no>
237 Enable or disable whether ip4 queries are answered or issued. Default is yes.
238 .TP
239 .B do\-ip6: \fI<yes or no>
240 Enable or disable whether ip6 queries are answered or issued. Default is yes.
241 If disabled, queries are not answered on IPv6, and queries are not sent on
242 IPv6 to the internet nameservers.
243 .TP
244 .B do\-udp: \fI<yes or no>
245 Enable or disable whether UDP queries are answered or issued. Default is yes.
246 .TP
247 .B do\-tcp: \fI<yes or no>
248 Enable or disable whether TCP queries are answered or issued. Default is yes.
249 .TP
250 .B do\-daemonize: \fI<yes or no>
251 Enable or disable whether the unbound server forks into the background as
252 a daemon. Default is yes.
253 .TP
254 .B access\-control: \fI<IP netblock> <action>
255 The netblock is given as an IP4 or IP6 address with /size appended for a
256 classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
257 \fIallow\fR or \fIallow_snoop\fR.
258 .IP
259 The action \fIdeny\fR stops queries from hosts from that netblock.
260 .IP
261 The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED
262 error message back.
263 .IP
264 The action \fIallow\fR gives access to clients from that netblock.
265 It gives only access for recursion clients (which is
266 what almost all clients need). Nonrecursive queries are refused.
267 .IP
268 The \fIallow\fR action does allow nonrecursive queries to access the
269 local\-data that is configured. The reason is that this does not involve
270 the unbound server recursive lookup algorithm, and static data is served
271 in the reply. This supports normal operations where nonrecursive queries
272 are made for the authoritative data. For nonrecursive queries any replies
273 from the dynamic cache are refused.
274 .IP
275 The action \fIallow_snoop\fR gives nonrecursive access too. This give
276 both recursive and non recursive access. The name \fIallow_snoop\fR refers
277 to cache snooping, a technique to use nonrecursive queries to examine
278 the cache contents (for malicious acts). However, nonrecursive queries can
279 also be a valuable debugging tool (when you want to examine the cache
280 contents). In that case use \fIallow_snoop\fR for your administration host.
281 .IP
282 By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd.
283 The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
284 protocol is not designed to handle dropped packets due to policy, and
285 dropping may result in (possibly excessive) retried queries.
286 .TP
287 .B chroot: \fI<directory>
288 If chroot is enabled, you should pass the configfile (from the
289 commandline) as a full path from the original root. After the
290 chroot has been performed the now defunct portion of the config
291 file path is removed to be able to reread the config after a reload.
292 .IP
293 All other file paths (working dir, logfile, roothints, and
294 key files) can be specified in several ways:
295 as an absolute path relative to the new root,
296 as a relative path to the working directory, or
297 as an absolute path relative to the original root.
298 In the last case the path is adjusted to remove the unused portion.
299 .IP
300 The pidfile can be either a relative path to the working directory, or
301 an absolute path relative to the original root. It is written just prior
302 to chroot and dropping permissions. This allows the pidfile to be
303 /var/run/unbound.pid and the chroot to be /var/unbound, for example.
304 .IP
305 Additionally, unbound may need to access /dev/random (for entropy)
306 from inside the chroot.
307 .IP
308 If given a chroot is done to the given directory. The default is
309 "/var/lib/unbound". If you give "" no chroot is performed.
310 .TP
311 .B username: \fI<name>
312 If given, after binding the port the user privileges are dropped. Default is
313 "unbound". If you give username: "" no user change is performed.
314 .IP
315 If this user is not capable of binding the
316 port, reloads (by signal HUP) will still retain the opened ports.
317 If you change the port number in the config file, and that new port number
318 requires privileges, then a reload will fail; a restart is needed.
319 .TP
320 .B directory: \fI<directory>
321 Sets the working directory for the program. Default is "/etc/unbound".
322 .TP
323 .B logfile: \fI<filename>
324 If "" is given, logging goes to stderr, or nowhere once daemonized.
325 The logfile is appended to, in the following format:
326 .nf
327 [seconds since 1970] unbound[pid:tid]: type: message.
328 .fi
329 If this option is given, the use\-syslog is option is set to "no".
330 The logfile is reopened (for append) when the config file is reread, on
331 SIGHUP.
332 .TP
333 .B use\-syslog: \fI<yes or no>
334 Sets unbound to send log messages to the syslogd, using
335 \fIsyslog\fR(3).
336 The log facility LOG_DAEMON is used, with identity "unbound".
337 The logfile setting is overridden when use\-syslog is turned on.
338 The default is to log to syslog.
339 .TP
340 .B pidfile: \fI<filename>
341 The process id is written to the file. Default is "/var/lib/unbound/unbound.pid".
342 So,
343 .nf
344 kill \-HUP `cat /var/lib/unbound/unbound.pid`
345 .fi
346 triggers a reload,
347 .nf
348 kill \-QUIT `cat /var/lib/unbound/unbound.pid`
349 .fi
350 gracefully terminates.
351 .TP
352 .B root\-hints: \fI<filename>
353 Read the root hints from this file. Default is nothing, using builtin hints
354 for the IN class. The file has the format of zone files, with root
355 nameserver names and addresses only. The default may become outdated,
356 when servers change, therefore it is good practice to use a root\-hints file.
357 .TP
358 .B hide\-identity: \fI<yes or no>
359 If enabled id.server and hostname.bind queries are refused.
360 .TP
361 .B identity: \fI<string>
362 Set the identity to report. If set to "", the default, then the hostname
363 of the server is returned.
364 .TP
365 .B hide\-version: \fI<yes or no>
366 If enabled version.server and version.bind queries are refused.
367 .TP
368 .B version: \fI<string>
369 Set the version to report. If set to "", the default, then the package
370 version is returned.
371 .TP
372 .B target\-fetch\-policy: \fI<"list of numbers">
373 Set the target fetch policy used by unbound to determine if it should fetch
374 nameserver target addresses opportunistically. The policy is described per
375 dependency depth.
376 .IP
377 The number of values determines the maximum dependency depth
378 that unbound will pursue in answering a query.
379 A value of \-1 means to fetch all targets opportunistically for that dependency
380 depth. A value of 0 means to fetch on demand only. A positive value fetches
381 that many targets opportunistically.
382 .IP
383 Enclose the list between quotes ("") and put spaces between numbers.
384 The default is "3 2 1 0 0". Setting all zeroes, "0 0 0 0 0" gives behaviour
385 closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour
386 rumoured to be closer to that of BIND 8.
387 .TP
388 .B harden\-short\-bufsize: \fI<yes or no>
389 Very small EDNS buffer sizes from queries are ignored. Default is off, since
390 it is legal protocol wise to send these, and unbound tries to give very
391 small answers to these queries, where possible.
392 .TP
393 .B harden\-large\-queries: \fI<yes or no>
394 Very large queries are ignored. Default is off, since it is legal protocol
395 wise to send these, and could be necessary for operation if TSIG or EDNS
396 payload is very large.
397 .TP
398 .B harden\-glue: \fI<yes or no>
399 Will trust glue only if it is within the servers authority. Default is on.
400 .TP
401 .B harden\-dnssec\-stripped: \fI<yes or no>
402 Require DNSSEC data for trust\-anchored zones, if such data is absent,
403 the zone becomes bogus. If turned off, and no DNSSEC data is received
404 (or the DNSKEY data fails to validate), then the zone is made insecure,
405 this behaves like there is no trust anchor. You could turn this off if
406 you are sometimes behind an intrusive firewall (of some sort) that
407 removes DNSSEC data from packets, or a zone changes from signed to
408 unsigned to badly signed often. If turned off you run the risk of a
409 downgrade attack that disables security for a zone. Default is on.
410 .TP
411 .B harden\-referral\-path: \fI<yes or no>
412 Harden the referral path by performing additional queries for
413 infrastructure data. Validates the replies if trust anchors are configured
414 and the zones are signed. This enforces DNSSEC validation on nameserver
415 NS sets and the nameserver addresses that are encountered on the referral
416 path to the answer.
417 Default off, because it burdens the authority servers, and it is
418 not RFC standard, and could lead to performance problems because of the
419 extra query load that is generated. Experimental option.
420 .TP
421 .B use\-caps\-for\-id: \fI<yes or no>
422 Use 0x20-encoded random bits in the query to foil spoof attempts.
423 This perturbs the lowercase and uppercase of query names sent to
424 authority servers and checks if the reply still has the correct casing.
425 Disabled by default.
426 This feature is an experimental implementation of draft dns\-0x20.
427 .TP
428 .B private\-address: \fI<IP address or subnet>
429 Give IPv4 of IPv6 addresses or classless subnets. These are addresses
430 on your private network, and are not allowed to be returned for public
431 internet names. Any occurence of such addresses are removed from
432 DNS answers. Additionally, the DNSSEC validator may mark the answers
433 bogus. This protects against so-called DNS Rebinding, where a user browser
434 is turned into a network proxy, allowing remote access through the browser
435 to other parts of your private network. Some names can be allowed to
436 contain your private addresses, by default all the \fBlocal\-data\fR
437 that you configured is allowed to, and you can specify additional
438 names using \fBprivate\-domain\fR. No private addresses are enabled
439 by default. We consider to enable this for the RFC1918 private IP
440 address space by default in later releases. That would enable private
441 addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 192.254.0.0/16
442 fd00::/8 and fe80::/10, since the RFC standards say these addresses
443 should not be visible on the public internet. Turning on 127.0.0.0/8
444 would hinder many spamblocklists as they use that.
445 .TP
446 .B private\-domain: \fI<domain name>
447 Allow this domain, and all its subdomains to contain private addresses.
448 Give multiple times to allow multiple domain names to contain private
449 addresses. Default is none.
450 .TP
451 .B unwanted\-reply\-threshold: \fI<number>
452 If set, a total number of unwanted replies is kept track of in every thread.
453 When it reaches the threshold, a defensive action is taken and a warning
454 is printed to the log. The defensive action is to clear the rrset and
455 message caches, hopefully flushing away any poison. A value of 10 million
456 is suggested. Default is 0 (turned off).
457 .TP
458 .B do\-not\-query\-address: \fI<IP address>
459 Do not query the given IP address. Can be IP4 or IP6. Append /num to
460 indicate a classless delegation netblock, for example like
461 10.2.3.4/24 or 2001::11/64.
462 .TP
463 .B do\-not\-query\-localhost: \fI<yes or no>
464 If yes, localhost is added to the do\-not\-query\-address entries, both
465 IP6 ::1 and IP4 127.0.0.1/8. If no, then localhost can be used to send
466 queries to. Default is yes.
467 .TP
468 .B module\-config: \fI<"module names">
469 Module configuration, a list of module names separated by spaces, surround
470 the string with quotes (""). The modules can be validator, iterator.
471 Setting this to "iterator" will result in a non\-validating server.
472 Setting this to "validator iterator" will turn on DNSSEC validation.
473 You must also set trust\-anchors for validation to be useful.
474 .TP
475 .B trust\-anchor\-file: \fI<filename>
476 File with trusted keys for validation. Both DS and DNSKEY entries can appear
477 in the file. The format of the file is the standard DNS Zone file format.
478 Default is "", or no trust anchor file.
479 .TP
480 .B trust\-anchor: \fI<"Resource Record">
481 A DS or DNSKEY RR for a key to use for validation. Multiple entries can be
482 given to specify multiple trusted keys, in addition to the trust\-anchor\-files.
483 The resource record is entered in the same format as 'dig' or 'drill' prints
484 them, the same format as in the zone file. Has to be on a single line, with
485 "" around it. A TTL can be specified for ease of cut and paste, but is ignored.
486 A class can be specified, but class IN is default.
487 .TP
488 .B trusted\-keys\-file: \fI<filename>
489 File with trusted keys for validation. Specify more than one file
490 with several entries, one file per entry. Like \fBtrust\-anchor\-file\fR
491 but has a different file format. Format is BIND\-9 style format,
492 the trusted\-keys { name flag proto algo "key"; }; clauses are read.
493 It is possible to use wildcards with this statement, the wildcard is
494 expanded on start and on reload.
495 .TP
496 .B dlv\-anchor\-file: \fI<filename>
497 File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and
498 DNSKEY entries can be used in the file, in the same format as for
499 \fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more
500 would be slow. The DLV configured is used as a root trusted DLV, this
501 means that it is a lookaside for the root. Default is "", or no dlv anchor file.
502 .TP
503 .B dlv\-anchor: \fI<"Resource Record">
504 Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline.
505 .TP
506 .B val\-override\-date: \fI<rrsig\-style date spec>
507 Default is "" or "0", which disables this debugging feature. If enabled by
508 giving a RRSIG style date, that date is used for verifying RRSIG inception
509 and expiration dates, instead of the current date. Do not set this unless
510 you are debugging signature inception and expiration.
511 .TP
512 .B val\-bogus\-ttl: \fI<number>
513 The time to live for bogus data. This is data that has failed validation;
514 due to invalid signatures or other checks. The TTL from that data cannot be
515 trusted, and this value is used instead. The value is in seconds, default 60.
516 The time interval prevents repeated revalidation of bogus data.
517 .TP
518 .B val\-clean\-additional: \fI<yes or no>
519 Instruct the validator to remove data from the additional section of secure
520 messages that are not signed properly. Messages that are insecure, bogus,
521 indeterminate or unchecked are not affected. Default is yes. Use this setting
522 to protect the users that rely on this validator for authentication from
523 protentially bad data in the additional section.
524 .TP
525 .B val\-permissive\-mode: \fI<yes or no>
526 Instruct the validator to mark bogus messages as indeterminate. The security
527 checks are performed, but if the result is bogus (failed security), the
528 reply is not withheld from the client with SERVFAIL as usual. The client
529 receives the bogus data. For messages that are found to be secure the AD bit
530 is set in replies. Also logging is performed as for full validation.
531 The default value is "no".
532 .TP
533 .B val\-nsec3\-keysize\-iterations: \fI<"list of values">
534 List of keysize and iteration count values, separated by spaces, surrounded
535 by quotes. Default is "1024 150 2048 500 4096 2500". This determines the
536 maximum allowed NSEC3 iteration count before a message is simply marked
537 insecure instead of performing the many hashing iterations. The list must
538 be in ascending order and have at least one entry. If you set it to
539 "1024 65535" there is no restriction to NSEC3 iteration values.
540 This table must be kept short; a very long list could cause slower operation.
541 .TP
542 .B key\-cache\-size: \fI<number>
543 Number of bytes size of the key cache. Default is 4 megabytes.
544 A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
545 or gigabytes (1024*1024 bytes in a megabyte).
546 .TP
547 .B key\-cache\-slabs: \fI<number>
548 Number of slabs in the key cache. Slabs reduce lock contention by threads.
549 Must be set to a power of 2. Setting (close) to the number of cpus is a
550 reasonable guess.
551 .TP
552 .B neg\-cache\-size: \fI<number>
553 Number of bytes size of the aggressive negative cache. Default is 1 megabyte.
554 A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
555 or gigabytes (1024*1024 bytes in a megabyte).
556 .TP
557 .B local\-zone: \fI<zone> <type>
558 Configure a local zone. The type determines the answer to give if there is
559 no match from local\-data. The types are deny, refuse, static, transparent,
560 redirect, nodefault, and are explained below. After that the default settings
561 are listed. Use local\-data: to enter data into the local zone. Answers for
562 local zones are authoritative DNS answers. By default the zones are class IN.
563 .IP
564 If you need more complicated authoritative data, with referrals, wildcards,
565 CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for
566 it as detailed in the stub zone section below.
567 .TP 10
568 \h'5'\fIdeny\fR
569 Do not send an answer, drop the query.
570 If there is a match from local data, the query is answered.
571 .TP 10
572 \h'5'\fIrefuse\fR
573 Send an error message reply, with rcode REFUSED.
574 If there is a match from local data, the query is answered.
575 .TP 10
576 \h'5'\fIstatic\fR
577 If there is a match from local data, the query is answered.
578 Otherwise, the query is answered with nodata or nxdomain.
579 For a negative answer a SOA is included in the answer if present
580 as local\-data for the zone apex domain.
581 .TP 10
582 \h'5'\fItransparent\fR
583 If there is a match from local data, the query is answered.
584 Otherwise if the query has a different name, the query is resolved normally.
585 If the query is for a name given in localdata but no such type of data is
586 given in localdata, then a noerror nodata answer is returned.
587 If no local\-zone is given local\-data causes a transparent zone
588 to be created by default.
589 .TP 10
590 \h'5'\fIredirect\fR
591 The query is answered from the local data for the zone name.
592 There may be no local data beneath the zone name.
593 This answers queries for the zone, and all subdomains of the zone
594 with the local data for the zone.
595 It can be used to redirect a domain to a different address, with
596 local\-zone: "example.com." redirect and
597 local\-data: "example.com. A 127.0.0.1"
598 queries for www.example.com and www.foo.example.com are redirected.
599 .TP 10
600 \h'5'\fInodefault\fR
601 Used to turn off default contents for AS112 zones. The other types
602 also turn off default contents for the zone. The 'nodefault' option
603 has no other effect than turning off default contents for the
604 given zone.
605 .P
606 The default zones are localhost, reverse 127.0.0.1 and ::1, and the AS112
607 zones. The AS112 zones are reverse DNS zones for private use and reserved
608 IP addresses for which the servers on the internet cannot provide correct
609 answers. They are configured by default to give nxdomain (no reverse
610 information) answers. The defaults can be turned off by specifying your
611 own local\-zone of that name, or using the 'nodefault' type. Below is a
612 list of the default zone contents.
613 .TP 10
614 \h'5'\fIlocalhost\fR
615 The IP4 and IP6 localhost information is given. NS and SOA records are provided
616 for completeness and to satisfy some DNS update tools. Default content:
617 .nf
618 local\-zone: "localhost." static
619 local\-data: "localhost. 10800 IN NS localhost."
620 local\-data: "localhost. 10800 IN
621 SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
622 local\-data: "localhost. 10800 IN A 127.0.0.1"
623 local\-data: "localhost. 10800 IN AAAA ::1"
624 .fi
625 .TP 10
626 \h'5'\fIreverse IPv4 loopback\fR
627 Default content:
628 .nf
629 local\-zone: "127.in\-addr.arpa." static
630 local\-data: "127.in\-addr.arpa. 10800 IN NS localhost."
631 local\-data: "127.in\-addr.arpa. 10800 IN
632 SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
633 local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN
634 PTR localhost."
635 .fi
636 .TP 10
637 \h'5'\fIreverse IPv6 loopback\fR
638 Default content:
639 .nf
640 local\-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
641 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." static
642 local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
643 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
644 NS localhost."
645 local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
646 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
647 SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
648 local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
649 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
650 PTR localhost."
651 .fi
652 .TP 10
653 \h'5'\fIreverse RFC1918 local use zones\fR
654 Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to
655 31.172.in\-addr.arpa, 168.192.in\-addr.arpa.
656 The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS
657 records are provided.
658 .TP 10
659 \h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR
660 Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa,
661 2.0.192.in\-addr.arpa, 255.255.255.255.in\-addr.arpa.
662 .TP 10
663 \h'5'\fIreverse RFC4291 IP6 unspecified\fR
664 Reverse data for zone
665 .nf
666 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
667 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
668 .fi
669 .TP 10
670 \h'5'\fIreverse RFC4193 IPv6 Locally Assigned Local Addresses\fR
671 Reverse data for zone D.F.ip6.arpa.
672 .TP 10
673 \h'5'\fIreverse RFC4291 IPv6 Link Local Addresses\fR
674 Reverse data for zones 8.E.F.ip6.arpa to B.E.F.ip6.arpa.
675 .TP 10
676 \h'5'\fIreverse IPv6 Example Prefix\fR
677 Reverse data for zone 8.B.D.0.1.0.0.2.ip6.arpa. This zone is used for
678 tutorials and examples. You can remove the block on this zone with:
679 .nf
680 local-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault
681 .fi
682 This also works with the other default zones.
683 .\" End of local-zone listing.
684 .TP 5
685 .B local\-data: \fI"<resource record string>"
686 Configure local data, which is served in reply to queries for it.
687 The query has to match exactly unless you configure the local\-zone as
688 redirect. If not matched exactly, the local\-zone type determines
689 further processing. If local\-data is configured that is not a subdomain of
690 a local\-zone, a transparent local\-zone is configured.
691 For record types such as TXT, use single quotes, as in
692 local\-data: 'example. TXT "text"'.
693 .IP
694 If you need more complicated authoritative data, with referrals, wildcards,
695 CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for
696 it as detailed in the stub zone section below.
697 .TP 5
698 .B local\-data\-ptr: \fI"IPaddr name"
699 Configure local data shorthand for a PTR record with the reversed IPv4 or
700 IPv6 address and the host name. For example "192.0.2.4 www.example.com".
701 TTL can be inserted like this: "2001:DB8::4 7200 www.example.com"
702 .SS "Remote Control Options"
703 In the
704 .B remote\-control:
705 clause are the declarations for the remote control facility. If this is
706 enabled, the \fIunbound\-control\fR(8) utility can be used to send
707 commands to the running unbound server. The server uses these clauses
708 to setup SSLv3 / TLSv1 security for the connection. The
709 \fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR
710 section for options. To setup the correct self-signed certificates use the
711 \fIunbound\-control\-setup\fR(8) utility.
712 .TP 5
713 .B control\-enable: \fI<yes or no>
714 The option is used to enable remote control, default is "no".
715 If turned off, the server does not listen for control commands.
716 .TP 5
717 .B control\-interface: <ip address>
718 Give IPv4 or IPv6 addresses to listen on for control commands.
719 By default localhost (127.0.0.1 and ::1) is listened to.
720 Use 0.0.0.0 and ::0 to listen to all interfaces.
721 .TP 5
722 .B control\-port: <port number>
723 The port number to listen on for control commands, default is 953
724 (that is the same port number named uses to listen to rndc).
725 If you change this port number, and permissions have been dropped, a
726 reload is not sufficient to open the port again, you must then restart.
727 .TP 5
728 .B server\-key\-file: "<private key file>"
729 Path to the server private key, by default unbound_server.key.
730 This file is generated by the \fIunbound\-control\-setup\fR utility.
731 This file is used by the unbound server, but not by \fIunbound\-control\fR.
732 .TP 5
733 .B server\-cert\-file: "<certificate file.pem>"
734 Path to the server self signed certificate, by default unbound_server.pem.
735 This file is generated by the \fIunbound\-control\-setup\fR utility.
736 This file is used by the unbound server, and also by \fIunbound\-control\fR.
737 .TP 5
738 .B control\-key\-file: "<private key file>"
739 Path to the control client private key, by default unbound_control.key.
740 This file is generated by the \fIunbound\-control\-setup\fR utility.
741 This file is used by \fIunbound\-control\fR.
742 .TP 5
743 .B control\-cert\-file: "<certificate file.pem>"
744 Path to the control client certificate, by default unbound_control.pem.
745 This certificate has to be signed with the server certificate.
746 This file is generated by the \fIunbound\-control\-setup\fR utility.
747 This file is used by \fIunbound\-control\fR.
748 .SS "Stub Zone Options"
749 .LP
750 There may be multiple
751 .B stub\-zone:
752 clauses. Each with a name: and zero or more hostnames or IP addresses.
753 For the stub zone this list of nameservers is used. Class IN is assumed.
754 .P
755 The stub zone can be used to configure authoritative data to be used
756 by the resolver that cannot be accessed using the public internet servers.
757 This is useful for company\-local data or private zones. Setup an
758 authoritative server on a different host (or different port). Enter a config
759 entry for unbound with
760 .B stub\-addr:
761 <ip address of host[@port]>.
762 The unbound resolver can then access the data, without referring to the
763 public internet for it.
764 .P
765 This setup allows DNSSEC signed zones to be served by that
766 authoritative server, in which case a trusted key entry with the public key
767 can be put in config, so that unbound can validate the data and set the AD
768 bit on replies for the private zone (authoritative servers do not set the
769 AD bit). This setup makes unbound capable of answering queries for the
770 private zone, and can even set the AD bit ('authentic'), but the AA
771 ('authoritative') bit is not set on these replies.
772 .TP
773 .B name: \fI<domain name>
774 Name of the stub zone.
775 .TP
776 .B stub\-host: \fI<domain name>
777 Name of stub zone nameserver. Is itself resolved before it is used.
778 .TP
779 .B stub\-addr: \fI<IP address>
780 IP address of stub zone nameserver. Can be IP 4 or IP 6.
781 To use a nondefault port for DNS communication append '@' with the port number.
782 .TP
783 .B stub\-prime: \fI<yes or no>
784 This option is by default off. If enabled it performs NS set priming,
785 which is similar to root hints, where it starts using the list of nameservers
786 currently published by the zone. Thus, if the hint list is slightly outdated,
787 the resolver picks up a correct list online.
788 .SS "Forward Zone Options"
789 .LP
790 There may be multiple
791 .B forward\-zone:
792 clauses. Each with a name: and zero or more hostnames or IP addresses.
793 For the forward zone this list of nameservers is used to forward the queries
794 to. The servers have to handle further recursion for the query. Class IN is
795 assumed. A forward\-zone entry with name "." and a forward\-addr target will
796 forward all queries to that other server (unless it can answer from the cache).
797 .TP
798 .B name: \fI<domain name>
799 Name of the forward zone.
800 .TP
801 .B forward\-host: \fI<domain name>
802 Name of server to forward to. Is itself resolved before it is used.
803 .TP
804 .B forward\-addr: \fI<IP address>
805 IP address of server to forward to. Can be IP 4 or IP 6.
806 To use a nondefault port for DNS communication append '@' with the port number.
807 .SH "MEMORY CONTROL EXAMPLE"
808 In the example config settings below memory usage is reduced. Some service
809 levels are lower, notable very large data and a high TCP load are no longer
810 supported. Very large data and high TCP loads are exceptional for the DNS.
811 DNSSEC validation is enabled, just add trust anchors.
812 If you do not have to worry about programs using more than 3 Mb of memory,
813 the below example is not for you. Use the defaults to receive full service,
814 which on BSD-32bit tops out at 30-40 Mb after heavy usage.
815 .P
816 .nf
817 # example settings that reduce memory usage
818 server:
819 num\-threads: 1
820 outgoing\-num\-tcp: 1 # this limits TCP service, uses less buffers.
821 incoming\-num\-tcp: 1
822 outgoing\-range: 16 # uses less memory, but less performance.
823 msg\-buffer\-size: 8192 # note this limits service, 'no huge stuff'.
824 msg\-cache\-size: 100k
825 msg\-cache\-slabs: 1
826 rrset\-cache\-size: 100k
827 rrset\-cache\-slabs: 1
828 infra\-cache\-numhosts: 200
829 infra\-cache\-slabs: 1
830 infra\-cache\-lame\-size: 1k
831 key\-cache\-size: 100k
832 key\-cache\-slabs: 1
833 neg\-cache\-size: 10k
834 num\-queries\-per\-thread: 30
835 target\-fetch\-policy: "2 1 0 0 0 0"
836 harden\-large\-queries: "yes"
837 harden\-short\-bufsize: "yes"
838 .fi
839 .SH "FILES"
840 .TP
841 .I /etc/unbound
842 default unbound working directory.
843 .TP
844 .I /var/lib/unbound
845 default
846 \fIchroot\fR(2)
847 location.
848 .TP
849 .I /etc/unbound/unbound.conf
850 unbound configuration file.
851 .TP
852 .I /var/lib/unbound/unbound.pid
853 default unbound pidfile with process ID of the running daemon.
854 .TP
855 .I unbound.log
856 unbound log file. default is to log to
857 \fIsyslog\fR(3).
858 .SH "SEE ALSO"
859 \fIunbound\fR(8),
860 \fIunbound\-checkconf\fR(8).
861 .SH "AUTHORS"
862 .B Unbound
863 was written by NLnet Labs. Please see CREDITS file
864 in the distribution for further details.