Download raw body.
unbound 1.24.0
loads of churn again, especially the manpages were reformatted
so I hand-applied the changes there.
florian has been running a version of the unbound changes ported to
unwind, and I'm running it.
any further tests appreciated.
Index: Makefile.in
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/Makefile.in,v
diff -u -p -r1.47 Makefile.in
--- Makefile.in 31 Aug 2025 21:41:09 -0000 1.47
+++ Makefile.in 22 Sep 2025 21:08:22 -0000
@@ -449,9 +449,13 @@ dnstap.lo dnstap.o: $(srcdir)/dnstap/dns
$(srcdir)/util/netevent.h $(srcdir)/util/net_help.h \
$(srcdir)/util/locks.h
-dnstap/dnstap.pb-c.c dnstap/dnstap.pb-c.h: $(srcdir)/dnstap/dnstap.proto
+# Builds both dnstap/dnstap.pb-c.c and dnstap/dnstap.pb-c.h.
+# To avoid double-building we split one target out.
+dnstap/dnstap.pb-c.c: $(srcdir)/dnstap/dnstap.proto
@-if test ! -d dnstap; then $(INSTALL) -d dnstap; fi
$(PROTOC_C) --c_out=. --proto_path=$(srcdir) $(srcdir)/dnstap/dnstap.proto
+dnstap/dnstap.pb-c.h: dnstap/dnstap.pb-c.c
+ touch $@
unbound-dnstap-socket$(EXEEXT): $(DNSTAP_SOCKET_OBJ_LINK)
$(LINK) -o $@ $(DNSTAP_SOCKET_OBJ_LINK) $(SSLLIB) $(LIBS)
@@ -723,299 +727,338 @@ unitdoq.lo unitdoq.o: $(srcdir)/testcode
dns.lo dns.o: $(srcdir)/services/cache/dns.c config.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \
$(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h $(srcdir)/validator/val_nsec.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/validator/val_utils.h $(srcdir)/sldns/pkthdr.h $(srcdir)/services/cache/dns.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h $(srcdir)/sldns/pkthdr.h $(srcdir)/services/cache/dns.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/dname.h $(srcdir)/util/module.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/util/data/msgparse.h $(srcdir)/util/data/dname.h $(srcdir)/util/module.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/random.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
infra.lo infra.o: $(srcdir)/services/cache/infra.c config.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/iterator/iterator.h \
- $(srcdir)/services/outbound_list.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h
+ $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/util/storage/lookup3.h $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \
+ $(srcdir)/util/config_file.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h
rrset.lo rrset.o: $(srcdir)/services/cache/rrset.c config.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/regional.h \
- $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/random.h
as112.lo as112.o: $(srcdir)/util/as112.c $(srcdir)/util/as112.h
dname.lo dname.o: $(srcdir)/util/data/dname.c config.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/storage/lookup3.h $(srcdir)/sldns/sbuffer.h
msgencode.lo msgencode.o: $(srcdir)/util/data/msgencode.c config.h $(srcdir)/util/data/msgencode.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/random.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/module.h $(srcdir)/services/view.h
-msgparse.lo msgparse.o: $(srcdir)/util/data/msgparse.c config.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h
+msgparse.lo msgparse.o: $(srcdir)/util/data/msgparse.c config.h $(srcdir)/util/config_file.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/storage/lookup3.h $(srcdir)/util/regional.h $(srcdir)/util/rfc_1982.h $(srcdir)/util/edns.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h
msgreply.lo msgreply.o: $(srcdir)/util/data/msgreply.c config.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/storage/lookup3.h $(srcdir)/util/alloc.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/regional.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/util/data/msgencode.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/module.h \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \
- $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
- $(srcdir)/respip/respip.h
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/alloc.h $(srcdir)/util/netevent.h \
+ $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/data/msgencode.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/module.h $(srcdir)/util/fptr_wlist.h \
+ $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
+ $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
+ $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h
packed_rrset.lo packed_rrset.o: $(srcdir)/util/data/packed_rrset.c config.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/storage/lookup3.h $(srcdir)/util/alloc.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h
+ $(srcdir)/util/random.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h
iterator.lo iterator.o: $(srcdir)/iterator/iterator.c config.h $(srcdir)/iterator/iterator.h \
$(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/iterator/iter_utils.h \
+ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/iterator/iter_utils.h \
$(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_hints.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_donotq.h \
$(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_scrub.h $(srcdir)/iterator/iter_priv.h \
- $(srcdir)/validator/val_neg.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/infra.h \
- $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \
- $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
- $(srcdir)/util/random.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/parseutil.h
+ $(srcdir)/validator/val_neg.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \
+ $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h \
+ $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h \
+ $(srcdir)/util/data/msgencode.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/sldns/wire2str.h \
+ $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/parseutil.h
iter_delegpt.lo iter_delegpt.o: $(srcdir)/iterator/iter_delegpt.c config.h $(srcdir)/iterator/iter_delegpt.h \
$(srcdir)/util/log.h $(srcdir)/services/cache/dns.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/regional.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \
+ $(srcdir)/sldns/sbuffer.h
iter_donotq.lo iter_donotq.o: $(srcdir)/iterator/iter_donotq.c config.h $(srcdir)/iterator/iter_donotq.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/log.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h
+ $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h
iter_fwd.lo iter_fwd.o: $(srcdir)/iterator/iter_fwd.c config.h $(srcdir)/iterator/iter_fwd.h \
- $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h
+ $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/iterator/iter_delegpt.h \
+ $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/str2wire.h
iter_hints.lo iter_hints.o: $(srcdir)/iterator/iter_hints.c config.h $(srcdir)/iterator/iter_hints.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/random.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/str2wire.h \
$(srcdir)/sldns/wire2str.h
iter_priv.lo iter_priv.o: $(srcdir)/iterator/iter_priv.c config.h $(srcdir)/iterator/iter_priv.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/log.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/sbuffer.h
iter_resptype.lo iter_resptype.o: $(srcdir)/iterator/iter_resptype.c config.h \
- $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iterator.h $(srcdir)/util/log.h \
- $(srcdir)/services/cache/dns.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/data/dname.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h
+ $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \
+ $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/services/cache/dns.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/data/dname.h
iter_scrub.lo iter_scrub.o: $(srcdir)/iterator/iter_scrub.c config.h $(srcdir)/iterator/iter_scrub.h \
$(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/iterator/iter_priv.h $(srcdir)/util/rbtree.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/regional.h \
$(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h $(srcdir)/util/alloc.h $(srcdir)/sldns/sbuffer.h
iter_utils.lo iter_utils.o: $(srcdir)/iterator/iter_utils.c config.h $(srcdir)/iterator/iter_utils.h \
$(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/iterator/iter_hints.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/iterator/iter_hints.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_fwd.h \
$(srcdir)/iterator/iter_donotq.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_priv.h \
$(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/services/outside_network.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \
- $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h \
- $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \
- $(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_kentry.h \
- $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/sldns/str2wire.h
+ $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/services/outside_network.h $(srcdir)/util/alloc.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/config_file.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
+ $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/validator/val_anchor.h \
+ $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_kentry.h $(srcdir)/validator/val_utils.h \
+ $(srcdir)/validator/val_sigcrypt.h $(srcdir)/sldns/str2wire.h
listen_dnsport.lo listen_dnsport.o: $(srcdir)/services/listen_dnsport.c config.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/services/authzone.h \
- $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
+ $(srcdir)/services/outside_network.h $(srcdir)/util/alloc.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/random.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \
+ $(srcdir)/services/localzone.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
+ $(srcdir)/util/timeval_func.h \
+
localzone.lo localzone.o: $(srcdir)/services/localzone.c config.h $(srcdir)/services/localzone.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h \
$(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/data/msgencode.h $(srcdir)/util/net_help.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/as112.h
+ $(srcdir)/util/data/msgencode.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/netevent.h \
+ $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/as112.h
mesh.lo mesh.o: $(srcdir)/services/mesh.c config.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \
- $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
- $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \
- $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
- $(srcdir)/util/data/msgencode.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/alloc.h \
- $(srcdir)/util/edns.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/data/dname.h $(srcdir)/services/listen_dnsport.h
-modstack.lo modstack.o: $(srcdir)/services/modstack.c config.h $(srcdir)/services/modstack.h \
- $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/tube.h \
- $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/dns64/dns64.h $(srcdir)/iterator/iterator.h \
- $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h
+ $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/services/outbound_list.h \
+ $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \
+ $(srcdir)/util/regional.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
+ $(srcdir)/util/alloc.h $(srcdir)/util/edns.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/data/dname.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/daemon/acl_list.h \
+ $(srcdir)/util/timeval_func.h $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/edns-subnet/addrtree.h \
+ $(srcdir)/edns-subnet/edns-subnet.h
+modstack.lo modstack.o: $(srcdir)/services/modstack.c config.h $(srcdir)/services/modstack.h \
+ $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \
+ $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/rpz.h \
+ $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
+ $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/dns64/dns64.h \
+ $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h \
+ $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_nsec3.h $(PYTHONMOD_HEADER) \
+ $(DYNLIBMOD_HEADER) $(srcdir)/cachedb/cachedb.h $(srcdir)/ipsecmod/ipsecmod.h \
+ $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/util/data/dname.h $(srcdir)/edns-subnet/addrtree.h \
+ $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/ipset/ipset.h
view.lo view.o: $(srcdir)/services/view.c config.h $(srcdir)/services/view.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/respip/respip.h
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/respip/respip.h
rpz.lo rpz.o: $(srcdir)/services/rpz.c config.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h \
$(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound.h \
- $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h $(srcdir)/sldns/wire2str.h \
- $(srcdir)/sldns/str2wire.h $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h
+ $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
+ $(srcdir)/respip/respip.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/util/data/dname.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/regional.h $(srcdir)/util/data/msgencode.h \
+ $(srcdir)/services/cache/dns.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \
+ $(srcdir)/iterator/iter_delegpt.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/util/alloc.h \
+ $(srcdir)/dnstap/dnstap.h
+rfc_1982.lo rfc_1982.o: $(srcdir)/util/rfc_1982.c config.h $(srcdir)/util/rfc_1982.h
outbound_list.lo outbound_list.o: $(srcdir)/services/outbound_list.c config.h \
- $(srcdir)/services/outbound_list.h $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-
+ $(srcdir)/services/outbound_list.h $(srcdir)/services/outside_network.h $(srcdir)/util/alloc.h \
+ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/netevent.h \
+ $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
+
outside_network.lo outside_network.o: $(srcdir)/services/outside_network.c config.h \
- $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/iterator/iterator.h \
- $(srcdir)/services/outbound_list.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
- $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
- $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h \
- $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \
- $(srcdir)/util/edns.h $(srcdir)/dnstap/dnstap.h
+ $(srcdir)/services/outside_network.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/daemon/acl_list.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
+ $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/rtt.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/data/msgencode.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h \
+ $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \
+ $(srcdir)/services/localzone.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h \
+ $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
+ $(srcdir)/respip/respip.h $(srcdir)/util/edns.h $(srcdir)/dnstap/dnstap.h \
+
alloc.lo alloc.o: $(srcdir)/util/alloc.c config.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/regional.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
- $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \
- $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
- $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h
+ $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h
config_file.lo config_file.o: $(srcdir)/util/config_file.c config.h $(srcdir)/util/log.h \
- $(srcdir)/util/configyyrename.h $(srcdir)/util/config_file.h util/configparser.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/regional.h $(srcdir)/util/fptr_wlist.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/util/configyyrename.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h \
+ util/configparser.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h \
$(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
$(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
$(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/rtt.h $(srcdir)/services/cache/infra.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h \
- $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/util/iana_ports.inc
+ $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/edns-subnet/edns-subnet.h \
+ $(srcdir)/util/iana_ports.inc
configlexer.lo configlexer.o: util/configlexer.c config.h $(srcdir)/util/configyyrename.h \
- $(srcdir)/util/config_file.h util/configparser.h
+ $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h util/configparser.h
configparser.lo configparser.o: util/configparser.c config.h $(srcdir)/util/configyyrename.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/sldns/str2wire.h \
- $(srcdir)/sldns/rrdef.h
+ $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
+ $(srcdir)/util/random.h $(srcdir)/sldns/str2wire.h util/configparser.h
shm_main.lo shm_main.o: $(srcdir)/util/shm_side/shm_main.c config.h $(srcdir)/util/shm_side/shm_main.h \
$(srcdir)/libunbound/unbound.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
$(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \
- $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/services/mesh.h \
- $(srcdir)/util/rbtree.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
- $(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/respip/respip.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h \
- $(srcdir)/util/rtt.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/util/fptr_wlist.h \
- $(srcdir)/util/tube.h $(srcdir)/util/timeval_func.h
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \
+ $(srcdir)/services/authzone.h $(srcdir)/respip/respip.h $(srcdir)/services/cache/rrset.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
+ $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_nsec3.h \
+ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h
authzone.lo authzone.o: $(srcdir)/services/authzone.c config.h $(srcdir)/services/authzone.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h \
- $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
- $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/daemon/stats.h \
- $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/data/msgencode.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \
- $(srcdir)/services/cache/dns.h $(srcdir)/services/outside_network.h \
- $(srcdir)/services/listen_dnsport.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h \
- $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/keyraw.h $(srcdir)/validator/val_nsec3.h \
- $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/val_sigcrypt.h \
- $(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_utils.h
+ $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/util/config_file.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
+ $(srcdir)/respip/respip.h $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/services/cache/dns.h \
+ $(srcdir)/services/outside_network.h $(srcdir)/util/alloc.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/daemon/acl_list.h \
+ $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/keyraw.h \
+ $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_secalgo.h \
+ $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_utils.h
fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/outside_network.h $(srcdir)/services/cache/infra.h \
- $(srcdir)/util/rtt.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/dns64/dns64.h \
- $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \
- $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_anchor.h \
- $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_kentry.h \
- $(srcdir)/validator/val_neg.h $(srcdir)/validator/autotrust.h $(srcdir)/libunbound/libworker.h \
- $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/libunbound/unbound-event.h \
- $(srcdir)/libunbound/worker.h $(srcdir)/daemon/remote.h
+ $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/mini_event.h \
+ $(srcdir)/services/outside_network.h $(srcdir)/util/alloc.h $(srcdir)/util/regional.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/daemon/acl_list.h \
+ $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/rrset.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/dns64/dns64.h $(srcdir)/iterator/iterator.h \
+ $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/validator/validator.h \
+ $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_anchor.h \
+ $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_kentry.h $(srcdir)/validator/val_neg.h \
+ $(srcdir)/validator/autotrust.h $(srcdir)/libunbound/libworker.h $(srcdir)/libunbound/context.h \
+ $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/worker.h $(srcdir)/daemon/remote.h \
+ $(PYTHONMOD_HEADER) $(DYNLIBMOD_HEADER) $(srcdir)/cachedb/cachedb.h \
+ $(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/random.h $(srcdir)/util/data/dname.h $(srcdir)/edns-subnet/addrtree.h \
+ $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/ipset/ipset.h $(srcdir)/dnstap/dtstream.h
locks.lo locks.o: $(srcdir)/util/locks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
log.lo log.o: $(srcdir)/util/log.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/sldns/sbuffer.h
-mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/util/log.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
- $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \
- $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
- $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h
+mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h
module.lo module.o: $(srcdir)/util/module.c config.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/wire2str.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/random.h
netevent.lo netevent.o: $(srcdir)/util/netevent.c config.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/ub_event.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/tcp_conn_limit.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
- $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
- $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/sldns/str2wire.h \
- $(srcdir)/dnstap/dnstap.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/timeval_func.h
-proxy_protocol.lo proxy_protocol.o: $(srcdir)/util/proxy_protocol.c config.h \
- $(srcdir)/util/proxy_protocol.h $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/ub_event.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/tcp_conn_limit.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/fptr_wlist.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \
+ $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/proxy_protocol.h \
+ $(srcdir)/util/timeval_func.h $(srcdir)/sldns/str2wire.h $(srcdir)/dnstap/dnstap.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/daemon/acl_list.h \
+
net_help.lo net_help.o: $(srcdir)/util/net_help.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h \
- $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h
+ $(srcdir)/util/random.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/config_file.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h \
+
random.lo random.o: $(srcdir)/util/random.c config.h $(srcdir)/util/random.h $(srcdir)/util/log.h
rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c config.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
@@ -1023,442 +1066,609 @@ rbtree.lo rbtree.o: $(srcdir)/util/rbtre
regional.lo regional.o: $(srcdir)/util/regional.c config.h $(srcdir)/util/log.h $(srcdir)/util/regional.h
rtt.lo rtt.o: $(srcdir)/util/rtt.c config.h $(srcdir)/util/rtt.h $(srcdir)/iterator/iterator.h \
$(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h
-siphash.lo siphash.o: $(srcdir)/util/siphash.c
-rfc_1982.lo rfc_1982.o: $(srcdir)/util/rfc_1982.c
+ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h
+siphash.lo siphash.o: $(srcdir)/util/siphash.c config.h $(srcdir)/util/siphash.h
edns.lo edns.o: $(srcdir)/util/edns.c config.h $(srcdir)/util/edns.h $(srcdir)/util/storage/dnstree.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/config_file.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/regional.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h
+ $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/regional.h $(srcdir)/util/rfc_1982.h \
+ $(srcdir)/util/siphash.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/sldns/sbuffer.h
dnstree.lo dnstree.o: $(srcdir)/util/storage/dnstree.c config.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/util/log.h $(srcdir)/util/net_help.h
+ $(srcdir)/util/log.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h
lookup3.lo lookup3.o: $(srcdir)/util/storage/lookup3.c config.h $(srcdir)/util/storage/lookup3.h
lruhash.lo lruhash.o: $(srcdir)/util/storage/lruhash.c config.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h
+ $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/tube.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \
+ $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
+ $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h
slabhash.lo slabhash.o: $(srcdir)/util/storage/slabhash.c config.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
tcp_conn_limit.lo tcp_conn_limit.o: $(srcdir)/util/tcp_conn_limit.c config.h $(srcdir)/util/regional.h \
- $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/tcp_conn_limit.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/services/localzone.h \
- $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h
-timehist.lo timehist.o: $(srcdir)/util/timehist.c config.h $(srcdir)/util/timehist.h $(srcdir)/util/log.h
-tube.lo tube.o: $(srcdir)/util/tube.c config.h $(srcdir)/util/tube.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \
+ $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/random.h $(srcdir)/util/tcp_conn_limit.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/locks.h $(srcdir)/services/localzone.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h
+timehist.lo timehist.o: $(srcdir)/util/timehist.c config.h $(srcdir)/util/timehist.h $(srcdir)/util/log.h \
+ $(srcdir)/util/timeval_func.h
+tube.lo tube.o: $(srcdir)/util/tube.c config.h $(srcdir)/util/tube.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/random.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
$(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/ub_event.h
+proxy_protocol.lo proxy_protocol.o: $(srcdir)/util/proxy_protocol.c $(srcdir)/util/proxy_protocol.h config.h
+timeval_func.lo timeval_func.o: $(srcdir)/util/timeval_func.c config.h $(srcdir)/util/timeval_func.h
ub_event.lo ub_event.o: $(srcdir)/util/ub_event.c config.h $(srcdir)/util/ub_event.h $(srcdir)/util/log.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/tube.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h $(srcdir)/daemon/remote.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/tube.h $(srcdir)/daemon/remote.h \
+ $(srcdir)/dnstap/dtstream.h
ub_event_pluggable.lo ub_event_pluggable.o: $(srcdir)/util/ub_event_pluggable.c config.h $(srcdir)/util/ub_event.h \
$(srcdir)/libunbound/unbound-event.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
+ $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h
winsock_event.lo winsock_event.o: $(srcdir)/util/winsock_event.c config.h
autotrust.lo autotrust.o: $(srcdir)/validator/autotrust.c config.h $(srcdir)/validator/autotrust.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_utils.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/dname.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/random.h $(srcdir)/services/mesh.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/dname.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/random.h $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/services/mesh.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h \
$(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
$(srcdir)/respip/respip.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/validator/val_kcache.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h
+ $(srcdir)/validator/val_kcache.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h \
+
val_anchor.lo val_anchor.o: $(srcdir)/validator/val_anchor.c config.h $(srcdir)/validator/val_anchor.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_sigcrypt.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/validator/autotrust.h $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/as112.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/validator/autotrust.h $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/random.h $(srcdir)/util/config_file.h $(srcdir)/util/as112.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/sldns/str2wire.h
validator.lo validator.o: $(srcdir)/validator/validator.c config.h $(srcdir)/validator/validator.h \
$(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h \
- $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h $(srcdir)/validator/val_kcache.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/validator/val_kentry.h $(srcdir)/validator/val_nsec.h \
- $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_neg.h $(srcdir)/validator/val_sigcrypt.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/validator/val_utils.h \
+ $(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/validator/val_anchor.h \
+ $(srcdir)/validator/val_kcache.h $(srcdir)/util/storage/slabhash.h $(srcdir)/validator/val_kentry.h \
+ $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_neg.h $(srcdir)/validator/val_sigcrypt.h \
$(srcdir)/validator/autotrust.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
- $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
- $(srcdir)/respip/respip.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
+ $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \
+ $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
val_kcache.lo val_kcache.o: $(srcdir)/validator/val_kcache.c config.h $(srcdir)/validator/val_kcache.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/validator/val_kentry.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h
+ $(srcdir)/validator/val_kentry.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/config_file.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h
val_kentry.lo val_kentry.o: $(srcdir)/validator/val_kentry.c config.h $(srcdir)/validator/val_kentry.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h
-val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h $(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h \
- $(srcdir)/util/log.h $(srcdir)/util/rbtree.h $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h \
+ $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/sldns/keyraw.h \
+
+val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h \
+ $(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \
$(srcdir)/util/config_file.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/services/cache/dns.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/services/cache/dns.h $(srcdir)/sldns/sbuffer.h
val_nsec3.lo val_nsec3.o: $(srcdir)/validator/val_nsec3.c config.h $(srcdir)/validator/val_nsec3.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/validator.h \
- $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_kentry.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/regional.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/validator/val_nsec.h $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_secalgo.h \
+ $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/validator/val_utils.h \
+ $(srcdir)/validator/val_kentry.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/data/dname.h \
+ $(srcdir)/validator/val_nsec.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h
val_nsec.lo val_nsec.o: $(srcdir)/validator/val_nsec.c config.h $(srcdir)/validator/val_nsec.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/validator/val_utils.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h
+ $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h
val_secalgo.lo val_secalgo.o: $(srcdir)/validator/val_secalgo.c config.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h \
$(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
- $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/sldns/sbuffer.h \
+
val_sigcrypt.lo val_sigcrypt.o: $(srcdir)/validator/val_sigcrypt.c config.h \
$(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h $(srcdir)/validator/val_secalgo.h \
- $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/rbtree.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
- $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h \
- $(srcdir)/sldns/wire2str.h
+ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/validator.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/validator/val_utils.h \
+ $(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/util/data/dname.h $(srcdir)/util/rfc_1982.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h \
+ $(srcdir)/sldns/keyraw.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h $(srcdir)/services/mesh.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/services/authzone.h \
+ $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \
+
val_utils.lo val_utils.o: $(srcdir)/validator/val_utils.c config.h $(srcdir)/validator/val_utils.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_kentry.h \
- $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h \
- $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_neg.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/wire2str.h \
- $(srcdir)/sldns/parseutil.h
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/validator/validator.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/validator/val_nsec3.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/validator/val_kentry.h $(srcdir)/validator/val_sigcrypt.h \
+ $(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_neg.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/config_file.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h
dns64.lo dns64.o: $(srcdir)/dns64/dns64.c config.h $(srcdir)/dns64/dns64.h $(srcdir)/util/module.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/util/config_file.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h \
$(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
$(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
$(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/str2wire.h
-edns-subnet.lo edns-subnet.o: $(srcdir)/edns-subnet/edns-subnet.c config.h
-subnetmod.lo subnetmod.o: $(srcdir)/edns-subnet/subnetmod.c config.h
+ $(srcdir)/util/random.h $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/str2wire.h
+edns-subnet.lo edns-subnet.o: $(srcdir)/edns-subnet/edns-subnet.c config.h \
+ $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/random.h
+subnetmod.lo subnetmod.o: $(srcdir)/edns-subnet/subnetmod.c config.h $(srcdir)/edns-subnet/subnetmod.h \
+ $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/services/outbound_list.h \
+ $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h \
+ $(srcdir)/edns-subnet/subnet-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
+ $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \
+ $(srcdir)/services/cache/dns.h $(srcdir)/util/regional.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
+ $(srcdir)/sldns/wire2str.h $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h \
+ $(srcdir)/cachedb/cachedb.h
addrtree.lo addrtree.o: $(srcdir)/edns-subnet/addrtree.c config.h $(srcdir)/util/log.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/edns-subnet/addrtree.h
-subnet-whitelist.lo subnet-whitelist.o: $(srcdir)/edns-subnet/subnet-whitelist.c config.h
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/edns-subnet/addrtree.h
+subnet-whitelist.lo subnet-whitelist.o: $(srcdir)/edns-subnet/subnet-whitelist.c config.h \
+ $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/random.h \
+ $(srcdir)/edns-subnet/subnet-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h
+cachedb.lo cachedb.o: $(srcdir)/cachedb/cachedb.c config.h $(srcdir)/cachedb/cachedb.h $(srcdir)/util/module.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/cachedb/redis.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/random.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h \
+ $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h \
+ $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
+ $(srcdir)/respip/respip.h $(srcdir)/validator/val_neg.h $(srcdir)/validator/val_secalgo.h \
+ $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h $(srcdir)/sldns/parseutil.h \
+ $(srcdir)/sldns/wire2str.h
+redis.lo redis.o: $(srcdir)/cachedb/redis.c config.h $(srcdir)/cachedb/redis.h $(srcdir)/cachedb/cachedb.h \
+ $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/alloc.h $(srcdir)/util/config_file.h \
+ $(srcdir)/util/timeval_func.h $(srcdir)/sldns/sbuffer.h
respip.lo respip.o: $(srcdir)/respip/respip.c config.h $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/module.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/services/view.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/services/modstack.h \
- $(srcdir)/services/rpz.h $(srcdir)/util/config_file.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/services/cache/dns.h \
- $(srcdir)/sldns/str2wire.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/regional.h
+ $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/util/config_file.h $(srcdir)/daemon/stats.h \
+ $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \
+ $(srcdir)/services/cache/dns.h $(srcdir)/sldns/str2wire.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h
checklocks.lo checklocks.o: $(srcdir)/testcode/checklocks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/testcode/checklocks.h
-ipsecmod.lo ipsecmod.o: $(srcdir)/ipsecmod/ipsecmod.c config.h
-ipsecmod-whitelist.lo ipsecmod-whitelist.o: $(srcdir)/ipsecmod/ipsecmod-whitelist.c config.h
+dnstap.lo dnstap.o: $(srcdir)/dnstap/dnstap.c config.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
+ $(srcdir)/util/random.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h \
+ $(srcdir)/dnstap/dnstap.h $(srcdir)/dnstap/dtstream.h dnstap/dnstap.pb-c.h
+dnstap.pb-c.lo dnstap.pb-c.o: dnstap/dnstap.pb-c.c dnstap/dnstap.pb-c.h
+dnstap_fstrm.lo dnstap_fstrm.o: $(srcdir)/dnstap/dnstap_fstrm.c config.h $(srcdir)/dnstap/dnstap_fstrm.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h
+dtstream.lo dtstream.o: $(srcdir)/dnstap/dtstream.c config.h $(srcdir)/dnstap/dtstream.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/log.h $(srcdir)/dnstap/dnstap_fstrm.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/ub_event.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/services/outside_network.h \
+ $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/netevent.h \
+ $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/sldns/sbuffer.h \
+
+dnscrypt.lo dnscrypt.o: $(srcdir)/dnscrypt/dnscrypt.c config.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
+ $(srcdir)/util/random.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/storage/lookup3.h
+ipsecmod.lo ipsecmod.o: $(srcdir)/ipsecmod/ipsecmod.c config.h $(srcdir)/ipsecmod/ipsecmod.h \
+ $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/ipsecmod/ipsecmod-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/fptr_wlist.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \
+ $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h \
+ $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
+ $(srcdir)/respip/respip.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \
+ $(srcdir)/services/cache/dns.h $(srcdir)/sldns/wire2str.h
+ipsecmod-whitelist.lo ipsecmod-whitelist.o: $(srcdir)/ipsecmod/ipsecmod-whitelist.c config.h \
+ $(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/ipsecmod/ipsecmod-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/str2wire.h
+ipset.lo ipset.o: $(srcdir)/ipset/ipset.c config.h $(srcdir)/ipset/ipset.h $(srcdir)/util/module.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \
+ $(srcdir)/util/config_file.h $(srcdir)/services/cache/dns.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h \
+ $(srcdir)/sldns/parseutil.h
unitanchor.lo unitanchor.o: $(srcdir)/testcode/unitanchor.c config.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/testcode/unitmain.h \
$(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h
unitdname.lo unitdname.o: $(srcdir)/testcode/unitdname.c config.h $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
+ $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
unitlruhash.lo unitlruhash.o: $(srcdir)/testcode/unitlruhash.c config.h $(srcdir)/testcode/unitmain.h \
$(srcdir)/util/log.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/storage/slabhash.h
-unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
- $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/rtt.h $(srcdir)/util/timehist.h $(srcdir)/iterator/iterator.h \
- $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/libunbound/unbound.h $(srcdir)/services/cache/infra.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/random.h $(srcdir)/respip/respip.h \
- $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/services/outside_network.h
+unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
+ $(srcdir)/util/log.h \
+ $(srcdir)/testcode/unitmain.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/random.h $(srcdir)/util/config_file.h $(srcdir)/util/rtt.h $(srcdir)/util/timehist.h \
+ $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/edns.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/respip/respip.h \
+ $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/sldns/str2wire.h
unitmsgparse.lo unitmsgparse.o: $(srcdir)/testcode/unitmsgparse.c config.h $(srcdir)/util/log.h \
$(srcdir)/testcode/unitmain.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/alloc.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/testcode/readhex.h \
- $(srcdir)/testcode/testpkts.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
+ $(srcdir)/util/alloc.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \
+ $(srcdir)/testcode/readhex.h $(srcdir)/testcode/testpkts.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h \
+ $(srcdir)/sldns/wire2str.h
unitneg.lo unitneg.o: $(srcdir)/testcode/unitneg.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/util/data/dname.h $(srcdir)/testcode/unitmain.h $(srcdir)/validator/val_neg.h $(srcdir)/util/rbtree.h \
- $(srcdir)/sldns/rrdef.h
+ $(srcdir)/util/random.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/locks.h $(srcdir)/util/data/dname.h $(srcdir)/testcode/unitmain.h $(srcdir)/validator/val_neg.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/sldns/rrdef.h
unitregional.lo unitregional.o: $(srcdir)/testcode/unitregional.c config.h $(srcdir)/testcode/unitmain.h \
$(srcdir)/util/log.h $(srcdir)/util/regional.h
unitslabhash.lo unitslabhash.o: $(srcdir)/testcode/unitslabhash.c config.h $(srcdir)/testcode/unitmain.h \
$(srcdir)/util/log.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h
unitverify.lo unitverify.o: $(srcdir)/testcode/unitverify.c config.h $(srcdir)/util/log.h \
$(srcdir)/testcode/unitmain.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/validator/val_secalgo.h $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_nsec3.h \
$(srcdir)/util/rbtree.h $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h \
- $(srcdir)/testcode/testpkts.h $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h $(srcdir)/util/alloc.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/keyraw.h \
- $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
+ $(srcdir)/util/data/msgparse.h $(srcdir)/validator/val_utils.h $(srcdir)/testcode/testpkts.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/random.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/keyraw.h \
+ $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h \
+
readhex.lo readhex.o: $(srcdir)/testcode/readhex.c config.h $(srcdir)/testcode/readhex.h $(srcdir)/util/log.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h
testpkts.lo testpkts.o: $(srcdir)/testcode/testpkts.c config.h $(srcdir)/testcode/testpkts.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
+ $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/random.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
unitldns.lo unitldns.o: $(srcdir)/testcode/unitldns.c config.h $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h \
$(srcdir)/sldns/parseutil.h
-unitecs.lo unitecs.o: $(srcdir)/testcode/unitecs.c config.h
+unitecs.lo unitecs.o: $(srcdir)/testcode/unitecs.c config.h $(srcdir)/util/log.h $(srcdir)/util/module.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/testcode/unitmain.h $(srcdir)/edns-subnet/addrtree.h \
+ $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/services/outbound_list.h $(srcdir)/util/alloc.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/data/dname.h \
+ $(srcdir)/edns-subnet/edns-subnet.h
unitauth.lo unitauth.o: $(srcdir)/testcode/unitauth.c config.h $(srcdir)/services/authzone.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h \
- $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
- $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/daemon/stats.h \
- $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/testcode/unitmain.h \
- $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/services/cache/dns.h $(srcdir)/sldns/str2wire.h \
- $(srcdir)/sldns/wire2str.h
+ $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/util/config_file.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
+ $(srcdir)/respip/respip.h $(srcdir)/testcode/unitmain.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/random.h $(srcdir)/services/cache/dns.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
unitzonemd.lo unitzonemd.o: $(srcdir)/testcode/unitzonemd.c config.h $(srcdir)/util/log.h \
$(srcdir)/testcode/unitmain.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/authzone.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \
- $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h \
- $(srcdir)/validator/val_anchor.h
-unittcpreuse.lo unittcpreuse.o: $(srcdir)/testcode/unittcpreuse.c config.h $(srcdir)/services/outside_network.h \
-$(srcdir)/util/random.h
-unitinfra.lo unitinfra.o: $(srcdir)/testcode/unitinfra.c config.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/iterator/iterator.h
+ $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h \
+ $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/daemon/stats.h \
+ $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/data/dname.h \
+ $(srcdir)/util/regional.h $(srcdir)/validator/val_anchor.h
+unittcpreuse.lo unittcpreuse.o: $(srcdir)/testcode/unittcpreuse.c config.h $(srcdir)/testcode/unitmain.h \
+ $(srcdir)/util/log.h $(srcdir)/util/random.h $(srcdir)/services/outside_network.h $(srcdir)/util/alloc.h \
+ $(srcdir)/util/locks.h $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/netevent.h \
+ $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
+
+unitdoq.lo unitdoq.o: $(srcdir)/testcode/unitdoq.c config.h $(srcdir)/util/netevent.h \
+ $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/util/rbtree.h $(srcdir)/daemon/acl_list.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
+ $(srcdir)/testcode/unitmain.h
+unitinfra.lo unitinfra.o: $(srcdir)/testcode/unitinfra.c config.h $(srcdir)/testcode/unitmain.h $(srcdir)/util/log.h \
+ $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h
acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/locks.h \
- $(srcdir)/util/log.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
- $(srcdir)/services/localzone.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h
-cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h $(srcdir)/daemon/cachedump.h \
- $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
+ $(srcdir)/util/log.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/services/localzone.h $(srcdir)/util/module.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/sldns/str2wire.h
+cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h \
+ $(srcdir)/daemon/cachedump.h $(srcdir)/daemon/remote.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h \
+ $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
$(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h \
$(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h \
- $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/iterator/iterator.h \
+ $(srcdir)/services/outside_network.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/config_file.h $(srcdir)/iterator/iterator.h \
$(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h \
$(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
- $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/util/config_file.h $(srcdir)/services/outside_network.h
-daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \
- $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
- $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \
- $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
- $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h \
- $(srcdir)/util/storage/lookup3.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/tcp_conn_limit.h \
- $(srcdir)/util/edns.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/services/localzone.h \
- $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/respip/respip.h \
- $(srcdir)/util/random.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h \
- $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h
-remote.lo remote.o: $(srcdir)/daemon/remote.c config.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h \
+ $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
+daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
+ $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
+ $(srcdir)/daemon/worker.h \
$(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/alloc.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h \
- $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \
+ $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
+ $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/util/storage/lookup3.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/util/tcp_conn_limit.h $(srcdir)/util/edns.h \
+ $(srcdir)/services/listen_dnsport.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
+ $(srcdir)/services/localzone.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \
+ $(srcdir)/respip/respip.h $(srcdir)/util/random.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h \
+ $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/cachedb/cachedb.h
+remote.lo remote.o: $(srcdir)/daemon/remote.c config.h \
+ $(srcdir)/daemon/remote.h \
+ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
+ $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \
$(srcdir)/services/modstack.h $(srcdir)/daemon/cachedump.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/net_help.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \
- $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/services/authzone.h $(srcdir)/respip/respip.h \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/data/dname.h $(srcdir)/validator/validator.h \
- $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_kentry.h \
- $(srcdir)/validator/val_anchor.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \
- $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/iterator/iter_delegpt.h \
- $(srcdir)/services/outside_network.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/parseutil.h \
- $(srcdir)/sldns/wire2str.h $(srcdir)/util/edns.h \
- $(srcdir)/util/locks.h $(srcdir)/util/ub_event.h \
- $(srcdir)/util/tcp_conn_limit.h $(srcdir)/util/edns.h $(srcdir)/validator/val_neg.h \
- $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_donotq.h $(srcdir)/iterator/iter_priv.h
+ $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/ub_event.h $(srcdir)/services/listen_dnsport.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h \
+ $(srcdir)/util/rtt.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
+ $(srcdir)/services/authzone.h $(srcdir)/respip/respip.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
+ $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_kentry.h \
+ $(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_neg.h $(srcdir)/iterator/iterator.h \
+ $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
+ $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h \
+ $(srcdir)/iterator/iter_donotq.h $(srcdir)/iterator/iter_priv.h $(srcdir)/services/outside_network.h \
+ $(srcdir)/util/regional.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h \
+ $(srcdir)/util/timeval_func.h $(srcdir)/util/tcp_conn_limit.h $(srcdir)/util/edns.h $(srcdir)/cachedb/cachedb.h \
+ $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h
stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
$(srcdir)/libunbound/unbound.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
+ $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
$(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/respip/respip.h \
- $(srcdir)/services/outside_network.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/tube.h \
- $(srcdir)/util/net_help.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
- $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
- $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_neg.h
+ $(srcdir)/services/outside_network.h $(srcdir)/util/regional.h $(srcdir)/services/listen_dnsport.h \
+ $(srcdir)/daemon/acl_list.h \
+ $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/validator/validator.h \
+ $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_nsec3.h $(srcdir)/iterator/iterator.h \
+ $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h \
+ $(srcdir)/validator/val_neg.h $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/data/dname.h \
+ $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h \
+
unbound.lo unbound.o: $(srcdir)/daemon/unbound.c config.h $(srcdir)/util/log.h $(srcdir)/daemon/daemon.h \
$(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
- $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/services/listen_dnsport.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h \
- $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
- $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
- $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/ub_event.h
+ $(srcdir)/daemon/remote.h \
+ $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h \
+ $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h \
+ $(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
+ $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h \
+ $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/ub_event.h
worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
$(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/timeval_func.h \
- $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
$(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \
- $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
+ $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h \
+ $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/services/listen_dnsport.h \
$(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
$(srcdir)/services/cache/dns.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \
$(srcdir)/services/localzone.h $(srcdir)/respip/respip.h $(srcdir)/util/data/msgencode.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/edns.h \
- $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/iterator/iter_utils.h \
- $(srcdir)/iterator/iter_resptype.h $(srcdir)/validator/autotrust.h $(srcdir)/validator/val_anchor.h \
- $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/libworker.h \
- $(srcdir)/sldns/wire2str.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/dnstap/dtstream.h
+ $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/proxy_protocol.h \
+ $(srcdir)/util/edns.h $(srcdir)/util/timeval_func.h $(srcdir)/iterator/iter_fwd.h \
+ $(srcdir)/iterator/iter_hints.h $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h \
+ $(srcdir)/validator/autotrust.h $(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h \
+ $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h \
+ $(srcdir)/util/shm_side/shm_main.h $(srcdir)/dnstap/dtstream.h
testbound.lo testbound.o: $(srcdir)/testcode/testbound.c config.h $(srcdir)/testcode/testpkts.h \
$(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h \
- $(srcdir)/daemon/remote.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c $(srcdir)/daemon/daemon.h \
- $(srcdir)/util/alloc.h $(srcdir)/util/timeval_func.h $(srcdir)/services/modstack.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
- $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \
- $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
- $(srcdir)/respip/respip.h $(srcdir)/util/net_help.h $(srcdir)/util/ub_event.h $(srcdir)/daemon/worker.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h $(srcdir)/daemon/remote.h \
+ $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/daemon/worker.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/daemon/stats.h \
+ $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
+ $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h \
+ $(srcdir)/daemon/unbound.c $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h $(srcdir)/daemon/acl_list.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
+ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \
+ $(srcdir)/services/localzone.h $(srcdir)/services/authzone.h $(srcdir)/respip/respip.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/random.h $(srcdir)/util/ub_event.h
testpkts.lo testpkts.o: $(srcdir)/testcode/testpkts.c config.h $(srcdir)/testcode/testpkts.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
+ $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/random.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
$(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/timeval_func.h \
- $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
$(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \
- $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
+ $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h \
+ $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/services/listen_dnsport.h \
$(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
$(srcdir)/services/cache/dns.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \
$(srcdir)/services/localzone.h $(srcdir)/respip/respip.h $(srcdir)/util/data/msgencode.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/edns.h \
- $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/iterator/iter_utils.h \
- $(srcdir)/iterator/iter_resptype.h $(srcdir)/validator/autotrust.h $(srcdir)/validator/val_anchor.h \
- $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/libworker.h \
- $(srcdir)/sldns/wire2str.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/dnstap/dtstream.h
+ $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/proxy_protocol.h \
+ $(srcdir)/util/edns.h $(srcdir)/util/timeval_func.h $(srcdir)/iterator/iter_fwd.h \
+ $(srcdir)/iterator/iter_hints.h $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h \
+ $(srcdir)/validator/autotrust.h $(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h \
+ $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h \
+ $(srcdir)/util/shm_side/shm_main.h $(srcdir)/dnstap/dtstream.h
acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/locks.h \
- $(srcdir)/util/log.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
- $(srcdir)/services/localzone.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h
-daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \
- $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
- $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \
- $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
- $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h \
- $(srcdir)/util/storage/lookup3.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/tcp_conn_limit.h \
- $(srcdir)/util/edns.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/services/localzone.h \
- $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/respip/respip.h \
- $(srcdir)/util/random.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h
+ $(srcdir)/util/log.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/services/localzone.h $(srcdir)/util/module.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/sldns/str2wire.h
+daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
+ $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
+ $(srcdir)/daemon/worker.h \
+ $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h \
+ $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
+ $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/util/storage/lookup3.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/util/tcp_conn_limit.h $(srcdir)/util/edns.h \
+ $(srcdir)/services/listen_dnsport.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
+ $(srcdir)/services/localzone.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \
+ $(srcdir)/respip/respip.h $(srcdir)/util/random.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h \
+ $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/cachedb/cachedb.h
stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
$(srcdir)/libunbound/unbound.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
+ $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
$(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/respip/respip.h \
- $(srcdir)/services/outside_network.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/tube.h \
- $(srcdir)/util/net_help.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
- $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
- $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_neg.h
+ $(srcdir)/services/outside_network.h $(srcdir)/util/regional.h $(srcdir)/services/listen_dnsport.h \
+ $(srcdir)/daemon/acl_list.h \
+ $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/validator/validator.h \
+ $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_nsec3.h $(srcdir)/iterator/iterator.h \
+ $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h \
+ $(srcdir)/validator/val_neg.h $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/data/dname.h \
+ $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h \
+
replay.lo replay.o: $(srcdir)/testcode/replay.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/config_file.h $(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/testcode/testpkts.h $(srcdir)/util/rbtree.h $(srcdir)/util/timeval_func.h \
- $(srcdir)/testcode/fake_event.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
+ $(srcdir)/util/random.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/testcode/replay.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h \
+ $(srcdir)/testcode/testpkts.h $(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h $(srcdir)/sldns/str2wire.h \
+ $(srcdir)/util/timeval_func.h
fake_event.lo fake_event.o: $(srcdir)/testcode/fake_event.c config.h $(srcdir)/testcode/fake_event.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/edns.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/config_file.h \
- $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h $(srcdir)/util/timeval_func.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/util/edns.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/config_file.h $(srcdir)/services/listen_dnsport.h $(srcdir)/daemon/acl_list.h \
+ $(srcdir)/services/view.h \
+ $(srcdir)/services/outside_network.h $(srcdir)/util/alloc.h $(srcdir)/util/regional.h \
$(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
$(srcdir)/testcode/replay.h $(srcdir)/testcode/testpkts.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
$(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \
- $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h \
- $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \
- $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/daemon/remote.h $(srcdir)/util/storage/slabhash.h $(srcdir)/daemon/daemon.h
+ $(srcdir)/services/localzone.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
+ $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/sldns/wire2str.h \
+ $(srcdir)/sldns/str2wire.h $(srcdir)/daemon/remote.h \
+ $(srcdir)/daemon/daemon.h $(srcdir)/util/timeval_func.h
lock_verify.lo lock_verify.o: $(srcdir)/testcode/lock_verify.c config.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/locks.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
- $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h
+ $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \
+ $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h \
+ $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h
pktview.lo pktview.o: $(srcdir)/testcode/pktview.c config.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/testcode/unitmain.h $(srcdir)/testcode/readhex.h $(srcdir)/sldns/sbuffer.h \
@@ -1467,133 +1677,156 @@ readhex.lo readhex.o: $(srcdir)/testcode
$(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h
memstats.lo memstats.o: $(srcdir)/testcode/memstats.c config.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/locks.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
- $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h
+ $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \
+ $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h \
+ $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h
unbound-checkconf.lo unbound-checkconf.o: $(srcdir)/smallapp/unbound-checkconf.c config.h $(srcdir)/util/log.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
- $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \
- $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_hints.h $(srcdir)/util/storage/dnstree.h \
- $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/services/localzone.h \
- $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/sldns/str2wire.h
+ $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/locks.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \
+ $(srcdir)/util/regional.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \
+ $(srcdir)/iterator/iter_fwd.h $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_hints.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
+ $(srcdir)/validator/val_nsec3.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h \
+ $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/daemon/acl_list.h \
+ $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \
+ $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \
+ $(srcdir)/sldns/str2wire.h $(PYTHONMOD_HEADER) $(srcdir)/edns-subnet/subnet-whitelist.h
worker_cb.lo worker_cb.o: $(srcdir)/smallapp/worker_cb.c config.h $(srcdir)/libunbound/context.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
$(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
- $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \
- $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h
+ $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \
+ $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
+ $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
+ $(srcdir)/respip/respip.h $(srcdir)/dnstap/dtstream.h
context.lo context.o: $(srcdir)/libunbound/context.c config.h $(srcdir)/libunbound/context.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
$(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/net_help.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/random.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h \
$(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/daemon/stats.h \
- $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h $(srcdir)/util/edns.h \
- $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h
+ $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h $(srcdir)/services/listen_dnsport.h \
+ $(srcdir)/daemon/acl_list.h \
+ $(srcdir)/util/edns.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h
libunbound.lo libunbound.o: $(srcdir)/libunbound/libunbound.c $(srcdir)/libunbound/unbound.h \
$(srcdir)/libunbound/unbound-event.h config.h $(srcdir)/libunbound/context.h $(srcdir)/util/locks.h \
$(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/libunbound/libworker.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h \
- $(srcdir)/util/random.h $(srcdir)/util/net_help.h $(srcdir)/util/tube.h $(srcdir)/util/ub_event.h $(srcdir)/util/edns.h \
+ $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/regional.h $(srcdir)/util/random.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/tube.h $(srcdir)/util/ub_event.h $(srcdir)/util/edns.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \
- $(srcdir)/services/rpz.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h \
+ $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/authzone.h \
+ $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
+ $(srcdir)/respip/respip.h $(srcdir)/services/listen_dnsport.h $(srcdir)/daemon/acl_list.h \
$(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h
-libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h $(srcdir)/libunbound/libworker.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/worker.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/services/outside_network.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \
- $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/outbound_list.h \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/regional.h $(srcdir)/util/random.h \
- $(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/data/msgencode.h $(srcdir)/sldns/str2wire.h
+libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h \
+ $(srcdir)/libunbound/libworker.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/unbound-event.h \
+ $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/outside_network.h \
+ $(srcdir)/util/regional.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
+ $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h $(srcdir)/services/cache/rrset.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/outbound_list.h $(srcdir)/util/fptr_wlist.h \
+ $(srcdir)/util/tube.h $(srcdir)/util/random.h $(srcdir)/util/proxy_protocol.h $(srcdir)/util/storage/lookup3.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/sldns/str2wire.h \
+ $(srcdir)/dnstap/dtstream.h
unbound-host.lo unbound-host.o: $(srcdir)/smallapp/unbound-host.c config.h $(srcdir)/libunbound/unbound.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h \
+
asynclook.lo asynclook.o: $(srcdir)/testcode/asynclook.c config.h $(srcdir)/libunbound/unbound.h \
$(srcdir)/libunbound/context.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/rrdef.h
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/rrdef.h \
+
streamtcp.lo streamtcp.o: $(srcdir)/testcode/streamtcp.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/proxy_protocol.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/proxy_protocol.h \
+ $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
+ $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h \
+
perf.lo perf.o: $(srcdir)/testcode/perf.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
+ $(srcdir)/util/random.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h \
+ $(srcdir)/sldns/str2wire.h
delayer.lo delayer.o: $(srcdir)/testcode/delayer.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
- $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
-unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h $(srcdir)/util/log.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h $(srcdir)/util/shm_side/shm_main.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/sldns/wire2str.h \
+ $(srcdir)/util/random.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h
+unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h \
+ $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/random.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/libunbound/unbound.h \
+ $(srcdir)/util/timeval_func.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/sldns/wire2str.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h \
- $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/services/modstack.h $(srcdir)/respip/respip.h \
- $(srcdir)/services/listen_dnsport.h
+ $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/services/modstack.h $(srcdir)/respip/respip.h $(srcdir)/services/listen_dnsport.h \
+ $(srcdir)/daemon/acl_list.h \
+
unbound-anchor.lo unbound-anchor.o: $(srcdir)/smallapp/unbound-anchor.c config.h $(srcdir)/libunbound/unbound.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h
-petal.lo petal.o: $(srcdir)/testcode/petal.c config.h
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h \
+
+petal.lo petal.o: $(srcdir)/testcode/petal.c config.h \
+
unbound-dnstap-socket.lo unbound-dnstap-socket.o: $(srcdir)/dnstap/unbound-dnstap-socket.c config.h \
$(srcdir)/dnstap/dtstream.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/dnstap/dnstap_fstrm.h \
- $(srcdir)/util/ub_event.h $(srcdir)/util/net_help.h $(srcdir)/services/listen_dnsport.h \
+ $(srcdir)/util/ub_event.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/services/listen_dnsport.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/daemon/worker.h \
- $(srcdir)/libunbound/worker.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \
- $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
+ $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/pkthdr.h dnstap/dnstap.pb-c.h \
+ $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/util/alloc.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
$(srcdir)/daemon/remote.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
- $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \
- $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
+ $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
$(srcdir)/services/authzone.h $(srcdir)/respip/respip.h $(srcdir)/libunbound/context.h \
$(srcdir)/libunbound/unbound-event.h
pythonmod_utils.lo pythonmod_utils.o: $(srcdir)/pythonmod/pythonmod_utils.c config.h \
$(srcdir)/pythonmod/pythonmod_utils.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/net_help.h \
- $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/util/regional.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/netevent.h \
+ $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/services/cache/dns.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/regional.h \
+ $(srcdir)/iterator/iter_delegpt.h $(srcdir)/sldns/sbuffer.h \
+
win_svc.lo win_svc.o: $(srcdir)/winrc/win_svc.c config.h $(srcdir)/winrc/win_svc.h $(srcdir)/winrc/w_inst.h \
$(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
$(srcdir)/daemon/worker.h \
$(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h \
- $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h \
- $(srcdir)/util/net_help.h
+ $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h
w_inst.lo w_inst.o: $(srcdir)/winrc/w_inst.c config.h $(srcdir)/winrc/w_inst.h $(srcdir)/winrc/win_svc.h
unbound-service-install.lo unbound-service-install.o: $(srcdir)/winrc/unbound-service-install.c config.h \
$(srcdir)/winrc/w_inst.h
@@ -1601,12 +1834,14 @@ unbound-service-remove.lo unbound-servic
$(srcdir)/winrc/w_inst.h
anchor-update.lo anchor-update.o: $(srcdir)/winrc/anchor-update.c config.h $(srcdir)/libunbound/unbound.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/wire2str.h
-keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h $(srcdir)/sldns/rrdef.h
+keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h \
+ $(srcdir)/sldns/rrdef.h \
+
sbuffer.lo sbuffer.o: $(srcdir)/sldns/sbuffer.c config.h $(srcdir)/sldns/sbuffer.h
wire2str.lo wire2str.o: $(srcdir)/sldns/wire2str.c config.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/sldns/keyraw.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/util/log.h
+ $(srcdir)/sldns/keyraw.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
parse.lo parse.o: $(srcdir)/sldns/parse.c config.h $(srcdir)/sldns/parse.h $(srcdir)/sldns/parseutil.h \
$(srcdir)/sldns/sbuffer.h
parseutil.lo parseutil.o: $(srcdir)/sldns/parseutil.c config.h $(srcdir)/sldns/parseutil.h
@@ -1617,8 +1852,23 @@ dohclient.lo dohclient.o: $(srcdir)/test
$(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h \
$(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/util/net_help.h
-readzone.lo readzone.o: $(srcdir)/testcode/readzone.c
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \
+
+doqclient.lo doqclient.o: $(srcdir)/testcode/doqclient.c config.h \
+ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/data/dname.h $(srcdir)/util/ub_event.h \
+ $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/alloc.h $(srcdir)/daemon/stats.h \
+ $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
+ $(srcdir)/daemon/remote.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \
+ $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
+ $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/respip/respip.h \
+ $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound-event.h
+readzone.lo readzone.o: $(srcdir)/testcode/readzone.c config.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/sldns/wire2str.h
ctime_r.lo ctime_r.o: $(srcdir)/compat/ctime_r.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
fake-rfc2553.lo fake-rfc2553.o: $(srcdir)/compat/fake-rfc2553.c $(srcdir)/compat/fake-rfc2553.h config.h
gmtime_r.lo gmtime_r.o: $(srcdir)/compat/gmtime_r.c config.h
@@ -1633,9 +1883,11 @@ strlcat.lo strlcat.o: $(srcdir)/compat/s
strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c config.h
strptime.lo strptime.o: $(srcdir)/compat/strptime.c config.h
getentropy_freebsd.lo getentropy_freebsd.o: $(srcdir)/compat/getentropy_freebsd.c
-getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h
+getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h \
+
getentropy_osx.lo getentropy_osx.o: $(srcdir)/compat/getentropy_osx.c
-getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h
+getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h \
+
getentropy_win.lo getentropy_win.o: $(srcdir)/compat/getentropy_win.c
explicit_bzero.lo explicit_bzero.o: $(srcdir)/compat/explicit_bzero.c config.h
arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c config.h $(srcdir)/compat/chacha_private.h
Index: config.h.in
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/config.h.in,v
diff -u -p -r1.34 config.h.in
--- config.h.in 31 Aug 2025 21:41:09 -0000 1.34
+++ config.h.in 22 Sep 2025 21:08:22 -0000
@@ -173,6 +173,10 @@
0 if you don't. */
#undef HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
+/* Define to 1 if you have the declaration of `SSL_CTX_set_tmp_ecdh', and to 0
+ if you don't. */
+#undef HAVE_DECL_SSL_CTX_SET_TMP_ECDH
+
/* Define to 1 if you have the declaration of `strlcat', and to 0 if you
don't. */
#undef HAVE_DECL_STRLCAT
@@ -477,6 +481,9 @@
`ngtcp2_crypto_quictls_from_ossl_encryption_level' function. */
#undef HAVE_NGTCP2_CRYPTO_QUICTLS_FROM_OSSL_ENCRYPTION_LEVEL
+/* Define to 1 if you have the `ngtcp2_crypto_quictls_init' function. */
+#undef HAVE_NGTCP2_CRYPTO_QUICTLS_INIT
+
/* Define to 1 if the system has the type `ngtcp2_encryption_level'. */
#undef HAVE_NGTCP2_ENCRYPTION_LEVEL
@@ -484,6 +491,9 @@
*/
#undef HAVE_NGTCP2_NGTCP2_CRYPTO_OPENSSL_H
+/* Define to 1 if you have the <ngtcp2/ngtcp2_crypto_ossl.h> header file. */
+#undef HAVE_NGTCP2_NGTCP2_CRYPTO_OSSL_H
+
/* Define to 1 if you have the <ngtcp2/ngtcp2_crypto_quictls.h> header file.
*/
#undef HAVE_NGTCP2_NGTCP2_CRYPTO_QUICTLS_H
@@ -645,9 +655,6 @@
function. */
#undef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
-/* Define to 1 if you have the `SSL_CTX_set_tmp_ecdh' function. */
-#undef HAVE_SSL_CTX_SET_TMP_ECDH
-
/* Define to 1 if you have the `SSL_get0_alpn_selected' function. */
#undef HAVE_SSL_GET0_ALPN_SELECTED
@@ -1022,6 +1029,9 @@
/* Define this to enable client TCP Fast Open. */
#undef USE_MSG_FASTOPEN
+
+/* Define this to use ngtcp2_crypto_ossl. */
+#undef USE_NGTCP2_CRYPTO_OSSL
/* Define this to enable client TCP Fast Open. */
#undef USE_OSX_MSG_FASTOPEN
Index: configure
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/configure,v
diff -u -p -r1.58 configure
--- configure 31 Aug 2025 21:41:09 -0000 1.58
+++ configure 22 Sep 2025 21:08:22 -0000
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for unbound 1.23.1.
+# Generated by GNU Autoconf 2.71 for unbound 1.24.0.
#
# Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>.
#
@@ -622,8 +622,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='unbound'
PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.23.1'
-PACKAGE_STRING='unbound 1.23.1'
+PACKAGE_VERSION='1.24.0'
+PACKAGE_STRING='unbound 1.24.0'
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues'
PACKAGE_URL=''
@@ -685,7 +685,9 @@ opt_dnstap_socket_path
ENABLE_DNSTAP
PROTOBUFC_LIBS
PROTOBUFC_CFLAGS
+PROTOC_GEN_C
PROTOC_C
+PROTOC
UBSYMS
EXTRALINK
COMMON_OBJ_ALL_SYMBOLS
@@ -1511,7 +1513,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures unbound 1.23.1 to adapt to many kinds of systems.
+\`configure' configures unbound 1.24.0 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1577,7 +1579,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of unbound 1.23.1:";;
+ short | recursive ) echo "Configuration of unbound 1.24.0:";;
esac
cat <<\_ACEOF
@@ -1830,7 +1832,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-unbound configure 1.23.1
+unbound configure 1.24.0
generated by GNU Autoconf 2.71
Copyright (C) 2021 Free Software Foundation, Inc.
@@ -2487,7 +2489,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by unbound $as_me 1.23.1, which was
+It was created by unbound $as_me 1.24.0, which was
generated by GNU Autoconf 2.71. Invocation command line was
$ $0$ac_configure_args_raw
@@ -3249,13 +3251,13 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
UNBOUND_VERSION_MAJOR=1
-UNBOUND_VERSION_MINOR=23
+UNBOUND_VERSION_MINOR=24
-UNBOUND_VERSION_MICRO=1
+UNBOUND_VERSION_MICRO=0
LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=32
+LIBUNBOUND_REVISION=33
LIBUNBOUND_AGE=1
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@@ -3355,6 +3357,7 @@ LIBUNBOUND_AGE=1
# 1.22.0 had 9:30:1
# 1.23.0 had 9:31:1
# 1.23.1 had 9:32:1
+# 1.24.0 had 9:33:1
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@@ -20817,12 +20820,6 @@ then :
printf "%s\n" "#define HAVE_BIO_SET_CALLBACK_EX 1" >>confdefs.h
fi
-ac_fn_c_check_func "$LINENO" "SSL_CTX_set_tmp_ecdh" "ac_cv_func_SSL_CTX_set_tmp_ecdh"
-if test "x$ac_cv_func_SSL_CTX_set_tmp_ecdh" = xyes
-then :
- printf "%s\n" "#define HAVE_SSL_CTX_SET_TMP_ECDH 1" >>confdefs.h
-
-fi
# these check_funcs need -lssl
@@ -20981,6 +20978,34 @@ else $as_nop
ac_have_decl=0
fi
printf "%s\n" "#define HAVE_DECL_SSL_CTX_SET_ECDH_AUTO $ac_have_decl" >>confdefs.h
+ac_fn_check_decl "$LINENO" "SSL_CTX_set_tmp_ecdh" "ac_cv_have_decl_SSL_CTX_set_tmp_ecdh" "
+$ac_includes_default
+#ifdef HAVE_OPENSSL_ERR_H
+#include <openssl/err.h>
+#endif
+
+#ifdef HAVE_OPENSSL_RAND_H
+#include <openssl/rand.h>
+#endif
+
+#ifdef HAVE_OPENSSL_CONF_H
+#include <openssl/conf.h>
+#endif
+
+#ifdef HAVE_OPENSSL_ENGINE_H
+#include <openssl/engine.h>
+#endif
+#include <openssl/ssl.h>
+#include <openssl/evp.h>
+
+" "$ac_c_undeclared_builtin_options" "CFLAGS"
+if test "x$ac_cv_have_decl_SSL_CTX_set_tmp_ecdh" = xyes
+then :
+ ac_have_decl=1
+else $as_nop
+ ac_have_decl=0
+fi
+printf "%s\n" "#define HAVE_DECL_SSL_CTX_SET_TMP_ECDH $ac_have_decl" >>confdefs.h
if test "$ac_cv_func_HMAC_Init_ex" = "yes"; then
@@ -22285,6 +22310,13 @@ then :
printf "%s\n" "#define HAVE_NGTCP2_NGTCP2_H 1" >>confdefs.h
fi
+ac_fn_c_check_header_compile "$LINENO" "ngtcp2/ngtcp2_crypto_ossl.h" "ac_cv_header_ngtcp2_ngtcp2_crypto_ossl_h" "$ac_includes_default
+"
+if test "x$ac_cv_header_ngtcp2_ngtcp2_crypto_ossl_h" = xyes
+then :
+ printf "%s\n" "#define HAVE_NGTCP2_NGTCP2_CRYPTO_OSSL_H 1" >>confdefs.h
+
+fi
ac_fn_c_check_header_compile "$LINENO" "ngtcp2/ngtcp2_crypto_openssl.h" "ac_cv_header_ngtcp2_ngtcp2_crypto_openssl_h" "$ac_includes_default
"
if test "x$ac_cv_header_ngtcp2_ngtcp2_crypto_openssl_h" = xyes
@@ -22324,7 +22356,52 @@ else $as_nop
fi
printf "%s\n" "#define HAVE_DECL_NGTCP2_CRYPTO_ENCRYPT_CB $ac_have_decl" >>confdefs.h
- { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_openssl" >&5
+ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_ossl" >&5
+printf %s "checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_ossl... " >&6; }
+if test ${ac_cv_lib_ngtcp2_crypto_ossl_ngtcp2_crypto_encrypt_cb+y}
+then :
+ printf %s "(cached) " >&6
+else $as_nop
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lngtcp2_crypto_ossl $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+char ngtcp2_crypto_encrypt_cb ();
+int
+main (void)
+{
+return ngtcp2_crypto_encrypt_cb ();
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"
+then :
+ ac_cv_lib_ngtcp2_crypto_ossl_ngtcp2_crypto_encrypt_cb=yes
+else $as_nop
+ ac_cv_lib_ngtcp2_crypto_ossl_ngtcp2_crypto_encrypt_cb=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.beam \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ngtcp2_crypto_ossl_ngtcp2_crypto_encrypt_cb" >&5
+printf "%s\n" "$ac_cv_lib_ngtcp2_crypto_ossl_ngtcp2_crypto_encrypt_cb" >&6; }
+if test "x$ac_cv_lib_ngtcp2_crypto_ossl_ngtcp2_crypto_encrypt_cb" = xyes
+then :
+
+ LIBS="$LIBS -lngtcp2_crypto_ossl"
+
+printf "%s\n" "#define USE_NGTCP2_CRYPTO_OSSL 1" >>confdefs.h
+
+
+else $as_nop
+
+ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_openssl" >&5
printf %s "checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_openssl... " >&6; }
if test ${ac_cv_lib_ngtcp2_crypto_openssl_ngtcp2_crypto_encrypt_cb+y}
then :
@@ -22362,9 +22439,9 @@ printf "%s\n" "$ac_cv_lib_ngtcp2_crypto_
if test "x$ac_cv_lib_ngtcp2_crypto_openssl_ngtcp2_crypto_encrypt_cb" = xyes
then :
LIBS="$LIBS -lngtcp2_crypto_openssl"
-fi
+else $as_nop
- { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_quictls" >&5
+ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_quictls" >&5
printf %s "checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_quictls... " >&6; }
if test ${ac_cv_lib_ngtcp2_crypto_quictls_ngtcp2_crypto_encrypt_cb+y}
then :
@@ -22404,6 +22481,12 @@ then :
LIBS="$LIBS -lngtcp2_crypto_quictls"
fi
+
+fi
+
+
+fi
+
ac_fn_c_check_func "$LINENO" "ngtcp2_crypto_encrypt_cb" "ac_cv_func_ngtcp2_crypto_encrypt_cb"
if test "x$ac_cv_func_ngtcp2_crypto_encrypt_cb" = xyes
then :
@@ -22452,6 +22535,12 @@ then :
printf "%s\n" "#define HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_CLIENT_CONTEXT 1" >>confdefs.h
fi
+ac_fn_c_check_func "$LINENO" "ngtcp2_crypto_quictls_init" "ac_cv_func_ngtcp2_crypto_quictls_init"
+if test "x$ac_cv_func_ngtcp2_crypto_quictls_init" = xyes
+then :
+ printf "%s\n" "#define HAVE_NGTCP2_CRYPTO_QUICTLS_INIT 1" >>confdefs.h
+
+fi
ac_fn_c_check_func "$LINENO" "ngtcp2_conn_get_num_scid" "ac_cv_func_ngtcp2_conn_get_num_scid"
if test "x$ac_cv_func_ngtcp2_conn_get_num_scid" = xyes
then :
@@ -22472,6 +22561,10 @@ then :
fi
+ # these check_funcs need -lssl
+ BAKLIBS="$LIBS"
+ LIBS="-lssl $LIBS"
+
for ac_func in SSL_is_quic
do :
ac_fn_c_check_func "$LINENO" "SSL_is_quic" "ac_cv_func_SSL_is_quic"
@@ -22484,6 +22577,8 @@ else $as_nop
fi
done
+ LIBS="$BAKLIBS"
+
ac_fn_c_check_type "$LINENO" "struct ngtcp2_version_cid" "ac_cv_type_struct_ngtcp2_version_cid" "$ac_includes_default
#include <ngtcp2/ngtcp2.h>
@@ -24249,7 +24344,55 @@ fi
if test "x$opt_dnstap" != "xno"; then
- # Extract the first word of "protoc-c", so it can be a program name with args.
+ # Extract the first word of "protoc", so it can be a program name with args.
+set dummy protoc; ac_word=$2
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+printf %s "checking for $ac_word... " >&6; }
+if test ${ac_cv_path_PROTOC+y}
+then :
+ printf %s "(cached) " >&6
+else $as_nop
+ case $PROTOC in
+ [\\/]* | ?:[\\/]*)
+ ac_cv_path_PROTOC="$PROTOC" # Let the user override the test with a path.
+ ;;
+ *)
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ case $as_dir in #(((
+ '') as_dir=./ ;;
+ */) ;;
+ *) as_dir=$as_dir/ ;;
+ esac
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
+ ac_cv_path_PROTOC="$as_dir$ac_word$ac_exec_ext"
+ printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+ done
+IFS=$as_save_IFS
+
+ ;;
+esac
+fi
+PROTOC=$ac_cv_path_PROTOC
+if test -n "$PROTOC"; then
+ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $PROTOC" >&5
+printf "%s\n" "$PROTOC" >&6; }
+else
+ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
+printf "%s\n" "no" >&6; }
+fi
+
+
+ # 'protoc-c' is deprecated. We use 'protoc' instead. If it can not be
+ # found, try 'protoc-c'.
+ if test -z "$PROTOC"; then
+ # Extract the first word of "protoc-c", so it can be a program name with args.
set dummy protoc-c; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
@@ -24294,9 +24437,83 @@ printf "%s\n" "no" >&6; }
fi
- if test -z "$PROTOC_C"; then
- as_fn_error $? "The protoc-c program was not found. Please install protobuf-c!" "$LINENO" 5
- fi
+ else
+ PROTOC_C="$PROTOC"
+ fi
+ if test -z "$PROTOC_C"; then
+ as_fn_error $? "The protoc or protoc-c program was not found. It is needed for dnstap, use --disable-dnstap, or install protobuf-c to provide protoc or protoc-c" "$LINENO" 5
+ fi
+
+ # Check for protoc-gen-c plugin
+ # Extract the first word of "protoc-gen-c", so it can be a program name with args.
+set dummy protoc-gen-c; ac_word=$2
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+printf %s "checking for $ac_word... " >&6; }
+if test ${ac_cv_path_PROTOC_GEN_C+y}
+then :
+ printf %s "(cached) " >&6
+else $as_nop
+ case $PROTOC_GEN_C in
+ [\\/]* | ?:[\\/]*)
+ ac_cv_path_PROTOC_GEN_C="$PROTOC_GEN_C" # Let the user override the test with a path.
+ ;;
+ *)
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ case $as_dir in #(((
+ '') as_dir=./ ;;
+ */) ;;
+ *) as_dir=$as_dir/ ;;
+ esac
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
+ ac_cv_path_PROTOC_GEN_C="$as_dir$ac_word$ac_exec_ext"
+ printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+ done
+IFS=$as_save_IFS
+
+ ;;
+esac
+fi
+PROTOC_GEN_C=$ac_cv_path_PROTOC_GEN_C
+if test -n "$PROTOC_GEN_C"; then
+ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $PROTOC_GEN_C" >&5
+printf "%s\n" "$PROTOC_GEN_C" >&6; }
+else
+ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
+printf "%s\n" "no" >&6; }
+fi
+
+
+ if test -z "$PROTOC_GEN_C"; then
+ as_fn_error $? "The protoc-gen-c plugin was not found. It is needed for dnstap, use --disable-dnstap, or install protobuf-c-compiler to provide protoc-gen-c" "$LINENO" 5
+ fi
+
+ # Test that protoc-gen-c actually works
+ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if protoc-gen-c plugin works" >&5
+printf %s "checking if protoc-gen-c plugin works... " >&6; }
+ cat > conftest.proto << EOF
+syntax = "proto2";
+message TestMessage {
+ optional string test_field = 1;
+}
+EOF
+ if $PROTOC_C --c_out=. conftest.proto >/dev/null 2>&1; then
+ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+printf "%s\n" "yes" >&6; }
+ rm -f conftest.proto conftest.pb-c.c conftest.pb-c.h
+ else
+ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
+printf "%s\n" "no" >&6; }
+ rm -f conftest.proto conftest.pb-c.c conftest.pb-c.h
+ as_fn_error $? "The protoc-gen-c plugin is not working properly. Please ensure protobuf-c-compiler is properly installed" "$LINENO" 5
+ fi
+
# Check whether --with-protobuf-c was given.
if test ${with_protobuf_c+y}
@@ -25074,7 +25291,7 @@ printf "%s\n" "#define MAXSYSLOGMSGLEN 1
-version=1.23.1
+version=1.24.0
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for build time" >&5
printf %s "checking for build time... " >&6; }
@@ -25604,7 +25821,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_wri
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by unbound $as_me 1.23.1, which was
+This file was extended by unbound $as_me 1.24.0, which was
generated by GNU Autoconf 2.71. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -25672,7 +25889,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config='$ac_cs_config_escaped'
ac_cs_version="\\
-unbound config.status 1.23.1
+unbound config.status 1.24.0
configured by $0, generated by GNU Autoconf 2.71,
with options \\"\$ac_cs_config\\"
Index: configure.ac
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/configure.ac,v
diff -u -p -r1.58 configure.ac
--- configure.ac 31 Aug 2025 21:41:09 -0000 1.58
+++ configure.ac 22 Sep 2025 21:08:23 -0000
@@ -11,15 +11,15 @@ sinclude(dnscrypt/dnscrypt.m4)
# must be numbers. ac_defun because of later processing
m4_define([VERSION_MAJOR],[1])
-m4_define([VERSION_MINOR],[23])
-m4_define([VERSION_MICRO],[1])
+m4_define([VERSION_MINOR],[24])
+m4_define([VERSION_MICRO],[0])
AC_INIT([unbound],m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),[unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues],[unbound])
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=32
+LIBUNBOUND_REVISION=33
LIBUNBOUND_AGE=1
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@@ -119,6 +119,7 @@ LIBUNBOUND_AGE=1
# 1.22.0 had 9:30:1
# 1.23.0 had 9:31:1
# 1.23.1 had 9:32:1
+# 1.24.0 had 9:33:1
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@@ -996,7 +997,7 @@ else
AC_MSG_RESULT([no])
fi
AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h openssl/param_build.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_default_properties_is_fips_enabled EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex SSL_CTX_set_tmp_ecdh])
+AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_default_properties_is_fips_enabled EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex])
# these check_funcs need -lssl
BAKLIBS="$LIBS"
@@ -1004,7 +1005,7 @@ LIBS="-lssl $LIBS"
AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb SSL_get0_alpn_selected SSL_CTX_set_alpn_protos SSL_get1_peer_certificate])
LIBS="$BAKLIBS"
-AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [
+AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto,SSL_CTX_set_tmp_ecdh], [], [], [
AC_INCLUDES_DEFAULT
#ifdef HAVE_OPENSSL_ERR_H
#include <openssl/err.h>
@@ -1610,17 +1611,29 @@ if test x_$withval = x_yes -o x_$withval
if test x_$found_libngtcp2 != x_yes; then
AC_MSG_ERROR([Could not find libngtcp2, ngtcp2.h])
fi
- AC_CHECK_HEADERS([ngtcp2/ngtcp2.h ngtcp2/ngtcp2_crypto_openssl.h ngtcp2/ngtcp2_crypto_quictls.h],,, [AC_INCLUDES_DEFAULT])
+ AC_CHECK_HEADERS([ngtcp2/ngtcp2.h ngtcp2/ngtcp2_crypto_ossl.h ngtcp2/ngtcp2_crypto_openssl.h ngtcp2/ngtcp2_crypto_quictls.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_DECLS([ngtcp2_conn_server_new], [], [], [AC_INCLUDES_DEFAULT
#include <ngtcp2/ngtcp2.h>
])
AC_CHECK_DECLS([ngtcp2_crypto_encrypt_cb], [], [], [AC_INCLUDES_DEFAULT
#include <ngtcp2/ngtcp2_crypto.h>
])
- AC_CHECK_LIB([ngtcp2_crypto_openssl], [ngtcp2_crypto_encrypt_cb], [ LIBS="$LIBS -lngtcp2_crypto_openssl" ])
- AC_CHECK_LIB([ngtcp2_crypto_quictls], [ngtcp2_crypto_encrypt_cb], [ LIBS="$LIBS -lngtcp2_crypto_quictls" ])
- AC_CHECK_FUNCS([ngtcp2_crypto_encrypt_cb ngtcp2_ccerr_default ngtcp2_conn_in_closing_period ngtcp2_conn_in_draining_period ngtcp2_conn_get_max_local_streams_uni ngtcp2_crypto_quictls_from_ossl_encryption_level ngtcp2_crypto_quictls_configure_server_context ngtcp2_crypto_quictls_configure_client_context ngtcp2_conn_get_num_scid ngtcp2_conn_tls_early_data_rejected ngtcp2_conn_encode_0rtt_transport_params])
+ AC_CHECK_LIB([ngtcp2_crypto_ossl], [ngtcp2_crypto_encrypt_cb], [
+ LIBS="$LIBS -lngtcp2_crypto_ossl"
+ AC_DEFINE(USE_NGTCP2_CRYPTO_OSSL, 1, [Define this to use ngtcp2_crypto_ossl.])
+ ], [
+ AC_CHECK_LIB([ngtcp2_crypto_openssl], [ngtcp2_crypto_encrypt_cb], [ LIBS="$LIBS -lngtcp2_crypto_openssl" ], [
+ AC_CHECK_LIB([ngtcp2_crypto_quictls], [ngtcp2_crypto_encrypt_cb], [ LIBS="$LIBS -lngtcp2_crypto_quictls" ])
+ ])
+ ])
+ AC_CHECK_FUNCS([ngtcp2_crypto_encrypt_cb ngtcp2_ccerr_default ngtcp2_conn_in_closing_period ngtcp2_conn_in_draining_period ngtcp2_conn_get_max_local_streams_uni ngtcp2_crypto_quictls_from_ossl_encryption_level ngtcp2_crypto_quictls_configure_server_context ngtcp2_crypto_quictls_configure_client_context ngtcp2_crypto_quictls_init ngtcp2_conn_get_num_scid ngtcp2_conn_tls_early_data_rejected ngtcp2_conn_encode_0rtt_transport_params])
+
+ # these check_funcs need -lssl
+ BAKLIBS="$LIBS"
+ LIBS="-lssl $LIBS"
AC_CHECK_FUNCS([SSL_is_quic], [], [AC_MSG_ERROR([No QUIC support detected in OpenSSL. Need OpenSSL version with QUIC support to enable DNS over QUIC with libngtcp2.])])
+ LIBS="$BAKLIBS"
+
AC_CHECK_TYPES([struct ngtcp2_version_cid, ngtcp2_encryption_level],,,[AC_INCLUDES_DEFAULT
#include <ngtcp2/ngtcp2.h>
])
Index: cachedb/redis.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/cachedb/redis.c,v
diff -u -p -r1.1.1.6 redis.c
--- cachedb/redis.c 31 Aug 2025 21:36:34 -0000 1.1.1.6
+++ cachedb/redis.c 22 Sep 2025 21:08:23 -0000
@@ -46,6 +46,8 @@
#include "cachedb/cachedb.h"
#include "util/alloc.h"
#include "util/config_file.h"
+#include "util/locks.h"
+#include "util/timeval_func.h"
#include "sldns/sbuffer.h"
#ifdef USE_REDIS
@@ -75,6 +77,18 @@ struct redis_moddata {
/* timeout for connection setup */
struct timeval connect_timeout;
struct timeval replica_connect_timeout;
+ /* the reconnect interval time. */
+ struct timeval reconnect_interval;
+ struct timeval replica_reconnect_interval;
+ /* reconnect attempts, 0 if connected, counts up failed reconnects. */
+ int reconnect_attempts;
+ int replica_reconnect_attempts;
+ /* Lock on reconnect_wait time. */
+ lock_basic_type wait_lock;
+ lock_basic_type replica_wait_lock;
+ /* reconnect wait time, wait until it has passed before reconnect. */
+ struct timeval reconnect_wait;
+ struct timeval replica_reconnect_wait;
/* the redis logical database to use */
int logical_db;
int replica_logical_db;
@@ -82,6 +96,10 @@ struct redis_moddata {
int set_with_ex_available;
};
+/** The limit on the number of redis connect attempts. After failure if
+ * the number is exceeded, the reconnects are throttled by the wait time. */
+#define REDIS_RECONNECT_ATTEMPT_LIMIT 3
+
static redisReply* redis_command(struct module_env*, struct cachedb_env*,
const char*, const uint8_t*, size_t, int);
@@ -105,6 +123,8 @@ moddata_clean(struct redis_moddata** mod
}
free((*moddata)->replica_ctxs);
}
+ lock_basic_destroy(&(*moddata)->wait_lock);
+ lock_basic_destroy(&(*moddata)->replica_wait_lock);
free(*moddata);
*moddata = NULL;
}
@@ -113,10 +133,39 @@ static redisContext*
redis_connect(const char* host, int port, const char* path,
const char* password, int logical_db,
const struct timeval connect_timeout,
- const struct timeval command_timeout)
+ const struct timeval command_timeout,
+ const struct timeval* reconnect_interval,
+ int* reconnect_attempts,
+ struct timeval* reconnect_wait,
+ lock_basic_type* wait_lock,
+ struct timeval* now_tv,
+ const char* infostr)
{
+ struct timeval now_val;
redisContext* ctx;
+ /* See if the redis server is down, and reconnect has to wait. */
+ if(*reconnect_attempts > REDIS_RECONNECT_ATTEMPT_LIMIT) {
+ /* Acquire lock to look at timeval, the integer has atomic
+ * integrity. */
+ struct timeval wait_tv;
+ if(now_tv) {
+ now_val = *now_tv;
+ } else {
+ if(gettimeofday(&now_val, NULL) < 0)
+ log_err("redis: gettimeofday: %s",
+ strerror(errno));
+ }
+ lock_basic_lock(wait_lock);
+ wait_tv = *reconnect_wait;
+ lock_basic_unlock(wait_lock);
+ if(timeval_smaller(&now_val, &wait_tv)) {
+ verbose(VERB_ALGO, "redis %sdown, reconnect wait",
+ infostr);
+ return NULL;
+ }
+ }
+
if(path && path[0]!=0) {
ctx = redisConnectUnixWithTimeout(path, connect_timeout);
} else {
@@ -126,18 +175,18 @@ redis_connect(const char* host, int port
const char *errstr = "out of memory";
if(ctx)
errstr = ctx->errstr;
- log_err("failed to connect to redis server: %s", errstr);
+ log_err("failed to connect to redis %sserver: %s", infostr, errstr);
goto fail;
}
if(redisSetTimeout(ctx, command_timeout) != REDIS_OK) {
- log_err("failed to set redis timeout, %s", ctx->errstr);
+ log_err("failed to set redis %stimeout, %s", infostr, ctx->errstr);
goto fail;
}
if(password && password[0]!=0) {
redisReply* rep;
rep = redisCommand(ctx, "AUTH %s", password);
if(!rep || rep->type == REDIS_REPLY_ERROR) {
- log_err("failed to authenticate with password");
+ log_err("failed to authenticate %swith password", infostr);
freeReplyObject(rep);
goto fail;
}
@@ -147,18 +196,20 @@ redis_connect(const char* host, int port
redisReply* rep;
rep = redisCommand(ctx, "SELECT %d", logical_db);
if(!rep || rep->type == REDIS_REPLY_ERROR) {
- log_err("failed to set logical database (%d)",
- logical_db);
+ log_err("failed %sto set logical database (%d)",
+ infostr, logical_db);
freeReplyObject(rep);
goto fail;
}
freeReplyObject(rep);
}
+ *reconnect_attempts = 0;
if(verbosity >= VERB_OPS) {
char port_str[6+1];
port_str[0] = ' ';
(void)snprintf(port_str+1, sizeof(port_str)-1, "%d", port);
- verbose(VERB_OPS, "Connection to Redis established (%s%s)",
+ verbose(VERB_OPS, "Connection to Redis %sestablished (%s%s)",
+ infostr,
path&&path[0]!=0?path:host,
path&&path[0]!=0?"":port_str);
}
@@ -167,6 +218,25 @@ redis_connect(const char* host, int port
fail:
if(ctx)
redisFree(ctx);
+ (*reconnect_attempts)++;
+ if(*reconnect_attempts > REDIS_RECONNECT_ATTEMPT_LIMIT) {
+ /* Wait for the reconnect interval before trying again. */
+ struct timeval tv;
+ if(now_tv) {
+ now_val = *now_tv;
+ } else {
+ if(gettimeofday(&now_val, NULL) < 0)
+ log_err("redis: gettimeofday: %s",
+ strerror(errno));
+ }
+ tv = now_val;
+ timeval_add(&tv, reconnect_interval);
+ lock_basic_lock(wait_lock);
+ *reconnect_wait = tv;
+ lock_basic_unlock(wait_lock);
+ verbose(VERB_ALGO, "redis %sreconnect wait until %d.%6.6d",
+ infostr, (int)tv.tv_sec, (int)tv.tv_usec);
+ }
return NULL;
}
@@ -191,6 +261,13 @@ redis_init(struct module_env* env, struc
log_err("out of memory");
goto fail;
}
+ lock_basic_init(&moddata->wait_lock);
+ lock_protect(&moddata->wait_lock, &moddata->reconnect_wait,
+ sizeof(moddata->reconnect_wait));
+ lock_basic_init(&moddata->replica_wait_lock);
+ lock_protect(&moddata->replica_wait_lock,
+ &moddata->replica_reconnect_wait,
+ sizeof(moddata->replica_reconnect_wait));
moddata->numctxs = env->cfg->num_threads;
/* note: server_host and similar string configuration options are
* shallow references to configured strings; we don't have to free them
@@ -219,6 +296,8 @@ redis_init(struct module_env* env, struc
set_timeout(&moddata->replica_connect_timeout,
env->cfg->redis_replica_timeout,
env->cfg->redis_replica_connect_timeout);
+ set_timeout(&moddata->reconnect_interval, 1000, 0);
+ set_timeout(&moddata->replica_reconnect_interval, 1000, 0);
moddata->logical_db = env->cfg->redis_logical_db;
moddata->replica_logical_db = env->cfg->redis_replica_logical_db;
@@ -245,7 +324,13 @@ redis_init(struct module_env* env, struc
moddata->server_password,
moddata->logical_db,
moddata->connect_timeout,
- moddata->command_timeout);
+ moddata->command_timeout,
+ &moddata->reconnect_interval,
+ &moddata->reconnect_attempts,
+ &moddata->reconnect_wait,
+ &moddata->wait_lock,
+ env->now_tv,
+ "");
if(!ctx) {
log_err("redis_init: failed to init redis "
"(for thread %d)", i);
@@ -263,7 +348,13 @@ redis_init(struct module_env* env, struc
moddata->replica_server_password,
moddata->replica_logical_db,
moddata->replica_connect_timeout,
- moddata->replica_command_timeout);
+ moddata->replica_command_timeout,
+ &moddata->replica_reconnect_interval,
+ &moddata->replica_reconnect_attempts,
+ &moddata->replica_reconnect_wait,
+ &moddata->replica_wait_lock,
+ env->now_tv,
+ "replica ");
if(!ctx) {
log_err("redis_init: failed to init redis "
"replica (for thread %d)", i);
@@ -301,7 +392,7 @@ redis_init(struct module_env* env, struc
set_with_ex_fail:
log_err("redis_init: failure during redis_init, the "
"redis-expire-records option requires the SET with EX command "
- "(redis >= 2.6.2)");
+ "(redis >= 2.6.12)");
return 1;
fail:
moddata_clean(&moddata);
@@ -364,7 +455,13 @@ redis_command(struct module_env* env, st
d->replica_server_password,
d->replica_logical_db,
d->replica_connect_timeout,
- d->replica_command_timeout);
+ d->replica_command_timeout,
+ &d->replica_reconnect_interval,
+ &d->replica_reconnect_attempts,
+ &d->replica_reconnect_wait,
+ &d->replica_wait_lock,
+ env->now_tv,
+ "replica ");
} else {
ctx = redis_connect(
d->server_host,
@@ -373,7 +470,13 @@ redis_command(struct module_env* env, st
d->server_password,
d->logical_db,
d->connect_timeout,
- d->command_timeout);
+ d->command_timeout,
+ &d->reconnect_interval,
+ &d->reconnect_attempts,
+ &d->reconnect_wait,
+ &d->wait_lock,
+ env->now_tv,
+ "");
}
ctx_selector[env->alloc->thread_num] = ctx;
}
@@ -405,7 +508,14 @@ redis_lookup(struct module_env* env, str
char* key, struct sldns_buffer* result_buffer)
{
redisReply* rep;
- char cmdbuf[4+(CACHEDB_HASHSIZE/8)*2+1]; /* "GET " + key */
+ /* Supported commands:
+ * - "GET " + key
+ */
+#define REDIS_LOOKUP_MAX_BUF_LEN \
+ 4 /* "GET " */ \
+ +(CACHEDB_HASHSIZE/8)*2 /* key hash */ \
+ + 1 /* \0 */
+ char cmdbuf[REDIS_LOOKUP_MAX_BUF_LEN];
int n;
int ret = 0;
@@ -465,7 +575,13 @@ redis_store(struct module_env* env, stru
* older redis 2.0.0 was "SETEX " + key + " " + ttl + " %b"
* - "EXPIRE " + key + " 0"
*/
- char cmdbuf[6+(CACHEDB_HASHSIZE/8)*2+11+3+1];
+#define REDIS_STORE_MAX_BUF_LEN \
+ 7 /* "EXPIRE " */ \
+ +(CACHEDB_HASHSIZE/8)*2 /* key hash */ \
+ + 7 /* " %b EX " */ \
+ + 20 /* ttl (uint64_t) */ \
+ + 1 /* \0 */
+ char cmdbuf[REDIS_STORE_MAX_BUF_LEN];
if (!set_ttl) {
verbose(VERB_ALGO, "redis_store %s (%d bytes)", key, (int)data_len);
Index: daemon/cachedump.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/daemon/cachedump.c,v
diff -u -p -r1.12 cachedump.c
--- daemon/cachedump.c 31 Aug 2025 21:41:09 -0000 1.12
+++ daemon/cachedump.c 22 Sep 2025 21:08:23 -0000
@@ -62,84 +62,231 @@
#include "sldns/wire2str.h"
#include "sldns/str2wire.h"
+static void spool_txt_printf(struct config_strlist_head* txt,
+ const char* format, ...) ATTR_FORMAT(printf, 2, 3);
+
+/** Append to strlist at end, and log error if out of memory. */
+static void
+spool_txt_string(struct config_strlist_head* txt, char* str)
+{
+ if(!cfg_strlist_append(txt, strdup(str))) {
+ log_err("out of memory in spool text");
+ }
+}
+
+/** Spool txt to spool list. */
+static void
+spool_txt_vmsg(struct config_strlist_head* txt, const char* format,
+ va_list args)
+{
+ char msg[65535];
+ vsnprintf(msg, sizeof(msg), format, args);
+ spool_txt_string(txt, msg);
+}
+
+/** Print item to spool list. On alloc failure the list is as before. */
+static void
+spool_txt_printf(struct config_strlist_head* txt, const char* format, ...)
+{
+ va_list args;
+ va_start(args, format);
+ spool_txt_vmsg(txt, format, args);
+ va_end(args);
+}
+
/** dump one rrset zonefile line */
-static int
-dump_rrset_line(RES* ssl, struct ub_packed_rrset_key* k, time_t now, size_t i)
+static void
+dump_rrset_line(struct config_strlist_head* txt, struct ub_packed_rrset_key* k,
+ time_t now, size_t i)
{
char s[65535];
if(!packed_rr_to_string(k, i, now, s, sizeof(s))) {
- return ssl_printf(ssl, "BADRR\n");
+ spool_txt_string(txt, "BADRR\n");
+ return;
}
- return ssl_printf(ssl, "%s", s);
+ spool_txt_string(txt, s);
}
/** dump rrset key and data info */
-static int
-dump_rrset(RES* ssl, struct ub_packed_rrset_key* k,
+static void
+dump_rrset(struct config_strlist_head* txt, struct ub_packed_rrset_key* k,
struct packed_rrset_data* d, time_t now)
{
size_t i;
/* rd lock held by caller */
- if(!k || !d) return 1;
- if(k->id == 0) return 1; /* deleted */
- if(d->ttl < now) return 1; /* expired */
+ if(!k || !d) return;
+ if(k->id == 0) return; /* deleted */
+ if(d->ttl < now) return; /* expired */
/* meta line */
- if(!ssl_printf(ssl, ";rrset%s " ARG_LL "d %u %u %d %d\n",
+ spool_txt_printf(txt, ";rrset%s " ARG_LL "d %u %u %d %d\n",
(k->rk.flags & PACKED_RRSET_NSEC_AT_APEX)?" nsec_apex":"",
(long long)(d->ttl - now),
(unsigned)d->count, (unsigned)d->rrsig_count,
(int)d->trust, (int)d->security
- ))
- return 0;
+ );
for(i=0; i<d->count + d->rrsig_count; i++) {
- if(!dump_rrset_line(ssl, k, now, i))
+ dump_rrset_line(txt, k, now, i);
+ }
+}
+
+/** Spool strlist to the output. */
+static int
+spool_strlist(RES* ssl, struct config_strlist* list)
+{
+ struct config_strlist* s;
+ for(s=list; s; s=s->next) {
+ if(!ssl_printf(ssl, "%s", s->str))
return 0;
}
return 1;
}
-/** dump lruhash rrset cache */
+/** dump lruhash cache and call callback for every item. */
static int
-dump_rrset_lruhash(RES* ssl, struct lruhash* h, time_t now)
-{
- struct lruhash_entry* e;
- /* lruhash already locked by caller */
- /* walk in order of lru; best first */
- for(e=h->lru_start; e; e = e->lru_next) {
- lock_rw_rdlock(&e->lock);
- if(!dump_rrset(ssl, (struct ub_packed_rrset_key*)e->key,
- (struct packed_rrset_data*)e->data, now)) {
- lock_rw_unlock(&e->lock);
+dump_lruhash(struct lruhash* table,
+ void (*func)(struct lruhash_entry*, struct config_strlist_head*, void*),
+ RES* ssl, void* arg)
+{
+ int just_started = 1;
+ int not_done = 1;
+ hashvalue_type hash;
+ size_t num = 0; /* number of entries processed. */
+ size_t max = 2; /* number of entries after which it unlocks. */
+ struct config_strlist_head txt; /* Text strings spooled. */
+ memset(&txt, 0, sizeof(txt));
+
+ while(not_done) {
+ size_t i; /* hash bin. */
+ /* Process a number of items. */
+ num = 0;
+ lock_quick_lock(&table->lock);
+ if(just_started) {
+ i = 0;
+ } else {
+ i = hash&table->size_mask;
+ }
+ while(num < max) {
+ /* Process bin. */
+ int found = 0;
+ size_t num_bin = 0;
+ struct lruhash_bin* bin = &table->array[i];
+ struct lruhash_entry* e;
+ lock_quick_lock(&bin->lock);
+ for(e = bin->overflow_list; e; e = e->overflow_next) {
+ /* Entry e is locked by the func. */
+ func(e, &txt, arg);
+ num_bin++;
+ }
+ lock_quick_unlock(&bin->lock);
+ /* This addition of bin number of entries may take
+ * it over the max. */
+ num += num_bin;
+
+ /* Move to next bin. */
+ /* Find one with an entry, with a hash value, so we
+ * can continue from the hash value. The hash value
+ * can be indexed also if the array changes size. */
+ i++;
+ while(i < table->size) {
+ bin = &table->array[i];
+ lock_quick_lock(&bin->lock);
+ if(bin->overflow_list) {
+ hash = bin->overflow_list->hash;
+ lock_quick_unlock(&bin->lock);
+ found = 1;
+ just_started = 0;
+ break;
+ }
+ lock_quick_unlock(&bin->lock);
+ i++;
+ }
+ if(!found) {
+ not_done = 0;
+ break;
+ }
+ }
+ lock_quick_unlock(&table->lock);
+ /* Print the spooled items, that are collected while the
+ * locks are locked. The print happens while they are not
+ * locked. */
+ if(txt.first) {
+ if(!spool_strlist(ssl, txt.first)) {
+ config_delstrlist(txt.first);
+ return 0;
+ }
+ config_delstrlist(txt.first);
+ memset(&txt, 0, sizeof(txt));
+ }
+ }
+ /* Print the final spooled items. */
+ if(txt.first) {
+ if(!spool_strlist(ssl, txt.first)) {
+ config_delstrlist(txt.first);
return 0;
}
- lock_rw_unlock(&e->lock);
+ config_delstrlist(txt.first);
+ }
+ return 1;
+}
+
+/** dump slabhash cache and call callback for every item. */
+static int
+dump_slabhash(struct slabhash* sh,
+ void (*func)(struct lruhash_entry*, struct config_strlist_head*, void*),
+ RES* ssl, void* arg)
+{
+ /* Process a number of items at a time, then unlock the cache,
+ * so that ordinary processing can continue. Keep an iteration marker
+ * to continue the loop. That means the cache can change, items
+ * could be inserted and deleted. And, for example, the hash table
+ * can grow. */
+ size_t slab;
+ for(slab=0; slab<sh->size; slab++) {
+ if(!dump_lruhash(sh->array[slab], func, ssl, arg))
+ return 0;
}
return 1;
}
+/** Struct for dump information. */
+struct dump_info {
+ /** The worker. */
+ struct worker* worker;
+ /** The printout connection. */
+ RES* ssl;
+};
+
+/** Dump the rrset cache entry */
+static void
+dump_rrset_entry(struct lruhash_entry* e, struct config_strlist_head* txt,
+ void* arg)
+{
+ struct dump_info* dump_info = (struct dump_info*)arg;
+ lock_rw_rdlock(&e->lock);
+ dump_rrset(txt, (struct ub_packed_rrset_key*)e->key,
+ (struct packed_rrset_data*)e->data,
+ *dump_info->worker->env.now);
+ lock_rw_unlock(&e->lock);
+}
+
/** dump rrset cache */
static int
dump_rrset_cache(RES* ssl, struct worker* worker)
{
struct rrset_cache* r = worker->env.rrset_cache;
- size_t slab;
+ struct dump_info dump_info;
+ dump_info.worker = worker;
+ dump_info.ssl = ssl;
if(!ssl_printf(ssl, "START_RRSET_CACHE\n")) return 0;
- for(slab=0; slab<r->table.size; slab++) {
- lock_quick_lock(&r->table.array[slab]->lock);
- if(!dump_rrset_lruhash(ssl, r->table.array[slab],
- *worker->env.now)) {
- lock_quick_unlock(&r->table.array[slab]->lock);
- return 0;
- }
- lock_quick_unlock(&r->table.array[slab]->lock);
- }
+ if(!dump_slabhash(&r->table, &dump_rrset_entry, ssl, &dump_info))
+ return 0;
return ssl_printf(ssl, "END_RRSET_CACHE\n");
}
/** dump message to rrset reference */
-static int
-dump_msg_ref(RES* ssl, struct ub_packed_rrset_key* k)
+static void
+dump_msg_ref(struct config_strlist_head* txt, struct ub_packed_rrset_key* k)
{
char* nm, *tp, *cl;
nm = sldns_wire2str_dname(k->rk.dname, k->rk.dname_len);
@@ -149,30 +296,25 @@ dump_msg_ref(RES* ssl, struct ub_packed_
free(nm);
free(tp);
free(cl);
- return ssl_printf(ssl, "BADREF\n");
- }
- if(!ssl_printf(ssl, "%s %s %s %d\n", nm, cl, tp, (int)k->rk.flags)) {
- free(nm);
- free(tp);
- free(cl);
- return 0;
+ spool_txt_string(txt, "BADREF\n");
+ return;
}
+ spool_txt_printf(txt, "%s %s %s %d\n", nm, cl, tp, (int)k->rk.flags);
free(nm);
free(tp);
free(cl);
-
- return 1;
}
/** dump message entry */
-static int
-dump_msg(RES* ssl, struct query_info* k, struct reply_info* d, time_t now)
+static void
+dump_msg(struct config_strlist_head* txt, struct query_info* k,
+ struct reply_info* d, time_t now)
{
size_t i;
char* nm, *tp, *cl;
- if(!k || !d) return 1;
- if(d->ttl < now) return 1; /* expired */
-
+ if(!k || !d) return;
+ if(d->ttl < now) return; /* expired */
+
nm = sldns_wire2str_dname(k->qname, k->qname_len);
tp = sldns_wire2str_type(k->qtype);
cl = sldns_wire2str_class(k->qclass);
@@ -180,45 +322,35 @@ dump_msg(RES* ssl, struct query_info* k,
free(nm);
free(tp);
free(cl);
- return 1; /* skip this entry */
+ return; /* skip this entry */
}
if(!rrset_array_lock(d->ref, d->rrset_count, now)) {
/* rrsets have timed out or do not exist */
free(nm);
free(tp);
free(cl);
- return 1; /* skip this entry */
+ return; /* skip this entry */
}
-
+
/* meta line */
- if(!ssl_printf(ssl, "msg %s %s %s %d %d " ARG_LL "d %d %u %u %u %d %s\n",
- nm, cl, tp,
- (int)d->flags, (int)d->qdcount,
- (long long)(d->ttl-now), (int)d->security,
- (unsigned)d->an_numrrsets,
- (unsigned)d->ns_numrrsets,
- (unsigned)d->ar_numrrsets,
- (int)d->reason_bogus,
- d->reason_bogus_str?d->reason_bogus_str:"")) {
- free(nm);
- free(tp);
- free(cl);
- rrset_array_unlock(d->ref, d->rrset_count);
- return 0;
- }
+ spool_txt_printf(txt,
+ "msg %s %s %s %d %d " ARG_LL "d %d %u %u %u %d %s\n",
+ nm, cl, tp,
+ (int)d->flags, (int)d->qdcount,
+ (long long)(d->ttl-now), (int)d->security,
+ (unsigned)d->an_numrrsets,
+ (unsigned)d->ns_numrrsets,
+ (unsigned)d->ar_numrrsets,
+ (int)d->reason_bogus,
+ d->reason_bogus_str?d->reason_bogus_str:"");
free(nm);
free(tp);
free(cl);
for(i=0; i<d->rrset_count; i++) {
- if(!dump_msg_ref(ssl, d->rrsets[i])) {
- rrset_array_unlock(d->ref, d->rrset_count);
- return 0;
- }
+ dump_msg_ref(txt, d->rrsets[i]);
}
rrset_array_unlock(d->ref, d->rrset_count);
-
- return 1;
}
/** copy msg to worker pad */
@@ -247,49 +379,40 @@ copy_msg(struct regional* region, struct
return (*k)->qname != NULL;
}
-/** dump lruhash msg cache */
-static int
-dump_msg_lruhash(RES* ssl, struct worker* worker, struct lruhash* h)
+/** Dump the msg entry. */
+static void
+dump_msg_entry(struct lruhash_entry* e, struct config_strlist_head* txt,
+ void* arg)
{
- struct lruhash_entry* e;
+ struct dump_info* dump_info = (struct dump_info*)arg;
struct query_info* k;
struct reply_info* d;
- /* lruhash already locked by caller */
- /* walk in order of lru; best first */
- for(e=h->lru_start; e; e = e->lru_next) {
- regional_free_all(worker->scratchpad);
- lock_rw_rdlock(&e->lock);
- /* make copy of rrset in worker buffer */
- if(!copy_msg(worker->scratchpad, e, &k, &d)) {
- lock_rw_unlock(&e->lock);
- return 0;
- }
+ regional_free_all(dump_info->worker->scratchpad);
+ /* Make copy of rrset in worker buffer. */
+ lock_rw_rdlock(&e->lock);
+ if(!copy_msg(dump_info->worker->scratchpad, e, &k, &d)) {
lock_rw_unlock(&e->lock);
- /* release lock so we can lookup the rrset references
- * in the rrset cache */
- if(!dump_msg(ssl, k, d, *worker->env.now)) {
- return 0;
- }
+ log_err("out of memory in dump_msg_entry");
+ return;
}
- return 1;
+ lock_rw_unlock(&e->lock);
+ /* Release lock so we can lookup the rrset references
+ * in the rrset cache. */
+ dump_msg(txt, k, d, *dump_info->worker->env.now);
}
/** dump msg cache */
static int
dump_msg_cache(RES* ssl, struct worker* worker)
{
- struct slabhash* sh = worker->env.msg_cache;
- size_t slab;
+ struct dump_info dump_info;
+ dump_info.worker = worker;
+ dump_info.ssl = ssl;
if(!ssl_printf(ssl, "START_MSG_CACHE\n")) return 0;
- for(slab=0; slab<sh->size; slab++) {
- lock_quick_lock(&sh->array[slab]->lock);
- if(!dump_msg_lruhash(ssl, worker, sh->array[slab])) {
- lock_quick_unlock(&sh->array[slab]->lock);
- return 0;
- }
- lock_quick_unlock(&sh->array[slab]->lock);
- }
+ if(!dump_slabhash(worker->env.msg_cache, &dump_msg_entry, ssl,
+ &dump_info))
+ return 0;
return ssl_printf(ssl, "END_MSG_CACHE\n");
}
@@ -811,12 +934,18 @@ print_dp_main(RES* ssl, struct delegpt*
struct ub_packed_rrset_key* k = msg->rep->rrsets[i];
struct packed_rrset_data* d =
(struct packed_rrset_data*)k->entry.data;
+ struct config_strlist_head txt;
+ memset(&txt, 0, sizeof(txt));
if(d->security == sec_status_bogus) {
if(!ssl_printf(ssl, "Address is BOGUS:\n"))
return;
}
- if(!dump_rrset(ssl, k, d, 0))
+ dump_rrset(&txt, k, d, 0);
+ if(!spool_strlist(ssl, txt.first)) {
+ config_delstrlist(txt.first);
return;
+ }
+ config_delstrlist(txt.first);
}
delegpt_count_ns(dp, &n_ns, &n_miss);
delegpt_count_addr(dp, &n_addr, &n_res, &n_avail);
Index: daemon/remote.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/daemon/remote.c,v
diff -u -p -r1.42 remote.c
--- daemon/remote.c 31 Aug 2025 21:41:09 -0000 1.42
+++ daemon/remote.c 22 Sep 2025 21:08:23 -0000
@@ -101,6 +101,10 @@
#ifdef USE_CACHEDB
#include "cachedb/cachedb.h"
#endif
+#ifdef CLIENT_SUBNET
+#include "edns-subnet/subnetmod.h"
+#include "edns-subnet/addrtree.h"
+#endif
#ifdef HAVE_SYS_TYPES_H
# include <sys/types.h>
@@ -1148,6 +1152,8 @@ print_ext(RES* ssl, struct ub_stats_info
(unsigned long)s->svr.ans_bogus)) return 0;
if(!ssl_printf(ssl, "num.rrset.bogus"SQ"%lu\n",
(unsigned long)s->svr.rrset_bogus)) return 0;
+ if(!ssl_printf(ssl, "num.valops"SQ"%lu\n",
+ (unsigned long)s->svr.val_ops)) return 0;
if(!ssl_printf(ssl, "num.query.aggressive.NOERROR"SQ"%lu\n",
(unsigned long)s->svr.num_neg_cache_noerror)) return 0;
if(!ssl_printf(ssl, "num.query.aggressive.NXDOMAIN"SQ"%lu\n",
@@ -1576,7 +1582,7 @@ do_view_zone_add(RES* ssl, struct worker
}
if(!v->isfirst) {
/* Global local-zone is not used for this view,
- * therefore add defaults to this view-specic
+ * therefore add defaults to this view-specific
* local-zone. */
struct config_file lz_cfg;
memset(&lz_cfg, 0, sizeof(lz_cfg));
@@ -1740,6 +1746,334 @@ do_view_datas_remove(struct daemon_remot
(void)ssl_printf(ssl, "removed %d datas\n", num);
}
+/** information for the domain search */
+struct cache_lookup_info {
+ /** The connection to print on. */
+ RES* ssl;
+ /** The worker. */
+ struct worker* worker;
+ /** The domain, in wireformat. */
+ uint8_t* nm;
+ /** The length of nm. */
+ size_t nmlen;
+};
+
+#ifdef CLIENT_SUBNET
+static void addrtree_traverse_visit_node(struct addrnode* n, addrkey_t* addr,
+ size_t addr_size, int is_ipv6, time_t now, struct query_info* q,
+ void (*func)(struct query_info*, struct reply_info*, addrkey_t*,
+ size_t, int, addrlen_t, int, time_t, void*), void* arg);
+
+/** Lookup in subnet addrtree */
+static void
+cache_lookup_subnet_addrnode(struct query_info* q, struct reply_info* d,
+ addrkey_t* addr, size_t addr_size, int is_ipv6, addrlen_t scope,
+ int only_match_scope_zero, time_t ttl, void* arg)
+{
+ size_t i;
+ char s[65535], tp[32], cl[32], rc[32], fg[32], astr[64];
+ struct cache_lookup_info* inf = (struct cache_lookup_info*)arg;
+ if(is_ipv6) {
+ if(addr_size < 16 || inet_ntop(AF_INET6, addr, astr,
+ sizeof(astr)) == NULL)
+ snprintf(astr, sizeof(astr), "(inet6ntoperror)");
+ } else {
+ if(addr_size < 4 || inet_ntop(AF_INET, addr, astr,
+ sizeof(astr)) == NULL)
+ snprintf(astr, sizeof(astr), "(inetntoperror)");
+ }
+ sldns_wire2str_dname_buf(q->qname, q->qname_len, s, sizeof(s));
+ sldns_wire2str_type_buf(q->qtype, tp, sizeof(tp));
+ sldns_wire2str_class_buf(q->qclass, cl, sizeof(cl));
+ sldns_wire2str_rcode_buf(FLAGS_GET_RCODE(d->flags),
+ rc, sizeof(rc));
+ snprintf(fg, sizeof(fg), "%s%s%s%s%s%s%s%s",
+ ((d->flags&BIT_QR)?" QR":""),
+ ((d->flags&BIT_AA)?" AA":""),
+ ((d->flags&BIT_TC)?" TC":""),
+ ((d->flags&BIT_RD)?" RD":""),
+ ((d->flags&BIT_RA)?" RA":""),
+ ((d->flags&BIT_Z)?" Z":""),
+ ((d->flags&BIT_AD)?" AD":""),
+ ((d->flags&BIT_CD)?" CD":""));
+ if(!rrset_array_lock(d->ref, d->rrset_count,
+ *inf->worker->env.now)) {
+ /* rrsets have timed out or do not exist */
+ return;
+ }
+ if(!ssl_printf(inf->ssl, "subnet %s/%d%s %s %s %s " ARG_LL "d\n", astr,
+ (int)scope, (only_match_scope_zero?" scope_zero":""),
+ s, cl, tp, (long long)(ttl-*inf->worker->env.now))) {
+ rrset_array_unlock(d->ref, d->rrset_count);
+ return;
+ }
+ ssl_printf(inf->ssl,
+ "subnet msg %s %s %s%s %s %d %d " ARG_LL "d %d %u %u %u %d %s\n",
+ s, cl, tp, fg, rc,
+ (int)d->flags, (int)d->qdcount,
+ (long long)(d->ttl-*inf->worker->env.now),
+ (int)d->security,
+ (unsigned)d->an_numrrsets,
+ (unsigned)d->ns_numrrsets,
+ (unsigned)d->ar_numrrsets,
+ (int)d->reason_bogus,
+ d->reason_bogus_str?d->reason_bogus_str:"");
+ for(i=0; i<d->rrset_count; i++) {
+ struct ub_packed_rrset_key* rk = d->rrsets[i];
+ struct packed_rrset_data* rd = (struct packed_rrset_data*)rk->entry.data;
+ size_t j;
+ for(j=0; j<rd->count + rd->rrsig_count; j++) {
+ if(!packed_rr_to_string(rk, j,
+ *inf->worker->env.now, s, sizeof(s))) {
+ ssl_printf(inf->ssl, "BADRR\n");
+ } else {
+ ssl_printf(inf->ssl, "%s", s);
+ }
+ }
+ }
+ rrset_array_unlock(d->ref, d->rrset_count);
+ ssl_printf(inf->ssl, "\n");
+}
+
+/** Visit an edge in subnet addrtree traverse */
+static void
+addrtree_traverse_visit_edge(struct addredge* edge, addrkey_t* addr,
+ size_t addr_size, int is_ipv6, time_t now, struct query_info* q,
+ void (*func)(struct query_info*, struct reply_info*, addrkey_t*,
+ size_t, int, addrlen_t, int, time_t, void*), void* arg)
+{
+ size_t n;
+ addrlen_t addrlen;
+ if(!edge || !edge->node)
+ return;
+ addrlen = edge->len;
+ /* ceil() */
+ n = (size_t)((addrlen / KEYWIDTH) + ((addrlen % KEYWIDTH != 0)?1:0));
+ if(n > addr_size)
+ n = addr_size;
+ memset(addr, 0, addr_size);
+ memcpy(addr, edge->str, n);
+ addrtree_traverse_visit_node(edge->node, addr, addr_size, is_ipv6,
+ now, q, func, arg);
+}
+
+/** Visit a node in subnet addrtree traverse */
+static void
+addrtree_traverse_visit_node(struct addrnode* n, addrkey_t* addr,
+ size_t addr_size, int is_ipv6, time_t now, struct query_info* q,
+ void (*func)(struct query_info*, struct reply_info*, addrkey_t*,
+ size_t, int, addrlen_t, int, time_t, void*), void* arg)
+{
+ /* If this node has data, and not expired. */
+ if(n->elem && n->ttl >= now) {
+ func(q, (struct reply_info*)n->elem, addr, addr_size, is_ipv6,
+ n->scope, n->only_match_scope_zero, n->ttl, arg);
+ }
+ /* Traverse edges. */
+ addrtree_traverse_visit_edge(n->edge[0], addr, addr_size, is_ipv6,
+ now, q, func, arg);
+ addrtree_traverse_visit_edge(n->edge[1], addr, addr_size, is_ipv6,
+ now, q, func, arg);
+}
+
+/** Traverse subnet addrtree */
+static void
+addrtree_traverse(struct addrtree* tree, int is_ipv6, time_t now,
+ struct query_info* q,
+ void (*func)(struct query_info*, struct reply_info*, addrkey_t*,
+ size_t, int, addrlen_t, int, time_t, void*), void* arg)
+{
+ uint8_t addr[16]; /* Large enough for IPv4 and IPv6. */
+ memset(addr, 0, sizeof(addr));
+ addrtree_traverse_visit_node(tree->root, (addrkey_t*)addr,
+ sizeof(addr), is_ipv6, now, q, func, arg);
+}
+
+/** Lookup cache_lookup for subnet content. */
+static void
+cache_lookup_subnet_msg(struct lruhash_entry* e, void* arg)
+{
+ struct cache_lookup_info* inf = (struct cache_lookup_info*)arg;
+ struct msgreply_entry *k = (struct msgreply_entry*)e->key;
+ struct subnet_msg_cache_data* d =
+ (struct subnet_msg_cache_data*)e->data;
+ if(!dname_subdomain_c(k->key.qname, inf->nm))
+ return;
+
+ if(d->tree4) {
+ addrtree_traverse(d->tree4, 0, *inf->worker->env.now, &k->key,
+ &cache_lookup_subnet_addrnode, inf);
+ }
+ if(d->tree6) {
+ addrtree_traverse(d->tree6, 1, *inf->worker->env.now, &k->key,
+ &cache_lookup_subnet_addrnode, inf);
+ }
+}
+#endif /* CLIENT_SUBNET */
+
+static void
+cache_lookup_rrset(struct lruhash_entry* e, void* arg)
+{
+ struct cache_lookup_info* inf = (struct cache_lookup_info*)arg;
+ struct ub_packed_rrset_key* k = (struct ub_packed_rrset_key*)e->key;
+ struct packed_rrset_data* d = (struct packed_rrset_data*)e->data;
+ if(*inf->worker->env.now < d->ttl &&
+ k->id != 0 && /* not deleted */
+ dname_subdomain_c(k->rk.dname, inf->nm)) {
+ size_t i;
+ for(i=0; i<d->count + d->rrsig_count; i++) {
+ char s[65535];
+ if(!packed_rr_to_string(k, i, *inf->worker->env.now,
+ s, sizeof(s))) {
+ ssl_printf(inf->ssl, "BADRR\n");
+ return;
+ }
+ ssl_printf(inf->ssl, "%s", s);
+ }
+ ssl_printf(inf->ssl, "\n");
+ }
+}
+
+static void
+cache_lookup_msg(struct lruhash_entry* e, void* arg)
+{
+ struct cache_lookup_info* inf = (struct cache_lookup_info*)arg;
+ struct msgreply_entry* k = (struct msgreply_entry*)e->key;
+ struct reply_info* d = (struct reply_info*)e->data;
+ if(*inf->worker->env.now < d->ttl &&
+ dname_subdomain_c(k->key.qname, inf->nm)) {
+ size_t i;
+ char s[65535], tp[32], cl[32], rc[32], fg[32];
+ sldns_wire2str_dname_buf(k->key.qname, k->key.qname_len,
+ s, sizeof(s));
+ sldns_wire2str_type_buf(k->key.qtype, tp, sizeof(tp));
+ sldns_wire2str_class_buf(k->key.qclass, cl, sizeof(cl));
+ sldns_wire2str_rcode_buf(FLAGS_GET_RCODE(d->flags),
+ rc, sizeof(rc));
+ snprintf(fg, sizeof(fg), "%s%s%s%s%s%s%s%s",
+ ((d->flags&BIT_QR)?" QR":""),
+ ((d->flags&BIT_AA)?" AA":""),
+ ((d->flags&BIT_TC)?" TC":""),
+ ((d->flags&BIT_RD)?" RD":""),
+ ((d->flags&BIT_RA)?" RA":""),
+ ((d->flags&BIT_Z)?" Z":""),
+ ((d->flags&BIT_AD)?" AD":""),
+ ((d->flags&BIT_CD)?" CD":""));
+ if(!rrset_array_lock(d->ref, d->rrset_count,
+ *inf->worker->env.now)) {
+ /* rrsets have timed out or do not exist */
+ return;
+ }
+ ssl_printf(inf->ssl,
+ "msg %s %s %s%s %s %d %d " ARG_LL "d %d %u %u %u %d %s\n",
+ s, cl, tp, fg, rc,
+ (int)d->flags, (int)d->qdcount,
+ (long long)(d->ttl-*inf->worker->env.now),
+ (int)d->security,
+ (unsigned)d->an_numrrsets,
+ (unsigned)d->ns_numrrsets,
+ (unsigned)d->ar_numrrsets,
+ (int)d->reason_bogus,
+ d->reason_bogus_str?d->reason_bogus_str:"");
+ for(i=0; i<d->rrset_count; i++) {
+ struct ub_packed_rrset_key* rk = d->rrsets[i];
+ struct packed_rrset_data* rd = (struct packed_rrset_data*)rk->entry.data;
+ size_t j;
+ for(j=0; j<rd->count + rd->rrsig_count; j++) {
+ if(!packed_rr_to_string(rk, j,
+ *inf->worker->env.now, s, sizeof(s))) {
+ rrset_array_unlock(d->ref, d->rrset_count);
+ ssl_printf(inf->ssl, "BADRR\n");
+ return;
+ }
+ ssl_printf(inf->ssl, "%s", s);
+ }
+ }
+ rrset_array_unlock(d->ref, d->rrset_count);
+ ssl_printf(inf->ssl, "\n");
+ }
+}
+
+/** perform cache search for domain */
+static void
+do_cache_lookup_domain(RES* ssl, struct worker* worker, uint8_t* nm,
+ size_t nmlen)
+{
+#ifdef CLIENT_SUBNET
+ int m;
+ struct subnet_env* sn_env = NULL;
+#endif /* CLIENT_SUBNET */
+ struct cache_lookup_info inf;
+ inf.ssl = ssl;
+ inf.worker = worker;
+ inf.nm = nm;
+ inf.nmlen = nmlen;
+
+#ifdef CLIENT_SUBNET
+ m = modstack_find(worker->env.modstack, "subnetcache");
+ if(m != -1) sn_env = (struct subnet_env*)worker->env.modinfo[m];
+ if(sn_env) {
+ lock_rw_rdlock(&sn_env->biglock);
+ slabhash_traverse(sn_env->subnet_msg_cache, 0,
+ &cache_lookup_subnet_msg, &inf);
+ lock_rw_unlock(&sn_env->biglock);
+ }
+#endif /* CLIENT_SUBNET */
+
+ slabhash_traverse(&worker->env.rrset_cache->table, 0,
+ &cache_lookup_rrset, &inf);
+ slabhash_traverse(worker->env.msg_cache, 0, &cache_lookup_msg, &inf);
+}
+
+/** cache lookup of domain */
+static void
+do_cache_lookup(RES* ssl, struct worker* worker, char* arg)
+{
+ uint8_t nm[LDNS_MAX_DOMAINLEN+1];
+ size_t nmlen;
+ int status;
+ char* s = arg, *next = NULL;
+ int allow_long = 0;
+
+ if(arg[0] == '+' && arg[1] == 't' && (arg[2]==' ' || arg[2]=='\t')) {
+ allow_long = 1;
+ s = arg+2;
+ }
+
+ /* Find the commandline arguments of domains. */
+ while(s && *s != 0) {
+ s = skipwhite(s);
+ if(*s == 0)
+ break;
+ if(strchr(s, ' ') || strchr(s, '\t')) {
+ char* sp = strchr(s, ' ');
+ if(strchr(s, '\t') != 0 && strchr(s, '\t') < sp)
+ sp = strchr(s, '\t');
+ *sp = 0;
+ next = sp+1;
+ } else {
+ next = NULL;
+ }
+
+ nmlen = sizeof(nm);
+ status = sldns_str2wire_dname_buf(s, nm, &nmlen);
+ if(status != 0) {
+ ssl_printf(ssl, "error cannot parse name %s at %d: %s\n", s,
+ LDNS_WIREPARSE_OFFSET(status),
+ sldns_get_errorstr_parse(status));
+ return;
+ }
+ if(!allow_long && dname_count_labels(nm) < 3) {
+ ssl_printf(ssl, "error name too short: '%s'. Need example.com. or longer, short names take very long, use +t to allow them.\n", s);
+ return;
+ }
+
+ do_cache_lookup_domain(ssl, worker, nm, nmlen);
+
+ s = next;
+ }
+}
+
/** cache lookup of nameservers */
static void
do_lookup(RES* ssl, struct worker* worker, char* arg)
@@ -2887,10 +3221,13 @@ do_auth_zone_reload(RES* ssl, struct wor
(void)ssl_printf(ssl, "error: no SOA in zone after read %s\n", arg);
return;
}
- if(xfr->have_zone)
+ if(xfr->have_zone) {
xfr->lease_time = *worker->env.now;
+ xfr->soa_zone_acquired = *worker->env.now;
+ }
lock_basic_unlock(&xfr->lock);
}
+ z->soa_zone_acquired = *worker->env.now;
auth_zone_verify_zonemd(z, &worker->env, &worker->env.mesh->mods,
&reason, 0, 0);
@@ -3039,7 +3376,7 @@ static void
do_list_auth_zones(RES* ssl, struct auth_zones* az)
{
struct auth_zone* z;
- char buf[LDNS_MAX_DOMAINLEN], buf2[256];
+ char buf[LDNS_MAX_DOMAINLEN], buf2[256], buf3[256];
lock_rw_rdlock(&az->lock);
RBTREE_FOR(z, struct auth_zone*, &az->ztree) {
lock_rw_rdlock(&z->lock);
@@ -3048,18 +3385,41 @@ do_list_auth_zones(RES* ssl, struct auth
snprintf(buf2, sizeof(buf2), "expired");
else {
uint32_t serial = 0;
- if(auth_zone_get_serial(z, &serial))
+ if(auth_zone_get_serial(z, &serial)) {
snprintf(buf2, sizeof(buf2), "serial %u",
(unsigned)serial);
- else snprintf(buf2, sizeof(buf2), "no serial");
+ if(z->soa_zone_acquired != 0) {
+#if defined(HAVE_STRFTIME) && defined(HAVE_LOCALTIME_R)
+ char tmbuf[32];
+ struct tm tm;
+ struct tm *tm_p;
+ tm_p = localtime_r(
+ &z->soa_zone_acquired, &tm);
+ if(!strftime(tmbuf, sizeof(tmbuf), "%Y-%m-%dT%H:%M:%S", tm_p))
+ snprintf(tmbuf, sizeof(tmbuf), "strftime-err-%u", (unsigned)z->soa_zone_acquired);
+ snprintf(buf3, sizeof(buf3),
+ "\t since %u %s",
+ (unsigned)z->soa_zone_acquired,
+ tmbuf);
+#else
+ snprintf(buf3, sizeof(buf3),
+ "\t since %u",
+ (unsigned)z->soa_zone_acquired);
+#endif
+ } else {
+ buf3[0]=0;
+ }
+ } else {
+ snprintf(buf2, sizeof(buf2), "no serial");
+ buf3[0]=0;
+ }
}
- if(!ssl_printf(ssl, "%s\t%s\n", buf, buf2)) {
+ lock_rw_unlock(&z->lock);
+ if(!ssl_printf(ssl, "%s\t%s%s\n", buf, buf2, buf3)) {
/* failure to print */
- lock_rw_unlock(&z->lock);
lock_rw_unlock(&az->lock);
return;
}
- lock_rw_unlock(&z->lock);
}
lock_rw_unlock(&az->lock);
}
@@ -3502,6 +3862,30 @@ do_print_cookie_secrets(RES* ssl, struct
explicit_bzero(secret_hex, sizeof(secret_hex));
}
+/** check that there is no argument after a command that takes no arguments. */
+static int
+cmd_no_args(RES* ssl, char* cmd, char* p)
+{
+ if(p && *p != 0) {
+ /* cmd contains the command that is called at the start,
+ * with space or tab after it. */
+ char* c = cmd;
+ if(strchr(c, ' ') && strchr(c, '\t')) {
+ if(strchr(c, ' ') < strchr(c, '\t'))
+ *strchr(c, ' ')=0;
+ else *strchr(c, '\t')=0;
+ } else if(strchr(c, ' ')) {
+ *strchr(c, ' ')=0;
+ } else if(strchr(c, '\t')) {
+ *strchr(c, '\t')=0;
+ }
+ (void)ssl_printf(ssl, "error command %s takes no arguments,"
+ " have '%s'\n", c, p);
+ return 1;
+ }
+ return 0;
+}
+
/** check for name with end-of-string, space or tab after it */
static int
cmdcmp(char* p, const char* cmd, size_t len)
@@ -3517,27 +3901,41 @@ execute_cmd(struct daemon_remote* rc, st
char* p = skipwhite(cmd);
/* compare command */
if(cmdcmp(p, "stop", 4)) {
+ if(cmd_no_args(ssl, p, skipwhite(p+4)))
+ return;
do_stop(ssl, worker);
return;
} else if(cmdcmp(p, "reload_keep_cache", 17)) {
+ if(cmd_no_args(ssl, p, skipwhite(p+17)))
+ return;
do_reload(ssl, worker, 1);
return;
} else if(cmdcmp(p, "reload", 6)) {
+ if(cmd_no_args(ssl, p, skipwhite(p+6)))
+ return;
do_reload(ssl, worker, 0);
return;
} else if(cmdcmp(p, "fast_reload", 11)) {
do_fast_reload(ssl, worker, s, skipwhite(p+11));
return;
} else if(cmdcmp(p, "stats_noreset", 13)) {
+ if(cmd_no_args(ssl, p, skipwhite(p+13)))
+ return;
do_stats(ssl, worker, 0);
return;
} else if(cmdcmp(p, "stats", 5)) {
+ if(cmd_no_args(ssl, p, skipwhite(p+5)))
+ return;
do_stats(ssl, worker, 1);
return;
} else if(cmdcmp(p, "status", 6)) {
+ if(cmd_no_args(ssl, p, skipwhite(p+6)))
+ return;
do_status(ssl, worker);
return;
} else if(cmdcmp(p, "dump_cache", 10)) {
+ if(cmd_no_args(ssl, p, skipwhite(p+10)))
+ return;
#ifdef THREADS_DISABLED
if(worker->daemon->num > 1) {
(void)ssl_printf(ssl, "dump_cache/load_cache is not "
@@ -3548,6 +3946,8 @@ execute_cmd(struct daemon_remote* rc, st
(void)dump_cache(ssl, worker);
return;
} else if(cmdcmp(p, "load_cache", 10)) {
+ if(cmd_no_args(ssl, p, skipwhite(p+10)))
+ return;
#ifdef THREADS_DISABLED
if(worker->daemon->num > 1) {
/* The warning can't be printed when stdin is sending
@@ -3558,18 +3958,28 @@ execute_cmd(struct daemon_remote* rc, st
if(load_cache(ssl, worker)) send_ok(ssl);
return;
} else if(cmdcmp(p, "list_forwards", 13)) {
+ if(cmd_no_args(ssl, p, skipwhite(p+13)))
+ return;
do_list_forwards(ssl, worker);
return;
} else if(cmdcmp(p, "list_stubs", 10)) {
+ if(cmd_no_args(ssl, p, skipwhite(p+10)))
+ return;
do_list_stubs(ssl, worker);
return;
} else if(cmdcmp(p, "list_insecure", 13)) {
+ if(cmd_no_args(ssl, p, skipwhite(p+13)))
+ return;
do_insecure_list(ssl, worker);
return;
} else if(cmdcmp(p, "list_local_zones", 16)) {
+ if(cmd_no_args(ssl, p, skipwhite(p+16)))
+ return;
do_list_local_zones(ssl, worker->daemon->local_zones);
return;
} else if(cmdcmp(p, "list_local_data", 15)) {
+ if(cmd_no_args(ssl, p, skipwhite(p+15)))
+ return;
do_list_local_data(ssl, worker, worker->daemon->local_zones);
return;
} else if(cmdcmp(p, "view_list_local_zones", 21)) {
@@ -3585,6 +3995,8 @@ execute_cmd(struct daemon_remote* rc, st
do_ip_ratelimit_list(ssl, worker, p+17);
return;
} else if(cmdcmp(p, "list_auth_zones", 15)) {
+ if(cmd_no_args(ssl, p, skipwhite(p+15)))
+ return;
do_list_auth_zones(ssl, worker->env.auth_zones);
return;
} else if(cmdcmp(p, "auth_zone_reload", 16)) {
@@ -3605,14 +4017,21 @@ execute_cmd(struct daemon_remote* rc, st
return;
} else if(cmdcmp(p, "flush_stats", 11)) {
/* must always distribute this cmd */
+ if(cmd_no_args(ssl, p, skipwhite(p+11)))
+ return;
if(rc) distribute_cmd(rc, ssl, cmd);
do_flush_stats(ssl, worker);
return;
} else if(cmdcmp(p, "flush_requestlist", 17)) {
/* must always distribute this cmd */
+ if(cmd_no_args(ssl, p, skipwhite(p+17)))
+ return;
if(rc) distribute_cmd(rc, ssl, cmd);
do_flush_requestlist(ssl, worker);
return;
+ } else if(cmdcmp(p, "cache_lookup", 12)) {
+ do_cache_lookup(ssl, worker, skipwhite(p+12));
+ return;
} else if(cmdcmp(p, "lookup", 6)) {
do_lookup(ssl, worker, skipwhite(p+6));
return;
@@ -3620,15 +4039,23 @@ execute_cmd(struct daemon_remote* rc, st
* Each line needs to be distributed if THREADS_DISABLED.
*/
} else if(cmdcmp(p, "local_zones_remove", 18)) {
+ if(cmd_no_args(ssl, p, skipwhite(p+18)))
+ return;
do_zones_remove(rc, ssl, worker);
return;
} else if(cmdcmp(p, "local_zones", 11)) {
+ if(cmd_no_args(ssl, p, skipwhite(p+11)))
+ return;
do_zones_add(rc, ssl, worker);
return;
} else if(cmdcmp(p, "local_datas_remove", 18)) {
+ if(cmd_no_args(ssl, p, skipwhite(p+18)))
+ return;
do_datas_remove(rc, ssl, worker);
return;
} else if(cmdcmp(p, "local_datas", 11)) {
+ if(cmd_no_args(ssl, p, skipwhite(p+11)))
+ return;
do_datas_add(rc, ssl, worker);
return;
} else if(cmdcmp(p, "view_local_datas_remove", 23)){
@@ -3638,6 +4065,8 @@ execute_cmd(struct daemon_remote* rc, st
do_view_datas_add(rc, ssl, worker, skipwhite(p+16));
return;
} else if(cmdcmp(p, "print_cookie_secrets", 20)) {
+ if(cmd_no_args(ssl, p, skipwhite(p+20)))
+ return;
do_print_cookie_secrets(ssl, worker);
return;
}
@@ -3687,10 +4116,16 @@ execute_cmd(struct daemon_remote* rc, st
} else if(cmdcmp(p, "flush", 5)) {
do_flush_name(ssl, worker, skipwhite(p+5));
} else if(cmdcmp(p, "dump_requestlist", 16)) {
+ if(cmd_no_args(ssl, p, skipwhite(p+16)))
+ return;
do_dump_requestlist(ssl, worker);
} else if(cmdcmp(p, "dump_infra", 10)) {
+ if(cmd_no_args(ssl, p, skipwhite(p+10)))
+ return;
do_dump_infra(ssl, worker);
} else if(cmdcmp(p, "log_reopen", 10)) {
+ if(cmd_no_args(ssl, p, skipwhite(p+10)))
+ return;
do_log_reopen(ssl, worker);
} else if(cmdcmp(p, "set_option", 10)) {
do_set_option(ssl, worker, skipwhite(p+10));
@@ -3707,8 +4142,12 @@ execute_cmd(struct daemon_remote* rc, st
} else if(cmdcmp(p, "add_cookie_secret", 17)) {
do_add_cookie_secret(ssl, worker, skipwhite(p+17));
} else if(cmdcmp(p, "drop_cookie_secret", 18)) {
+ if(cmd_no_args(ssl, p, skipwhite(p+18)))
+ return;
do_drop_cookie_secret(ssl, worker);
} else if(cmdcmp(p, "activate_cookie_secret", 22)) {
+ if(cmd_no_args(ssl, p, skipwhite(p+22)))
+ return;
do_activate_cookie_secret(ssl, worker);
} else {
(void)ssl_printf(ssl, "error unknown command '%s'\n", p);
@@ -4348,37 +4787,45 @@ fr_check_tag_defines(struct fast_reload_
return 1;
}
-/** fast reload thread, check if config item has changed, if not add to
- * the explanatory string. */
+/** fast reload thread, add incompatible option to the explanatory string */
static void
-fr_check_changed_cfg(int cmp, const char* desc, char* str, size_t len)
+fr_add_incompatible_option(const char* desc, char* str, size_t len)
{
- if(cmp) {
- size_t slen = strlen(str);
- size_t desclen = strlen(desc);
- if(slen == 0) {
- snprintf(str, len, "%s", desc);
- return;
- }
- if(len - slen < desclen+2)
- return; /* It does not fit */
- snprintf(str+slen, len-slen, " %s", desc);
+ size_t slen = strlen(str);
+ size_t desclen = strlen(desc);
+ if(slen == 0) {
+ snprintf(str, len, "%s", desc);
+ return;
}
+ if(len - slen < desclen+2)
+ return; /* It does not fit */
+ snprintf(str+slen, len-slen, " %s", desc);
}
+/** fast reload thread, check if config item has changed; thus incompatible */
+#define FR_CHECK_CHANGED_CFG(desc, var, str) \
+do { \
+ if(cfg->var != newcfg->var) { \
+ fr_add_incompatible_option(desc, str, sizeof(str)); \
+ } \
+} while(0);
+
/** fast reload thread, check if config string has changed, checks NULLs. */
-static void
-fr_check_changed_cfg_str(char* cmp1, char* cmp2, const char* desc, char* str,
- size_t len)
-{
- if((!cmp1 && cmp2) ||
- (cmp1 && !cmp2) ||
- (cmp1 && cmp2 && strcmp(cmp1, cmp2) != 0)) {
- fr_check_changed_cfg(1, desc, str, len);
- }
-}
+#define FR_CHECK_CHANGED_CFG_STR(desc, var, str) \
+do { \
+ if((!cfg->var && newcfg->var) || \
+ (cfg->var && !newcfg->var) || \
+ (cfg->var && newcfg->var \
+ && strcmp(cfg->var, newcfg->var) != 0)) { \
+ fr_add_incompatible_option(desc, str, sizeof(str)); \
+ } \
+} while(0);
/** fast reload thread, check if config strlist has changed. */
+#define FR_CHECK_CHANGED_CFG_STRLIST(desc, var, str) do { \
+ fr_check_changed_cfg_strlist(cfg->var, newcfg->var, desc, str, \
+ sizeof(str)); \
+ } while(0);
static void
fr_check_changed_cfg_strlist(struct config_strlist* cmp1,
struct config_strlist* cmp2, const char* desc, char* str, size_t len)
@@ -4389,18 +4836,22 @@ fr_check_changed_cfg_strlist(struct conf
(p1->str && !p2->str) ||
(p1->str && p2->str && strcmp(p1->str, p2->str) != 0)) {
/* The strlist is different. */
- fr_check_changed_cfg(1, desc, str, len);
+ fr_add_incompatible_option(desc, str, len);
return;
}
p1 = p1->next;
p2 = p2->next;
}
if((!p1 && p2) || (p1 && !p2)) {
- fr_check_changed_cfg(1, desc, str, len);
+ fr_add_incompatible_option(desc, str, len);
}
}
/** fast reload thread, check if config str2list has changed. */
+#define FR_CHECK_CHANGED_CFG_STR2LIST(desc, var, buff) do { \
+ fr_check_changed_cfg_str2list(cfg->var, newcfg->var, desc, buff,\
+ sizeof(buff)); \
+ } while(0);
static void
fr_check_changed_cfg_str2list(struct config_str2list* cmp1,
struct config_str2list* cmp2, const char* desc, char* str, size_t len)
@@ -4411,7 +4862,7 @@ fr_check_changed_cfg_str2list(struct con
(p1->str && !p2->str) ||
(p1->str && p2->str && strcmp(p1->str, p2->str) != 0)) {
/* The str2list is different. */
- fr_check_changed_cfg(1, desc, str, len);
+ fr_add_incompatible_option(desc, str, len);
return;
}
if((!p1->str2 && p2->str2) ||
@@ -4419,14 +4870,14 @@ fr_check_changed_cfg_str2list(struct con
(p1->str2 && p2->str2 &&
strcmp(p1->str2, p2->str2) != 0)) {
/* The str2list is different. */
- fr_check_changed_cfg(1, desc, str, len);
+ fr_add_incompatible_option(desc, str, len);
return;
}
p1 = p1->next;
p2 = p2->next;
}
if((!p1 && p2) || (p1 && !p2)) {
- fr_check_changed_cfg(1, desc, str, len);
+ fr_add_incompatible_option(desc, str, len);
}
}
@@ -4440,98 +4891,54 @@ fr_check_compat_cfg(struct fast_reload_t
changed_str[0]=0;
/* Find incompatible options, and if so, print an error. */
- fr_check_changed_cfg(cfg->num_threads != newcfg->num_threads,
- "num-threads", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(cfg->do_ip4 != newcfg->do_ip4,
- "do-ip4", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(cfg->do_ip6 != newcfg->do_ip6,
- "do-ip6", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(cfg->do_udp != newcfg->do_udp,
- "do-udp", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(cfg->do_tcp != newcfg->do_tcp,
- "do-tcp", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(cfg->port != newcfg->port,
- "port", changed_str, sizeof(changed_str));
+ FR_CHECK_CHANGED_CFG("num-threads", num_threads, changed_str);
+ FR_CHECK_CHANGED_CFG("do-ip4", do_ip4, changed_str);
+ FR_CHECK_CHANGED_CFG("do-ip6", do_ip6, changed_str);
+ FR_CHECK_CHANGED_CFG("do-udp", do_udp, changed_str);
+ FR_CHECK_CHANGED_CFG("do-tcp", do_tcp, changed_str);
+ FR_CHECK_CHANGED_CFG("port", port, changed_str);
/* But cfg->outgoing_num_ports has been changed at startup,
* possibly to reduce it, so do not check it here. */
- fr_check_changed_cfg(cfg->outgoing_num_tcp != newcfg->outgoing_num_tcp,
- "outgoing-num-tcp", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(cfg->incoming_num_tcp != newcfg->incoming_num_tcp,
- "incoming-num-tcp", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(cfg->num_out_ifs != newcfg->num_out_ifs,
- "outgoing-interface", changed_str, sizeof(changed_str));
+ FR_CHECK_CHANGED_CFG("outgoing-num-tcp", outgoing_num_tcp, changed_str);
+ FR_CHECK_CHANGED_CFG("incoming-num-tcp", incoming_num_tcp, changed_str);
+ FR_CHECK_CHANGED_CFG("outgoing-interface", num_out_ifs, changed_str);
if(cfg->num_out_ifs == newcfg->num_out_ifs) {
for(i=0; i<cfg->num_out_ifs; i++)
- fr_check_changed_cfg(strcmp(cfg->out_ifs[i],
- newcfg->out_ifs[i]) != 0, "outgoing-interface",
- changed_str, sizeof(changed_str));
+ FR_CHECK_CHANGED_CFG_STR("outgoing-interface",
+ out_ifs[i], changed_str);
}
- fr_check_changed_cfg(cfg->num_ifs != newcfg->num_ifs,
- "interface", changed_str, sizeof(changed_str));
+ FR_CHECK_CHANGED_CFG("interface", num_ifs, changed_str);
if(cfg->num_ifs == newcfg->num_ifs) {
for(i=0; i<cfg->num_ifs; i++)
- fr_check_changed_cfg(strcmp(cfg->ifs[i],
- newcfg->ifs[i]) != 0, "interface",
- changed_str, sizeof(changed_str));
- }
- fr_check_changed_cfg(cfg->if_automatic != newcfg->if_automatic,
- "interface-automatic", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(cfg->so_rcvbuf != newcfg->so_rcvbuf,
- "so-rcvbuf", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(cfg->so_sndbuf != newcfg->so_sndbuf,
- "so-sndbuf", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(cfg->so_reuseport != newcfg->so_reuseport,
- "so-reuseport", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(cfg->ip_transparent != newcfg->ip_transparent,
- "ip-transparent", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(cfg->ip_freebind != newcfg->ip_freebind,
- "ip-freebind", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(cfg->udp_connect != newcfg->udp_connect,
- "udp-connect", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(cfg->msg_buffer_size != newcfg->msg_buffer_size,
- "msg-buffer-size", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(cfg->do_tcp_keepalive != newcfg->do_tcp_keepalive,
- "edns-tcp-keepalive", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(
- cfg->tcp_keepalive_timeout != newcfg->tcp_keepalive_timeout,
- "edns-tcp-keepalive-timeout", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(cfg->tcp_idle_timeout != newcfg->tcp_idle_timeout,
- "tcp-idle-timeout", changed_str, sizeof(changed_str));
+ FR_CHECK_CHANGED_CFG_STR("interface",
+ ifs[i], changed_str);
+ }
+ FR_CHECK_CHANGED_CFG("interface-automatic", if_automatic, changed_str);
+ FR_CHECK_CHANGED_CFG("so-rcvbuf", so_rcvbuf, changed_str);
+ FR_CHECK_CHANGED_CFG("so-sndbuf", so_sndbuf, changed_str);
+ FR_CHECK_CHANGED_CFG("so-reuseport", so_reuseport, changed_str);
+ FR_CHECK_CHANGED_CFG("ip-transparent", ip_transparent, changed_str);
+ FR_CHECK_CHANGED_CFG("ip-freebind", ip_freebind, changed_str);
+ FR_CHECK_CHANGED_CFG("udp-connect", udp_connect, changed_str);
+ FR_CHECK_CHANGED_CFG("msg-buffer-size", msg_buffer_size, changed_str);
+ FR_CHECK_CHANGED_CFG("edns-tcp-keepalive", do_tcp_keepalive, changed_str);
+ FR_CHECK_CHANGED_CFG("edns-tcp-keepalive-timeout", tcp_keepalive_timeout, changed_str);
+ FR_CHECK_CHANGED_CFG("tcp-idle-timeout", tcp_idle_timeout, changed_str);
/* Not changed, only if DoH is used, it is then stored in commpoints,
* as well as used from cfg. */
- fr_check_changed_cfg(
- cfg->harden_large_queries != newcfg->harden_large_queries,
- "harden-large-queries", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(cfg->http_max_streams != newcfg->http_max_streams,
- "http-max-streams", changed_str, sizeof(changed_str));
- fr_check_changed_cfg_str(cfg->http_endpoint, newcfg->http_endpoint,
- "http-endpoint", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(
- cfg->http_notls_downstream != newcfg->http_notls_downstream,
- "http_notls_downstream", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(cfg->https_port != newcfg->https_port,
- "https-port", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(cfg->ssl_port != newcfg->ssl_port,
- "tls-port", changed_str, sizeof(changed_str));
- fr_check_changed_cfg_str(cfg->ssl_service_key, newcfg->ssl_service_key,
- "tls-service-key", changed_str, sizeof(changed_str));
- fr_check_changed_cfg_str(cfg->ssl_service_pem, newcfg->ssl_service_pem,
- "tls-service-pem", changed_str, sizeof(changed_str));
- fr_check_changed_cfg_str(cfg->tls_cert_bundle, newcfg->tls_cert_bundle,
- "tls-cert-bundle", changed_str, sizeof(changed_str));
- fr_check_changed_cfg_strlist(cfg->proxy_protocol_port,
- newcfg->proxy_protocol_port, "proxy-protocol-port",
- changed_str, sizeof(changed_str));
- fr_check_changed_cfg_strlist(cfg->tls_additional_port,
- newcfg->tls_additional_port, "tls-additional-port",
- changed_str, sizeof(changed_str));
- fr_check_changed_cfg_str(cfg->if_automatic_ports,
- newcfg->if_automatic_ports, "interface-automatic-ports",
- changed_str, sizeof(changed_str));
- fr_check_changed_cfg(cfg->udp_upstream_without_downstream !=
- newcfg->udp_upstream_without_downstream,
- "udp-upstream-without-downstream", changed_str,
- sizeof(changed_str));
+ FR_CHECK_CHANGED_CFG("harden-large-queries", harden_large_queries, changed_str);
+ FR_CHECK_CHANGED_CFG("http-max-streams", http_max_streams, changed_str);
+ FR_CHECK_CHANGED_CFG_STR("http-endpoint", http_endpoint, changed_str);
+ FR_CHECK_CHANGED_CFG("http_notls_downstream", http_notls_downstream, changed_str);
+ FR_CHECK_CHANGED_CFG("https-port", https_port, changed_str);
+ FR_CHECK_CHANGED_CFG("tls-port", ssl_port, changed_str);
+ FR_CHECK_CHANGED_CFG_STR("tls-service-key", ssl_service_key, changed_str);
+ FR_CHECK_CHANGED_CFG_STR("tls-service-pem", ssl_service_pem, changed_str);
+ FR_CHECK_CHANGED_CFG_STR("tls-cert-bundle", tls_cert_bundle, changed_str);
+ FR_CHECK_CHANGED_CFG_STRLIST("proxy-protocol-port", proxy_protocol_port, changed_str);
+ FR_CHECK_CHANGED_CFG_STRLIST("tls-additional-port", tls_additional_port, changed_str);
+ FR_CHECK_CHANGED_CFG_STR("interface-automatic-ports", if_automatic_ports, changed_str);
+ FR_CHECK_CHANGED_CFG("udp-upstream-without-downstream", udp_upstream_without_downstream, changed_str);
if(changed_str[0] != 0) {
/* The new config changes some items that do not work with
@@ -4549,7 +4956,7 @@ fr_check_compat_cfg(struct fast_reload_t
/** fast reload thread, check nopause config items */
static int
-fr_check_nopause_cfg(struct fast_reload_thread* fr, struct config_file* newcfg)
+fr_check_nopause_compat_cfg(struct fast_reload_thread* fr, struct config_file* newcfg)
{
char changed_str[1024];
struct config_file* cfg = fr->worker->env.cfg;
@@ -4558,94 +4965,43 @@ fr_check_nopause_cfg(struct fast_reload_
changed_str[0]=0;
/* Check for iter_env. */
- fr_check_changed_cfg(
- cfg->outbound_msg_retry != newcfg->outbound_msg_retry,
- "outbound-msg-retry", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(cfg->max_sent_count != newcfg->max_sent_count,
- "max-sent-count", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(
- cfg->max_query_restarts != newcfg->max_query_restarts,
- "max-query-restarts", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(strcmp(cfg->target_fetch_policy,
- newcfg->target_fetch_policy) != 0,
- "target-fetch-policy", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(
- cfg->donotquery_localhost != newcfg->donotquery_localhost,
- "do-not-query-localhost", changed_str, sizeof(changed_str));
- fr_check_changed_cfg_strlist(cfg->donotqueryaddrs,
- newcfg->donotqueryaddrs, "do-not-query-localhost",
- changed_str, sizeof(changed_str));
- fr_check_changed_cfg_strlist(cfg->private_address,
- newcfg->private_address, "private-address",
- changed_str, sizeof(changed_str));
- fr_check_changed_cfg_strlist(cfg->private_domain,
- newcfg->private_domain, "private-domain",
- changed_str, sizeof(changed_str));
- fr_check_changed_cfg_strlist(cfg->caps_whitelist,
- newcfg->caps_whitelist, "caps-exempt",
- changed_str, sizeof(changed_str));
- fr_check_changed_cfg(cfg->do_nat64 != newcfg->do_nat64,
- "do-nat64", changed_str, sizeof(changed_str));
- fr_check_changed_cfg_str(cfg->nat64_prefix, newcfg->nat64_prefix,
- "nat64-prefix", changed_str, sizeof(changed_str));
+ FR_CHECK_CHANGED_CFG("outbound-msg-retry", outbound_msg_retry, changed_str);
+ FR_CHECK_CHANGED_CFG("max-sent-count", max_sent_count, changed_str);
+ FR_CHECK_CHANGED_CFG("max-query-restarts", max_query_restarts, changed_str);
+ FR_CHECK_CHANGED_CFG_STR("target-fetch-policy", target_fetch_policy, changed_str);
+ FR_CHECK_CHANGED_CFG("do-not-query-localhost", donotquery_localhost, changed_str);
+ FR_CHECK_CHANGED_CFG_STRLIST("do-not-query-address", donotqueryaddrs, changed_str);
+ FR_CHECK_CHANGED_CFG_STRLIST("private-address", private_address, changed_str);
+ FR_CHECK_CHANGED_CFG_STRLIST("private-domain", private_domain, changed_str);
+ FR_CHECK_CHANGED_CFG_STRLIST("caps-exempt", caps_whitelist, changed_str);
+ FR_CHECK_CHANGED_CFG("do-nat64", do_nat64, changed_str);
+ FR_CHECK_CHANGED_CFG_STR("nat64-prefix", nat64_prefix, changed_str);
/* Check for val_env. */
- fr_check_changed_cfg(cfg->bogus_ttl != newcfg->bogus_ttl,
- "val-bogus-ttl", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(
- cfg->val_date_override != newcfg->val_date_override,
- "val-date-override", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(cfg->val_sig_skew_min != newcfg->val_sig_skew_min,
- "val-sig-skew-min", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(cfg->val_sig_skew_max != newcfg->val_sig_skew_max,
- "val-sig-skew-max", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(cfg->val_max_restart != newcfg->val_max_restart,
- "val-max-restart", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(strcmp(cfg->val_nsec3_key_iterations,
- newcfg->val_nsec3_key_iterations) != 0,
- "val-nsec3-keysize-iterations", changed_str,
- sizeof(changed_str));
+ FR_CHECK_CHANGED_CFG("val-bogus-ttl", bogus_ttl, changed_str);
+ FR_CHECK_CHANGED_CFG("val-date-override", val_date_override, changed_str);
+ FR_CHECK_CHANGED_CFG("val-sig-skew-min", val_sig_skew_min, changed_str);
+ FR_CHECK_CHANGED_CFG("val-sig-skew-max", val_sig_skew_max, changed_str);
+ FR_CHECK_CHANGED_CFG("val-max-restart", val_max_restart, changed_str);
+ FR_CHECK_CHANGED_CFG_STR("val-nsec3-keysize-iterations",
+ val_nsec3_key_iterations, changed_str);
/* Check for infra. */
- fr_check_changed_cfg(cfg->host_ttl != newcfg->host_ttl,
- "infra-host-ttl", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(
- cfg->infra_keep_probing != newcfg->infra_keep_probing,
- "infra-keep-probing", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(
- cfg->ratelimit != newcfg->ratelimit,
- "ratelimit", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(
- cfg->ip_ratelimit != newcfg->ip_ratelimit,
- "ip-ratelimit", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(
- cfg->ip_ratelimit_cookie != newcfg->ip_ratelimit_cookie,
- "ip-ratelimit-cookie", changed_str, sizeof(changed_str));
- fr_check_changed_cfg_str2list(cfg->wait_limit_netblock,
- newcfg->wait_limit_netblock, "wait-limit-netblock",
- changed_str, sizeof(changed_str));
- fr_check_changed_cfg_str2list(cfg->wait_limit_cookie_netblock,
- newcfg->wait_limit_cookie_netblock,
- "wait-limit-cookie-netblock", changed_str,
- sizeof(changed_str));
- fr_check_changed_cfg_str2list(cfg->ratelimit_below_domain,
- newcfg->ratelimit_below_domain, "ratelimit-below-domain",
- changed_str, sizeof(changed_str));
- fr_check_changed_cfg_str2list(cfg->ratelimit_for_domain,
- newcfg->ratelimit_for_domain, "ratelimit-for-domain",
- changed_str, sizeof(changed_str));
+ FR_CHECK_CHANGED_CFG("infra-host-ttl", host_ttl, changed_str);
+ FR_CHECK_CHANGED_CFG("infra-keep-probing", infra_keep_probing, changed_str);
+ FR_CHECK_CHANGED_CFG("ratelimit", ratelimit, changed_str);
+ FR_CHECK_CHANGED_CFG("ip-ratelimit", ip_ratelimit, changed_str);
+ FR_CHECK_CHANGED_CFG("ip-ratelimit-cookie", ip_ratelimit_cookie, changed_str);
+ FR_CHECK_CHANGED_CFG_STR2LIST("wait-limit-netblock", wait_limit_netblock, changed_str);
+ FR_CHECK_CHANGED_CFG_STR2LIST("wait-limit-cookie-netblock", wait_limit_cookie_netblock, changed_str);
+ FR_CHECK_CHANGED_CFG_STR2LIST("ratelimit-below-domain", ratelimit_below_domain, changed_str);
+ FR_CHECK_CHANGED_CFG_STR2LIST("ratelimit-for-domain", ratelimit_for_domain, changed_str);
/* Check for dnstap. */
- fr_check_changed_cfg(
- cfg->dnstap_send_identity != newcfg->dnstap_send_identity,
- "dnstap-send-identity", changed_str, sizeof(changed_str));
- fr_check_changed_cfg(
- cfg->dnstap_send_version != newcfg->dnstap_send_version,
- "dnstap-send-version", changed_str, sizeof(changed_str));
- fr_check_changed_cfg_str(cfg->dnstap_identity, newcfg->dnstap_identity,
- "dnstap-identity", changed_str, sizeof(changed_str));
- fr_check_changed_cfg_str(cfg->dnstap_version, newcfg->dnstap_version,
- "dnstap-version", changed_str, sizeof(changed_str));
+ FR_CHECK_CHANGED_CFG("dnstap-send-identity", dnstap_send_identity, changed_str);
+ FR_CHECK_CHANGED_CFG("dnstap-send-version", dnstap_send_version, changed_str);
+ FR_CHECK_CHANGED_CFG_STR("dnstap-identity", dnstap_identity, changed_str);
+ FR_CHECK_CHANGED_CFG_STR("dnstap-version", dnstap_version, changed_str);
if(changed_str[0] != 0) {
/* The new config changes some items that need a pause,
@@ -5507,7 +5863,7 @@ fr_atomic_copy_cfg(struct config_file* o
COPY_VAR_ptr(tls_cert_bundle);
COPY_VAR_int(tls_win_cert);
COPY_VAR_ptr(tls_additional_port);
- /* The first is used to walk throught the list but last is
+ /* The first is used to walk through the list but last is
* only used during config read. */
COPY_VAR_ptr(tls_session_ticket_keys.first);
COPY_VAR_ptr(tls_session_ticket_keys.last);
@@ -5694,7 +6050,7 @@ fr_atomic_copy_cfg(struct config_file* o
tagname, num_tags
*/
COPY_VAR_int(remote_control_enable);
- /* The first is used to walk throught the list but last is
+ /* The first is used to walk through the list but last is
* only used during config read. */
COPY_VAR_ptr(control_ifs.first);
COPY_VAR_ptr(control_ifs.last);
@@ -6193,7 +6549,7 @@ fr_load_config(struct fast_reload_thread
config_delete(newcfg);
return 0;
}
- if(!fr_check_nopause_cfg(fr, newcfg)) {
+ if(!fr_check_nopause_compat_cfg(fr, newcfg)) {
config_delete(newcfg);
return 0;
}
@@ -7131,6 +7487,7 @@ fr_worker_auth_add(struct worker* worker
xfr->serial = 0;
}
}
+ auth_zone_pickup_initial_zone(item->new_z, &worker->env);
lock_rw_unlock(&item->new_z->lock);
lock_rw_unlock(&worker->env.auth_zones->lock);
lock_rw_unlock(&worker->daemon->fast_reload_thread->old_auth_zones->lock);
@@ -7257,7 +7614,7 @@ void
fast_reload_worker_pickup_changes(struct worker* worker)
{
/* The pickup of changes is called when the fast reload has
- * a syncronized moment, and all the threads are paused and the
+ * a synchronized moment, and all the threads are paused and the
* reload has been applied. Then the worker can pick up the new
* changes and store them in worker-specific structs.
* The pickup is also called when there is no pause, and then
Index: daemon/stats.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/daemon/stats.c,v
diff -u -p -r1.18 stats.c
--- daemon/stats.c 31 Aug 2025 21:41:09 -0000 1.18
+++ daemon/stats.c 22 Sep 2025 21:08:23 -0000
@@ -273,6 +273,7 @@ server_stats_compile(struct worker* work
/* add in the values from the mesh */
s->svr.ans_secure += (long long)worker->env.mesh->ans_secure;
s->svr.ans_bogus += (long long)worker->env.mesh->ans_bogus;
+ s->svr.val_ops += (long long)worker->env.mesh->val_ops;
s->svr.ans_rcode_nodata += (long long)worker->env.mesh->ans_nodata;
s->svr.ans_expired += (long long)worker->env.mesh->ans_expired;
for(i=0; i<UB_STATS_RCODE_NUM; i++)
@@ -495,6 +496,7 @@ void server_stats_add(struct ub_stats_in
total->svr.ans_rcode_nodata += a->svr.ans_rcode_nodata;
total->svr.ans_secure += a->svr.ans_secure;
total->svr.ans_bogus += a->svr.ans_bogus;
+ total->svr.val_ops += a->svr.val_ops;
total->svr.unwanted_replies += a->svr.unwanted_replies;
total->svr.unwanted_queries += a->svr.unwanted_queries;
total->svr.tcp_accept_usage += a->svr.tcp_accept_usage;
Index: daemon/unbound.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/daemon/unbound.c,v
diff -u -p -r1.34 unbound.c
--- daemon/unbound.c 31 Aug 2025 21:41:09 -0000 1.34
+++ daemon/unbound.c 22 Sep 2025 21:08:23 -0000
@@ -174,7 +174,7 @@ static void
checkrlimits(struct config_file* cfg)
{
#ifndef S_SPLINT_S
-#ifdef HAVE_GETRLIMIT
+#if defined(HAVE_GETRLIMIT) && !defined(unbound_testbound)
/* list has number of ports to listen to, ifs number addresses */
int list = ((cfg->do_udp?1:0) + (cfg->do_tcp?1 +
(int)cfg->incoming_num_tcp:0));
@@ -463,11 +463,11 @@ detach(void)
#endif /* HAVE_DAEMON */
}
+#ifdef HAVE_SSL
/* setup a listening ssl context, fatal_exit() on any failure */
static void
setup_listen_sslctx(void** ctx, int is_dot, int is_doh, struct config_file* cfg)
{
-#ifdef HAVE_SSL
if(!(*ctx = listen_sslctx_create(
cfg->ssl_service_key, cfg->ssl_service_pem, NULL,
cfg->tls_ciphers, cfg->tls_ciphersuites,
@@ -476,10 +476,8 @@ setup_listen_sslctx(void** ctx, int is_d
is_dot, is_doh))) {
fatal_exit("could not set up listen SSL_CTX");
}
-#else /* HAVE_SSL */
- (void)ctx;(void)is_dot;(void)is_doh;(void)cfg;
-#endif /* HAVE_SSL */
}
+#endif /* HAVE_SSL */
/* setups the needed ssl contexts, fatal_exit() on any failure */
static void
@@ -747,6 +745,7 @@ run_daemon(const char* cfgfile, int cmdl
"the commandline to see more errors, "
"or unbound-checkconf", cfgfile);
log_warn("Continuing with default config settings");
+ config_auto_slab_values(cfg);
}
apply_settings(daemon, cfg, cmdline_verbose, debug_mode);
if(!done_setup)
Index: daemon/worker.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/daemon/worker.c,v
diff -u -p -r1.43 worker.c
--- daemon/worker.c 31 Aug 2025 21:41:09 -0000 1.43
+++ daemon/worker.c 22 Sep 2025 21:08:23 -0000
@@ -1707,6 +1707,7 @@ worker_handle_request(struct comm_point*
repinfo->client_addrlen, edns.cookie_valid,
c->buffer)) {
worker->stats.num_queries_ip_ratelimited++;
+ regional_free_all(worker->scratchpad);
comm_point_drop_reply(repinfo);
return 0;
}
@@ -1818,8 +1819,9 @@ worker_handle_request(struct comm_point*
goto send_reply;
}
if(worker->env.auth_zones &&
- auth_zones_answer(worker->env.auth_zones, &worker->env,
- &qinfo, &edns, repinfo, c->buffer, worker->scratchpad)) {
+ auth_zones_downstream_answer(worker->env.auth_zones,
+ &worker->env, &qinfo, &edns, repinfo, c->buffer,
+ worker->scratchpad)) {
regional_free_all(worker->scratchpad);
if(sldns_buffer_limit(c->buffer) == 0) {
comm_point_drop_reply(repinfo);
@@ -1872,20 +1874,11 @@ worker_handle_request(struct comm_point*
/* If we've found a local alias, replace the qname with the alias
* target before resolving it. */
if(qinfo.local_alias) {
- struct ub_packed_rrset_key* rrset = qinfo.local_alias->rrset;
- struct packed_rrset_data* d = rrset->entry.data;
-
- /* Sanity check: our current implementation only supports
- * a single CNAME RRset as a local alias. */
- if(qinfo.local_alias->next ||
- rrset->rk.type != htons(LDNS_RR_TYPE_CNAME) ||
- d->count != 1) {
- log_err("assumption failure: unexpected local alias");
+ if(!local_alias_shallow_copy_qname(qinfo.local_alias, &qinfo.qname,
+ &qinfo.qname_len)) {
regional_free_all(worker->scratchpad);
return 0; /* drop it */
}
- qinfo.qname = d->rr_data[0] + 2;
- qinfo.qname_len = d->rr_len[0] - 2;
}
/* If we may apply IP-based actions to the answer, build the client
Index: dns64/dns64.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/dns64/dns64.c,v
diff -u -p -r1.23 dns64.c
--- dns64/dns64.c 31 Aug 2025 21:41:09 -0000 1.23
+++ dns64/dns64.c 22 Sep 2025 21:08:23 -0000
@@ -631,7 +631,7 @@ handle_event_moddone(struct module_qstat
/* When an AAAA query completes check if we want to perform DNS64
* synthesis. We skip queries with DNSSEC enabled (!CD) and
- * ones generated by us to retrive the A/PTR record to use for
+ * ones generated by us to retrieve the A/PTR record to use for
* synth. */
int could_synth =
qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA &&
Index: dnstap/dnstap.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/dnstap/dnstap.c,v
diff -u -p -r1.13 dnstap.c
--- dnstap/dnstap.c 31 Aug 2025 21:41:09 -0000 1.13
+++ dnstap/dnstap.c 22 Sep 2025 21:08:23 -0000
@@ -542,7 +542,7 @@ dt_msg_send_outside_query(struct dt_env
qflags = sldns_buffer_read_u16_at(qmsg, 2);
/* type */
- if (qflags & BIT_RD) {
+ if ((qflags & BIT_RD)) {
if (!env->log_forwarder_query_messages)
return;
dt_msg_init(env, &dm, DNSTAP__MESSAGE__TYPE__FORWARDER_QUERY);
@@ -599,7 +599,7 @@ dt_msg_send_outside_response(struct dt_e
qflags = ntohs(qflags);
/* type */
- if (qflags & BIT_RD) {
+ if ((qflags & BIT_RD)) {
if (!env->log_forwarder_response_messages)
return;
dt_msg_init(env, &dm, DNSTAP__MESSAGE__TYPE__FORWARDER_RESPONSE);
Index: dnstap/dnstap.m4
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/dnstap/dnstap.m4,v
diff -u -p -r1.3 dnstap.m4
--- dnstap/dnstap.m4 31 Aug 2025 21:41:09 -0000 1.3
+++ dnstap/dnstap.m4 22 Sep 2025 21:08:23 -0000
@@ -18,10 +18,41 @@ AC_DEFUN([dt_DNSTAP],
[opt_dnstap_socket_path="$1"])
if test "x$opt_dnstap" != "xno"; then
- AC_PATH_PROG([PROTOC_C], [protoc-c])
- if test -z "$PROTOC_C"; then
- AC_MSG_ERROR([The protoc-c program was not found. Please install protobuf-c!])
- fi
+ AC_PATH_PROG([PROTOC], [protoc])
+ # 'protoc-c' is deprecated. We use 'protoc' instead. If it can not be
+ # found, try 'protoc-c'.
+ if test -z "$PROTOC"; then
+ AC_PATH_PROG([PROTOC_C], [protoc-c])
+ else
+ PROTOC_C="$PROTOC"
+ fi
+ if test -z "$PROTOC_C"; then
+ AC_MSG_ERROR([[The protoc or protoc-c program was not found. It is needed for dnstap, use --disable-dnstap, or install protobuf-c to provide protoc or protoc-c]])
+ fi
+
+ # Check for protoc-gen-c plugin
+ AC_PATH_PROG([PROTOC_GEN_C], [protoc-gen-c])
+ if test -z "$PROTOC_GEN_C"; then
+ AC_MSG_ERROR([[The protoc-gen-c plugin was not found. It is needed for dnstap, use --disable-dnstap, or install protobuf-c-compiler to provide protoc-gen-c]])
+ fi
+
+ # Test that protoc-gen-c actually works
+ AC_MSG_CHECKING([if protoc-gen-c plugin works])
+ cat > conftest.proto << EOF
+syntax = "proto2";
+message TestMessage {
+ optional string test_field = 1;
+}
+EOF
+ if $PROTOC_C --c_out=. conftest.proto >/dev/null 2>&1; then
+ AC_MSG_RESULT([yes])
+ rm -f conftest.proto conftest.pb-c.c conftest.pb-c.h
+ else
+ AC_MSG_RESULT([no])
+ rm -f conftest.proto conftest.pb-c.c conftest.pb-c.h
+ AC_MSG_ERROR([[The protoc-gen-c plugin is not working properly. Please ensure protobuf-c-compiler is properly installed]])
+ fi
+
AC_ARG_WITH([protobuf-c],
AS_HELP_STRING([--with-protobuf-c=path], [Path where protobuf-c is installed, for dnstap]),
[
Index: dnstap/dnstap.proto
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/dnstap/dnstap.proto,v
diff -u -p -r1.4 dnstap.proto
--- dnstap/dnstap.proto 13 Apr 2024 12:24:57 -0000 1.4
+++ dnstap/dnstap.proto 22 Sep 2025 21:08:23 -0000
@@ -98,7 +98,7 @@ message Policy {
// rule: the rule matched by the message.
//
// In a RPZ context, this is the owner name of the rule in
- // the Reponse Policy Zone in wire format.
+ // the Response Policy Zone in wire format.
optional bytes rule = 2;
// action: the policy action taken in response to the
Index: dnstap/dtstream.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/dnstap/dtstream.c,v
diff -u -p -r1.2 dtstream.c
--- dnstap/dtstream.c 4 Sep 2024 09:36:40 -0000 1.2
+++ dnstap/dtstream.c 22 Sep 2025 21:08:23 -0000
@@ -1509,7 +1509,7 @@ void dtio_output_cb(int ATTR_UNUSED(fd),
}
#endif
- if((bits&UB_EV_READ || dtio->ssl_brief_write)) {
+ if((bits&UB_EV_READ) || dtio->ssl_brief_write) {
#ifdef HAVE_SSL
if(dtio->ssl_brief_write)
(void)dtio_disable_brief_write(dtio);
Index: doc/Changelog
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/doc/Changelog,v
diff -u -p -r1.55 Changelog
--- doc/Changelog 31 Aug 2025 21:41:09 -0000 1.55
+++ doc/Changelog 22 Sep 2025 21:08:23 -0000
@@ -1,3 +1,270 @@
+17 September 2025: Yorgos
+ - Too many quotes for the EDE message debug printout.
+
+15 September 2025: Yorgos
+ - Small debug output improvement when attaching an EDE.
+
+15 September 2025: Wouter
+ - Fix to print warning for when so-sndbuf setsockopt is not granted.
+
+11 September 2025: Wouter
+ - version set to 1.24.0 for release.
+ - tag for 1.24.0rc1.
+ - Update contrib/aaaa-filter-iterator.patch so it applies on 1.24.0.
+
+9 September 2025: Wouter
+ - Fix #1332: CNAME chains are sometimes not followed when RPZs add a
+ local CNAME rewrite.
+
+8 September 2025: Yorgos
+ - Update documentation for using "SET ... EX" in Redis.
+ - Document max buffer sizes for Redis commands.
+ - Update man pages.
+
+3 September 2025: Wouter
+ - For #1328: make depend.
+
+2 September 2025: Wouter
+ - Fix #1235: Outdated Python2 code in
+ unbound/pythonmod/examples/log.py.
+ - Fix #1324: Memory leak in 'msgparse.c' in
+ 'parse_edns_options_from_query(...)'.
+ - Fix indentation in tcp-mss option parsing.
+
+1 September 2025: Wouter
+ - Fix for #1324: Fix to free edns options scratch in ratelimit case.
+
+29 August 2025: Yorgos
+ - Limit the number of consecutive reads on an HTTP/2 session.
+ Thanks to Gal Bar Nahum for exposing the possibility of infinite
+ reads on the session.
+
+28 August 2025: Wouter
+ - Fix setup_listen_sslctx warning for nettle compile.
+
+27 August 2025: Wouter
+ - Fix unbound-control dump_cache for double unlock of lruhash table.
+
+26 August 2025: Wouter
+ - Fix ports workflow to install expat for macos.
+
+22 August 2025: Wouter
+ - For #1318: Fix compile warnings for DoH compile on windows.
+ - Fix sha1 enable environment variable in test code on windows.
+ - Fix #1319: [FR] zone status for Unbound auth-zones.
+ - Fix that the zone acquired timestamp is set after the
+ zonefile is read.
+
+21 August 2025: Wouter
+ - Fix to check for extraneous command arguments for unbound-control,
+ when the command takes no arguments but there are arguments present.
+ - Fix #1317: Unbound starts too early. Add
+ Wants=network-online.target under [Unit] in unbound.service.
+ - Fix for #1317: Fix contrib/unbound.service comment path for
+ systemd network configuration.
+
+15 August 2025: Wouter
+ - unbound-control cache_lookup +t allows tld and root names. And
+ subnet cache contents are printed.
+ - Fix cache_lookup subnet printout to wipe zero part of the prefix.
+ - Fix cache_lookup subnet print to not print messages without rrsets
+ and perform in-depth check on node in the addrtree.
+
+14 August 2025: Wouter
+ - Fix to increase responsiveness of dump_cache.
+ - Fix to decouple file descriptor activity and cache lookups in
+ dump_cache.
+
+13 August 2025: Wouter
+ - unbound-control cache_lookup <domains> prints the cached rrsets
+ and messages for those.
+ - Fix to remove debug from cache_lookup.
+ - Fix to unlock cache_lookup message for malformed records.
+
+12 August 2025: Wouter
+ - Fix that unbound-control dump_cache releases the cache locks
+ every so often, so that the server stays responsive.
+
+7 August 2025: Wouter
+ - Fix dname_str for printout of long names. Thanks to Jan Komissar
+ for the fix.
+ - Fix that edns-subnet failure to create a subquery errors as
+ servfail, and not formerror.
+ - Fix to whitespace in dname_str.
+
+6 August 2025: Wouter
+ - Fix edns subnet, so that the subquery without subnet is stored in
+ global cache if the querier used 0.0.0.0/0 and the name and address
+ do not receive subnet treatment. If the name and address are
+ configured for subnet, it is stored in the subnet cache.
+
+5 August 2025: Wouter
+ - Fix #1309: incorrectly reclaimed tcp handler can cause data
+ corruption and segfault.
+ - Fix to use assertions for consistency checks in #1309 reclaimed
+ tcp handlers.
+
+1 August 2025: Wouter
+ - Fix testbound test program to accurately output packets from hex.
+
+28 July 2025: Wouter
+ - Fix redis cachedb module gettimeofday init failure.
+
+24 July 2025: Wouter
+ - Redis checks for server down and throttles reconnects.
+
+17 July 2025: Wouter
+ - Fix to not set rlimits in the unit tests.
+ - Fix #1303: [FR] Disable TLSv1.2.
+ - iana portlist updated.
+
+16 July 2025: Wouter
+ - Fix for RebirthDay Attack CVE-2025-5994, reported by Xiang Li
+ from AOSP Lab Nankai University.
+ - Tag for 1.23.1 with the release of 1.23.0 and the CVE fix, the
+ repository continues with the previous fixes, with 1.23.2.
+ - Add unit tests for non-ecs aggregation.
+
+12 July 2025: Yorgos
+ - Merge #1289 from Roland van Rijswijk-Deij: Add extra statistic to
+ track the number of signature validation operations.
+ Adds 'num.valops' to extended statistics.
+ - For #1289: test num.valops in existing stat_values.tdir.
+ - For #1289: add num.valops in the unbound-control man page.
+
+11 July 2025: Wouter
+ - Fix detection of SSL_CTX_set_tmp_ecdh function.
+ - For #1301: configure cant find SSL_is_quic in OpenSSL 3.5.1.
+
+8 July 2025: Wouter
+ - Fix to improve dnstap discovery on Fedora.
+
+3 July 2025: Wouter
+ - Fix #1300: Is 'sock-queue-timeout' a linux only feature.
+ - For #1300: implement sock-queue-timeout for FreeBSD as well.
+ - Fix layout of comm_point_udp_ancil_callback.
+
+2 July 2025: Wouter
+ - Merge #1299: Fix typos.
+ - Generate ltmain.sh and configure again.
+
+25 June 2025: Yorgos
+ - Fix #1247: forward-first: ssl handshake failed on root nameservers.
+ - For #1247, turn off fetch-policy for delegation when looking into
+ parent side name servers that may not update the addresses and hit
+ NXNS limits.
+ - For #1247, replay test (added tcp_transport to
+ outnet_serviced_query).
+
+20 June 2025: Yorgos
+ - Fix #1293: EDE 6 is attached to insecure cached answers when client
+ sends the CD bit.
+
+19 June 2025: Wouter
+ - Fix #1296: DNS over QUIC depends on a very outdated version of
+ ngtcp2. Fixed so it works with ngtcp2 1.13.0 and OpenSSL 3.5.0.
+ - Merge #1297: edns-subnet: fix NULL_AFTER_DEREF on subnetmod.
+ - Fix rrset cache create allocation failure case.
+
+17 June 2025: Yorgos
+ - Fix for consistent use of local zone CNAME alias for configured auth
+ zones. Now it also applies to downstream configured auth zones.
+
+16 June 2025: Wouter
+ - Fix to check control-interface addresses in unbound-checkconf.
+ - Fix #1295: Windows 32-bit binaries download seems to be missing dll
+ dependency.
+
+12 June 2025: Wouter
+ - Fix header return value description for skip_pkt_rrs and
+ parse_edns_from_query_pkt.
+
+11 June 2025: Wouter
+ - Fix bitwise operators in conditional expressions with parentheses.
+ - Fix conditional expressions with parentheses for bitwise and.
+
+5 June 2025: Wouter
+ - Fix unbound-anchor certificate file read for line ends and end of
+ file.
+ - Fix comment for the dname_remove_label_limit_len function.
+ - iana portlist updated.
+
+3 June 2025: Yorgos
+ - Small manpage corrections for the 'disable-dnssec-lame-check' option.
+
+21 May 2025: Wouter
+ - Fix #1288: [FR] Improve fuzzing of unbound by adapting the netbound
+ program.
+
+20 May 2025: Yorgos
+ - Merge #1285: RST man pages. It introduces restructuredText man pages
+ to sync the online and source code man page documentation.
+ The templated man pages (*.in) are still part of the repo but
+ generated with docutils from their .rst counterpart.
+ Documentation on how to generate those (mainly for core developers)
+ is in README.man.
+ - Add more checks about respip in unbound-checkconf.
+ Also fixes #310: unbound-checkconf not reporting RPZ configuration
+ error.
+
+19 May 2025: Wouter
+ - Fix for cname chain length with qtype ANY and qname minimisation.
+ Thanks to Jim Greenwood from Nominet for the report.
+
+15 May 2025: Wouter
+ - Fix config of slab values when there is no config file.
+
+13 May 2025: Yorgos
+ - Fix #1284: NULL pointer deref in az_find_nsec_cover() (latent bug)
+ by adding a log_assert() to safeguard future development.
+ - Fix #1282: log-destaddr fail on long ipv6 addresses.
+
+13 May 2025: Wouter
+ - Change default for so-sndbuf to 1m, to mitigate a cross-layer
+ issue where the UDP socket send buffers are exhausted waiting
+ for ARP/NDP resolution. Thanks to Reflyable for the report.
+ - Adjusted so-sndbuf default to 4m.
+
+12 May 2025: Yorgos
+ - Merge #1280: Fix auth nsec3 code. Fixes NSEC3 code to not break on
+ broken auth zones that include unsigned out of zone (above apex)
+ data. Could lead to hang while trying to prove a wildcard answer.
+
+12 May 2025: Wouter
+ - Fix #1283: Unsafe usage of atoi() while parsing the configuration
+ file.
+
+9 May 2025: Wouter
+ - Fix #1281: forward-zone "name: ." conflicts with auth-zone "name: ."
+ in 1.23.0, but worked in 1.22.0.
+
+5 May 2025: Yorgos
+ - Sync unbound and unbound-checkconf log output for unknown modules.
+
+29 April 2025: Wouter
+ - Fix for parallel build of dnstap protoc-c output.
+ - Fix dnstap to use protoc.
+
+29 April 2025: Yorgos
+ - Merge #1276: Auto-configure '-slabs' values.
+
+28 April 2025: Yorgos
+ - Merge #1275: Use macros for the fr_check_changed* functions.
+
+25 April 2025: Wouter
+ - Fix #1272: assertion failure testcode/unitverify.c:202.
+
+16 April 2025: Wouter
+ - Increase default to `num-queries-per-thread: 2048`, when unbound is
+ compiled with libevent. It makes saturation of the task queue more
+ resource intensive and less practical. Thanks to Shiming Liu,
+ Network and Information Security Lab, Tsinghua University for the
+ report.
+
+11 April 2025: Wouter
+ - Tag for 1.23.0rc2. This became the release of 1.23.0 on 24 April
+ 2025. The code repository continues with 1.23.1 in development.
+
11 April 2025: Yorgos
- Merge #1265: Fix WSAPoll.
@@ -651,7 +918,7 @@
now checks both single and multi process/thread operation.
16 May 2024: Yorgos
- - Merge #1070: Fix rtt assignement for low values of
+ - Merge #1070: Fix rtt assignment for low values of
infra-cache-max-rtt.
16 May 2024: Wouter
@@ -1059,7 +1326,7 @@
13 October 2023: George
- Better fix for infinite loop when reading multiple lines of input on
a broken remote control socket, by treating a zero byte line the
- same as transmission end. Addesses #947 and #948.
+ same as transmission end. Addresses #947 and #948.
12 October 2023: Wouter
- Merge #944: Disable EDNS DO.
@@ -1082,7 +1349,7 @@
10 October 2023: George
- Fix infinite loop when reading multiple lines of input on a broken
- remote control socket. Addesses #947 and #948.
+ remote control socket. Addresses #947 and #948.
9 October 2023: Wouter
- Fix edns subnet so that queries with a source prefix of zero cause
@@ -1515,7 +1782,7 @@
- Ignore expired error responses.
11 November 2022: Wouter
- - Fix #779: [doc] Missing documention in ub_resolve_event() for
+ - Fix #779: [doc] Missing documentation in ub_resolve_event() for
callback parameter was_ratelimited.
9 November 2022: George
@@ -2479,7 +2746,7 @@
not hang. removed trailing slashes from configure paths. Moved iOS
tests to allow-failure.
- travis, analyzer disabled on test without debug, that does not
- run anway. Turn off failing tests except one. Update iOS test
+ run anyway. Turn off failing tests except one. Update iOS test
to xcode image 12.2.
22 March 2021: George
@@ -2568,7 +2835,7 @@
- Fix build on Python 3.10.
10 February 2021: Wouter
- - Merge PR #420 from dyunwei: DOH not responsing with
+ - Merge PR #420 from dyunwei: DOH not responding with
"http2_query_read_done failure" logged.
9 February 2021: Wouter
@@ -2968,7 +3235,7 @@
6 August 2020: Wouter
- Merge PR #284 and Fix #246: Remove DLV entirely from Unbound.
- The DLV has been decommisioned and in unbound 1.5.4, in 2015, there
+ The DLV has been decommissioned and in unbound 1.5.4, in 2015, there
was advise to stop using it. The current code base does not contain
DLV code any more. The use of dlv options displays a warning.
@@ -3517,7 +3784,7 @@
3 December 2019: Wouter
- Merge pull request #124 from rmetrich: Changed log lock
from 'quick' to 'basic' because this is an I/O lock.
- - Fix text around serial arithmatic used for RRSIG times to refer
+ - Fix text around serial arithmetic used for RRSIG times to refer
to correct RFC number.
- Fix Assert Causing DoS in synth_cname(),
reported by X41 D-Sec.
@@ -3780,7 +4047,7 @@
- For #52 #53, second context does not close logfile override.
- Fix #52 #53, fix for example fail program.
- Fix to return after failed auth zone http chunk write.
- - Fix to remove unused test for task_probe existance.
+ - Fix to remove unused test for task_probe existence.
- Fix to timeval_add for remaining second in microseconds.
- Check repinfo in worker_handle_request, if null, drop it.
@@ -5037,7 +5304,7 @@
1 February 2018: Wouter
- fix unaligned structure making a false positive in checklock
- unitialised memory.
+ uninitialised memory.
29 January 2018: Ralph
- Use NSEC with longest ce to prove wildcard absence.
@@ -5640,8 +5907,8 @@
- Remove (now unused) event2 include from dnscrypt code.
24 March 2017: George
- - Fix to prevent non-referal query from being cached as referal when the
- no_cache_store flag was set.
+ - Fix to prevent non-referral query from being cached as referral when
+ the no_cache_store flag was set.
23 March 2017: Wouter
- Fix #1239: configure fails to find python distutils if python
@@ -5704,7 +5971,7 @@
7 March 2017: Wouter
- Fix #1230: swig version 2.0.0 is required for pythonmod, with
- 1.3.40 it crashes when running repeatly unbound-control reload.
+ 1.3.40 it crashes when running repeatedly unbound-control reload.
- Response actions based on IP address from Jinmei Tatuya (Infoblox).
6 March 2017: Wouter
@@ -5720,7 +5987,7 @@
known vulns.
27 February 2017: Wouter
- - Fix #1227: Fix that Unbound control allows weak ciphersuits.
+ - Fix #1227: Fix that Unbound control allows weak ciphersuites.
- Fix #1226: provide official 32bit binary for windows.
24 February 2017: Wouter
@@ -6709,7 +6976,7 @@
- Fix #674: Do not free pointers given by getenv.
29 May 2015: Wouter
- - Fix that unparseable error responses are ratelimited.
+ - Fix that unparsable error responses are ratelimited.
- SOA negative TTL is capped at minimumttl in its rdata section.
- cache-max-negative-ttl config option, default 3600.
@@ -6727,7 +6994,7 @@
10 May 2015: Wouter
- Change syntax of particular validator error to be easier for
- machine parse, swap rrset and ip adres info so it looks like:
+ machine parse, swap rrset and ip address info so it looks like:
validation failure <www.example.nl. TXT IN>: signature crypto
failed from 2001:DB8:7:bba4::53 for <*.example.nl. NSEC IN>
@@ -8307,7 +8574,7 @@
- fix that --enable-static-exe does not complain about it unknown.
30 June 2011: Wouter
- - tag relase 1.4.11, trunk is 1.4.12 development.
+ - tag release 1.4.11, trunk is 1.4.12 development.
- iana portlist updated.
- fix bug#395: id bits of other query may leak out under conditions
- fix replyaddr count wrong after jostled queries, which leads to
@@ -9637,7 +9904,7 @@
8 June 2009: Wouter
- Removed RFC5011 REVOKE flag support. Partial 5011 support may cause
- inadvertant behaviour.
+ inadvertent behaviour.
- 1.3.0 tarball for release created.
- 1.3.1 development in svn trunk.
- iana portlist updated.
@@ -9986,7 +10253,7 @@
- initgroups(3) is called to drop secondary group permissions, if
applicable.
- configure option --with-ldns-builtin forces the use of the
- inluded ldns package with the unbound source. The -I include
+ included ldns package with the unbound source. The -I include
is put before the others, so it avoids bad include files from
an older ldns install.
- daemon(3) posix call is used when available.
@@ -10291,7 +10558,7 @@
please ranlib, stop file without symbols warning.
- harden referral path now also validates the root after priming.
It looks up the root NS authoritatively as well as the root servers
- and attemps to validate the entries.
+ and attempts to validate the entries.
16 October 2008: Wouter
- Fixup negative TTL values appearing (reported by Attila Nagy).
@@ -11070,7 +11337,7 @@
- please doxygen, put doxygen comment in one place.
- asynclook -b blocking mode and test.
- refactor asynclook, nicer code.
- - fixup race problems from opensll in rand init from library, with
+ - fixup race problems from openssl in rand init from library, with
a mutex around the rand init.
- fix pass async_id=NULL to _async resolve().
- rewrote _wait() routine, so that it is threadsafe.
@@ -12043,7 +12310,7 @@
11 June 2007: Wouter
- replies on TCP queries have the address field set in replyinfo,
for serviced queries, because the initiator does not know that
- a TCP fallback has occured.
+ a TCP fallback has occurred.
- omit DNSSEC types from nonDO replies, except if qtype is ANY or
if qtype directly queries for the type (and then only show that
'unknown type' in the answer section).
Index: doc/README
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/doc/README,v
diff -u -p -r1.42 README
--- doc/README 31 Aug 2025 21:41:09 -0000 1.42
+++ doc/README 22 Sep 2025 21:08:23 -0000
@@ -1,4 +1,4 @@
-README for Unbound 1.23.1
+README for Unbound 1.24.0
Copyright 2007 NLnet Labs
http://unbound.net
Index: doc/example.conf.in
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/doc/example.conf.in,v
diff -u -p -r1.47 example.conf.in
--- doc/example.conf.in 31 Aug 2025 21:41:09 -0000 1.47
+++ doc/example.conf.in 22 Sep 2025 21:08:23 -0000
@@ -1,7 +1,7 @@
#
# Example configuration file.
#
-# See unbound.conf(5) man page, version 1.23.1.
+# See unbound.conf(5) man page, version 1.24.0.
#
# this is a comment.
@@ -116,8 +116,8 @@ server:
# so-rcvbuf: 0
# buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
- # 0 is system default. Use 4m to handle spikes on very busy servers.
- # so-sndbuf: 0
+ # 0 is system default. Set larger to handle spikes on very busy servers.
+ # so-sndbuf: 4m
# use SO_REUSEPORT to distribute queries over threads.
# at extreme load it could be better to turn it off to distribute even.
@@ -163,7 +163,7 @@ server:
# msg-cache-slabs: 4
# the number of queries that a thread gets to service.
- # num-queries-per-thread: 1024
+ # num-queries-per-thread: 2048
# if very busy, 50% queries run to completion, 50% get timeout in msec
# jostle-timeout: 200
@@ -279,7 +279,7 @@ server:
# do-ip6: yes
# If running unbound on an IPv6-only host, domains that only have
- # IPv4 servers would become unresolveable. If NAT64 is available in
+ # IPv4 servers would become unresolvable. If NAT64 is available in
# the network, unbound can use NAT64 to reach these servers with
# the following option. This is NOT needed for enabling DNS64 on a
# system that has IPv4 connectivity.
Index: doc/libunbound.3.in
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/doc/libunbound.3.in,v
diff -u -p -r1.45 libunbound.3.in
--- doc/libunbound.3.in 31 Aug 2025 21:41:09 -0000 1.45
+++ doc/libunbound.3.in 22 Sep 2025 21:08:23 -0000
@@ -1,335 +1,306 @@
-.TH "libunbound" "3" "Jul 16, 2025" "NLnet Labs" "unbound 1.23.1"
-.\"
-.\" libunbound.3 -- unbound library functions manual
-.\"
-.\" Copyright (c) 2007, NLnet Labs. All rights reserved.
-.\"
-.\" See LICENSE for the license.
-.\"
-.\"
-.SH "NAME"
-.B libunbound,
-.B unbound.h,
-.B ub_ctx,
-.B ub_result,
-.B ub_callback_type,
-.B ub_ctx_create,
-.B ub_ctx_delete,
-.B ub_ctx_set_option,
-.B ub_ctx_get_option,
-.B ub_ctx_config,
-.B ub_ctx_set_fwd,
-.B ub_ctx_set_stub,
-.B ub_ctx_set_tls,
-.B ub_ctx_resolvconf,
-.B ub_ctx_hosts,
-.B ub_ctx_add_ta,
-.B ub_ctx_add_ta_autr,
-.B ub_ctx_add_ta_file,
-.B ub_ctx_trustedkeys,
-.B ub_ctx_debugout,
-.B ub_ctx_debuglevel,
-.B ub_ctx_async,
-.B ub_poll,
-.B ub_wait,
-.B ub_fd,
-.B ub_process,
-.B ub_resolve,
-.B ub_resolve_async,
-.B ub_cancel,
-.B ub_resolve_free,
-.B ub_strerror,
-.B ub_ctx_print_local_zones,
-.B ub_ctx_zone_add,
-.B ub_ctx_zone_remove,
-.B ub_ctx_data_add,
-.B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.23.1 functions.
-.SH "SYNOPSIS"
-.B #include <unbound.h>
-.LP
-\fIstruct ub_ctx *\fR
-\fBub_ctx_create\fR(\fIvoid\fR);
-.LP
-\fIvoid\fR
-\fBub_ctx_delete\fR(\fIstruct ub_ctx*\fR ctx);
-.LP
-\fIint\fR
-\fBub_ctx_set_option\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR opt, \fIchar*\fR val);
-.LP
-\fIint\fR
-\fBub_ctx_get_option\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR opt, \fIchar**\fR val);
-.LP
-\fIint\fR
-\fBub_ctx_config\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
-.LP
-\fIint\fR
-\fBub_ctx_set_fwd\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR addr);
-.LP
-\fIint\fR
-\fBub_ctx_set_stub\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR zone,
-\fIchar*\fR addr,
-.br
- \fIint\fR isprime);
-.LP
-\fIint\fR
-\fBub_ctx_set_tls\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR tls);
-.LP
-\fIint\fR
-\fBub_ctx_resolvconf\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
-.LP
-\fIint\fR
-\fBub_ctx_hosts\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
-.LP
-\fIint\fR
-\fBub_ctx_add_ta\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR ta);
-.LP
-\fIint\fR
-\fBub_ctx_add_ta_autr\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
-.LP
-\fIint\fR
-\fBub_ctx_add_ta_file\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
-.LP
-\fIint\fR
-\fBub_ctx_trustedkeys\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
-.LP
-\fIint\fR
-\fBub_ctx_debugout\fR(\fIstruct ub_ctx*\fR ctx, \fIFILE*\fR out);
-.LP
-\fIint\fR
-\fBub_ctx_debuglevel\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR d);
-.LP
-\fIint\fR
-\fBub_ctx_async\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR dothread);
-.LP
-\fIint\fR
-\fBub_poll\fR(\fIstruct ub_ctx*\fR ctx);
-.LP
-\fIint\fR
-\fBub_wait\fR(\fIstruct ub_ctx*\fR ctx);
-.LP
-\fIint\fR
-\fBub_fd\fR(\fIstruct ub_ctx*\fR ctx);
-.LP
-\fIint\fR
-\fBub_process\fR(\fIstruct ub_ctx*\fR ctx);
-.LP
-\fIint\fR
-\fBub_resolve\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR name,
-.br
- \fIint\fR rrtype, \fIint\fR rrclass, \fIstruct ub_result**\fR result);
-.LP
-\fIint\fR
-\fBub_resolve_async\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR name,
-.br
- \fIint\fR rrtype, \fIint\fR rrclass, \fIvoid*\fR mydata,
-.br
- \fIub_callback_type\fR callback, \fIint*\fR async_id);
-.LP
-\fIint\fR
-\fBub_cancel\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR async_id);
-.LP
-\fIvoid\fR
-\fBub_resolve_free\fR(\fIstruct ub_result*\fR result);
-.LP
-\fIconst char *\fR
-\fBub_strerror\fR(\fIint\fR err);
-.LP
-\fIint\fR
-\fBub_ctx_print_local_zones\fR(\fIstruct ub_ctx*\fR ctx);
-.LP
-\fIint\fR
-\fBub_ctx_zone_add\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR zone_name, \fIchar*\fR zone_type);
-.LP
-\fIint\fR
-\fBub_ctx_zone_remove\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR zone_name);
-.LP
-\fIint\fR
-\fBub_ctx_data_add\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR data);
-.LP
-\fIint\fR
-\fBub_ctx_data_remove\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR data);
-.SH "DESCRIPTION"
-.B Unbound
-is an implementation of a DNS resolver, that does caching and
-DNSSEC validation. This is the library API, for using the \-lunbound library.
-The server daemon is described in \fIunbound\fR(8).
-The library works independent from a running unbound server, and
-can be used to convert hostnames to ip addresses, and back,
-and obtain other information from the DNS. The library performs public\-key
-validation of results with DNSSEC.
-.P
-The library uses a variable of type \fIstruct ub_ctx\fR to keep context
-between calls. The user must maintain it, creating it with
-.B ub_ctx_create
-and deleting it with
-.B ub_ctx_delete\fR.
-It can be created and deleted at any time. Creating it anew removes any
-previous configuration (such as trusted keys) and clears any cached results.
-.P
-The functions are thread\-safe, and a context can be used in a threaded (as
-well as in a non\-threaded) environment. Also resolution (and validation)
-can be performed blocking and non\-blocking (also called asynchronous).
-The async method returns from the call immediately, so that processing
-can go on, while the results become available later.
-.P
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "LIBUNBOUND" "3" "Sep 18, 2025" "1.24.0" "Unbound"
+.SH NAME
+libunbound \- Unbound DNS validating resolver 1.24.0 functions.
+.SH SYNOPSIS
+.sp
+\fB#include <unbound.h>\fP
+.sp
+struct ub_ctx * \fBub_ctx_create\fP(void);
+.sp
+void \fBub_ctx_delete\fP(struct ub_ctx* ctx);
+.sp
+int \fBub_ctx_set_option\fP(struct ub_ctx* ctx, char* opt, char* val);
+.sp
+int \fBub_ctx_get_option\fP(struct ub_ctx* ctx, char* opt, char** val);
+.sp
+int \fBub_ctx_config\fP(struct ub_ctx* ctx, char* fname);
+.sp
+int \fBub_ctx_set_fwd\fP(struct ub_ctx* ctx, char* addr);
+.INDENT 0.0
+.TP
+int \fBub_ctx_set_stub\fP(struct ub_ctx* ctx, char* zone, char* addr,
+int isprime);
+.UNINDENT
+.sp
+int \fBub_ctx_set_tls\fP(struct ub_ctx* ctx, int tls);
+.sp
+int \fBub_ctx_resolvconf\fP(struct ub_ctx* ctx, char* fname);
+.sp
+int \fBub_ctx_hosts\fP(struct ub_ctx* ctx, char* fname);
+.sp
+int \fBub_ctx_add_ta\fP(struct ub_ctx* ctx, char* ta);
+.sp
+int \fBub_ctx_add_ta_autr\fP(struct ub_ctx* ctx, char* fname);
+.sp
+int \fBub_ctx_add_ta_file\fP(struct ub_ctx* ctx, char* fname);
+.sp
+int \fBub_ctx_trustedkeys\fP(struct ub_ctx* ctx, char* fname);
+.sp
+int \fBub_ctx_debugout\fP(struct ub_ctx* ctx, FILE* out);
+.sp
+int \fBub_ctx_debuglevel\fP(struct ub_ctx* ctx, int d);
+.sp
+int \fBub_ctx_async\fP(struct ub_ctx* ctx, int dothread);
+.sp
+int \fBub_poll\fP(struct ub_ctx* ctx);
+.sp
+int \fBub_wait\fP(struct ub_ctx* ctx);
+.sp
+int \fBub_fd\fP(struct ub_ctx* ctx);
+.sp
+int \fBub_process\fP(struct ub_ctx* ctx);
+.INDENT 0.0
+.TP
+int \fBub_resolve\fP(struct ub_ctx* ctx, char* name,
+int rrtype, int rrclass, struct ub_result** result);
+.TP
+int \fBub_resolve_async\fP(struct ub_ctx* ctx, char* name,
+int rrtype, int rrclass, void* mydata,
+ub_callback_type* callback, int* async_id);
+.UNINDENT
+.sp
+int \fBub_cancel\fP(struct ub_ctx* ctx, int async_id);
+.sp
+void \fBub_resolve_free\fP(struct ub_result* result);
+.sp
+const char * \fBub_strerror\fP(int err);
+.sp
+int \fBub_ctx_print_local_zones\fP(struct ub_ctx* ctx);
+.sp
+int \fBub_ctx_zone_add\fP(struct ub_ctx* ctx, char* zone_name, char* zone_type);
+.sp
+int \fBub_ctx_zone_remove\fP(struct ub_ctx* ctx, char* zone_name);
+.sp
+int \fBub_ctx_data_add\fP(struct ub_ctx* ctx, char* data);
+.sp
+int \fBub_ctx_data_remove\fP(struct ub_ctx* ctx, char* data);
+.SH DESCRIPTION
+.sp
+Unbound is an implementation of a DNS resolver, that does caching and DNSSEC
+validation.
+This is the library API, for using the \fB\-lunbound\fP library.
+The server daemon is described in \fI\%unbound(8)\fP\&.
+The library works independent from a running unbound server, and can be used to
+convert hostnames to ip addresses, and back, and obtain other information from
+the DNS.
+The library performs public\-key validation of results with DNSSEC.
+.sp
+The library uses a variable of type \fIstruct ub_ctx\fP to keep context between
+calls.
+The user must maintain it, creating it with \fBub_ctx_create\fP and deleting it
+with \fBub_ctx_delete\fP\&.
+It can be created and deleted at any time.
+Creating it anew removes any previous configuration (such as trusted keys) and
+clears any cached results.
+.sp
+The functions are thread\-safe, and a context can be used in a threaded (as well
+as in a non\-threaded) environment.
+Also resolution (and validation) can be performed blocking and non\-blocking
+(also called asynchronous).
+The async method returns from the call immediately, so that processing can go
+on, while the results become available later.
+.sp
The functions are discussed in turn below.
-.SH "FUNCTIONS"
-.TP
+.SH FUNCTIONS
+.INDENT 0.0
+.TP
.B ub_ctx_create
Create a new context, initialised with defaults.
-The information from /etc/resolv.conf and /etc/hosts is not utilised
-by default. Use
-.B ub_ctx_resolvconf
-and
-.B ub_ctx_hosts
-to read them.
-Before you call this, use the openssl functions CRYPTO_set_id_callback and
-CRYPTO_set_locking_callback to set up asynchronous operation if you use
-lib openssl (the application calls these functions once for initialisation).
-Openssl 1.0.0 or later uses the CRYPTO_THREADID_set_callback function.
+The information from \fB/etc/resolv.conf\fP and \fB/etc/hosts\fP is
+not utilised by default.
+Use \fBub_ctx_resolvconf\fP and \fBub_ctx_hosts\fP to read them.
+Before you call this, use the openssl functions
+\fBCRYPTO_set_id_callback\fP and \fBCRYPTO_set_locking_callback\fP to set
+up asynchronous operation if you use lib openssl (the application calls
+these functions once for initialisation).
+Openssl 1.0.0 or later uses the \fBCRYPTO_THREADID_set_callback\fP
+function.
.TP
.B ub_ctx_delete
Delete validation context and free associated resources.
-Outstanding async queries are killed and callbacks are not called for them.
+Outstanding async queries are killed and callbacks are not called for
+them.
.TP
.B ub_ctx_set_option
-A power\-user interface that lets you specify one of the options from the
-config file format, see \fIunbound.conf\fR(5). Not all options are
-relevant. For some specific options, such as adding trust anchors, special
-routines exist. Pass the option name with the trailing ':'.
+A power\-user interface that lets you specify one of the options from
+the config file format, see \fI\%unbound.conf(5)\fP\&.
+Not all options are relevant.
+For some specific options, such as adding trust anchors, special
+routines exist.
+Pass the option name with the trailing \fB\(aq:\(aq\fP\&.
.TP
.B ub_ctx_get_option
-A power\-user interface that gets an option value. Some options cannot be
-gotten, and others return a newline separated list. Pass the option name
-without trailing ':'. The returned value must be free(2)d by the caller.
+A power\-user interface that gets an option value.
+Some options cannot be gotten, and others return a newline separated
+list.
+Pass the option name without trailing \fB\(aq:\(aq\fP\&.
+The returned value must be free(2)d by the caller.
.TP
.B ub_ctx_config
-A power\-user interface that lets you specify an unbound config file, see
-\fIunbound.conf\fR(5), which is read for configuration. Not all options are
-relevant. For some specific options, such as adding trust anchors, special
-routines exist. This function is thread\-safe only if a single instance of
-ub_ctx* exists in the application. If several instances exist the
-application has to ensure that ub_ctx_config is not called in parallel by
-the different instances.
+A power\-user interface that lets you specify an unbound config file,
+see \fI\%unbound.conf(5)\fP, which is read for
+configuration.
+Not all options are relevant.
+For some specific options, such as adding trust anchors, special
+routines exist.
+This function is thread\-safe only if a single instance of \fBub_ctx\fP*
+exists in the application.
+If several instances exist the application has to ensure that
+\fBub_ctx_config\fP is not called in parallel by the different instances.
.TP
.B ub_ctx_set_fwd
-Set machine to forward DNS queries to, the caching resolver to use.
-IP4 or IP6 address. Forwards all DNS requests to that machine, which
-is expected to run a recursive resolver. If the proxy is not
-DNSSEC capable, validation may fail. Can be called several times, in
-that case the addresses are used as backup servers.
-At this time it is only possible to set configuration before the
-first resolve is done.
+Set machine to forward DNS queries to, the caching resolver to use.
+IP4 or IP6 address.
+Forwards all DNS requests to that machine, which is expected to run a
+recursive resolver.
+If the proxy is not DNSSEC capable, validation may fail.
+Can be called several times, in that case the addresses are used as
+backup servers.
+At this time it is only possible to set configuration before the first
+resolve is done.
.TP
.B ub_ctx_set_stub
-Set a stub zone, authoritative dns servers to use for a particular zone.
-IP4 or IP6 address. If the address is NULL the stub entry is removed.
-Set isprime true if you configure root hints with it. Otherwise similar to
-the stub zone item from unbound's config file. Can be called several times,
-for different zones, or to add multiple addresses for a particular zone.
-At this time it is only possible to set configuration before the
-first resolve is done.
+Set a stub zone, authoritative dns servers to use for a particular
+zone.
+IP4 or IP6 address.
+If the address is NULL the stub entry is removed.
+Set isprime true if you configure root hints with it.
+Otherwise similar to the stub zone item from unbound\(aqs config file.
+Can be called several times, for different zones, or to add multiple
+addresses for a particular zone.
+At this time it is only possible to set configuration before the first
+resolve is done.
.TP
.B ub_ctx_set_tls
-Enable DNS over TLS (DoT) for machines set with
-.B ub_ctx_set_fwd.
-At this time it is only possible to set configuration before the
-first resolve is done.
+Enable DNS over TLS (DoT) for machines set with \fBub_ctx_set_fwd\fP\&.
+At this time it is only possible to set configuration before the first
+resolve is done.
.TP
.B ub_ctx_resolvconf
-By default the root servers are queried and full resolver mode is used, but
-you can use this call to read the list of nameservers to use from the
-filename given.
-Usually "/etc/resolv.conf". Uses those nameservers as caching proxies.
+By default the root servers are queried and full resolver mode is used,
+but you can use this call to read the list of nameservers to use from
+the filename given.
+Usually \fB\(dq/etc/resolv.conf\(dq\fP\&.
+Uses those nameservers as caching proxies.
If they do not support DNSSEC, validation may fail.
Only nameservers are picked up, the searchdomain, ndots and other
-settings from \fIresolv.conf\fR(5) are ignored.
-If fname NULL is passed, "/etc/resolv.conf" is used (if on Windows,
-the system\-wide configured nameserver is picked instead).
-At this time it is only possible to set configuration before the
-first resolve is done.
+settings from \fIresolv.conf(5)\fP are ignored.
+If fname NULL is passed, \fB\(dq/etc/resolv.conf\(dq\fP is used (if on
+Windows, the system\-wide configured nameserver is picked instead).
+At this time it is only possible to set configuration before the first
+resolve is done.
.TP
.B ub_ctx_hosts
Read list of hosts from the filename given.
-Usually "/etc/hosts". When queried for, these addresses are not marked
-DNSSEC secure. If fname NULL is passed, "/etc/hosts" is used
-(if on Windows, etc/hosts from WINDIR is picked instead).
-At this time it is only possible to set configuration before the
-first resolve is done.
+Usually \fB\(dq/etc/hosts\(dq\fP\&.
+When queried for, these addresses are not marked DNSSEC secure.
+If fname NULL is passed, \fB\(dq/etc/hosts\(dq\fP is used (if on Windows,
+\fBetc/hosts\fP from WINDIR is picked instead).
+At this time it is only possible to set configuration before the first
+resolve is done.
.TP
-.B
-ub_ctx_add_ta
+.B ub_ctx_add_ta
Add a trust anchor to the given context.
-At this time it is only possible to add trusted keys before the
-first resolve is done.
+At this time it is only possible to add trusted keys before the first
+resolve is done.
The format is a string, similar to the zone\-file format,
-[domainname] [type] [rdata contents]. Both DS and DNSKEY records are accepted.
+\fB[domainname]\fP \fB[type]\fP \fB[rdata contents]\fP\&.
+Both DS and DNSKEY records are accepted.
.TP
.B ub_ctx_add_ta_autr
-Add filename with automatically tracked trust anchor to the given context.
-Pass name of a file with the managed trust anchor. You can create this
-file with \fIunbound\-anchor\fR(8) for the root anchor. You can also
-create it with an initial file with one line with a DNSKEY or DS record.
+Add filename with automatically tracked trust anchor to the given
+context.
+Pass name of a file with the managed trust anchor.
+You can create this file with
+\fI\%unbound\-anchor(8)\fP for the root anchor.
+You can also create it with an initial file with one line with a DNSKEY
+or DS record.
If the file is writable, it is updated when the trust anchor changes.
-At this time it is only possible to add trusted keys before the
-first resolve is done.
+At this time it is only possible to add trusted keys before the first
+resolve is done.
.TP
.B ub_ctx_add_ta_file
Add trust anchors to the given context.
Pass name of a file with DS and DNSKEY records in zone file format.
-At this time it is only possible to add trusted keys before the
-first resolve is done.
+At this time it is only possible to add trusted keys before the first
+resolve is done.
.TP
.B ub_ctx_trustedkeys
Add trust anchors to the given context.
-Pass the name of a bind\-style config file with trusted\-keys{}.
-At this time it is only possible to add trusted keys before the
-first resolve is done.
+Pass the name of a bind\-style config file with \fBtrusted\-keys{}\fP\&.
+At this time it is only possible to add trusted keys before the first
+resolve is done.
.TP
.B ub_ctx_debugout
-Set debug and error log output to the given stream. Pass NULL to disable
-output. Default is stderr. File\-names or using syslog can be enabled
-using config options, this routine is for using your own stream.
+Set debug and error log output to the given stream.
+Pass NULL to disable output.
+Default is stderr.
+File\-names or using syslog can be enabled using config options, this
+routine is for using your own stream.
.TP
.B ub_ctx_debuglevel
-Set debug verbosity for the context. Output is directed to stderr.
+Set debug verbosity for the context.
+Output is directed to stderr.
Higher debug level gives more output.
.TP
.B ub_ctx_async
Set a context behaviour for asynchronous action.
-if set to true, enables threading and a call to
-.B ub_resolve_async
+if set to true, enables threading and a call to \fBub_resolve_async\fP
creates a thread to handle work in the background.
If false, a process is forked to handle work in the background.
-Changes to this setting after
-.B ub_resolve_async
-calls have been made have no effect (delete and re\-create the context
-to change).
+Changes to this setting after \fBub_resolve_async\fP calls have been made
+have no effect (delete and re\-create the context to change).
.TP
.B ub_poll
Poll a context to see if it has any new results.
-Do not poll in a loop, instead extract the fd below to poll for readiness,
-and then check, or wait using the wait routine.
+Do not poll in a loop, instead extract the \fBfd\fP below to poll for
+readiness, and then check, or wait using the wait routine.
Returns 0 if nothing to read, or nonzero if a result is available.
-If nonzero, call
-.B ub_process
-to do callbacks.
+If nonzero, call \fBub_process\fP to do callbacks.
.TP
.B ub_wait
-Wait for a context to finish with results. Calls
-.B ub_process
-after the wait for you. After the wait, there are no more outstanding
-asynchronous queries.
+Wait for a context to finish with results.
+Calls \fBub_process\fP after the wait for you.
+After the wait, there are no more outstanding asynchronous queries.
.TP
.B ub_fd
-Get file descriptor. Wait for it to become readable, at this point
-answers are returned from the asynchronous validating resolver.
-Then call the \fBub_process\fR to continue processing.
+Get file descriptor.
+Wait for it to become readable, at this point answers are returned from
+the asynchronous validating resolver.
+Then call the \fBub_process\fP to continue processing.
.TP
.B ub_process
Call this routine to continue processing results from the validating
-resolver (when the fd becomes readable).
+resolver (when the \fBfd\fP becomes readable).
Will perform necessary callbacks.
.TP
.B ub_resolve
@@ -340,95 +311,111 @@ The result structure is newly allocated
.TP
.B ub_resolve_async
Perform asynchronous resolution and validation of the target name.
-Arguments mean the same as for \fBub_resolve\fR except no
-data is returned immediately, instead a callback is called later.
-The callback receives a copy of the mydata pointer, that you can use to pass
-information to the callback. The callback type is a function pointer to
-a function declared as
-.IP
-void my_callback_function(void* my_arg, int err,
-.br
- struct ub_result* result);
-.IP
-The async_id is returned so you can (at your option) decide to track it
-and cancel the request if needed. If you pass a NULL pointer the async_id
-is not returned.
+Arguments mean the same as for \fBub_resolve\fP except no data is
+returned immediately, instead a callback is called later.
+The callback receives a copy of the mydata pointer, that you can use to
+pass information to the callback.
+The callback type is a function pointer to a function declared as:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+void my_callback_function(void* my_arg, int err,
+ struct ub_result* result);
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The \fBasync_id\fP is returned so you can (at your option) decide to
+track it and cancel the request if needed.
+If you pass a NULL pointer the \fBasync_id\fP is not returned.
.TP
.B ub_cancel
-Cancel an async query in progress. This may return an error if the query
-does not exist, or the query is already being delivered, in that case you
-may still get a callback for the query.
+Cancel an async query in progress.
+This may return an error if the query does not exist, or the query is
+already being delivered, in that case you may still get a callback for
+the query.
.TP
.B ub_resolve_free
-Free struct ub_result contents after use.
+Free struct \fBub_result\fP contents after use.
.TP
.B ub_strerror
-Convert error value from one of the unbound library functions
-to a human readable string.
+Convert error value from one of the unbound library functions to a
+human readable string.
.TP
.B ub_ctx_print_local_zones
Debug printout the local authority information to debug output.
.TP
.B ub_ctx_zone_add
-Add new zone to local authority info, like local\-zone \fIunbound.conf\fR(5)
-statement.
+Add new zone to local authority info, like local\-zone
+\fI\%unbound.conf(5)\fP statement.
.TP
.B ub_ctx_zone_remove
Delete zone from local authority info.
.TP
.B ub_ctx_data_add
Add resource record data to local authority info, like local\-data
-\fIunbound.conf\fR(5) statement.
+\fI\%unbound.conf(5)\fP statement.
.TP
.B ub_ctx_data_remove
Delete local authority data from the name given.
-.SH "RESULT DATA STRUCTURE"
-The result of the DNS resolution and validation is returned as
-\fIstruct ub_result\fR. The result structure contains the following entries.
-.P
+.UNINDENT
+.SH RESULT DATA STRUCTURE
+.sp
+The result of the DNS resolution and validation is returned as \fIstruct
+ub_result\fP\&.
+The result structure contains the following entries:
+.INDENT 0.0
+.INDENT 3.5
+.sp
.nf
- struct ub_result {
- char* qname; /* text string, original question */
- int qtype; /* type code asked for */
- int qclass; /* class code asked for */
- char** data; /* array of rdata items, NULL terminated*/
- int* len; /* array with lengths of rdata items */
- char* canonname; /* canonical name of result */
- int rcode; /* additional error code in case of no data */
- void* answer_packet; /* full network format answer packet */
- int answer_len; /* length of packet in octets */
- int havedata; /* true if there is data */
- int nxdomain; /* true if nodata because name does not exist */
- int secure; /* true if result is secure */
- int bogus; /* true if a security failure happened */
- char* why_bogus; /* string with error if bogus */
- int was_ratelimited; /* true if the query was ratelimited (SERVFAIL) by unbound */
- int ttl; /* number of seconds the result is valid */
- };
+.ft C
+struct ub_result {
+ char* qname; /* text string, original question */
+ int qtype; /* type code asked for */
+ int qclass; /* class code asked for */
+ char** data; /* array of rdata items, NULL terminated*/
+ int* len; /* array with lengths of rdata items */
+ char* canonname; /* canonical name of result */
+ int rcode; /* additional error code in case of no data */
+ void* answer_packet; /* full network format answer packet */
+ int answer_len; /* length of packet in octets */
+ int havedata; /* true if there is data */
+ int nxdomain; /* true if nodata because name does not exist */
+ int secure; /* true if result is secure */
+ int bogus; /* true if a security failure happened */
+ char* why_bogus; /* string with error if bogus */
+ int was_ratelimited; /* true if the query was ratelimited (SERVFAIL) by unbound */
+ int ttl; /* number of seconds the result is valid */
+};
+.ft P
.fi
-.P
-If both secure and bogus are false, security was not enabled for the
-domain of the query. Else, they are not both true, one of them is true.
-.SH "RETURN VALUES"
-Many routines return an error code. The value 0 (zero) denotes no error
-happened. Other values can be passed to
-.B ub_strerror
-to obtain a readable error string.
-.B ub_strerror
-returns a zero terminated string.
-.B ub_ctx_create
-returns NULL on an error (a malloc failure).
-.B ub_poll
-returns true if some information may be available, false otherwise.
-.B ub_fd
-returns a file descriptor or \-1 on error.
-.B ub_ctx_config
-and
-.B ub_ctx_resolvconf
-attempt to leave errno informative on a function return with file read failure.
-.SH "SEE ALSO"
-\fIunbound.conf\fR(5),
-\fIunbound\fR(8).
-.SH "AUTHORS"
-.B Unbound
-developers are mentioned in the CREDITS file in the distribution.
+.UNINDENT
+.UNINDENT
+.sp
+If both secure and bogus are false, security was not enabled for the domain of
+the query.
+Else, they are not both true, one of them is true.
+.SH RETURN VALUES
+.sp
+Many routines return an error code.
+The value 0 (zero) denotes no error happened.
+Other values can be passed to \fBub_strerror\fP to obtain a readable error
+string.
+\fBub_strerror\fP returns a zero terminated string.
+\fBub_ctx_create\fP returns NULL on an error (a malloc failure).
+\fBub_poll\fP returns true if some information may be available, false otherwise.
+\fBub_fd\fP returns a file descriptor or \-1 on error.
+\fBub_ctx_config\fP and \fBub_ctx_resolvconf\fP attempt to leave errno informative
+on a function return with file read failure.
+.SH SEE ALSO
+.sp
+\fI\%unbound.conf(5)\fP, \fI\%unbound(8)\fP\&.
+.SH AUTHOR
+Unbound developers are mentioned in the CREDITS file in the distribution.
+.SH COPYRIGHT
+1999-2025, NLnet Labs
+.\" Generated by docutils manpage writer.
+.
Index: doc/unbound-anchor.8.in
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/doc/unbound-anchor.8.in,v
diff -u -p -r1.44 unbound-anchor.8.in
--- doc/unbound-anchor.8.in 31 Aug 2025 21:41:09 -0000 1.44
+++ doc/unbound-anchor.8.in 22 Sep 2025 21:08:23 -0000
@@ -1,189 +1,300 @@
-.TH "unbound-anchor" "8" "Jul 16, 2025" "NLnet Labs" "unbound 1.23.1"
-.\"
-.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
-.\"
-.\" Copyright (c) 2008, NLnet Labs. All rights reserved.
-.\"
-.\" See LICENSE for the license.
-.\"
-.\"
-.SH "NAME"
-.B unbound\-anchor
-\- Unbound anchor utility.
-.SH "SYNOPSIS"
-.B unbound\-anchor
-.RB [ opts ]
-.SH "DESCRIPTION"
-.B Unbound\-anchor
-performs setup or update of the root trust anchor for DNSSEC validation.
-The program fetches the trust anchor with the method from RFC7958 when
-regular RFC5011 update fails to bring it up to date.
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "UNBOUND-ANCHOR" "8" "Sep 18, 2025" "1.24.0" "Unbound"
+.SH NAME
+unbound-anchor \- Unbound 1.24.0 anchor utility.
+.SH SYNOPSIS
+.sp
+\fBunbound\-anchor\fP [\fBopts\fP]
+.SH DESCRIPTION
+.sp
+\fBunbound\-anchor\fP performs setup or update of the root trust anchor for DNSSEC
+validation.
+The program fetches the trust anchor with the method from \fI\%RFC 7958\fP when
+regular \fI\%RFC 5011\fP update fails to bring it up to date.
It can be run (as root) from the commandline, or run as part of startup
-scripts. Before you start the \fIunbound\fR(8) DNS server.
-.P
+scripts.
+Before you start the \fI\%unbound(8)\fP DNS server.
+.sp
Suggested usage:
-.P
+.INDENT 0.0
+.INDENT 3.5
+.sp
.nf
- # in the init scripts.
- # provide or update the root anchor (if necessary)
- unbound-anchor \-a "@UNBOUND_ROOTKEY_FILE@"
- # Please note usage of this root anchor is at your own risk
- # and under the terms of our LICENSE (see source).
- #
- # start validating resolver
- # the unbound.conf contains:
- # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
- unbound \-c unbound.conf
+.ft C
+# in the init scripts.
+# provide or update the root anchor (if necessary)
+unbound\-anchor \-a \(dq@UNBOUND_ROOTKEY_FILE@\(dq
+# Please note usage of this root anchor is at your own risk
+# and under the terms of our LICENSE (see source).
+#
+# start validating resolver
+# the unbound.conf contains:
+# auto\-trust\-anchor\-file: \(dq@UNBOUND_ROOTKEY_FILE@\(dq
+unbound \-c unbound.conf
+.ft P
.fi
-.P
-This tool provides builtin default contents for the root anchor and root
-update certificate files.
-.P
+.UNINDENT
+.UNINDENT
+.sp
+This tool provides builtin default contents for the root anchor and root update
+certificate files.
+.sp
It tests if the root anchor file works, and if not, and an update is possible,
attempts to update the root anchor using the root update certificate.
-It performs a https fetch of root-anchors.xml and checks the results (RFC7958),
-if all checks are successful, it updates the root anchor file. Otherwise
-the root anchor file is unchanged. It performs RFC5011 tracking if the
-DNSSEC information available via the DNS makes that possible.
-.P
-It does not perform an update if the certificate is expired, if the network
-is down or other errors occur.
-.P
+It performs a https fetch of
+\fI\%root\-anchors.xml\fP
+and checks the results (\fI\%RFC 7958\fP); if all checks are successful, it updates
+the root anchor file.
+Otherwise the root anchor file is unchanged.
+It performs \fI\%RFC 5011\fP tracking if the DNSSEC information available via the
+DNS makes that possible.
+.sp
+It does not perform an update if the certificate is expired, if the network is
+down or other errors occur.
+.sp
The available options are:
+.INDENT 0.0
.TP
-.B \-a \fIfile
+.B \-a <file>
The root anchor key file, that is read in and written out.
-Default is @UNBOUND_ROOTKEY_FILE@.
-If the file does not exist, or is empty, a builtin root key is written to it.
+Default is \fB@UNBOUND_ROOTKEY_FILE@\fP\&.
+If the file does not exist, or is empty, a builtin root key is written
+to it.
+.UNINDENT
+.INDENT 0.0
.TP
-.B \-c \fIfile
+.B \-c <file>
The root update certificate file, that is read in.
-Default is @UNBOUND_ROOTCERT_FILE@.
+Default is \fB@UNBOUND_ROOTCERT_FILE@\fP\&.
If the file does not exist, or is empty, a builtin certificate is used.
+.UNINDENT
+.INDENT 0.0
.TP
.B \-l
List the builtin root key and builtin root update certificate on stdout.
+.UNINDENT
+.INDENT 0.0
.TP
-.B \-u \fIname
-The server name, it connects to https://name. Specify without https:// prefix.
-The default is "data.iana.org". It connects to the port specified with \-P.
+.B \-u <name>
+The server name, it connects to \fBhttps://name\fP\&.
+Specify without \fBhttps://\fP prefix.
+The default is \fB\(dqdata.iana.org\(dq\fP\&.
+It connects to the port specified with \fI\%\-P\fP\&.
You can pass an IPv4 address or IPv6 address (no brackets) if you want.
+.UNINDENT
+.INDENT 0.0
.TP
.B \-S
-Do not use SNI for the HTTPS connection. Default is to use SNI.
-.TP
-.B \-b \fIaddress
-The source address to bind to for domain resolution and contacting the server
-on https. May be either an IPv4 address or IPv6 address (no brackets).
-.TP
-.B \-x \fIpath
-The pathname to the root\-anchors.xml file on the server. (forms URL with \-u).
-The default is /root\-anchors/root\-anchors.xml.
-.TP
-.B \-s \fIpath
-The pathname to the root\-anchors.p7s file on the server. (forms URL with \-u).
-The default is /root\-anchors/root\-anchors.p7s. This file has to be a PKCS7
-signature over the xml file, using the pem file (\-c) as trust anchor.
-.TP
-.B \-n \fIname
-The emailAddress for the Subject of the signer's certificate from the p7s
-signature file. Only signatures from this name are allowed. default is
-dnssec@iana.org. If you pass "" then the emailAddress is not checked.
+Do not use SNI for the HTTPS connection.
+Default is to use SNI.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-b <address>
+The source address to bind to for domain resolution and contacting the
+server on https.
+May be either an IPv4 address or IPv6 address (no brackets).
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-x <path>
+The pathname to the root\-anchors.xml file on the server.
+(forms URL with \fI\%\-u\fP).
+The default is \fB/root\-anchors/root\-anchors.xml\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-s <path>
+The pathname to the root\-anchors.p7s file on the server.
+(forms URL with \fI\%\-u\fP).
+The default is \fB/root\-anchors/root\-anchors.p7s\fP\&.
+This file has to be a PKCS7 signature over the xml file, using the pem
+file (\fI\%\-c\fP) as trust anchor.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-n <name>
+The emailAddress for the Subject of the signer\(aqs certificate from the
+p7s signature file.
+Only signatures from this name are allowed.
+The default is \fBdnssec@iana.org\fP\&.
+If you pass \fB\(dq\(dq\fP then the emailAddress is not checked.
+.UNINDENT
+.INDENT 0.0
.TP
.B \-4
-Use IPv4 for domain resolution and contacting the server on https. Default is
-to use IPv4 and IPv6 where appropriate.
+Use IPv4 for domain resolution and contacting the server on
+https.
+Default is to use IPv4 and IPv6 where appropriate.
+.UNINDENT
+.INDENT 0.0
.TP
.B \-6
-Use IPv6 for domain resolution and contacting the server on https. Default is
-to use IPv4 and IPv6 where appropriate.
-.TP
-.B \-f \fIresolv.conf
-Use the given resolv.conf file. Not enabled by default, but you could try to
-pass /etc/resolv.conf on some systems. It contains the IP addresses of the
-recursive nameservers to use. However, since this tool could be used to
-bootstrap that very recursive nameserver, it would not be useful (since
-that server is not up yet, since we are bootstrapping it). It could be
-useful in a situation where you know an upstream cache is deployed (and
-running) and in captive portal situations.
-.TP
-.B \-r \fIroot.hints
-Use the given root.hints file (same syntax as the BIND and Unbound root hints
-file) to bootstrap domain resolution. By default a list of builtin root
-hints is used. Unbound\-anchor goes to the network itself for these roots,
-to resolve the server (\-u option) and to check the root DNSKEY records.
+Use IPv6 for domain resolution and contacting the server on https.
+Default is to use IPv4 and IPv6 where appropriate.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-f <resolv.conf>
+Use the given resolv.conf file.
+Not enabled by default, but you could try to pass
+\fB/etc/resolv.conf\fP on some systems.
+It contains the IP addresses of the recursive nameservers to use.
+However, since this tool could be used to bootstrap that very recursive
+nameserver, it would not be useful (since that server is not up yet,
+since we are bootstrapping it).
+It could be useful in a situation where you know an upstream cache is
+deployed (and running) and in captive portal situations.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-r <root.hints>
+Use the given root.hints file (same syntax as the BIND and Unbound root
+hints file) to bootstrap domain resolution.
+By default a list of builtin root hints is used.
+unbound\-anchor goes to the network itself for these roots, to resolve
+the server (\fI\%\-u\fP option) and to check the root DNSKEY records.
It does so, because the tool when used for bootstrapping the recursive
-resolver, cannot use that recursive resolver itself because it is bootstrapping
-that server.
+resolver, cannot use that recursive resolver itself because it is
+bootstrapping that server.
+.UNINDENT
+.INDENT 0.0
.TP
.B \-R
-Allow fallback from \-f resolv.conf file to direct root servers query.
-It allows you to prefer local resolvers, but fallback automatically
-to direct root query if they do not respond or do not support DNSSEC.
+Allow fallback from \fI\%\-f\fP \fB<resolv.conf>\fP file to direct root
+servers query.
+It allows you to prefer local resolvers, but fallback automatically to
+direct root query if they do not respond or do not support DNSSEC.
+.UNINDENT
+.INDENT 0.0
.TP
.B \-v
-More verbose. Once prints informational messages, multiple times may enable
-large debug amounts (such as full certificates or byte\-dumps of downloaded
-files). By default it prints almost nothing. It also prints nothing on
-errors by default; in that case the original root anchor file is simply
-left undisturbed, so that a recursive server can start right after it.
-.TP
-.B \-C \fIunbound.conf
-Debug option to read unbound.conf into the resolver process used.
-.TP
-.B \-P \fIport
-Set the port number to use for the https connection. The default is 443.
+More verbose.
+Once prints informational messages, multiple times may enable large
+debug amounts (such as full certificates or byte\-dumps of downloaded
+files).
+By default it prints almost nothing.
+It also prints nothing on errors by default; in that case the original
+root anchor file is simply left undisturbed, so that a recursive server
+can start right after it.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-C <unbound.conf>
+Debug option to read \fB<unbound.conf>\fP into the resolver process
+used.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-P <port>
+Set the port number to use for the https connection.
+The default is 443.
+.UNINDENT
+.INDENT 0.0
.TP
.B \-F
-Debug option to force update of the root anchor through downloading the xml
-file and verifying it with the certificate. By default it first tries to
-update by contacting the DNS, which uses much less bandwidth, is much
-faster (200 msec not 2 sec), and is nicer to the deployed infrastructure.
-With this option, it still attempts to do so (and may verbosely tell you),
-but then ignores the result and goes on to use the xml fallback method.
+Debug option to force update of the root anchor through downloading the
+xml file and verifying it with the certificate.
+By default it first tries to update by contacting the DNS, which uses
+much less bandwidth, is much faster (200 msec not 2 sec), and is nicer
+to the deployed infrastructure.
+With this option, it still attempts to do so (and may verbosely tell
+you), but then ignores the result and goes on to use the xml fallback
+method.
+.UNINDENT
+.INDENT 0.0
.TP
.B \-h
Show the version and commandline option help.
-.SH "EXIT CODE"
+.UNINDENT
+.SH EXIT CODE
+.sp
This tool exits with value 1 if the root anchor was updated using the
-certificate or if the builtin root-anchor was used. It exits with code
-0 if no update was necessary, if the update was possible with RFC5011
-tracking, or if an error occurred.
-.P
+certificate or if the builtin root\-anchor was used.
+It exits with code 0 if no update was necessary, if the update was possible
+with \fI\%RFC 5011\fP tracking, or if an error occurred.
+.sp
You can check the exit value in this manner:
+.INDENT 0.0
+.INDENT 3.5
+.sp
.nf
- unbound-anchor \-a "root.key" || logger "Please check root.key"
+.ft C
+unbound\-anchor \-a \(dqroot.key\(dq || logger \(dqPlease check root.key\(dq
+.ft P
.fi
+.UNINDENT
+.UNINDENT
+.sp
Or something more suitable for your operational environment.
-.SH "TRUST"
-The root keys and update certificate included in this tool
-are provided for convenience and under the terms of our
-license (see the LICENSE file in the source distribution or
-https://github.com/NLnetLabs/unbound/blob/master/LICENSE) and might be stale or
-not suitable to your purpose.
-.P
-By running "unbound\-anchor \-l" the keys and certificate that are
+.SH TRUST
+.sp
+The root keys and update certificate included in this tool are provided for
+convenience and under the terms of our license (see the LICENSE file in the
+source distribution or \fI\%https://github.com/NLnetLabs/unbound/blob/master/LICENSE\fP
+and might be stale or not suitable to your purpose.
+.sp
+By running \fI\%unbound\-anchor \-l\fP the keys and certificate that are
configured in the code are printed for your convenience.
-.P
-The build\-in configuration can be overridden by providing a root\-cert
-file and a rootkey file.
-.SH "FILES"
-.TP
-.I @UNBOUND_ROOTKEY_FILE@
-The root anchor file, updated with 5011 tracking, and read and written to.
+.sp
+The built\-in configuration can be overridden by providing a root\-cert file and
+a rootkey file.
+.SH FILES
+.INDENT 0.0
+.TP
+.B @UNBOUND_ROOTKEY_FILE@
+The root anchor file, updated with 5011 tracking, and read and written
+to.
The file is created if it does not exist.
.TP
-.I @UNBOUND_ROOTCERT_FILE@
-The trusted self\-signed certificate that is used to verify the downloaded
-DNSSEC root trust anchor. You can update it by fetching it from
-https://data.iana.org/root\-anchors/icannbundle.pem (and validate it).
+.B @UNBOUND_ROOTCERT_FILE@
+The trusted self\-signed certificate that is used to verify the
+downloaded DNSSEC root trust anchor.
+You can update it by fetching it from
+\fI\%https://data.iana.org/root\-anchors/icannbundle.pem\fP (and validate it).
If the file does not exist or is empty, a builtin version is used.
.TP
-.I https://data.iana.org/root\-anchors/root\-anchors.xml
+.B \fI\%https://data.iana.org/root\-anchors/root\-anchors.xml\fP
Source for the root key information.
.TP
-.I https://data.iana.org/root\-anchors/root\-anchors.p7s
+.B \fI\%https://data.iana.org/root\-anchors/root\-anchors.p7s\fP
Signature on the root key information.
-.SH "SEE ALSO"
-\fIunbound.conf\fR(5),
-\fIunbound\fR(8).
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fI\%unbound.conf(5)\fP,
+\fI\%unbound(8)\fP\&.
+.SH AUTHOR
+Unbound developers are mentioned in the CREDITS file in the distribution.
+.SH COPYRIGHT
+1999-2025, NLnet Labs
+.\" Generated by docutils manpage writer.
+.
Index: doc/unbound-checkconf.8.in
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/doc/unbound-checkconf.8.in,v
diff -u -p -r1.44 unbound-checkconf.8.in
--- doc/unbound-checkconf.8.in 31 Aug 2025 21:41:09 -0000 1.44
+++ doc/unbound-checkconf.8.in 22 Sep 2025 21:08:23 -0000
@@ -1,56 +1,93 @@
-.TH "unbound-checkconf" "8" "Jul 16, 2025" "NLnet Labs" "unbound 1.23.1"
-.\"
-.\" unbound-checkconf.8 -- unbound configuration checker manual
-.\"
-.\" Copyright (c) 2007, NLnet Labs. All rights reserved.
-.\"
-.\" See LICENSE for the license.
-.\"
-.\"
-.SH "NAME"
-unbound\-checkconf
-\- Check Unbound configuration file for errors.
-.SH "SYNOPSIS"
-.B unbound\-checkconf
-.RB [ \-h ]
-.RB [ \-f ]
-.RB [ \-q ]
-.RB [ \-o
-.IR option ]
-.RI [ cfgfile ]
-.SH "DESCRIPTION"
-.B Unbound\-checkconf
-checks the configuration file for the
-\fIunbound\fR(8)
-DNS resolver for syntax and other errors.
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "UNBOUND-CHECKCONF" "8" "Sep 18, 2025" "1.24.0" "Unbound"
+.SH NAME
+unbound-checkconf \- Check Unbound 1.24.0 configuration file for errors.
+.SH SYNOPSIS
+.sp
+\fBunbound\-checkconf\fP [\fB\-hf\fP] [\fB\-o option\fP] [cfgfile]
+.SH DESCRIPTION
+.sp
+\fBunbound\-checkconf\fP checks the configuration file for the
+\fI\%unbound(8)\fP DNS resolver for syntax and other errors.
The config file syntax is described in
-\fIunbound.conf\fR(5).
-.P
+\fI\%unbound.conf(5)\fP\&.
+.sp
The available options are:
+.INDENT 0.0
.TP
.B \-h
Show the version and commandline option help.
+.UNINDENT
+.INDENT 0.0
.TP
.B \-f
-Print full pathname, with chroot applied to it. Use with the \-o option.
-.TP
-.B \-o\fI option
-If given, after checking the config file the value of this option is
-printed to stdout. For "" (disabled) options an empty line is printed.
+Print full pathname, with chroot applied to it.
+Use with the \fI\%\-o\fP option.
+.UNINDENT
+.INDENT 0.0
.TP
.B \-q
Make the operation quiet, suppress output on success.
+.UNINDENT
+.INDENT 0.0
.TP
-.I cfgfile
-The config file to read with settings for Unbound. It is checked.
+.B \-o <option>
+If given, after checking the config file the value of this option is
+printed to stdout.
+For \fB\(dq\(dq\fP (disabled) options an empty line is printed.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B cfgfile
+The config file to read with settings for Unbound.
+It is checked.
If omitted, the config file at the default location is checked.
-.SH "EXIT CODE"
-The unbound\-checkconf program exits with status code 1 on error,
-0 for a correct config file.
-.SH "FILES"
+.UNINDENT
+.SH EXIT CODE
+.sp
+The \fBunbound\-checkconf\fP program exits with status code 1 on error, 0 for a
+correct config file.
+.SH FILES
+.INDENT 0.0
.TP
-.I @ub_conf_file@
+.B @ub_conf_file@
Unbound configuration file.
-.SH "SEE ALSO"
-\fIunbound.conf\fR(5),
-\fIunbound\fR(8).
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fI\%unbound.conf(5)\fP,
+\fI\%unbound(8)\fP\&.
+.SH AUTHOR
+Unbound developers are mentioned in the CREDITS file in the distribution.
+.SH COPYRIGHT
+1999-2025, NLnet Labs
+.\" Generated by docutils manpage writer.
+.
Index: doc/unbound-control.8.in
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/doc/unbound-control.8.in,v
diff -u -p -r1.46 unbound-control.8.in
--- doc/unbound-control.8.in 31 Aug 2025 21:41:09 -0000 1.46
+++ doc/unbound-control.8.in 22 Sep 2025 21:08:23 -0000
@@ -1,982 +1,1547 @@
-.TH "unbound-control" "8" "Jul 16, 2025" "NLnet Labs" "unbound 1.23.1"
-.\"
-.\" unbound-control.8 -- unbound remote control manual
-.\"
-.\" Copyright (c) 2008, NLnet Labs. All rights reserved.
-.\"
-.\" See LICENSE for the license.
-.\"
-.\"
-.SH "NAME"
-.B unbound\-control,
-.B unbound\-control\-setup
-\- Unbound remote server control utility.
-.SH "SYNOPSIS"
-.B unbound\-control
-.RB [ \-hq ]
-.RB [ \-c
-.IR cfgfile ]
-.RB [ \-s
-.IR server ]
-.IR command
-.SH "DESCRIPTION"
-.B Unbound\-control
-performs remote administration on the \fIunbound\fR(8) DNS server.
-It reads the configuration file, contacts the Unbound server over SSL
-sends the command and displays the result.
-.P
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "UNBOUND-CONTROL" "8" "Sep 18, 2025" "1.24.0" "Unbound"
+.SH NAME
+unbound-control \- Unbound 1.24.0 remote server control utility.
+.SH SYNOPSIS
+.sp
+\fBunbound\-control\fP [\fB\-hq\fP] [\fB\-c cfgfile\fP] [\fB\-s server\fP] command
+.SH DESCRIPTION
+.sp
+\fBunbound\-control\fP performs remote administration on the
+\fI\%unbound(8)\fP DNS server.
+It reads the configuration file, contacts the Unbound server over TLS sends the
+command and displays the result.
+.sp
The available options are:
+.INDENT 0.0
.TP
.B \-h
Show the version and commandline option help.
+.UNINDENT
+.INDENT 0.0
.TP
-.B \-c \fIcfgfile
-The config file to read with settings. If not given the default
-config file @ub_conf_file@ is used.
-.TP
-.B \-s \fIserver[@port]
-IPv4 or IPv6 address of the server to contact. If not given, the
-address is read from the config file.
+.B \-c <cfgfile>
+The config file to read with settings.
+If not given the default config file
+\fB@ub_conf_file@\fP is used.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-s <server[@port]>
+IPv4 or IPv6 address of the server to contact.
+If not given, the address is read from the config file.
+.UNINDENT
+.INDENT 0.0
.TP
.B \-q
-quiet, if the option is given it does not print anything if it works ok.
-.SH "COMMANDS"
+Quiet, if the option is given it does not print anything if it works ok.
+.UNINDENT
+.SH COMMANDS
+.sp
There are several commands that the server understands.
+.INDENT 0.0
.TP
-.B start
-Start the server. Simply execs \fIunbound\fR(8). The Unbound executable
-is searched for in the \fBPATH\fR set in the environment. It is started
-with the config file specified using \fI\-c\fR or the default config file.
+.B start
+Start the server.
+Simply execs \fI\%unbound(8)\fP\&.
+The \fBunbound\fP executable is searched for in the \fBPATH\fP set in the
+environment.
+It is started with the config file specified using \fI\%\-c\fP or the
+default config file.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B stop
+Stop the server.
+The server daemon exits.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B reload
+Reload the server.
+This flushes the cache and reads the config file fresh.
+.UNINDENT
+.INDENT 0.0
.TP
-.B stop
-Stop the server. The server daemon exits.
-.TP
-.B reload
-Reload the server. This flushes the cache and reads the config file fresh.
-.TP
-.B reload_keep_cache
+.B reload_keep_cache
Reload the server but try to keep the RRset and message cache if
(re)configuration allows for it.
-That means the caches sizes and the number of threads must not change between
-reloads.
+That means the caches sizes and the number of threads must not change
+between reloads.
+.UNINDENT
+.INDENT 0.0
.TP
-.B fast_reload \fR[\fI+dpv\fR]
+.B fast_reload [\fB+dpv\fP]
Reload the server, but keep downtime to a minimum, so that user queries
-keep seeing service. This needs the code compiled with threads. The config
-is loaded in a thread, and prepared, then it briefly pauses the existing
-server and updates config options. The intent is that the pause does not
-impact the service of user queries. The cache is kept. Also user queries
-worked on are kept and continue, but with the new config options.
-.IP
+keep seeing service.
+This needs the code compiled with threads.
+The config is loaded in a thread, and prepared, then it briefly pauses the
+existing server and updates config options.
+The intent is that the pause does not impact the service of user queries.
+The cache is kept.
+Also user queries worked on are kept and continue, but with the new config
+options.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
This command is experimental at this time.
-.IP
+.UNINDENT
+.UNINDENT
+.sp
The amount of temporal memory needed during a fast_reload is twice the
amount needed for configuration.
-This is because Unbound temporarily needs to store both current configuration
-values and new ones while trying to fast_reload.
+This is because Unbound temporarily needs to store both current
+configuration values and new ones while trying to fast_reload.
Zones loaded from disk (authority zones and RPZ zones) are included in such
memory needs.
-.IP
+.sp
Options that can be changed are for
-forwards,
-stubs,
-views,
-authority zones,
-RPZ zones and
-local zones.
-.IP
+\fI\%forwards\fP,
+\fI\%stubs\fP,
+\fI\%views\fP,
+\fI\%authority zones\fP,
+\fI\%RPZ zones\fP and
+\fI\%local zones\fP\&.
+.sp
Also
-access-control and similar options,
-interface-action and similar options and
-tcp-connection-limit.
+\fI\%access\-control\fP and similar options,
+\fI\%interface\-action\fP and similar
+options and
+\fI\%tcp\-connection\-limit\fP\&.
It can reload some
-define-tag
+\fI\%define\-tag\fP
changes, more on that below.
Further options include
-insecure-lan-zones,
-domain-insecure,
-trust-anchor-file,
-trust-anchor,
-trusted-keys-file,
-auto-trust-anchor-file,
-edns-client-string,
+\fI\%insecure\-lan\-zones\fP,
+\fI\%domain\-insecure\fP,
+\fI\%trust\-anchor\-file\fP,
+\fI\%trust\-anchor\fP,
+\fI\%trusted\-keys\-file\fP,
+\fI\%auto\-trust\-anchor\-file\fP,
+\fI\%edns\-client\-string\fP,
ipset,
-log-identity,
-infra-cache-numhosts,
-msg-cache-size,
-rrset-cache-size,
-key-cache-size,
-ratelimit-size,
-neg-cache-size,
-num-queries-per-thread,
-jostle-timeout,
-use-caps-for-id,
-unwanted-reply-threshold,
-tls-use-sni,
-outgoing-tcp-mss,
-ip-dscp,
-max-reuse-tcp-queries,
-tcp-reuse-timeout,
-tcp-auth-query-timeout,
-delay-close.
-.IP
+\fI\%log\-identity\fP,
+\fI\%infra\-cache\-numhosts\fP,
+\fI\%msg\-cache\-size\fP,
+\fI\%rrset\-cache\-size\fP,
+\fI\%key\-cache\-size\fP,
+\fI\%ratelimit\-size\fP,
+\fI\%neg\-cache\-size\fP,
+\fI\%num\-queries\-per\-thread\fP,
+\fI\%jostle\-timeout\fP,
+\fI\%use\-caps\-for\-id\fP,
+\fI\%unwanted\-reply\-threshold\fP,
+\fI\%tls\-use\-sni\fP,
+\fI\%outgoing\-tcp\-mss\fP,
+\fI\%ip\-dscp\fP,
+\fI\%max\-reuse\-tcp\-queries\fP,
+\fI\%tcp\-reuse\-timeout\fP,
+\fI\%tcp\-auth\-query\-timeout\fP,
+\fI\%delay\-close\fP\&.
+.sp
It does not work with
-interface and
-outgoing-interface changes,
+\fI\%interface\fP and
+\fI\%outgoing\-interface\fP changes,
also not with
-remote control,
-outgoing-port-permit,
-outgoing-port-avoid,
-msg-buffer-size,
-any **\*-slabs** options and
-statistics-interval changes.
-.IP
-For dnstap these options can be changed:
-dnstap-log-resolver-query-messages,
-dnstap-log-resolver-response-messages,
-dnstap-log-client-query-messages,
-dnstap-log-client-response-messages,
-dnstap-log-forwarder-query-messages and
-dnstap-log-forwarder-response-messages.
-.IP
+\fI\%remote control\fP,
+\fI\%outgoing\-port\-permit\fP,
+\fI\%outgoing\-port\-avoid\fP,
+\fI\%msg\-buffer\-size\fP,
+any \fB*\-slabs\fP options and
+\fI\%statistics\-interval\fP changes.
+.sp
+For \fI\%dnstap\fP these options can be changed:
+\fI\%dnstap\-log\-resolver\-query\-messages\fP,
+\fI\%dnstap\-log\-resolver\-response\-messages\fP,
+\fI\%dnstap\-log\-client\-query\-messages\fP,
+\fI\%dnstap\-log\-client\-response\-messages\fP,
+\fI\%dnstap\-log\-forwarder\-query\-messages\fP and
+\fI\%dnstap\-log\-forwarder\-response\-messages\fP\&.
+.sp
It does not work with these options:
-dnstap-enable,
-dnstap-bidirectional,
-dnstap-socket-path,
-dnstap-ip,
-dnstap-tls,
-dnstap-tls-server-name,
-dnstap-tls-cert-bundle,
-dnstap-tls-client-key-file and
-dnstap-tls-client-cert-file.
-.IP
+\fI\%dnstap\-enable\fP,
+\fI\%dnstap\-bidirectional\fP,
+\fI\%dnstap\-socket\-path\fP,
+\fI\%dnstap\-ip\fP,
+\fI\%dnstap\-tls\fP,
+\fI\%dnstap\-tls\-server\-name\fP,
+\fI\%dnstap\-tls\-cert\-bundle\fP,
+\fI\%dnstap\-tls\-client\-key\-file\fP and
+\fI\%dnstap\-tls\-client\-cert\-file\fP\&.
+.sp
The options
-dnstap-send-identity,
-dnstap-send-version,
-dnstap-identity, and
-dnstap-version can be loaded
-when ``+p`` is not used.
-.IP
-The '+v' option makes the output verbose which includes the time it took to do
-the reload.
-With '+vv' it is more verbose which includes the amount of memory that was
-allocated temporarily to perform the reload; this amount of memory can be big
-if the config has large contents.
-In the timing output the 'reload' time is the time during which the server was
-paused.
-.IP
-The '+p' option makes the reload not pause threads, they keep running.
+\fI\%dnstap\-send\-identity\fP,
+\fI\%dnstap\-send\-version\fP,
+\fI\%dnstap\-identity\fP, and
+\fI\%dnstap\-version\fP can be loaded
+when \fB+p\fP is not used.
+.sp
+The \fB+v\fP option makes the output verbose which includes the time it took
+to do the reload.
+With \fB+vv\fP it is more verbose which includes the amount of memory that
+was allocated temporarily to perform the reload; this amount of memory can
+be big if the config has large contents.
+In the timing output the \(aqreload\(aq time is the time during which the server
+was paused.
+.sp
+The \fB+p\fP option makes the reload not pause threads, they keep running.
Locks are acquired, but items are updated in sequence, so it is possible
for threads to see an inconsistent state with some options from the old
and some options from the new config, such as cache TTL parameters from the
-old config and forwards from the new config. The stubs and forwards are
-updated at the same time, so that they are viewed consistently, either old
-or new values together. The option makes the reload time take eg. 3
-microseconds instead of 0.3 milliseconds during which the worker threads are
-interrupted. So, the interruption is much shorter, at the expense of some
-inconsistency. After the reload itself, every worker thread is briefly
-contacted to make them release resources, this makes the delete timing
-a little longer, and takes up time from the remote control servicing
-worker thread.
-.IP
-With the nopause option, the reload does not work to reload some options,
-that fast reload works on without the nopause option: val-bogus-ttl,
-val-override-date, val-sig-skew-min, val-sig-skew-max, val-max-restart,
-val-nsec3-keysize-iterations, target-fetch-policy, outbound-msg-retry,
-max-sent-count, max-query-restarts, do-not-query-address,
-do-not-query-localhost, private-address, private-domain, caps-exempt,
-nat64-prefix, do-nat64, infra-host-ttl, infra-keep-probing, ratelimit,
-ip-ratelimit, ip-ratelimit-cookie, wait-limit-netblock,
-wait-limit-cookie-netblock, ratelimit-below-domain, ratelimit-for-domain.
-.IP
-The '+d' option makes the reload drop queries that the worker threads are
-working on. This is like flush_requestlist. Without it the queries are kept
-so that users keep getting answers for those queries that are currently
-processed. The drop makes it so that queries during the life time of the
+old config and forwards from the new config.
+The stubs and forwards are updated at the same time, so that they are
+viewed consistently, either old or new values together.
+The option makes the reload time take eg. 3 microseconds instead of 0.3
+milliseconds during which the worker threads are interrupted.
+So, the interruption is much shorter, at the expense of some inconsistency.
+After the reload itself, every worker thread is briefly contacted to make
+them release resources, this makes the delete timing a little longer, and
+takes up time from the remote control servicing worker thread.
+.sp
+With the nopause option (\fB+p\fP), the reload does not work to reload some
+options, that fast reload works on without the nopause option:
+\fI\%val\-bogus\-ttl\fP,
+\fI\%val\-override\-date\fP,
+\fI\%val\-sig\-skew\-min\fP,
+\fI\%val\-sig\-skew\-max\fP,
+\fI\%val\-max\-restart\fP,
+\fI\%val\-nsec3\-keysize\-iterations\fP,
+\fI\%target\-fetch\-policy\fP,
+\fI\%outbound\-msg\-retry\fP,
+\fI\%max\-sent\-count\fP,
+\fI\%max\-query\-restarts\fP,
+\fI\%do\-not\-query\-address\fP,
+\fI\%do\-not\-query\-localhost\fP,
+\fI\%private\-address\fP,
+\fI\%private\-domain\fP,
+\fI\%caps\-exempt\fP,
+\fI\%nat64\-prefix\fP,
+\fI\%do\-nat64\fP,
+\fI\%infra\-host\-ttl\fP,
+\fI\%infra\-keep\-probing\fP,
+\fI\%ratelimit\fP,
+\fI\%ip\-ratelimit\fP,
+\fI\%ip\-ratelimit\-cookie\fP,
+\fI\%wait\-limit\-netblock\fP,
+\fI\%wait\-limit\-cookie\-netblock\fP,
+\fI\%ratelimit\-below\-domain\fP,
+\fI\%ratelimit\-for\-domain\fP\&.
+.sp
+The \fB+d\fP option makes the reload drop queries that the worker threads are
+working on.
+This is like
+\fI\%flush_requestlist\fP\&.
+Without it the queries are kept so that users keep getting answers for
+those queries that are currently processed.
+The drop makes it so that queries during the life time of the
query processing see only old, or only new config options.
-.IP
-When there are changes to the config tags, from the \fBdefine\-tag\fR option,
-then the '+d' option is implicitly turned on with a warning printout, and
+.sp
+When there are changes to the config tags, from the
+\fI\%define\-tag\fP option,
+then the \fB+d\fP option is implicitly turned on with a warning printout, and
queries are dropped.
This is to stop references to the old tag information, by the old
-queries. If the number of tags is increased in the newly loaded config, by
-adding tags at the end, then the implicit '+d' option is not needed.
-.IP
+queries.
+If the number of tags is increased in the newly loaded config, by
+adding tags at the end, then the implicit \fB+d\fP option is not needed.
+.sp
For response ip, that is actions associated with IP addresses, and perhaps
intersected with access control tag and action information, those settings
are stored with a query when it comes in based on its source IP address.
The old information is kept with the query until the queries are done.
-This is gone when those queries are resolved and finished, or it is possible
-to flush the requestlist with '+d'.
-.TP
-.B verbosity \fInumber
-Change verbosity value for logging. Same values as \fBverbosity\fR keyword in
-\fIunbound.conf\fR(5). This new setting lasts until the server is issued
-a reload (taken from config file again), or the next verbosity control command.
-.TP
-.B log_reopen
-Reopen the logfile, close and open it. Useful for logrotation to make the
-daemon release the file it is logging to. If you are using syslog it will
-attempt to close and open the syslog (which may not work if chrooted).
-.TP
-.B stats
-Print statistics. Resets the internal counters to zero, this can be
-controlled using the \fBstatistics\-cumulative\fR config statement.
-Statistics are printed with one [name]: [value] per line.
-.TP
-.B stats_noreset
-Peek at statistics. Prints them like the \fBstats\fR command does, but does not
-reset the internal counters to zero.
-.TP
-.B status
-Display server status. Exit code 3 if not running (the connection to the
-port is refused), 1 on error, 0 if running.
-.TP
-.B local_zone \fIname\fR \fItype
-Add new local zone with name and type. Like \fBlocal\-zone\fR config statement.
+This is gone when those queries are resolved and finished, or it is
+possible to flush the requestlist with \fB+d\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B verbosity \fInumber\fP
+Change verbosity value for logging.
+Same values as the \fBverbosity:\fP keyword in
+\fI\%unbound.conf(5)\fP\&.
+This new setting lasts until the server is issued a reload (taken from
+config file again), or the next verbosity control command.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B log_reopen
+Reopen the logfile, close and open it.
+Useful for logrotation to make the daemon release the file it is logging
+to.
+If you are using syslog it will attempt to close and open the syslog (which
+may not work if chrooted).
+.UNINDENT
+.INDENT 0.0
+.TP
+.B stats
+Print statistics.
+Resets the internal counters to zero, this can be controlled using the
+\fBstatistics\-cumulative:\fP config statement.
+Statistics are printed with one \fB[name]: [value]\fP per line.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B stats_noreset
+Peek at statistics.
+Prints them like the stats command does, but does not reset the internal
+counters to zero.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B status
+Display server status.
+Exit code 3 if not running (the connection to the port is refused), 1 on
+error, 0 if running.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B local_zone \fIname type\fP
+Add new local zone with name and type.
+Like local\-zone config statement.
If the zone already exists, the type is changed to the given argument.
+.UNINDENT
+.INDENT 0.0
.TP
-.B local_zone_remove \fIname
-Remove the local zone with the given name. Removes all local data inside
-it. If the zone does not exist, the command succeeds.
-.TP
-.B local_data \fIRR data...
-Add new local data, the given resource record. Like \fBlocal\-data\fR
-config statement, except for when no covering zone exists. In that case
-this remote control command creates a transparent zone with the same
-name as this record.
-.TP
-.B local_data_remove \fIname
-Remove all RR data from local name. If the name already has no items,
-nothing happens. Often results in NXDOMAIN for the name (in a static zone),
-but if the name has become an empty nonterminal (there is still data in
-domain names below the removed name), NOERROR nodata answers are the
-result for that name.
-.TP
-.B local_zones
-Add local zones read from stdin of unbound\-control. Input is read per line,
-with name space type on a line. For bulk additions.
-.TP
-.B local_zones_remove
-Remove local zones read from stdin of unbound\-control. Input is one name per
-line. For bulk removals.
-.TP
-.B local_datas
-Add local data RRs read from stdin of unbound\-control. Input is one RR per
-line. For bulk additions.
-.TP
-.B local_datas_remove
-Remove local data RRs read from stdin of unbound\-control. Input is one name per
-line. For bulk removals.
+.B local_zone_remove \fIname\fP
+Remove the local zone with the given name.
+Removes all local data inside it.
+If the zone does not exist, the command succeeds.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B local_data \fIRR data...\fP
+Add new local data, the given resource record.
+Like \fBlocal\-data:\fP keyword, except for when no covering zone exists.
+In that case this remote control command creates a transparent zone with
+the same name as this record.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B local_data_remove \fIname\fP
+Remove all RR data from local name.
+If the name already has no items, nothing happens.
+Often results in NXDOMAIN for the name (in a static zone), but if the name
+has become an empty nonterminal (there is still data in domain names below
+the removed name), NOERROR nodata answers are the result for that name.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B local_zones
+Add local zones read from stdin of unbound\-control.
+Input is read per line, with name space type on a line.
+For bulk additions.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B local_zones_remove
+Remove local zones read from stdin of unbound\-control.
+Input is one name per line.
+For bulk removals.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B local_datas
+Add local data RRs read from stdin of unbound\-control.
+Input is one RR per line.
+For bulk additions.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B local_datas_remove
+Remove local data RRs read from stdin of unbound\-control.
+Input is one name per line.
+For bulk removals.
+.UNINDENT
+.INDENT 0.0
.TP
-.B dump_cache
-The content of the cache is printed in a text format to stdout.
+.B dump_cache
+The contents of the cache is printed in a text format to stdout.
You can redirect it to a file to store the cache in a file.
-Not supported in remote Unbounds in multi-process operation.
+Not supported in remote Unbounds in multi\-process operation.
+.UNINDENT
+.INDENT 0.0
.TP
-.B load_cache
-The content of the cache is loaded from stdin.
+.B load_cache
+The contents of the cache is loaded from stdin.
Uses the same format as dump_cache uses.
Loading the cache with old, or wrong data can result in old or wrong data
returned to clients.
Loading data into the cache in this way is supported in order to aid with
debugging.
-Not supported in remote Unbounds in multi-process operation.
-.TP
-.B lookup \fIname
-Print to stdout the name servers that would be used to look up the
-name specified.
-.TP
-.B flush \fR[\fI+c\fR] \fIname
-Remove the name from the cache. Removes the types
-A, AAAA, NS, SOA, CNAME, DNAME, MX, PTR, SRV, NAPTR, SVCB and HTTPS.
-Because that is fast to do. Other record types can be removed using
-.B flush_type
-or
-.B flush_zone\fR.
-.IP
-The '+c' option removes the items also from the cachedb cache. If
-cachedb is in use.
+Not supported in remote Unbounds in multi\-process operation.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B cache_lookup [\fB+t\fP] \fInames\fP
+Print to stdout the RRsets and messages that are in the cache.
+For every name listed the content at or under the name is printed.
+Several names separated by spaces can be given, each is printed.
+When subnetcache is enabled, also matching entries from the subnet
+cache are printed.
+.sp
+The \fB+t\fP option allows tld and root names.
+With it names like \(aqcom\(aq and \(aq.\(aq can be used, but it takes a lot of
+effort to look up in the cache.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B lookup \fIname\fP
+Print to stdout the name servers that would be used to look up the name
+specified.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B flush [\fB+c\fP] \fIname\fP
+Remove the name from the cache.
+Removes the types A, AAAA, NS, SOA, CNAME, DNAME, MX, PTR, SRV, NAPTR,
+SVCB and HTTPS.
+Because that is fast to do.
+Other record types can be removed using \fBflush_type\fP or \fBflush_zone\fP\&.
+.sp
+The \fB+c\fP option removes the items also from the cachedb cache.
+If cachedb is in use.
+.UNINDENT
+.INDENT 0.0
.TP
-.B flush_type \fR[\fI+c\fR] \fIname\fR \fItype
+.B flush_type [\fB+c\fP] \fIname type\fP
Remove the name, type information from the cache.
+.sp
+The \fB+c\fP option removes the items also from the cachedb cache.
+If cachedb is in use.
+.UNINDENT
+.INDENT 0.0
.TP
-.B flush_zone \fR[\fI+c\fR] \fIname
+.B flush_zone [\fB+c\fP] name
Remove all information at or below the name from the cache.
-The rrsets and key entries are removed so that new lookups will be performed.
+The rrsets and key entries are removed so that new lookups will be
+performed.
This needs to walk and inspect the entire cache, and is a slow operation.
The entries are set to expired in the implementation of this command (so,
-with serve\-expired enabled, it'll serve that information but schedule a
+with serve\-expired enabled, it\(aqll serve that information but schedule a
prefetch for new information).
+.sp
+The \fB+c\fP option removes the items also from the cachedb cache.
+If cachedb is in use.
+.UNINDENT
+.INDENT 0.0
.TP
-.B flush_bogus \fR[\fI+c\fR]
+.B flush_bogus [\fB+c\fP]
Remove all bogus data from the cache.
+.sp
+The \fB+c\fP option removes the items also from the cachedb cache.
+If cachedb is in use.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B flush_negative [\fB+c\fP]
+Remove all negative data from the cache.
+This is nxdomain answers, nodata answers and servfail answers.
+Also removes bad key entries (which could be due to failed lookups) from
+the dnssec key cache, and iterator last\-resort lookup failures from the
+rrset cache.
+.sp
+The \fB+c\fP option removes the items also from the cachedb cache.
+If cachedb is in use.
+.UNINDENT
+.INDENT 0.0
.TP
-.B flush_negative \fR[\fI+c\fR]
-Remove all negative data from the cache. This is nxdomain answers,
-nodata answers and servfail answers. Also removes bad key entries
-(which could be due to failed lookups) from the dnssec key cache, and
-iterator last-resort lookup failures from the rrset cache.
-.TP
-.B flush_stats
+.B flush_stats
Reset statistics to zero.
+.UNINDENT
+.INDENT 0.0
.TP
-.B flush_requestlist
-Drop the queries that are worked on. Stops working on the queries that the
-server is working on now. The cache is unaffected. No reply is sent for
-those queries, probably making those users request again later.
+.B flush_requestlist
+Drop the queries that are worked on.
+Stops working on the queries that the server is working on now.
+The cache is unaffected.
+No reply is sent for those queries, probably making those users request
+again later.
Useful to make the server restart working on queries with new settings,
such as a higher verbosity level.
+.UNINDENT
+.INDENT 0.0
.TP
-.B dump_requestlist
-Show what is worked on. Prints all queries that the server is currently
-working on. Prints the time that users have been waiting. For internal
-requests, no time is printed. And then prints out the module status.
+.B dump_requestlist
+Show what is worked on.
+Prints all queries that the server is currently working on.
+Prints the time that users have been waiting.
+For internal requests, no time is printed.
+And then prints out the module status.
This prints the queries from the first thread, and not queries that are
being serviced from other threads.
+.UNINDENT
+.INDENT 0.0
.TP
-.B flush_infra \fIall|IP
-If all then entire infra cache is emptied. If a specific IP address, the
-entry for that address is removed from the cache. It contains EDNS, ping
-and lameness data.
+.B flush_infra \fIall|IP\fP
+If all then entire infra cache is emptied.
+If a specific IP address, the entry for that address is removed from the
+cache.
+It contains EDNS, ping and lameness data.
+.UNINDENT
+.INDENT 0.0
.TP
-.B dump_infra
+.B dump_infra
Show the contents of the infra cache.
+.UNINDENT
+.INDENT 0.0
.TP
-.B set_option \fIopt: val
-Set the option to the given value without a reload. The cache is
-therefore not flushed. The option must end with a ':' and whitespace
-must be between the option and the value. Some values may not have an
-effect if set this way, the new values are not written to the config file,
-not all options are supported. This is different from the set_option call
-in libunbound, where all values work because Unbound has not been initialized.
-.IP
+.B set_option \fIopt: val\fP
+Set the option to the given value without a reload.
+The cache is therefore not flushed.
+The option must end with a \fB\(aq:\(aq\fP and whitespace must be between the
+option and the value.
+Some values may not have an effect if set this way, the new values are not
+written to the config file, not all options are supported.
+This is different from the set_option call in libunbound, where all values
+work because Unbound has not been initialized.
+.sp
The values that work are: statistics\-interval, statistics\-cumulative,
-do\-not\-query\-localhost, harden\-short\-bufsize, harden\-large\-queries,
+do\-not\-query\-localhost, harden\-short\-bufsize, harden\-large\-queries,
harden\-glue, harden\-dnssec\-stripped, harden\-below\-nxdomain,
-harden\-referral\-path, prefetch, prefetch\-key, log\-queries,
-hide\-identity, hide\-version, identity, version, val\-log\-level,
-val\-log\-squelch, ignore\-cd\-flag, add\-holddown, del\-holddown,
-keep\-missing, tcp\-upstream, ssl\-upstream, max\-udp\-size, ratelimit,
-ip\-ratelimit, cache\-max\-ttl, cache\-min\-ttl, cache\-max\-negative\-ttl.
-.TP
-.B get_option \fIopt
-Get the value of the option. Give the option name without a trailing ':'.
-The value is printed. If the value is "", nothing is printed
-and the connection closes. On error 'error ...' is printed (it gives
-a syntax error on unknown option). For some options a list of values,
-one on each line, is printed. The options are shown from the config file
-as modified with set_option. For some options an override may have been
-taken that does not show up with this command, not results from e.g. the
-verbosity and forward control commands. Not all options work, see list_stubs,
-list_forwards, list_local_zones and list_local_data for those.
-.TP
-.B list_stubs
-List the stub zones in use. These are printed one by one to the output.
+harden\-referral\-path, prefetch, prefetch\-key, log\-queries, hide\-identity,
+hide\-version, identity, version, val\-log\-level, val\-log\-squelch,
+ignore\-cd\-flag, add\-holddown, del\-holddown, keep\-missing, tcp\-upstream,
+ssl\-upstream, max\-udp\-size, ratelimit, ip\-ratelimit, cache\-max\-ttl,
+cache\-min\-ttl, cache\-max\-negative\-ttl.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B get_option \fIopt\fP
+Get the value of the option.
+Give the option name without a trailing \fB\(aq:\(aq\fP\&.
+The value is printed.
+If the value is \fB\(dq\(dq\fP, nothing is printed and the connection closes.
+On error \fB\(aqerror ...\(aq\fP is printed (it gives a syntax error on unknown
+option).
+For some options a list of values, one on each line, is printed.
+The options are shown from the config file as modified with set_option.
+For some options an override may have been taken that does not show up with
+this command, not results from e.g. the verbosity and forward control
+commands.
+Not all options work, see list_stubs, list_forwards, list_local_zones and
+list_local_data for those.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B list_stubs
+List the stub zones in use.
+These are printed one by one to the output.
This includes the root hints in use.
+.UNINDENT
+.INDENT 0.0
.TP
-.B list_forwards
-List the forward zones in use. These are printed zone by zone to the output.
+.B list_forwards
+List the forward zones in use.
+These are printed zone by zone to the output.
+.UNINDENT
+.INDENT 0.0
.TP
-.B list_insecure
+.B list_insecure
List the zones with domain\-insecure.
+.UNINDENT
+.INDENT 0.0
.TP
-.B list_local_zones
-List the local zones in use. These are printed one per line with zone type.
-.TP
-.B list_local_data
-List the local data RRs in use. The resource records are printed.
+.B list_local_zones
+List the local zones in use.
+These are printed one per line with zone type.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B list_local_data
+List the local data RRs in use.
+The resource records are printed.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B insecure_add \fIzone\fP
+Add a domain\-insecure for the given zone, like the statement in
+unbound.conf.
+Adds to the running Unbound without affecting the cache
+contents (which may still be bogus, use flush_zone to remove it), does not
+affect the config file.
+.UNINDENT
+.INDENT 0.0
.TP
-.B insecure_add \fIzone
-Add a \fBdomain\-insecure\fR for the given zone, like the statement in unbound.conf.
-Adds to the running Unbound without affecting the cache contents (which may
-still be bogus, use \fBflush_zone\fR to remove it), does not affect the config file.
-.TP
-.B insecure_remove \fIzone
+.B insecure_remove \fIzone\fP
Removes domain\-insecure for the given zone.
+.UNINDENT
+.INDENT 0.0
.TP
-.B forward_add \fR[\fI+it\fR] \fIzone addr ...
-Add a new forward zone to running Unbound. With +i option also adds a
-\fIdomain\-insecure\fR for the zone (so it can resolve insecurely if you have
-a DNSSEC root trust anchor configured for other names).
-The addr can be IP4, IP6 or nameserver names, like \fIforward-zone\fR config
-in unbound.conf.
-The +t option sets it to use tls upstream, like \fIforward\-tls\-upstream\fR: yes.
-.TP
-.B forward_remove \fR[\fI+i\fR] \fIzone
-Remove a forward zone from running Unbound. The +i also removes a
-\fIdomain\-insecure\fR for the zone.
-.TP
-.B stub_add \fR[\fI+ipt\fR] \fIzone addr ...
-Add a new stub zone to running Unbound. With +i option also adds a
-\fIdomain\-insecure\fR for the zone. With +p the stub zone is set to prime,
-without it it is set to notprime. The addr can be IP4, IP6 or nameserver
-names, like the \fIstub-zone\fR config in unbound.conf.
-The +t option sets it to use tls upstream, like \fIstub\-tls\-upstream\fR: yes.
-.TP
-.B stub_remove \fR[\fI+i\fR] \fIzone
-Remove a stub zone from running Unbound. The +i also removes a
-\fIdomain\-insecure\fR for the zone.
-.TP
-.B forward \fR[\fIoff\fR | \fIaddr ...\fR ]
-Setup forwarding mode. Configures if the server should ask other upstream
-nameservers, should go to the internet root nameservers itself, or show
-the current config. You could pass the nameservers after a DHCP update.
-.IP
+.B forward_add [\fB+it\fP] \fIzone addr ...\fP
+Add a new forward zone to running Unbound.
+With \fB+i\fP option also adds a domain\-insecure for the zone (so it can
+resolve insecurely if you have a DNSSEC root trust anchor configured for
+other names).
+The addr can be IP4, IP6 or nameserver names, like forward\-zone config in
+unbound.conf.
+The \fB+t\fP option sets it to use TLS upstream, like
+\fI\%forward\-tls\-upstream: yes\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B forward_remove [\fB+i\fP] \fIzone\fP
+Remove a forward zone from running Unbound.
+The \fB+i\fP also removes a domain\-insecure for the zone.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B stub_add [\fB+ipt\fP] \fIzone addr ...\fP
+Add a new stub zone to running Unbound.
+With \fB+i\fP option also adds a domain\-insecure for the zone.
+With \fB+p\fP the stub zone is set to prime, without it it is set to
+notprime.
+The addr can be IP4, IP6 or nameserver names, like the \fBstub\-zone:\fP
+config in unbound.conf.
+The \fB+t\fP option sets it to use TLS upstream, like
+\fI\%stub\-tls\-upstream: yes\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B stub_remove [\fB+i\fP] \fIzone\fP
+Remove a stub zone from running Unbound.
+The \fB+i\fP also removes a domain\-insecure for the zone.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B forward [\fIoff\fP | \fIaddr ...\fP ]
+Setup forwarding mode.
+Configures if the server should ask other upstream nameservers, should go
+to the internet root nameservers itself, or show the current config.
+You could pass the nameservers after a DHCP update.
+.sp
Without arguments the current list of addresses used to forward all queries
-to is printed. On startup this is from the forward\-zone "." configuration.
-Afterwards it shows the status. It prints off when no forwarding is used.
-.IP
-If \fIoff\fR is passed, forwarding is disabled and the root nameservers
-are used. This can be used to avoid to avoid buggy or non\-DNSSEC supporting
-nameservers returned from DHCP. But may not work in hotels or hotspots.
-.IP
-If one or more IPv4 or IPv6 addresses are given, those are then used to forward
-queries to. The addresses must be separated with spaces. With '@port' the
-port number can be set explicitly (default port is 53 (DNS)).
-.IP
-By default the forwarder information from the config file for the root "." is
-used. The config file is not changed, so after a reload these changes are
-gone. Other forward zones from the config file are not affected by this command.
-.TP
-.B ratelimit_list \fR[\fI+a\fR]
-List the domains that are ratelimited. Printed one per line with current
-estimated qps and qps limit from config. With +a it prints all domains, not
-just the ratelimited domains, with their estimated qps. The ratelimited
-domains return an error for uncached (new) queries, but cached queries work
-as normal.
-.TP
-.B ip_ratelimit_list \fR[\fI+a\fR]
-List the ip addresses that are ratelimited. Printed one per line with current
-estimated qps and qps limit from config. With +a it prints all ips, not
-just the ratelimited ips, with their estimated qps. The ratelimited
-ips are dropped before checking the cache.
-.TP
-.B list_auth_zones
-List the auth zones that are configured. Printed one per line with a status,
-indicating if the zone is expired and current serial number. Configured RPZ
-zones are included.
-.TP
-.B auth_zone_reload \fIzone\fR
-Reload the auth zone (or RPZ zone) from zonefile. The zonefile is read in
-overwriting the current contents of the zone in memory. This changes the auth
-zone contents itself, not the cache contents. Such cache contents exists if
-you set Unbound to validate with for-upstream yes and that can be cleared with
-\fBflush_zone\fR \fIzone\fR.
-.TP
-.B auth_zone_transfer \fIzone\fR
-Transfer the auth zone (or RPZ zone) from master. The auth zone probe sequence
-is started, where the masters are probed to see if they have an updated zone
-(with the SOA serial check). And then the zone is transferred for a newer zone
-version.
+to is printed.
+On startup this is from the forward\-zone \fB\(dq.\(dq\fP configuration.
+Afterwards it shows the status.
+It prints off when no forwarding is used.
+.sp
+If off is passed, forwarding is disabled and the root nameservers are
+used.
+This can be used to avoid to avoid buggy or non\-DNSSEC supporting
+nameservers returned from DHCP.
+But may not work in hotels or hotspots.
+.sp
+If one or more IPv4 or IPv6 addresses are given, those are then used to
+forward queries to.
+The addresses must be separated with spaces.
+With \fB\(aq@port\(aq\fP the port number can be set explicitly (default port is 53
+(DNS)).
+.sp
+By default the forwarder information from the config file for the root
+\fB\(dq.\(dq\fP is used.
+The config file is not changed, so after a reload these changes are gone.
+Other forward zones from the config file are not affected by this command.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ratelimit_list [\fB+a\fP]
+List the domains that are ratelimited.
+Printed one per line with current estimated qps and qps limit from config.
+With \fB+a\fP it prints all domains, not just the ratelimited domains, with
+their estimated qps.
+The ratelimited domains return an error for uncached (new) queries, but
+cached queries work as normal.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ip_ratelimit_list [\fB+a\fP]
+List the ip addresses that are ratelimited.
+Printed one per line with current estimated qps and qps limit from config.
+With \fB+a\fP it prints all ips, not just the ratelimited ips, with their
+estimated qps.
+The ratelimited ips are dropped before checking the cache.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B list_auth_zones
+List the auth zones that are configured.
+Printed one per line with a status, indicating if the zone is expired and
+current serial number.
+Configured RPZ zones are included.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B auth_zone_reload \fIzone\fP
+Reload the auth zone (or RPZ zone) from zonefile.
+The zonefile is read in overwriting the current contents of the zone in
+memory.
+This changes the auth zone contents itself, not the cache contents.
+Such cache contents exists if you set Unbound to validate with
+\fBfor\-upstream: yes\fP and that can be cleared with \fBflush_zone\fP \fIzone\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B auth_zone_transfer \fIzone\fP
+Transfer the auth zone (or RPZ zone) from master.
+The auth zone probe sequence is started, where the masters are probed to
+see if they have an updated zone (with the SOA serial check).
+And then the zone is transferred for a newer zone version.
+.UNINDENT
+.INDENT 0.0
.TP
-.B rpz_enable \fIzone\fR
+.B rpz_enable \fIzone\fP
Enable the RPZ zone if it had previously been disabled.
+.UNINDENT
+.INDENT 0.0
.TP
-.B rpz_disable \fIzone\fR
+.B rpz_disable \fIzone\fP
Disable the RPZ zone.
+.UNINDENT
+.INDENT 0.0
.TP
-.B view_list_local_zones \fIview\fR
-\fIlist_local_zones\fR for given view.
-.TP
-.B view_local_zone \fIview\fR \fIname\fR \fItype
-\fIlocal_zone\fR for given view.
+.B view_list_local_zones \fIview\fP
+\fIlist_local_zones\fP for given view.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B view_local_zone \fIview name type\fP
+\fIlocal_zone\fP for given view.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B view_local_zone_remove \fIview name\fP
+\fIlocal_zone_remove\fP for given view.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B view_list_local_data \fIview\fP
+\fIlist_local_data\fP for given view.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B view_local_data \fIview RR data...\fP
+\fIlocal_data\fP for given view.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B view_local_data_remove \fIview name\fP
+\fIlocal_data_remove\fP for given view.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B view_local_datas_remove \fIview\fP
+Remove a list of \fIlocal_data\fP for given view from stdin.
+Like \fIlocal_datas_remove\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B view_local_datas \fIview\fP
+Add a list of \fIlocal_data\fP for given view from stdin.
+Like \fIlocal_datas\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B add_cookie_secret \fIsecret\fP
+Add or replace a cookie secret persistently.
+\fIsecret\fP needs to be an 128 bit hex string.
+.sp
+Cookie secrets can be either \fBactive\fP or \fBstaging\fP\&.
+\fBActive\fP cookie secrets are used to create DNS Cookies, but verification
+of a DNS Cookie succeeds with any of the \fBactive\fP or \fBstaging\fP cookie
+secrets.
+The state of the current cookie secrets can be printed with the
+\fI\%print_cookie_secrets\fP
+command.
+.sp
+When there are no cookie secrets configured yet, the \fIsecret\fP is added as
+\fBactive\fP\&.
+If there is already an \fBactive\fP cookie secret, the \fIsecret\fP is added as
+\fBstaging\fP or replacing an existing \fBstaging\fP secret.
+.sp
+To \(dqroll\(dq a cookie secret used in an anycast set.
+The new secret has to be added as \fBstaging\fP secret to \fBall\fP nodes in
+the anycast set.
+When \fBall\fP nodes can verify DNS Cookies with the new secret, the new
+secret can be activated with the
+\fI\%activate_cookie_secret\fP
+command.
+After \fBall\fP nodes have the new secret \fBactive\fP for at least one hour,
+the previous secret can be dropped with the
+\fI\%drop_cookie_secret\fP
+command.
+.sp
+Persistence is accomplished by writing to a file which is configured with
+the
+\fI\%cookie\-secret\-file\fP
+option in the server section of the config file.
+This is disabled by default, \(dq\(dq.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B drop_cookie_secret
+Drop the \fBstaging\fP cookie secret.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B activate_cookie_secret
+Make the current \fBstaging\fP cookie secret \fBactive\fP, and the current
+\fBactive\fP cookie secret \fBstaging\fP\&.
+.UNINDENT
+.INDENT 0.0
.TP
-.B view_local_zone_remove \fIview\fR \fIname
-\fIlocal_zone_remove\fR for given view.
-.TP
-.B view_list_local_data \fIview\fR
-\fIlist_local_data\fR for given view.
-.TP
-.B view_local_data \fIview\fR \fIRR data...
-\fIlocal_data\fR for given view.
-.TP
-.B view_local_data_remove \fIview\fR \fIname
-\fIlocal_data_remove\fR for given view.
-.TP
-.B view_local_datas_remove \fIview\fR
-Remove a list of \fIlocal_data\fR for given view from stdin. Like local_datas_remove.
-.TP
-.B view_local_datas \fIview\fR
-Add a list of \fIlocal_data\fR for given view from stdin. Like local_datas.
-.TP
-.B add_cookie_secret <secret>
-Add or replace a cookie secret persistently. <secret> needs to be an 128 bit
-hex string.
-.IP
-Cookie secrets can be either \fIactive\fR or \fIstaging\fR. \fIActive\fR cookie
-secrets are used to create DNS Cookies, but verification of a DNS Cookie
-succeeds with any of the \fIactive\fR or \fIstaging\fR cookie secrets. The
-state of the current cookie secrets can be printed with the
-\fBprint_cookie_secrets\fR command.
-.IP
-When there are no cookie secrets configured yet, the <secret> is added as
-\fIactive\fR. If there is already an \fIactive\fR cookie secret, the <secret>
-is added as \fIstaging\fR or replacing an existing \fIstaging\fR secret.
-.IP
-To "roll" a cookie secret used in an anycast set. The new secret has to be
-added as staging secret to \fBall\fR nodes in the anycast set. When \fBall\fR
-nodes can verify DNS Cookies with the new secret, the new secret can be
-activated with the \fBactivate_cookie_secret\fR command. After \fBall\fR nodes
-have the new secret \fIactive\fR for at least one hour, the previous secret can
-be dropped with the \fBdrop_cookie_secret\fR command.
-.IP
-Persistence is accomplished by writing to a file which if configured with the
-\fBcookie\-secret\-file\fR option in the server section of the config file.
-This is disabled by default, "".
-.TP
-.B drop_cookie_secret
-Drop the \fIstaging\fR cookie secret.
-.TP
-.B activate_cookie_secret
-Make the current \fIstaging\fR cookie secret \fIactive\fR, and the current
-\fIactive\fR cookie secret \fIstaging\fR.
-.TP
-.B print_cookie_secrets
+.B print_cookie_secrets
Show the current configured cookie secrets with their status.
-.SH "EXIT CODE"
-The unbound\-control program exits with status code 1 on error, 0 on success.
-.SH "SET UP"
-The setup requires a self\-signed certificate and private keys for both
-the server and client. The script \fIunbound\-control\-setup\fR generates
-these in the default run directory, or with \-d in another directory.
+.UNINDENT
+.SH EXIT CODE
+.sp
+The \fBunbound\-control\fP program exits with status code 1 on error, 0 on
+success.
+.SH SET UP
+.sp
+The setup requires a self\-signed certificate and private keys for both the
+server and client.
+The script \fBunbound\-control\-setup\fP generates these in the default run
+directory, or with \fB\-d\fP in another directory.
If you change the access control permissions on the key files you can decide
-who can use unbound\-control, by default owner and group but not all users.
-Run the script under the same username as you have configured in unbound.conf
-or as root, so that the daemon is permitted to read the files, for example with:
+who can use \fBunbound\-control\fP, by default owner and group but not all users.
+Run the script under the same username as you have configured in
+\fBunbound.conf\fP or as root, so that the daemon is permitted to read the
+files, for example with:
+.INDENT 0.0
+.INDENT 3.5
+.sp
.nf
- sudo \-u unbound unbound\-control\-setup
+.ft C
+sudo \-u unbound unbound\-control\-setup
+.ft P
.fi
-If you have not configured
-a username in unbound.conf, the keys need read permission for the user
-credentials under which the daemon is started.
+.UNINDENT
+.UNINDENT
+.sp
+If you have not configured a username in \fBunbound.conf\fP, the keys need
+read permission for the user credentials under which the daemon is started.
The script preserves private keys present in the directory.
-After running the script as root, turn on \fBcontrol\-enable\fR in
-\fIunbound.conf\fR.
-.SH "STATISTIC COUNTERS"
-The \fIstats\fR command shows a number of statistic counters.
+After running the script as root, turn on
+\fI\%control\-enable\fP in
+\fBunbound.conf\fP\&.
+.SH STATISTIC COUNTERS
+.sp
+The \fI\%stats\fP and
+\fI\%stats_noreset\fP commands show a
+number of statistic counters:
+.INDENT 0.0
.TP
-.I threadX.num.queries
+.B threadX.num.queries
number of queries received by thread
+.UNINDENT
+.INDENT 0.0
.TP
-.I threadX.num.queries_ip_ratelimited
+.B threadX.num.queries_ip_ratelimited
number of queries rate limited by thread
+.UNINDENT
+.INDENT 0.0
.TP
-.I threadX.num.queries_cookie_valid
+.B threadX.num.queries_cookie_valid
number of queries with a valid DNS Cookie by thread
+.UNINDENT
+.INDENT 0.0
.TP
-.I threadX.num.queries_cookie_client
+.B threadX.num.queries_cookie_client
number of queries with a client part only DNS Cookie by thread
+.UNINDENT
+.INDENT 0.0
.TP
-.I threadX.num.queries_cookie_invalid
+.B threadX.num.queries_cookie_invalid
number of queries with an invalid DNS Cookie by thread
+.UNINDENT
+.INDENT 0.0
.TP
-.I threadX.num.queries_discard_timeout
-number of queries removed due to discard-timeout by thread
-.TP
-.I threadX.num.queries_wait_limit
-number of queries removed due to wait-limit by thread
+.B threadX.num.queries_discard_timeout
+number of queries removed due to discard\-timeout by thread
+.UNINDENT
+.INDENT 0.0
+.TP
+.B threadX.num.queries_wait_limit
+number of queries removed due to wait\-limit by thread
+.UNINDENT
+.INDENT 0.0
.TP
-.I threadX.num.cachehits
+.B threadX.num.cachehits
number of queries that were successfully answered using a cache lookup
+.UNINDENT
+.INDENT 0.0
.TP
-.I threadX.num.cachemiss
+.B threadX.num.cachemiss
number of queries that needed recursive processing
+.UNINDENT
+.INDENT 0.0
.TP
-.I threadX.num.dnscrypt.crypted
-number of queries that were encrypted and successfully decapsulated by dnscrypt.
+.B threadX.num.dnscrypt.crypted
+number of queries that were encrypted and successfully decapsulated by
+dnscrypt.
+.UNINDENT
+.INDENT 0.0
.TP
-.I threadX.num.dnscrypt.cert
+.B threadX.num.dnscrypt.cert
number of queries that were requesting dnscrypt certificates.
+.UNINDENT
+.INDENT 0.0
.TP
-.I threadX.num.dnscrypt.cleartext
+.B threadX.num.dnscrypt.cleartext
number of queries received on dnscrypt port that were cleartext and not a
request for certificates.
+.UNINDENT
+.INDENT 0.0
.TP
-.I threadX.num.dnscrypt.malformed
+.B threadX.num.dnscrypt.malformed
number of request that were neither cleartext, not valid dnscrypt messages.
+.UNINDENT
+.INDENT 0.0
.TP
-.I threadX.num.dns_error_reports
+.B threadX.num.dns_error_reports
number of DNS Error Reports generated by thread
+.UNINDENT
+.INDENT 0.0
.TP
-.I threadX.num.prefetch
-number of cache prefetches performed. This number is included in
-cachehits, as the original query had the unprefetched answer from cache,
-and resulted in recursive processing, taking a slot in the requestlist.
+.B threadX.num.prefetch
+number of cache prefetches performed.
+This number is included in cachehits, as the original query had the
+unprefetched answer from cache, and resulted in recursive processing,
+taking a slot in the requestlist.
Not part of the recursivereplies (or the histogram thereof) or cachemiss,
as a cache response was sent.
+.UNINDENT
+.INDENT 0.0
.TP
-.I threadX.num.expired
+.B threadX.num.expired
number of replies that served an expired cache entry.
+.UNINDENT
+.INDENT 0.0
.TP
-.I threadX.num.queries_timed_out
-number of queries that are dropped because they waited in the UDP socket buffer
-for too long.
-.TP
-.I threadX.query.queue_time_us.max
-The maximum wait time for packets in the socket buffer, in microseconds. This
-is only reported when sock-queue-timeout is enabled.
-.TP
-.I threadX.num.recursivereplies
-The number of replies sent to queries that needed recursive processing. Could be smaller than threadX.num.cachemiss if due to timeouts no replies were sent for some queries.
+.B threadX.num.queries_timed_out
+number of queries that are dropped because they waited in the UDP socket
+buffer for too long.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B threadX.query.queue_time_us.max
+The maximum wait time for packets in the socket buffer, in microseconds.
+This is only reported when
+\fI\%sock\-queue\-timeout\fP is enabled.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B threadX.num.recursivereplies
+The number of replies sent to queries that needed recursive processing.
+Could be smaller than threadX.num.cachemiss if due to timeouts no replies
+were sent for some queries.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B threadX.requestlist.avg
+The average number of requests in the internal recursive processing request
+list on insert of a new incoming recursive processing query.
+.UNINDENT
+.INDENT 0.0
.TP
-.I threadX.requestlist.avg
-The average number of requests in the internal recursive processing request list on insert of a new incoming recursive processing query.
-.TP
-.I threadX.requestlist.max
+.B threadX.requestlist.max
Maximum size attained by the internal recursive processing request list.
+.UNINDENT
+.INDENT 0.0
.TP
-.I threadX.requestlist.overwritten
-Number of requests in the request list that were overwritten by newer entries. This happens if there is a flood of queries that recursive processing and the server has a hard time.
-.TP
-.I threadX.requestlist.exceeded
-Queries that were dropped because the request list was full. This happens if a flood of queries need recursive processing, and the server can not keep up.
+.B threadX.requestlist.overwritten
+Number of requests in the request list that were overwritten by newer
+entries.
+This happens if there is a flood of queries that recursive processing and
+the server has a hard time.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B threadX.requestlist.exceeded
+Queries that were dropped because the request list was full.
+This happens if a flood of queries need recursive processing, and the
+server can not keep up.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B threadX.requestlist.current.all
+Current size of the request list, includes internally generated queries
+(such as priming queries and glue lookups).
+.UNINDENT
+.INDENT 0.0
.TP
-.I threadX.requestlist.current.all
-Current size of the request list, includes internally generated queries (such
-as priming queries and glue lookups).
-.TP
-.I threadX.requestlist.current.user
+.B threadX.requestlist.current.user
Current size of the request list, only the requests from client queries.
+.UNINDENT
+.INDENT 0.0
.TP
-.I threadX.recursion.time.avg
-Average time it took to answer queries that needed recursive processing. Note that queries that were answered from the cache are not in this average.
+.B threadX.recursion.time.avg
+Average time it took to answer queries that needed recursive processing.
+Note that queries that were answered from the cache are not in this average.
+.UNINDENT
+.INDENT 0.0
.TP
-.I threadX.recursion.time.median
+.B threadX.recursion.time.median
The median of the time it took to answer queries that needed recursive
-processing. The median means that 50% of the user queries were answered in
-less than this time. Because of big outliers (usually queries to non
-responsive servers), the average can be bigger than the median. This median
-has been calculated by interpolation from a histogram.
+processing.
+The median means that 50% of the user queries were answered in less than
+this time.
+Because of big outliers (usually queries to non responsive servers), the
+average can be bigger than the median.
+This median has been calculated by interpolation from a histogram.
+.UNINDENT
+.INDENT 0.0
.TP
-.I threadX.tcpusage
-The currently held tcp buffers for incoming connections. A spot value on
-the time of the request. This helps you spot if the incoming\-num\-tcp
-buffers are full.
+.B threadX.tcpusage
+The currently held tcp buffers for incoming connections.
+A spot value on the time of the request.
+This helps you spot if the incoming\-num\-tcp buffers are full.
+.UNINDENT
+.INDENT 0.0
.TP
-.I total.num.queries
+.B total.num.queries
summed over threads.
+.UNINDENT
+.INDENT 0.0
.TP
-.I total.num.queries_ip_ratelimited
+.B total.num.queries_ip_ratelimited
summed over threads.
+.UNINDENT
+.INDENT 0.0
.TP
-.I total.num.queries_cookie_valid
+.B total.num.queries_cookie_valid
summed over threads.
+.UNINDENT
+.INDENT 0.0
.TP
-.I total.num.queries_cookie_client
+.B total.num.queries_cookie_client
summed over threads.
+.UNINDENT
+.INDENT 0.0
.TP
-.I total.num.queries_cookie_invalid
+.B total.num.queries_cookie_invalid
summed over threads.
+.UNINDENT
+.INDENT 0.0
.TP
-.I total.num.queries_discard_timeout
+.B total.num.queries_discard_timeout
summed over threads.
+.UNINDENT
+.INDENT 0.0
.TP
-.I total.num.queries_wait_limit
+.B total.num.queries_wait_limit
summed over threads.
+.UNINDENT
+.INDENT 0.0
.TP
-.I total.num.cachehits
+.B total.num.cachehits
summed over threads.
+.UNINDENT
+.INDENT 0.0
.TP
-.I total.num.cachemiss
+.B total.num.cachemiss
summed over threads.
+.UNINDENT
+.INDENT 0.0
.TP
-.I total.num.dnscrypt.crypted
+.B total.num.dnscrypt.crypted
summed over threads.
+.UNINDENT
+.INDENT 0.0
.TP
-.I total.num.dnscrypt.cert
+.B total.num.dnscrypt.cert
summed over threads.
+.UNINDENT
+.INDENT 0.0
.TP
-.I total.num.dnscrypt.cleartext
+.B total.num.dnscrypt.cleartext
summed over threads.
+.UNINDENT
+.INDENT 0.0
.TP
-.I total.num.dnscrypt.malformed
+.B total.num.dnscrypt.malformed
summed over threads.
+.UNINDENT
+.INDENT 0.0
.TP
-.I total.num.dns_error_reports
+.B total.num.dns_error_reports
summed over threads.
+.UNINDENT
+.INDENT 0.0
.TP
-.I total.num.prefetch
+.B total.num.prefetch
summed over threads.
+.UNINDENT
+.INDENT 0.0
.TP
-.I total.num.expired
+.B total.num.expired
summed over threads.
+.UNINDENT
+.INDENT 0.0
.TP
-.I total.num.queries_timed_out
+.B total.num.queries_timed_out
summed over threads.
+.UNINDENT
+.INDENT 0.0
.TP
-.I total.query.queue_time_us.max
+.B total.query.queue_time_us.max
the maximum of the thread values.
+.UNINDENT
+.INDENT 0.0
.TP
-.I total.num.recursivereplies
+.B total.num.recursivereplies
summed over threads.
+.UNINDENT
+.INDENT 0.0
.TP
-.I total.requestlist.avg
+.B total.requestlist.avg
averaged over threads.
+.UNINDENT
+.INDENT 0.0
.TP
-.I total.requestlist.max
+.B total.requestlist.max
the maximum of the thread requestlist.max values.
+.UNINDENT
+.INDENT 0.0
.TP
-.I total.requestlist.overwritten
+.B total.requestlist.overwritten
summed over threads.
+.UNINDENT
+.INDENT 0.0
.TP
-.I total.requestlist.exceeded
+.B total.requestlist.exceeded
summed over threads.
+.UNINDENT
+.INDENT 0.0
.TP
-.I total.requestlist.current.all
+.B total.requestlist.current.all
summed over threads.
+.UNINDENT
+.INDENT 0.0
.TP
-.I total.recursion.time.median
+.B total.recursion.time.median
averaged over threads.
+.UNINDENT
+.INDENT 0.0
.TP
-.I total.tcpusage
+.B total.tcpusage
summed over threads.
+.UNINDENT
+.INDENT 0.0
.TP
-.I time.now
+.B time.now
current time in seconds since 1970.
+.UNINDENT
+.INDENT 0.0
.TP
-.I time.up
+.B time.up
uptime since server boot in seconds.
+.UNINDENT
+.INDENT 0.0
.TP
-.I time.elapsed
+.B time.elapsed
time since last statistics printout, in seconds.
+.UNINDENT
.SH EXTENDED STATISTICS
+.INDENT 0.0
.TP
-.I mem.cache.rrset
+.B mem.cache.rrset
Memory in bytes in use by the RRset cache.
+.UNINDENT
+.INDENT 0.0
.TP
-.I mem.cache.message
+.B mem.cache.message
Memory in bytes in use by the message cache.
+.UNINDENT
+.INDENT 0.0
.TP
-.I mem.cache.dnscrypt_shared_secret
+.B mem.cache.dnscrypt_shared_secret
Memory in bytes in use by the dnscrypt shared secrets cache.
+.UNINDENT
+.INDENT 0.0
.TP
-.I mem.cache.dnscrypt_nonce
+.B mem.cache.dnscrypt_nonce
Memory in bytes in use by the dnscrypt nonce cache.
+.UNINDENT
+.INDENT 0.0
.TP
-.I mem.mod.iterator
+.B mem.mod.iterator
Memory in bytes in use by the iterator module.
+.UNINDENT
+.INDENT 0.0
.TP
-.I mem.mod.validator
-Memory in bytes in use by the validator module. Includes the key cache and
-negative cache.
-.TP
-.I mem.streamwait
-Memory in bytes in used by the TCP and TLS stream wait buffers. These are
-answers waiting to be written back to the clients.
-.TP
-.I mem.http.query_buffer
-Memory in bytes used by the HTTP/2 query buffers. Containing (partial) DNS
-queries waiting for request stream completion.
-.TP
-.I mem.http.response_buffer
-Memory in bytes used by the HTTP/2 response buffers. Containing DNS responses
-waiting to be written back to the clients.
-.TP
-.I mem.quic
-Memory in bytes used by QUIC. Containing connection information, stream
-information, queries read and responses written back to the clients.
-.TP
-.I histogram.<sec>.<usec>.to.<sec>.<usec>
-Shows a histogram, summed over all threads. Every element counts the
-recursive queries whose reply time fit between the lower and upper bound.
+.B mem.mod.validator
+Memory in bytes in use by the validator module.
+Includes the key cache and negative cache.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B mem.streamwait
+Memory in bytes in used by the TCP and TLS stream wait buffers.
+These are answers waiting to be written back to the clients.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B mem.http.query_buffer
+Memory in bytes used by the HTTP/2 query buffers.
+Containing (partial) DNS queries waiting for request stream completion.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B mem.http.response_buffer
+Memory in bytes used by the HTTP/2 response buffers.
+Containing DNS responses waiting to be written back to the clients.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B mem.quic
+Memory in bytes used by QUIC.
+Containing connection information, stream information, queries read and
+responses written back to the clients.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B histogram.<sec>.<usec>.to.<sec>.<usec>
+Shows a histogram, summed over all threads.
+Every element counts the recursive queries whose reply time fit between the
+lower and upper bound.
Times larger or equal to the lowerbound, and smaller than the upper bound.
There are 40 buckets, with bucket sizes doubling.
+.UNINDENT
+.INDENT 0.0
.TP
-.I num.query.type.A
+.B num.query.type.A
The total number of queries over all threads with query type A.
Printed for the other query types as well, but only for the types for which
queries were received, thus =0 entries are omitted for brevity.
+.UNINDENT
+.INDENT 0.0
.TP
-.I num.query.type.other
+.B num.query.type.other
Number of queries with query types 256\-65535.
+.UNINDENT
+.INDENT 0.0
.TP
-.I num.query.class.IN
-The total number of queries over all threads with query class IN (internet).
+.B num.query.class.IN
+The total number of queries over all threads with query class IN
+(internet).
Also printed for other classes (such as CH (CHAOS) sometimes used for
debugging), or NONE, ANY, used by dynamic update.
num.query.class.other is printed for classes 256\-65535.
+.UNINDENT
+.INDENT 0.0
.TP
-.I num.query.opcode.QUERY
+.B num.query.opcode.QUERY
The total number of queries over all threads with query opcode QUERY.
Also printed for other opcodes, UPDATE, ...
+.UNINDENT
+.INDENT 0.0
.TP
-.I num.query.tcp
+.B num.query.tcp
Number of queries that were made using TCP towards the Unbound server.
+.UNINDENT
+.INDENT 0.0
.TP
-.I num.query.tcpout
+.B num.query.tcpout
Number of queries that the Unbound server made using TCP outgoing towards
other servers.
+.UNINDENT
+.INDENT 0.0
.TP
-.I num.query.udpout
+.B num.query.udpout
Number of queries that the Unbound server made using UDP outgoing towards
other servers.
+.UNINDENT
+.INDENT 0.0
.TP
-.I num.query.tls
+.B num.query.tls
Number of queries that were made using TLS towards the Unbound server.
These are also counted in num.query.tcp, because TLS uses TCP.
+.UNINDENT
+.INDENT 0.0
.TP
-.I num.query.tls.resume
-Number of TLS session resumptions, these are queries over TLS towards
-the Unbound server where the client negotiated a TLS session resumption key.
+.B num.query.tls.resume
+Number of TLS session resumptions, these are queries over TLS towards the
+Unbound server where the client negotiated a TLS session resumption key.
+.UNINDENT
+.INDENT 0.0
.TP
-.I num.query.https
+.B num.query.https
Number of queries that were made using HTTPS towards the Unbound server.
These are also counted in num.query.tcp and num.query.tls, because HTTPS
uses TLS and TCP.
+.UNINDENT
+.INDENT 0.0
.TP
-.I num.query.quic
+.B num.query.quic
Number of queries that were made using QUIC towards the Unbound server.
-These are also counted in num.query.tls, because TLS is used for these queries.
+These are also counted in num.query.tls, because TLS is used for these
+queries.
+.UNINDENT
+.INDENT 0.0
.TP
-.I num.query.ipv6
+.B num.query.ipv6
Number of queries that were made using IPv6 towards the Unbound server.
+.UNINDENT
+.INDENT 0.0
.TP
-.I num.query.flags.RD
+.B num.query.flags.RD
The number of queries that had the RD flag set in the header.
Also printed for flags QR, AA, TC, RA, Z, AD, CD.
-Note that queries with flags QR, AA or TC may have been rejected
-because of that.
+Note that queries with flags QR, AA or TC may have been rejected because of
+that.
+.UNINDENT
+.INDENT 0.0
.TP
-.I num.query.edns.present
+.B num.query.edns.present
number of queries that had an EDNS OPT record present.
+.UNINDENT
+.INDENT 0.0
.TP
-.I num.query.edns.DO
-number of queries that had an EDNS OPT record with the DO (DNSSEC OK) bit set.
+.B num.query.edns.DO
+number of queries that had an EDNS OPT record with the DO (DNSSEC OK) bit
+set.
These queries are also included in the num.query.edns.present number.
+.UNINDENT
+.INDENT 0.0
.TP
-.I num.query.ratelimited
-The number of queries that are turned away from being send to nameserver due to
-ratelimiting.
-.TP
-.I num.query.dnscrypt.shared_secret.cachemiss
-The number of dnscrypt queries that did not find a shared secret in the cache.
-This can be used to compute the shared secret hitrate.
-.TP
-.I num.query.dnscrypt.replay
-The number of dnscrypt queries that found a nonce hit in the nonce cache and
-hence are considered a query replay.
-.TP
-.I num.answer.rcode.NXDOMAIN
-The number of answers to queries, from cache or from recursion, that had the
-return code NXDOMAIN. Also printed for the other return codes.
+.B num.query.ratelimited
+The number of queries that are turned away from being send to nameserver
+due to ratelimiting.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B num.query.dnscrypt.shared_secret.cachemiss
+The number of dnscrypt queries that did not find a shared secret in the
+cache.
+This can be use to compute the shared secret hitrate.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B num.query.dnscrypt.replay
+The number of dnscrypt queries that found a nonce hit in the nonce cache
+and hence are considered a query replay.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B num.answer.rcode.NXDOMAIN
+The number of answers to queries, from cache or from recursion, that had
+the return code NXDOMAIN.
+Also printed for the other return codes.
+.UNINDENT
+.INDENT 0.0
.TP
-.I num.answer.rcode.nodata
+.B num.answer.rcode.nodata
The number of answers to queries that had the pseudo return code nodata.
-This means the actual return code was NOERROR, but additionally, no data was
-carried in the answer (making what is called a NOERROR/NODATA answer).
+This means the actual return code was NOERROR, but additionally, no data
+was carried in the answer (making what is called a NOERROR/NODATA answer).
These queries are also included in the num.answer.rcode.NOERROR number.
Common for AAAA lookups when an A record exists, and no AAAA.
+.UNINDENT
+.INDENT 0.0
.TP
-.I num.answer.secure
-Number of answers that were secure. The answer validated correctly.
+.B num.answer.secure
+Number of answers that were secure.
+The answer validated correctly.
The AD bit might have been set in some of these answers, where the client
signalled (with DO or AD bit in the query) that they were ready to accept
the AD bit in the answer.
+.UNINDENT
+.INDENT 0.0
.TP
-.I num.answer.bogus
-Number of answers that were bogus. These answers resulted in SERVFAIL
-to the client because the answer failed validation.
-.TP
-.I num.rrset.bogus
-The number of rrsets marked bogus by the validator. Increased for every
-RRset inspection that fails.
+.B num.answer.bogus
+Number of answers that were bogus.
+These answers resulted in SERVFAIL to the client because the answer failed
+validation.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B num.rrset.bogus
+The number of rrsets marked bogus by the validator.
+Increased for every RRset inspection that fails.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B num.valops
+The number of validation operations performed by the validator.
+Increased for every RRSIG verification operation regardless of the
+validation result.
+The RRSIG and key combination needs to first pass some sanity checks before
+Unbound even performs the verification, e.g., length/protocol checks.
+.UNINDENT
+.INDENT 0.0
.TP
-.I unwanted.queries
+.B unwanted.queries
Number of queries that were refused or dropped because they failed the
access control settings.
+.UNINDENT
+.INDENT 0.0
.TP
-.I unwanted.replies
-Replies that were unwanted or unsolicited. Could have been random traffic,
-delayed duplicates, very late answers, or could be spoofing attempts.
+.B unwanted.replies
+Replies that were unwanted or unsolicited.
+Could have been random traffic, delayed duplicates, very late answers, or
+could be spoofing attempts.
Some low level of late answers and delayed duplicates are to be expected
-with the UDP protocol. Very high values could indicate a threat (spoofing).
+with the UDP protocol.
+Very high values could indicate a threat (spoofing).
+.UNINDENT
+.INDENT 0.0
.TP
-.I msg.cache.count
+.B msg.cache.count
The number of items (DNS replies) in the message cache.
+.UNINDENT
+.INDENT 0.0
.TP
-.I rrset.cache.count
-The number of RRsets in the rrset cache. This includes rrsets used by
-the messages in the message cache, but also delegation information.
-.TP
-.I infra.cache.count
-The number of items in the infra cache. These are IP addresses with their
-timing and protocol support information.
-.TP
-.I key.cache.count
-The number of items in the key cache. These are DNSSEC keys, one item
-per delegation point, and their validation status.
-.TP
-.I msg.cache.max_collisions
-The maximum number of hash table collisions in the msg cache. This is the
-number of hashes that are identical when a new element is inserted in the
-hash table. If the value is very large, like hundreds, something is wrong
-with the performance of the hash table, hash values are incorrect or malicious.
-.TP
-.I rrset.cache.max_collisions
-The maximum number of hash table collisions in the rrset cache. This is the
-number of hashes that are identical when a new element is inserted in the
-hash table. If the value is very large, like hundreds, something is wrong
-with the performance of the hash table, hash values are incorrect or malicious.
-.TP
-.I dnscrypt_shared_secret.cache.count
-The number of items in the shared secret cache. These are precomputed shared
-secrets for a given client public key/server secret key pair. Shared secrets
-are CPU intensive and this cache allows Unbound to avoid recomputing the
-shared secret when multiple dnscrypt queries are sent from the same client.
-.TP
-.I dnscrypt_nonce.cache.count
-The number of items in the client nonce cache. This cache is used to prevent
-dnscrypt queries replay. The client nonce must be unique for each client public
-key/server secret key pair. This cache should be able to host QPS * `replay
-window` interval keys to prevent replay of a query during `replay window`
-seconds.
+.B rrset.cache.count
+The number of RRsets in the rrset cache.
+This includes rrsets used by the messages in the message cache, but also
+delegation information.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B infra.cache.count
+The number of items in the infra cache.
+These are IP addresses with their timing and protocol support information.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B key.cache.count
+The number of items in the key cache.
+These are DNSSEC keys, one item per delegation point, and their validation
+status.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B msg.cache.max_collisions
+The maximum number of hash table collisions in the msg cache.
+This is the number of hashes that are identical when a new element is
+inserted in the hash table.
+If the value is very large, like hundreds, something is wrong with the
+performance of the hash table, hash values are incorrect or malicious.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B rrset.cache.max_collisions
+The maximum number of hash table collisions in the rrset cache.
+This is the number of hashes that are identical when a new element is
+inserted in the hash table.
+If the value is very large, like hundreds, something is wrong with the
+performance of the hash table, hash values are incorrect or malicious.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B dnscrypt_shared_secret.cache.count
+The number of items in the shared secret cache.
+These are precomputed shared secrets for a given client public key/server
+secret key pair.
+Shared secrets are CPU intensive and this cache allows Unbound to avoid
+recomputing the shared secret when multiple dnscrypt queries are sent from
+the same client.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B dnscrypt_nonce.cache.count
+The number of items in the client nonce cache.
+This cache is used to prevent dnscrypt queries replay.
+The client nonce must be unique for each client public key/server secret
+key pair.
+This cache should be able to host QPS * \fIreplay window\fP interval keys to
+prevent replay of a query during \fIreplay window\fP seconds.
+.UNINDENT
+.INDENT 0.0
.TP
-.I num.query.authzone.up
+.B num.query.authzone.up
The number of queries answered from auth\-zone data, upstream queries.
-These queries would otherwise have been sent (with fallback enabled) to
-the internet, but are now answered from the auth zone.
+These queries would otherwise have been sent (with fallback enabled) to the
+internet, but are now answered from the auth zone.
+.UNINDENT
+.INDENT 0.0
.TP
-.I num.query.authzone.down
+.B num.query.authzone.down
The number of queries for downstream answered from auth\-zone data.
-These queries are from downstream clients, and have had an answer from
-the data in the auth zone.
+These queries are from downstream clients, and have had an answer from the
+data in the auth zone.
+.UNINDENT
+.INDENT 0.0
.TP
-.I num.query.aggressive.NOERROR
+.B num.query.aggressive.NOERROR
The number of queries answered using cached NSEC records with NODATA RCODE.
These queries would otherwise have been sent to the internet, but are now
answered using cached data.
+.UNINDENT
+.INDENT 0.0
.TP
-.I num.query.aggressive.NXDOMAIN
-The number of queries answered using cached NSEC records with NXDOMAIN RCODE.
+.B num.query.aggressive.NXDOMAIN
+The number of queries answered using cached NSEC records with NXDOMAIN
+RCODE.
These queries would otherwise have been sent to the internet, but are now
answered using cached data.
+.UNINDENT
+.INDENT 0.0
.TP
-.I num.query.subnet
-Number of queries that got an answer that contained EDNS client subnet data.
-.TP
-.I num.query.subnet_cache
-Number of queries answered from the edns client subnet cache. These are
-counted as cachemiss by the main counters, but hit the client subnet
-specific cache after getting processed by the edns client subnet module.
+.B num.query.subnet
+Number of queries that got an answer that contained EDNS client subnet
+data.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B num.query.subnet_cache
+Number of queries answered from the edns client subnet cache.
+These are counted as cachemiss by the main counters, but hit the client
+subnet specific cache after getting processed by the edns client subnet
+module.
+.UNINDENT
+.INDENT 0.0
.TP
-.I num.query.cachedb
+.B num.query.cachedb
Number of queries answered from the external cache of cachedb.
These are counted as cachemiss by the main counters, but hit the cachedb
external cache after getting processed by the cachedb module.
+.UNINDENT
+.INDENT 0.0
.TP
-.I num.rpz.action.<rpz_action>
-Number of queries answered using configured RPZ policy, per RPZ action type.
-Possible actions are: nxdomain, nodata, passthru, drop, tcp\-only, local\-data,
-disabled, and cname\-override.
-.SH "FILES"
+.B num.rpz.action.<rpz_action>
+Number of queries answered using configured RPZ policy, per RPZ action
+type.
+Possible actions are: nxdomain, nodata, passthru, drop, tcp\-only,
+local\-data, disabled, and cname\-override.
+.UNINDENT
+.SH FILES
+.INDENT 0.0
.TP
-.I @ub_conf_file@
+.B @ub_conf_file@
Unbound configuration file.
.TP
-.I @UNBOUND_RUN_DIR@
-directory with private keys (unbound_server.key and unbound_control.key) and
-self\-signed certificates (unbound_server.pem and unbound_control.pem).
-.SH "SEE ALSO"
-\fIunbound.conf\fR(5),
-\fIunbound\fR(8).
+.B @UNBOUND_RUN_DIR@
+directory with private keys (\fBunbound_server.key\fP and
+\fBunbound_control.key\fP) and self\-signed certificates
+(\fBunbound_server.pem\fP and \fBunbound_control.pem\fP).
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fI\%unbound.conf(5)\fP,
+\fI\%unbound(8)\fP\&.
+.SH AUTHOR
+Unbound developers are mentioned in the CREDITS file in the distribution.
+.SH COPYRIGHT
+1999-2025, NLnet Labs
+.\" Generated by docutils manpage writer.
+.
Index: doc/unbound-host.1.in
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/doc/unbound-host.1.in,v
diff -u -p -r1.46 unbound-host.1.in
--- doc/unbound-host.1.in 31 Aug 2025 21:41:09 -0000 1.46
+++ doc/unbound-host.1.in 22 Sep 2025 21:08:23 -0000
@@ -1,118 +1,190 @@
-.TH "unbound\-host" "1" "Jul 16, 2025" "NLnet Labs" "unbound 1.23.1"
-.\"
-.\" unbound-host.1 -- unbound DNS lookup utility
-.\"
-.\" Copyright (c) 2007, NLnet Labs. All rights reserved.
-.\"
-.\" See LICENSE for the license.
-.\"
-.\"
-.SH "NAME"
-.B unbound\-host
-\- unbound DNS lookup utility
-.SH "SYNOPSIS"
-.B unbound\-host
-.RB [ \-C
-.IR configfile ]
-.RB [ \-vdhr46D ]
-.RB [ \-c
-.IR class ]
-.RB [ \-t
-.IR type ]
-.RB [ \-y
-.IR key ]
-.RB [ \-f
-.IR keyfile ]
-.RB [ \-F
-.IR namedkeyfile ]
-.I hostname
-.SH "DESCRIPTION"
-.B Unbound\-host
-uses the Unbound validating resolver to query for the hostname and display
-results. With the \fB\-v\fR option it displays validation
-status: secure, insecure, bogus (security failure).
-.P
-By default it reads no configuration file whatsoever. It attempts to reach
-the internet root servers. With \fB\-C\fR an Unbound config file and with
-\fB\-r\fR resolv.conf can be read.
-.P
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "UNBOUND-HOST" "1" "Sep 18, 2025" "1.24.0" "Unbound"
+.SH NAME
+unbound-host \- Unbound 1.24.0 DNS lookup utility.
+.SH SYNOPSIS
+.sp
+\fBunbound\-host\fP [\fB\-C configfile\fP] [\fB\-vdhr46D\fP] [\fB\-c class\fP]
+[\fB\-t type\fP] [\fB\-y key\fP] [\fB\-f keyfile\fP] [\fB\-F namedkeyfile\fP] hostname
+.SH DESCRIPTION
+.sp
+\fBunbound\-host\fP uses the Unbound validating resolver to query for the hostname
+and display results.
+With the \fI\%\-v\fP option it displays validation status: secure, insecure,
+bogus (security failure).
+.sp
+By default it reads no configuration file whatsoever.
+It attempts to reach the internet root servers.
+With \fI\%\-C\fP an unbound config file and with \fI\%\-r\fP \fBresolv.conf\fP
+can be read.
+.sp
The available options are:
+.INDENT 0.0
.TP
-.I hostname
+.B hostname
This name is resolved (looked up in the DNS).
If a IPv4 or IPv6 address is given, a reverse lookup is performed.
+.UNINDENT
+.INDENT 0.0
.TP
.B \-h
Show the version and commandline option help.
+.UNINDENT
+.INDENT 0.0
.TP
.B \-v
Enable verbose output and it shows validation results, on every line.
-Secure means that the NXDOMAIN (no such domain name), nodata (no such data)
-or positive data response validated correctly with one of the keys.
+Secure means that the NXDOMAIN (no such domain name), nodata (no such
+data) or positive data response validated correctly with one of the
+keys.
Insecure means that that domain name has no security set up for it.
-Bogus (security failure) means that the response failed one or more checks,
-it is likely wrong, outdated, tampered with, or broken.
+Bogus (security failure) means that the response failed one or more
+checks, it is likely wrong, outdated, tampered with, or broken.
+.UNINDENT
+.INDENT 0.0
.TP
.B \-d
-Enable debug output to stderr. One \-d shows what the resolver and validator
-are doing and may tell you what is going on. More times, \-d \-d, gives a
-lot of output, with every packet sent and received.
-.TP
-.B \-c \fIclass
-Specify the class to lookup for, the default is IN the internet class.
-.TP
-.B \-t \fItype
-Specify the type of data to lookup. The default looks for IPv4, IPv6 and
-mail handler data, or domain name pointers for reverse queries.
-.TP
-.B \-y \fIkey
-Specify a public key to use as trust anchor. This is the base for a chain
-of trust that is built up from the trust anchor to the response, in order
-to validate the response message. Can be given as a DS or DNSKEY record.
-For example \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD".
+Enable debug output to stderr.
+One \fI\%\-d\fP shows what the resolver and validator are doing and may
+tell you what is going on.
+More times, \fI\%\-d\fP \fI\%\-d\fP, gives a lot of output, with every
+packet sent and received.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-c <class>
+Specify the class to lookup for, the default is IN the internet
+class.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-t <type>
+Specify the type of data to lookup.
+The default looks for IPv4, IPv6 and mail handler data, or domain name
+pointers for reverse queries.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-y <key>
+Specify a public key to use as trust anchor.
+This is the base for a chain of trust that is built up from the trust
+anchor to the response, in order to validate the response message.
+Can be given as a DS or DNSKEY record.
+For example:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+\-y \(dqexample.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD\(dq
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
.TP
.B \-D
-Enables DNSSEC validation. Reads the root anchor from the default configured
-root anchor at the default location, \fI@UNBOUND_ROOTKEY_FILE@\fR.
+Enables DNSSEC validation.
+Reads the root anchor from the default configured root anchor at the
+default location, \fB@UNBOUND_ROOTKEY_FILE@\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-f <keyfile>
+Reads keys from a file.
+Every line has a DS or DNSKEY record, in the format as for \fI\%\-y\fP\&.
+The zone file format, the same as \fBdig\fP and \fBdrill\fP produce.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-F <namedkeyfile>
+Reads keys from a BIND\-style \fBnamed.conf\fP file.
+Only the \fBtrusted\-key {};\fP entries are read.
+.UNINDENT
+.INDENT 0.0
.TP
-.B \-f \fIkeyfile
-Reads keys from a file. Every line has a DS or DNSKEY record, in the format
-as for \-y. The zone file format, the same as dig and drill produce.
-.TP
-.B \-F \fInamedkeyfile
-Reads keys from a BIND\-style named.conf file. Only the trusted\-key {}; entries
-are read.
-.TP
-.B \-C \fIconfigfile
-Uses the specified unbound.conf to prime
-.IR libunbound (3).
+.B \-C <configfile>
+Uses the specified unbound.conf to prime \fI\%libunbound(3)\fP\&.
Pass it as first argument if you want to override some options from the
config file with further arguments on the commandline.
+.UNINDENT
+.INDENT 0.0
.TP
.B \-r
-Read /etc/resolv.conf, and use the forward DNS servers from there (those could
-have been set by DHCP). More info in
-.IR resolv.conf (5).
+Read \fB/etc/resolv.conf\fP, and use the forward DNS servers from
+there (those could have been set by DHCP).
+More info in \fIresolv.conf(5)\fP\&.
Breaks validation if those servers do not support DNSSEC.
+.UNINDENT
+.INDENT 0.0
.TP
.B \-4
Use solely the IPv4 network for sending packets.
+.UNINDENT
+.INDENT 0.0
.TP
.B \-6
Use solely the IPv6 network for sending packets.
-.SH "EXAMPLES"
-Some examples of use. The keys shown below are fakes, thus a security failure
-is encountered.
-.P
+.UNINDENT
+.SH EXAMPLES
+.sp
+Some examples of use.
+The keys shown below are fakes, thus a security failure is encountered.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
$ unbound\-host www.example.com
-.P
-$ unbound\-host \-v \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD" www.example.com
-.P
-$ unbound\-host \-v \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD" 192.0.2.153
-.SH "EXIT CODE"
-The unbound\-host program exits with status code 1 on error,
-0 on no error. The data may not be available on exit code 0, exit code 1
-means the lookup encountered a fatal error.
-.SH "SEE ALSO"
-\fIunbound.conf\fR(5),
-\fIunbound\fR(8).
+
+$ unbound\-host \-v \-y \(dqexample.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD\(dq www.example.com
+
+$ unbound\-host \-v \-y \(dqexample.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD\(dq 192.0.2.153
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SH EXIT CODE
+.sp
+The \fBunbound\-host\fP program exits with status code 1 on error, 0 on no error.
+The data may not be available on exit code 0, exit code 1 means the lookup
+encountered a fatal error.
+.SH SEE ALSO
+.sp
+\fI\%unbound.conf(5)\fP,
+\fI\%unbound(8)\fP\&.
+.SH AUTHOR
+Unbound developers are mentioned in the CREDITS file in the distribution.
+.SH COPYRIGHT
+1999-2025, NLnet Labs
+.\" Generated by docutils manpage writer.
+.
Index: doc/unbound.8.in
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/doc/unbound.8.in,v
diff -u -p -r1.47 unbound.8.in
--- doc/unbound.8.in 31 Aug 2025 21:41:09 -0000 1.47
+++ doc/unbound.8.in 22 Sep 2025 21:08:23 -0000
@@ -1,88 +1,123 @@
-.TH "unbound" "8" "Jul 16, 2025" "NLnet Labs" "unbound 1.23.1"
-.\"
-.\" unbound.8 -- unbound manual
-.\"
-.\" Copyright (c) 2007, NLnet Labs. All rights reserved.
-.\"
-.\" See LICENSE for the license.
-.\"
-.\"
-.SH "NAME"
-.B unbound
-\- Unbound DNS validating resolver 1.23.1.
-.SH "SYNOPSIS"
-.B unbound
-.RB [ \-h ]
-.RB [ \-d ]
-.RB [ \-p ]
-.RB [ \-v ]
-.RB [ \-c
-.IR cfgfile ]
-.SH "DESCRIPTION"
-.B Unbound
-is a caching DNS resolver.
-.P
-It uses a built in list of authoritative nameservers for the root zone (.),
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "UNBOUND" "8" "Sep 18, 2025" "1.24.0" "Unbound"
+.SH NAME
+unbound \- Unbound DNS validating resolver 1.24.0.
+.SH SYNOPSIS
+.sp
+\fBunbound\fP [\fB\-hdpv\fP] [\fB\-c <cfgfile>\fP]
+.SH DESCRIPTION
+.sp
+\fBunbound\fP is a caching DNS resolver.
+.sp
+It uses a built in list of authoritative nameservers for the root zone (\fB\&.\fP),
the so called root hints.
-On receiving a DNS query it will ask the root nameservers for
-an answer and will in almost all cases receive a delegation to a top level
-domain (TLD) authoritative nameserver.
+On receiving a DNS query it will ask the root nameservers for an answer and
+will in almost all cases receive a delegation to a top level domain (TLD)
+authoritative nameserver.
It will then ask that nameserver for an answer.
-It will recursively continue until an answer is found or no answer is
-available (NXDOMAIN).
-For performance and efficiency reasons that answer is cached for a
-certain time (the answer's time\-to\-live or TTL).
+It will recursively continue until an answer is found or no answer is available
+(NXDOMAIN).
+For performance and efficiency reasons that answer is cached for a certain time
+(the answer\(aqs time\-to\-live or TTL).
A second query for the same name will then be answered from the cache.
Unbound can also do DNSSEC validation.
-.P
-To use a locally running
-.B Unbound
-for resolving put
.sp
-.RS 6n
+To use a locally running Unbound for resolving put:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
nameserver 127.0.0.1
-.RE
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+into \fIresolv.conf(5)\fP\&.
+.sp
+If authoritative DNS is needed as well using \fI\%nsd(8)\fP,
+careful setup is required because authoritative nameservers and resolvers are
+using the same port number (53).
.sp
-into
-.IR resolv.conf (5).
-.P
-If authoritative DNS is needed as well using
-.IR nsd (8),
-careful setup is required because authoritative nameservers and
-resolvers are using the same port number (53).
-.P
The available options are:
+.INDENT 0.0
.TP
.B \-h
Show the version number and commandline option help, and exit.
+.UNINDENT
+.INDENT 0.0
.TP
-.B \-c\fI cfgfile
-Set the config file with settings for Unbound to read instead of reading the
-file at the default location, @ub_conf_file@. The syntax is
-described in \fIunbound.conf\fR(5).
+.B \-c <cfgfile>
+Set the config file with settings for unbound to read instead of reading the
+file at the default location, \fB@ub_conf_file@\fP\&.
+The syntax is described in \fI\%unbound.conf(5)\fP\&.
+.UNINDENT
+.INDENT 0.0
.TP
.B \-d
-Debug flag: do not fork into the background, but stay attached to
-the console. This flag will also delay writing to the log file until
-the thread\-spawn time, so that most config and setup errors appear on
-stderr. If given twice or more, logging does not switch to the log file
-or to syslog, but the log messages are printed to stderr all the time.
+Debug flag: do not fork into the background, but stay attached to the
+console.
+This flag will also delay writing to the log file until the thread\-spawn
+time, so that most config and setup errors appear on stderr.
+If given twice or more, logging does not switch to the log file or to
+syslog, but the log messages are printed to stderr all the time.
+.UNINDENT
+.INDENT 0.0
.TP
.B \-p
-Don't use a pidfile. This argument should only be used by supervision
-systems which can ensure that only one instance of Unbound will run
-concurrently.
+Don\(aqt use a pidfile.
+This argument should only be used by supervision systems which can ensure
+that only one instance of Unbound will run concurrently.
+.UNINDENT
+.INDENT 0.0
.TP
.B \-v
-Increase verbosity. If given multiple times, more information is logged.
-This is added to the verbosity (if any) from the config file.
+Increase verbosity.
+If given multiple times, more information is logged.
+This is in addition to the verbosity (if any) from the config file.
+.UNINDENT
+.INDENT 0.0
.TP
.B \-V
Show the version number and build options, and exit.
-.SH "SEE ALSO"
-\fIunbound.conf\fR(5),
-\fIunbound\-checkconf\fR(8),
-\fInsd\fR(8).
-.SH "AUTHORS"
-.B Unbound
-developers are mentioned in the CREDITS file in the distribution.
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fI\%unbound.conf(5)\fP,
+\fI\%unbound\-checkconf(8)\fP,
+\fI\%nsd(8)\fP\&.
+.SH AUTHOR
+Unbound developers are mentioned in the CREDITS file in the distribution.
+.SH COPYRIGHT
+1999-2025, NLnet Labs
+.\" Generated by docutils manpage writer.
+.
Index: doc/unbound.conf.5.in
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/doc/unbound.conf.5.in,v
diff -u -p -r1.51 unbound.conf.5.in
--- doc/unbound.conf.5.in 31 Aug 2025 21:41:09 -0000 1.51
+++ doc/unbound.conf.5.in 22 Sep 2025 21:08:23 -0000
@@ -1,1350 +1,2463 @@
-.TH "unbound.conf" "5" "Jul 16, 2025" "NLnet Labs" "unbound 1.23.1"
-.\"
-.\" unbound.conf.5 -- unbound.conf manual
-.\"
-.\" Copyright (c) 2007, NLnet Labs. All rights reserved.
-.\"
-.\" See LICENSE for the license.
-.\"
-.\"
-.SH "NAME"
-.B unbound.conf
-\- Unbound configuration file.
-.SH "SYNOPSIS"
-.B unbound.conf
-.SH "DESCRIPTION"
-.B unbound.conf
-is used to configure
-\fIunbound\fR(8).
-The file format has attributes and values. Some attributes have attributes
-inside them.
-The notation is: attribute: value.
-.P
-Comments start with # and last to the end of line. Empty lines are
-ignored as is whitespace at the beginning of a line.
-.P
-The utility
-\fIunbound\-checkconf\fR(8)
-can be used to check unbound.conf prior to usage.
-.SH "FILE FORMAT"
-There must be whitespace between keywords. Attribute keywords end with a
-colon ':'. An attribute is followed by a value, or its containing attributes
-in which case it is referred to as a clause. Clauses can be repeated throughout
-the file (or included files) to group attributes under the same clause.
-.P
-Files can be included using the
-.B include:
-directive. It can appear anywhere, it accepts a single file name as argument.
-Processing continues as if the text from the included file was copied into
-the config file at that point. If also using chroot, using full path names
-for the included files works, relative pathnames for the included names work
-if the directory where the daemon is started equals its chroot/working
-directory or is specified before the include statement with directory: dir.
-Wildcards can be used to include multiple files, see \fIglob\fR(7).
-.P
-For a more structural include option, the
-.B include\-toplevel:
-directive can be used. This closes whatever clause is currently active (if any)
-and forces the use of clauses in the included files and right after this
-directive.
-.SS "Server Options"
-These options are part of the
-.B server:
-clause.
-.TP
-.B verbosity: \fI<number>
-The verbosity number, level 0 means no verbosity, only errors. Level 1
-gives operational information. Level 2 gives detailed operational
-information including short information per query. Level 3 gives query level
-information, output per query. Level 4 gives algorithm level information.
-Level 5 logs client identification for cache misses. Default is level 1.
-The verbosity can also be increased from the commandline, see \fIunbound\fR(8).
-.TP
-.B statistics\-interval: \fI<seconds>
-The number of seconds between printing statistics to the log for every thread.
-Disable with value 0 or "". Default is disabled. The histogram statistics
-are only printed if replies were sent during the statistics interval,
-requestlist statistics are printed for every interval (but can be 0).
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "UNBOUND.CONF" "5" "Sep 18, 2025" "1.24.0" "Unbound"
+.SH NAME
+unbound.conf \- Unbound 1.24.0 configuration file.
+.SH SYNOPSIS
+.sp
+\fBunbound.conf\fP
+.SH DESCRIPTION
+.sp
+\fBunbound.conf\fP is used to configure \fI\%unbound(8)\fP\&.
+The file format has attributes and values.
+Some attributes have attributes inside them.
+The notation is: \fBattribute: value\fP\&.
+.sp
+Comments start with \fB#\fP and last to the end of line.
+Empty lines are ignored as is whitespace at the beginning of a line.
+.sp
+The utility \fI\%unbound\-checkconf(8)\fP can be
+used to check \fBunbound.conf\fP prior to usage.
+.SH FILE FORMAT
+.sp
+There must be whitespace between keywords.
+Attribute keywords end with a colon \fB\(aq:\(aq\fP\&.
+An attribute is followed by a value, or its containing attributes in which case
+it is referred to as a clause.
+Clauses can be repeated throughout the file (or included files) to group
+attributes under the same clause.
+.sp
+Files can be included using the \fBinclude:\fP directive.
+It can appear anywhere, it accepts a single file name as argument.
+Processing continues as if the text from the included file was copied into the
+config file at that point.
+If also using \fI\%chroot\fP, using full path names for
+the included files works, relative pathnames for the included names work if the
+directory where the daemon is started equals its chroot/working directory or is
+specified before the include statement with \fI\%directory:
+dir\fP\&.
+Wildcards can be used to include multiple files, see \fIglob(7)\fP\&.
+.sp
+For a more structural include option, the \fBinclude\-toplevel:\fP directive can
+be used.
+This closes whatever clause is currently active (if any) and forces the use of
+clauses in the included files and right after this directive.
+.SS Server Options
+.sp
+These options are part of the \fBserver:\fP clause.
+.INDENT 0.0
+.TP
+.B verbosity: \fI<number>\fP
+The verbosity level.
+.INDENT 7.0
+.TP
+.B Level 0
+No verbosity, only errors.
+.TP
+.B Level 1
+Gives operational information.
+.TP
+.B Level 2
+Gives detailed operational information including short information per
+query.
+.TP
+.B Level 3
+Gives query level information, output per query.
+.TP
+.B Level 4
+Gives algorithm level information.
+.TP
+.B Level 5
+Logs client identification for cache misses.
+.UNINDENT
+.sp
+The verbosity can also be increased from the command line and during run
+time via remote control. See \fI\%unbound(8)\fP and
+\fI\%unbound\-control(8)\fP respectively.
+.sp
+Default: 1
+.UNINDENT
+.INDENT 0.0
+.TP
+.B statistics\-interval: \fI<seconds>\fP
+The number of seconds between printing statistics to the log for every
+thread.
+Disable with value \fB0\fP or \fB\(dq\(dq\fP\&.
+The histogram statistics are only printed if replies were sent during the
+statistics interval, requestlist statistics are printed for every interval
+(but can be 0).
This is because the median calculation requires data to be present.
-.TP
-.B statistics\-cumulative: \fI<yes or no>
-If enabled, statistics are cumulative since starting Unbound, without clearing
-the statistics counters after logging the statistics. Default is no.
-.TP
-.B extended\-statistics: \fI<yes or no>
-If enabled, extended statistics are printed from \fIunbound\-control\fR(8).
-Default is off, because keeping track of more statistics takes time. The
-counters are listed in \fIunbound\-control\fR(8).
-.TP
-.B statistics\-inhibit\-zero: \fI<yes or no>
-If enabled, selected extended statistics with a value of 0 are inhibited from
-printing with \fIunbound\-control\fR(8).
+.sp
+Default: 0 (disabled)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B statistics\-cumulative: \fI<yes or no>\fP
+If enabled, statistics are cumulative since starting Unbound, without
+clearing the statistics counters after logging the statistics.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B extended\-statistics: \fI<yes or no>\fP
+If enabled, extended statistics are printed from
+\fI\%unbound\-control(8)\fP\&.
+The counters are listed in
+\fI\%unbound\-control(8)\fP\&.
+Keeping track of more statistics takes time.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B statistics\-inhibit\-zero: \fI<yes or no>\fP
+If enabled, selected extended statistics with a value of 0 are inhibited
+from printing with
+\fI\%unbound\-control(8)\fP\&.
These are query types, query classes, query opcodes, answer rcodes
-(except NOERROR, FORMERR, SERVFAIL, NXDOMAIN, NOTIMPL, REFUSED) and
-RPZ actions.
-Default is on.
+(except NOERROR, FORMERR, SERVFAIL, NXDOMAIN, NOTIMPL, REFUSED)
+and PRZ actions.
+.sp
+Default: yes
+.UNINDENT
+.INDENT 0.0
.TP
-.B num\-threads: \fI<number>
+.B num\-threads: \fI<number>\fP
The number of threads to create to serve clients. Use 1 for no threading.
+.sp
+Default: 1
+.UNINDENT
+.INDENT 0.0
+.TP
+.B port: \fI<port number>\fP
+The port number on which the server responds to queries.
+.sp
+Default: 53
+.UNINDENT
+.INDENT 0.0
+.TP
+.B interface: \fI<IP address or interface name[@port]>\fP
+Interface to use to connect to the network.
+This interface is listened to for queries from clients, and answers to
+clients are given from it.
+Can be given multiple times to work on several interfaces.
+If none are given the default is to listen on localhost.
+.sp
+If an interface name is used instead of an IP address, the list of IP
+addresses on that interface are used.
+The interfaces are not changed on a reload (\fBkill \-HUP\fP) but only on
+restart.
+.sp
+A port number can be specified with @port (without spaces between interface
+and port number), if not specified the default port (from
+\fI\%port\fP) is used.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ip\-address: \fI<IP address or interface name[@port]>\fP
+Same as \fI\%interface\fP (for ease of
+compatibility with \fI\%nsd.conf(5)\fP).
+.UNINDENT
+.INDENT 0.0
.TP
-.B port: \fI<port number>
-The port number, default 53, on which the server responds to queries.
-.TP
-.B interface: \fI<ip address or interface name [@port]>
-Interface to use to connect to the network. This interface is listened to
-for queries from clients, and answers to clients are given from it.
-Can be given multiple times to work on several interfaces. If none are
-given the default is to listen to localhost. If an interface name is used
-instead of an ip address, the list of ip addresses on that interface are used.
-The interfaces are not changed on a reload (kill \-HUP) but only on restart.
-A port number can be specified with @port (without spaces between
-interface and port number), if not specified the default port (from
-\fBport\fR) is used.
-.TP
-.B ip\-address: \fI<ip address or interface name [@port]>
-Same as interface: (for ease of compatibility with nsd.conf).
-.TP
-.B interface\-automatic: \fI<yes or no>
+.B interface\-automatic: \fI<yes or no>\fP
Listen on all addresses on all (current and future) interfaces, detect the
-source interface on UDP queries and copy them to replies. This is a lot like
-ip\-transparent, but this option services all interfaces whilst with
-ip\-transparent you can select which (future) interfaces Unbound provides
-service on. This feature is experimental, and needs support in your OS for
-particular socket options. Default value is no.
-.TP
-.B interface\-automatic\-ports: \fI<string>
-List the port numbers that interface-automatic listens on. If empty, the
-default port is listened on. The port numbers are separated by spaces in the
-string. Default is "".
-.IP
+source interface on UDP queries and copy them to replies.
+This is a lot like \fI\%ip\-transparent\fP, but
+this option services all interfaces whilst with
+\fI\%ip\-transparent\fP you can select which
+(future) interfaces Unbound provides service on.
+This feature is experimental, and needs support in your OS for particular
+socket options.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B interface\-automatic\-ports: \fI\(dq<string>\(dq\fP
+List the port numbers that
+\fI\%interface\-automatic\fP listens on.
+If empty, the default port is listened on.
+The port numbers are separated by spaces in the string.
+.sp
This can be used to have interface automatic to deal with the interface,
and listen on the normal port number, by including it in the list, and
-also https or dns over tls port numbers by putting them in the list as well.
-.TP
-.B outgoing\-interface: \fI<ip address or ip6 netblock>
-Interface to use to connect to the network. This interface is used to send
-queries to authoritative servers and receive their replies. Can be given
-multiple times to work on several interfaces. If none are given the
-default (all) is used. You can specify the same interfaces in
-.B interface:
-and
-.B outgoing\-interface:
-lines, the interfaces are then used for both purposes. Outgoing queries are
-sent via a random outgoing interface to counter spoofing.
-.IP
+also HTTPS or DNS\-over\-TLS port numbers by putting them in the list as
+well.
+.sp
+Default: \(dq\(dq
+.UNINDENT
+.INDENT 0.0
+.TP
+.B outgoing\-interface: \fI<IPv4/IPv6 address or IPv6 netblock>\fP
+Interface to use to connect to the network.
+This interface is used to send queries to authoritative servers and receive
+their replies.
+Can be given multiple times to work on several interfaces.
+If none are given the default (all) is used.
+You can specify the same interfaces in
+\fI\%interface\fP and
+\fI\%outgoing\-interface\fP lines, the
+interfaces are then used for both purposes.
+Outgoing queries are sent via a random outgoing interface to counter
+spoofing.
+.sp
If an IPv6 netblock is specified instead of an individual IPv6 address,
outgoing UDP queries will use a randomised source address taken from the
-netblock to counter spoofing. Requires the IPv6 netblock to be routed to the
-host running Unbound, and requires OS support for unprivileged non-local binds
-(currently only supported on Linux). Several netblocks may be specified with
-multiple
-.B outgoing\-interface:
-options, but do not specify both an individual IPv6 address and an IPv6
-netblock, or the randomisation will be compromised. Consider combining with
-.B prefer\-ip6: yes
-to increase the likelihood of IPv6 nameservers being selected for queries.
+netblock to counter spoofing.
+Requires the IPv6 netblock to be routed to the host running Unbound, and
+requires OS support for unprivileged non\-local binds (currently only
+supported on Linux).
+Several netblocks may be specified with multiple
+\fI\%outgoing\-interface\fP options, but do
+not specify both an individual IPv6 address and an IPv6 netblock, or the
+randomisation will be compromised.
+Consider combining with \fI\%prefer\-ip6: yes\fP to
+increase the likelihood of IPv6 nameservers being selected for queries.
On Linux you need these two commands to be able to use the freebind socket
option to receive traffic for the ip6 netblock:
-ip \-6 addr add mynetblock/64 dev lo &&
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+ip \-6 addr add mynetblock/64 dev lo && \e
ip \-6 route add local mynetblock/64 dev lo
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B outgoing\-range: \fI<number>\fP
+Number of ports to open.
+This number of file descriptors can be opened per thread.
+Must be at least 1.
+Default depends on compile options.
+Larger numbers need extra resources from the operating system.
+For performance a very large value is best, use libevent to make this
+possible.
+.sp
+Default: 4096 (libevent) / 960 (minievent) / 48 (windows)
+.UNINDENT
+.INDENT 0.0
.TP
-.B outgoing\-range: \fI<number>
-Number of ports to open. This number of file descriptors can be opened per
-thread. Must be at least 1. Default depends on compile options. Larger
-numbers need extra resources from the operating system. For performance a
-very large value is best, use libevent to make this possible.
-.TP
-.B outgoing\-port\-permit: \fI<port number or range>
+.B outgoing\-port\-permit: \fI<port number or range>\fP
Permit Unbound to open this port or range of ports for use to send queries.
A larger number of permitted outgoing ports increases resilience against
-spoofing attempts. Make sure these ports are not needed by other daemons.
-By default only ports above 1024 that have not been assigned by IANA are used.
-Give a port number or a range of the form "low\-high", without spaces.
-.IP
-The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements
-are processed in the line order of the config file, adding the permitted ports
-and subtracting the avoided ports from the set of allowed ports. The
-processing starts with the non IANA allocated ports above 1024 in the set
-of allowed ports.
+spoofing attempts.
+Make sure these ports are not needed by other daemons.
+By default only ports above 1024 that have not been assigned by IANA are
+used.
+Give a port number or a range of the form \(dqlow\-high\(dq, without spaces.
+.sp
+The \fI\%outgoing\-port\-permit\fP and
+\fI\%outgoing\-port\-avoid\fP statements
+are processed in the line order of the config file, adding the permitted
+ports and subtracting the avoided ports from the set of allowed ports.
+The processing starts with the non IANA allocated ports above 1024 in the
+set of allowed ports.
+.UNINDENT
+.INDENT 0.0
.TP
-.B outgoing\-port\-avoid: \fI<port number or range>
+.B outgoing\-port\-avoid: \fI<port number or range>\fP
Do not permit Unbound to open this port or range of ports for use to send
-queries. Use this to make sure Unbound does not grab a port that another
-daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6.
-By default only ports above 1024 that have not been assigned by IANA are used.
-Give a port number or a range of the form "low\-high", without spaces.
-.TP
-.B outgoing\-num\-tcp: \fI<number>
-Number of outgoing TCP buffers to allocate per thread. Default is 10. If
-set to 0, or if do\-tcp is "no", no TCP queries to authoritative servers
-are done. For larger installations increasing this value is a good idea.
-.TP
-.B incoming\-num\-tcp: \fI<number>
-Number of incoming TCP buffers to allocate per thread. Default is
-10. If set to 0, or if do\-tcp is "no", no TCP queries from clients are
-accepted. For larger installations increasing this value is a good idea.
+queries.
+Use this to make sure Unbound does not grab a port that another daemon
+needs.
+The port is avoided on all outgoing interfaces, both IPv4 and IPv6.
+By default only ports above 1024 that have not been assigned by IANA are
+used.
+Give a port number or a range of the form \(dqlow\-high\(dq, without spaces.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B outgoing\-num\-tcp: \fI<number>\fP
+Number of outgoing TCP buffers to allocate per thread.
+If set to 0, or if \fI\%do\-tcp: no\fP is set, no TCP
+queries to authoritative servers are done.
+For larger installations increasing this value is a good idea.
+.sp
+Default: 10
+.UNINDENT
+.INDENT 0.0
+.TP
+.B incoming\-num\-tcp: \fI<number>\fP
+Number of incoming TCP buffers to allocate per thread.
+If set to 0, or if \fI\%do\-tcp: no\fP is set, no TCP
+queries from clients are accepted.
+For larger installations increasing this value is a good idea.
+.sp
+Default: 10
+.UNINDENT
+.INDENT 0.0
.TP
-.B edns\-buffer\-size: \fI<number>
+.B edns\-buffer\-size: \fI<number>\fP
Number of bytes size to advertise as the EDNS reassembly buffer size.
-This is the value put into datagrams over UDP towards peers. The actual
-buffer size is determined by msg\-buffer\-size (both for TCP and UDP). Do
-not set higher than that value. Default is 1232 which is the DNS Flag Day 2020
-recommendation. Setting to 512 bypasses even the most stringent path MTU
-problems, but is seen as extreme, since the amount of TCP fallback generated is
-excessive (probably also for this resolver, consider tuning the outgoing tcp
-number).
-.TP
-.B max\-udp\-size: \fI<number>
-Maximum UDP response size (not applied to TCP response). 65536 disables the
-udp response size maximum, and uses the choice from the client, always.
-Suggested values are 512 to 4096. Default is 1232. The default value is the
-same as the default for edns\-buffer\-size.
-.TP
-.B stream\-wait\-size: \fI<number>
-Number of bytes size maximum to use for waiting stream buffers. Default is
-4 megabytes. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes,
-megabytes or gigabytes (1024*1024 bytes in a megabyte). As TCP and TLS streams
-queue up multiple results, the amount of memory used for these buffers does
-not exceed this number, otherwise the responses are dropped. This manages
-the total memory usage of the server (under heavy use), the number of requests
-that can be queued up per connection is also limited, with further requests
-waiting in TCP buffers.
-.TP
-.B msg\-buffer\-size: \fI<number>
-Number of bytes size of the message buffers. Default is 65552 bytes, enough
-for 64 Kb packets, the maximum DNS message size. No message larger than this
-can be sent or received. Can be reduced to use less memory, but some requests
-for DNS data, such as for huge resource records, will result in a SERVFAIL
-reply to the client.
-.TP
-.B msg\-cache\-size: \fI<number>
-Number of bytes size of the message cache. Default is 4 megabytes.
-A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
+This is the value put into datagrams over UDP towards peers.
+The actual buffer size is determined by
+\fI\%msg\-buffer\-size\fP (both for TCP and
+UDP).
+Do not set higher than that value.
+Setting to 512 bypasses even the most stringent path MTU problems, but is
+seen as extreme, since the amount of TCP fallback generated is excessive
+(probably also for this resolver, consider tuning
+\fI\%outgoing\-num\-tcp\fP).
+.sp
+Default: 1232 (\fI\%DNS Flag Day 2020 recommendation\fP)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B max\-udp\-size: \fI<number>\fP
+Maximum UDP response size (not applied to TCP response).
+65536 disables the UDP response size maximum, and uses the choice from the
+client, always.
+Suggested values are 512 to 4096.
+.sp
+Default: 1232 (same as \fI\%edns\-buffer\-size\fP)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B stream\-wait\-size: \fI<number>\fP
+Number of bytes size maximum to use for waiting stream buffers.
+A plain number is in bytes, append \(aqk\(aq, \(aqm\(aq or \(aqg\(aq for kilobytes, megabytes
or gigabytes (1024*1024 bytes in a megabyte).
+As TCP and TLS streams queue up multiple results, the amount of memory used
+for these buffers does not exceed this number, otherwise the responses are
+dropped.
+This manages the total memory usage of the server (under heavy use), the
+number of requests that can be queued up per connection is also limited,
+with further requests waiting in TCP buffers.
+.sp
+Default: 4m
+.UNINDENT
+.INDENT 0.0
+.TP
+.B msg\-buffer\-size: \fI<number>\fP
+Number of bytes size of the message buffers.
+Default is 65552 bytes, enough for 64 Kb packets, the maximum DNS message
+size.
+No message larger than this can be sent or received.
+Can be reduced to use less memory, but some requests for DNS data, such as
+for huge resource records, will result in a SERVFAIL reply to the client.
+.sp
+Default: 65552
+.UNINDENT
+.INDENT 0.0
+.TP
+.B msg\-cache\-size: \fI<number>\fP
+Number of bytes size of the message cache.
+A plain number is in bytes, append \(aqk\(aq, \(aqm\(aq or \(aqg\(aq for kilobytes, megabytes
+or gigabytes (1024*1024 bytes in a megabyte).
+.sp
+Default: 4m
+.UNINDENT
+.INDENT 0.0
+.TP
+.B msg\-cache\-slabs: \fI<number>\fP
+Number of slabs in the message cache.
+Slabs reduce lock contention by threads.
+Must be set to a power of 2.
+Setting (close) to the number of cpus is a fairly good setting.
+If left unconfigured, it will be configured automatically to be a power of
+2 close to the number of configured threads in multi\-threaded environments.
+.sp
+Default: (unconfigured)
+.UNINDENT
+.INDENT 0.0
.TP
-.B msg\-cache\-slabs: \fI<number>
-Number of slabs in the message cache. Slabs reduce lock contention by threads.
-Must be set to a power of 2. Setting (close) to the number of cpus is a
-reasonable guess.
-.TP
-.B num\-queries\-per\-thread: \fI<number>
+.B num\-queries\-per\-thread: \fI<number>\fP
The number of queries that every thread will service simultaneously.
-If more queries arrive that need servicing, and no queries can be jostled out
-(see \fIjostle\-timeout\fR), then the queries are dropped. This forces
-the client to resend after a timeout; allowing the server time to work on
-the existing queries. Default depends on compile options, 512 or 1024.
-.TP
-.B jostle\-timeout: \fI<msec>
-Timeout used when the server is very busy. Set to a value that usually
-results in one roundtrip to the authority servers. If too many queries
-arrive, then 50% of the queries are allowed to run to completion, and
-the other 50% are replaced with the new incoming query if they have already
-spent more than their allowed time. This protects against denial of
-service by slow queries or high query rates. Default 200 milliseconds.
-The effect is that the qps for long-lasting queries is about
-(numqueriesperthread / 2) / (average time for such long queries) qps.
-The qps for short queries can be about (numqueriesperthread / 2)
-/ (jostletimeout in whole seconds) qps per thread, about (1024/2)*5 = 2560
-qps by default.
+If more queries arrive that need servicing, and no queries can be jostled
+out (see \fI\%jostle\-timeout\fP), then the
+queries are dropped.
+This forces the client to resend after a timeout; allowing the server time
+to work on the existing queries.
+Default depends on compile options.
+.sp
+Default: 2048 (libevent) / 512 (minievent) / 24 (windows)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B jostle\-timeout: \fI<msec>\fP
+Timeout used when the server is very busy.
+Set to a value that usually results in one roundtrip to the authority
+servers.
+.sp
+If too many queries arrive, then 50% of the queries are allowed to run to
+completion, and the other 50% are replaced with the new incoming query if
+they have already spent more than their allowed time.
+This protects against denial of service by slow queries or high query
+rates.
+.sp
+The effect is that the qps for long\-lasting queries is about:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+(num\-queries\-per\-thread / 2) / (average time for such long queries) qps
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The qps for short queries can be about:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+(num\-queries\-per\-thread / 2) / (jostle\-timeout in whole seconds) qps per thread
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+about (2048/2)*5 = 5120 qps by default.
+.sp
+Default: 200
+.UNINDENT
+.INDENT 0.0
.TP
-.B delay\-close: \fI<msec>
+.B delay\-close: \fI<msec>\fP
Extra delay for timeouted UDP ports before they are closed, in msec.
-Default is 0, and that disables it. This prevents very delayed answer
-packets from the upstream (recursive) servers from bouncing against
-closed ports and setting off all sort of close-port counters, with
-eg. 1500 msec. When timeouts happen you need extra sockets, it checks
-the ID and remote IP of packets, and unwanted packets are added to the
-unwanted packet counter.
-.TP
-.B udp\-connect: \fI<yes or no>
-Perform connect for UDP sockets that mitigates ICMP side channel leakage.
-Default is yes.
+This prevents very delayed answer packets from the upstream (recursive)
+servers from bouncing against closed ports and setting off all sort of
+close\-port counters, with eg. 1500 msec.
+When timeouts happen you need extra sockets, it checks the ID and remote IP
+of packets, and unwanted packets are added to the unwanted packet counter.
+.sp
+Default: 0 (disabled)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B udp\-connect: \fI<yes or no>\fP
+Perform \fIconnect(2)\fP for UDP sockets that mitigates ICMP side channel
+leakage.
+.sp
+Default: yes
+.UNINDENT
+.INDENT 0.0
.TP
-.B unknown\-server\-time\-limit: \fI<msec>
+.B unknown\-server\-time\-limit: \fI<msec>\fP
The wait time in msec for waiting for an unknown server to reply.
Increase this if you are behind a slow satellite link, to eg. 1128.
That would then avoid re\-querying every initial query because it times out.
-Default is 376 msec.
-.TP
-.B discard\-timeout: \fI<msec>
-The wait time in msec where recursion requests are dropped. This is
-to stop a large number of replies from accumulating. They receive
-no reply, the work item continues to recurse. It is nice to be a bit
-larger than serve\-expired\-client\-timeout if that is enabled.
-A value of 1900 msec is suggested. The value 0 disables it.
-Default 1900 msec.
+.sp
+Default: 376
+.UNINDENT
+.INDENT 0.0
+.TP
+.B discard\-timeout: \fI<msec>\fP
+The wait time in msec where recursion requests are dropped.
+This is to stop a large number of replies from accumulating.
+They receive no reply, the work item continues to recurse.
+It is nice to be a bit larger than
+\fI\%serve\-expired\-client\-timeout\fP
+if that is enabled.
+A value of \fB1900\fP msec is suggested.
+The value \fB0\fP disables it.
+.sp
+Default: 1900
+.UNINDENT
+.INDENT 0.0
.TP
-.B wait\-limit: \fI<number>
+.B wait\-limit: \fI<number>\fP
The number of replies that can wait for recursion, for an IP address.
This makes a ratelimit per IP address of waiting replies for recursion.
It stops very large amounts of queries waiting to be returned to one
-destination. The value 0 disables wait limits. Default is 1000.
+destination.
+The value \fB0\fP disables wait limits.
+.sp
+Default: 1000
+.UNINDENT
+.INDENT 0.0
.TP
-.B wait\-limit\-cookie: \fI<number>
+.B wait\-limit\-cookie: \fI<number>\fP
The number of replies that can wait for recursion, for an IP address
-that sent the query with a valid DNS cookie. Since the cookie validates
-the client address, the limit can be higher. Default is 10000.
-.TP
-.B wait\-limit\-netblock: \fI<netblock> <number>
-The wait limit for the netblock. If not given the wait\-limit value is
-used. The most specific netblock is used to determine the limit. Useful for
-overriding the default for a specific, group or individual, server.
-The value -1 disables wait limits for the netblock.
-By default the loopback has a wait limit netblock of -1, it is not limited,
-because it is separated from the rest of network for spoofed packets.
-The loopback addresses 127.0.0.0/8 and ::1/128 are default at -1.
-.TP
-.B wait\-limit\-cookie\-netblock: \fI<netblock> <number>
-The wait limit for the netblock, when the query has a DNS cookie.
-If not given, the wait\-limit\-cookie value is used.
-The value -1 disables wait limits for the netblock.
-The loopback addresses 127.0.0.0/8 and ::1/128 are default at -1.
-.TP
-.B so\-rcvbuf: \fI<number>
-If not 0, then set the SO_RCVBUF socket option to get more buffer
-space on UDP port 53 incoming queries. So that short spikes on busy
-servers do not drop packets (see counter in netstat \-su). Default is
-0 (use system value). Otherwise, the number of bytes to ask for, try
-"4m" on a busy server. The OS caps it at a maximum, on linux Unbound
-needs root permission to bypass the limit, or the admin can use sysctl
-net.core.rmem_max. On BSD change kern.ipc.maxsockbuf in /etc/sysctl.conf.
-On OpenBSD change header and recompile kernel. On Solaris ndd \-set
-/dev/udp udp_max_buf 8388608.
+that sent the query with a valid DNS Cookie.
+Since the cookie validates the client address, this limit can be higher.
+.sp
+Default: 10000
+.UNINDENT
+.INDENT 0.0
+.TP
+.B wait\-limit\-netblock: \fI<netblock>\fP \fI<number>\fP
+The wait limit for the netblock.
+If not given the
+\fI\%wait\-limit\fP
+value is used.
+The most specific netblock is used to determine the limit.
+Useful for overriding the default for a specific, group or individual,
+server.
+The value \fB\-1\fP disables wait limits for the netblock.
+By default the loopback has a wait limit netblock of \fB\-1\fP, it is not
+limited, because it is separated from the rest of network for spoofed
+packets.
+The loopback addresses \fB127.0.0.0/8\fP and \fB::1/128\fP are default at \fB\-1\fP\&.
+.sp
+Default: (none)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B wait\-limit\-cookie\-netblock: \fI<netblock>\fP \fI<number>\fP
+The wait limit for the netblock, when the query has a DNS Cookie.
+If not given, the
+\fI\%wait\-limit\-cookie\fP
+value is used.
+The value \fB\-1\fP disables wait limits for the netblock.
+The loopback addresses \fB127.0.0.0/8\fP and \fB::1/128\fP are default at \fB\-1\fP\&.
+.sp
+Default: (none)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B so\-rcvbuf: \fI<number>\fP
+If not 0, then set the SO_RCVBUF socket option to get more buffer space on
+UDP port 53 incoming queries.
+So that short spikes on busy servers do not drop packets (see counter in
+\fBnetstat \-su\fP).
+Otherwise, the number of bytes to ask for, try \(dq4m\(dq on a busy server.
+.sp
+The OS caps it at a maximum, on linux Unbound needs root permission to
+bypass the limit, or the admin can use \fBsysctl net.core.rmem_max\fP\&.
+.sp
+On BSD change \fBkern.ipc.maxsockbuf\fP in \fB/etc/sysctl.conf\fP\&.
+.sp
+On OpenBSD change header and recompile kernel.
+.sp
+On Solaris \fBndd \-set /dev/udp udp_max_buf 8388608\fP\&.
+.sp
+Default: 0 (use system value)
+.UNINDENT
+.INDENT 0.0
.TP
-.B so\-sndbuf: \fI<number>
+.B so\-sndbuf: \fI<number>\fP
If not 0, then set the SO_SNDBUF socket option to get more buffer space on
-UDP port 53 outgoing queries. This for very busy servers handles spikes
-in answer traffic, otherwise 'send: resource temporarily unavailable'
-can get logged, the buffer overrun is also visible by netstat \-su.
-Default is 0 (use system value). Specify the number of bytes to ask
-for, try "4m" on a very busy server. The OS caps it at a maximum, on
-linux Unbound needs root permission to bypass the limit, or the admin
-can use sysctl net.core.wmem_max. On BSD, Solaris changes are similar
-to so\-rcvbuf.
+UDP port 53 outgoing queries.
+This for very busy servers handles spikes in answer traffic, otherwise:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+send: resource temporarily unavailable
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+can get logged, the buffer overrun is also visible by \fBnetstat \-su\fP\&.
+If set to 0 it uses the system value.
+Specify the number of bytes to ask for, try \(dq8m\(dq on a very busy server.
+.sp
+It needs some space to be able to deal with packets that wait for local
+address resolution, from like ARP and NDP discovery, before they are sent
+out, hence it is elevated above the system default by default.
+.sp
+The OS caps it at a maximum, on linux Unbound needs root permission to
+bypass the limit, or the admin can use \fBsysctl net.core.wmem_max\fP\&.
+.sp
+On BSD, Solaris changes are similar to
+\fI\%so\-rcvbuf\fP\&.
+.sp
+Default: 4m
+.UNINDENT
+.INDENT 0.0
.TP
-.B so\-reuseport: \fI<yes or no>
+.B so\-reuseport: \fI<yes or no>\fP
If yes, then open dedicated listening sockets for incoming queries for each
-thread and try to set the SO_REUSEPORT socket option on each socket. May
-distribute incoming queries to threads more evenly. Default is yes.
-On Linux it is supported in kernels >= 3.9. On other systems, FreeBSD, OSX
-it may also work. You can enable it (on any platform and kernel),
-it then attempts to open the port and passes the option if it was available
-at compile time, if that works it is used, if it fails, it continues
-silently (unless verbosity 3) without the option.
+thread and try to set the SO_REUSEPORT socket option on each socket.
+May distribute incoming queries to threads more evenly.
+.sp
+On Linux it is supported in kernels >= 3.9.
+.sp
+On other systems, FreeBSD, OSX it may also work.
+.sp
+You can enable it (on any platform and kernel), it then attempts to open
+the port and passes the option if it was available at compile time, if that
+works it is used, if it fails, it continues silently (unless verbosity 3)
+without the option.
+.sp
At extreme load it could be better to turn it off to distribute the queries
evenly, reported for Linux systems (4.4.x).
+.sp
+Default: yes
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ip\-transparent: \fI<yes or no>\fP
+If yes, then use IP_TRANSPARENT socket option on sockets where Unbound is
+listening for incoming traffic.
+Allows you to bind to non\-local interfaces.
+For example for non\-existent IP addresses that are going to exist later on,
+with host failover configuration.
+.sp
+This is a lot like
+\fI\%interface\-automatic\fP, but that one
+services all interfaces and with this option you can select which (future)
+interfaces Unbound provides service on.
+.sp
+This option needs Unbound to be started with root permissions on some
+systems.
+The option uses IP_BINDANY on FreeBSD systems and SO_BINDANY on OpenBSD
+systems.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ip\-freebind: \fI<yes or no>\fP
+If yes, then use IP_FREEBIND socket option on sockets where Unbound is
+listening to incoming traffic.
+Allows you to bind to IP addresses that are nonlocal or do not exist, like
+when the network interface or IP address is down.
+.sp
+Exists only on Linux, where the similar
+\fI\%ip\-transparent\fP option is also
+available.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
.TP
-.B ip\-transparent: \fI<yes or no>
-If yes, then use IP_TRANSPARENT socket option on sockets where Unbound
-is listening for incoming traffic. Default no. Allows you to bind to
-non\-local interfaces. For example for non\-existent IP addresses that
-are going to exist later on, with host failover configuration. This is
-a lot like interface\-automatic, but that one services all interfaces
-and with this option you can select which (future) interfaces Unbound
-provides service on. This option needs Unbound to be started with root
-permissions on some systems. The option uses IP_BINDANY on FreeBSD systems
-and SO_BINDANY on OpenBSD systems.
-.TP
-.B ip\-freebind: \fI<yes or no>
-If yes, then use IP_FREEBIND socket option on sockets where Unbound
-is listening to incoming traffic. Default no. Allows you to bind to
-IP addresses that are nonlocal or do not exist, like when the network
-interface or IP address is down. Exists only on Linux, where the similar
-ip\-transparent option is also available.
-.TP
-.B ip-dscp: \fI<number>
+.B ip\-dscp: \fI<number>\fP
The value of the Differentiated Services Codepoint (DSCP) in the
differentiated services field (DS) of the outgoing IP packet headers.
-The field replaces the outdated IPv4 Type-Of-Service field and the
-IPv6 traffic class field.
-.TP
-.B rrset\-cache\-size: \fI<number>
-Number of bytes size of the RRset cache. Default is 4 megabytes.
-A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
+The field replaces the outdated IPv4 Type\-Of\-Service field and the IPv6
+traffic class field.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B rrset\-cache\-size: \fI<number>\fP
+Number of bytes size of the RRset cache.
+A plain number is in bytes, append \(aqk\(aq, \(aqm\(aq or \(aqg\(aq for kilobytes, megabytes
or gigabytes (1024*1024 bytes in a megabyte).
-.TP
-.B rrset\-cache\-slabs: \fI<number>
-Number of slabs in the RRset cache. Slabs reduce lock contention by threads.
+.sp
+Default: 4m
+.UNINDENT
+.INDENT 0.0
+.TP
+.B rrset\-cache\-slabs: \fI<number>\fP
+Number of slabs in the RRset cache.
+Slabs reduce lock contention by threads.
Must be set to a power of 2.
-.TP
-.B cache\-max\-ttl: \fI<seconds>
-Time to live maximum for RRsets and messages in the cache. Default is
-86400 seconds (1 day). When the TTL expires, the cache item has expired.
+Setting (close) to the number of cpus is a fairly good setting.
+If left unconfigured, it will be configured automatically to be a power of
+2 close to the number of configured threads in multi\-threaded environments.
+.sp
+Default: (unconfigured)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B cache\-max\-ttl: \fI<seconds>\fP
+Time to live maximum for RRsets and messages in the cache.
+When the TTL expires, the cache item has expired.
Can be set lower to force the resolver to query for data often, and not
-trust (very large) TTL values. Downstream clients also see the lower TTL.
+trust (very large) TTL values.
+Downstream clients also see the lower TTL.
+.sp
+Default: 86400 (1 day)
+.UNINDENT
+.INDENT 0.0
.TP
-.B cache\-min\-ttl: \fI<seconds>
-Time to live minimum for RRsets and messages in the cache. Default is 0.
+.B cache\-min\-ttl: \fI<seconds>\fP
+Time to live minimum for RRsets and messages in the cache.
If the minimum kicks in, the data is cached for longer than the domain
owner intended, and thus less queries are made to look up the data.
Zero makes sure the data in the cache is as the domain owner intended,
higher values, especially more than an hour or so, can lead to trouble as
the data in the cache does not match up with the actual data any more.
+.sp
+Default: 0 (disabled)
+.UNINDENT
+.INDENT 0.0
.TP
-.B cache\-max\-negative\-ttl: \fI<seconds>
+.B cache\-max\-negative\-ttl: \fI<seconds>\fP
Time to live maximum for negative responses, these have a SOA in the
-authority section that is limited in time. Default is 3600.
-This applies to nxdomain and nodata answers.
+authority section that is limited in time.
+This applies to NXDOMAIN and NODATA answers.
+.sp
+Default: 3600
+.UNINDENT
+.INDENT 0.0
.TP
-.B cache\-min\-negative\-ttl: \fI<seconds>
+.B cache\-min\-negative\-ttl: \fI<seconds>\fP
Time to live minimum for negative responses, these have a SOA in the
authority section that is limited in time.
-Default is 0 (disabled).
-If this is disabled and \fBcache-min-ttl\fR is configured, it will take effect
-instead.
-In that case you can set this to 1 to honor the upstream TTL.
-This applies to nxdomain and nodata answers.
-.TP
-.B infra\-host\-ttl: \fI<seconds>
-Time to live for entries in the host cache. The host cache contains
-roundtrip timing, lameness and EDNS support information. Default is 900.
-.TP
-.B infra\-cache\-slabs: \fI<number>
-Number of slabs in the infrastructure cache. Slabs reduce lock contention
-by threads. Must be set to a power of 2.
-.TP
-.B infra\-cache\-numhosts: \fI<number>
-Number of hosts for which information is cached. Default is 10000.
+If this is disabled and
+\fI\%cache\-min\-ttl\fP
+is configured, it will take effect instead.
+In that case you can set this to \fB1\fP to honor the upstream TTL.
+This applies to NXDOMAIN and NODATA answers.
+.sp
+Default: 0 (disabled)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B infra\-host\-ttl: \fI<seconds>\fP
+Time to live for entries in the host cache.
+The host cache contains roundtrip timing, lameness and EDNS support
+information.
+.sp
+Default: 900
+.UNINDENT
+.INDENT 0.0
+.TP
+.B infra\-cache\-slabs: \fI<number>\fP
+Number of slabs in the infrastructure cache.
+Slabs reduce lock contention by threads.
+Must be set to a power of 2.
+Setting (close) to the number of cpus is a fairly good setting.
+If left unconfigured, it will be configured automatically to be a power of
+2 close to the number of configured threads in multi\-threaded environments.
+.sp
+Default: (unconfigured)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B infra\-cache\-numhosts: \fI<number>\fP
+Number of hosts for which information is cached.
+.sp
+Default: 10000
+.UNINDENT
+.INDENT 0.0
.TP
-.B infra\-cache\-min\-rtt: \fI<msec>
+.B infra\-cache\-min\-rtt: \fI<msec>\fP
Lower limit for dynamic retransmit timeout calculation in infrastructure
-cache. Default is 50 milliseconds. Increase this value if using forwarders
-needing more time to do recursive name resolution.
+cache.
+Increase this value if using forwarders needing more time to do recursive
+name resolution.
+.sp
+Default: 50
+.UNINDENT
+.INDENT 0.0
.TP
-.B infra\-cache\-max\-rtt: \fI<msec>
+.B infra\-cache\-max\-rtt: \fI<msec>\fP
Upper limit for dynamic retransmit timeout calculation in infrastructure
-cache. Default is 2 minutes.
+cache.
+.sp
+Default: 120000 (2 minutes)
+.UNINDENT
+.INDENT 0.0
.TP
-.B infra\-keep\-probing: \fI<yes or no>
+.B infra\-keep\-probing: \fI<yes or no>\fP
If enabled the server keeps probing hosts that are down, in the one probe
-at a time regime. Default is no. Hosts that are down, eg. they did
-not respond during the one probe at a time period, are marked as down and
-it may take \fBinfra\-host\-ttl\fR time to get probed again.
-.TP
-.B define\-tag: \fI<"list of tags">
-Define the tags that can be used with local\-zone and access\-control.
-Enclose the list between quotes ("") and put spaces between tags.
+at a time regime.
+Hosts that are down, eg. they did not respond during the one probe at a
+time period, are marked as down and it may take
+\fI\%infra\-host\-ttl\fP time to get probed
+again.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B define\-tag: \fI\(dq<list of tags>\(dq\fP
+Define the tags that can be used with
+\fI\%local\-zone\fP and
+\fI\%access\-control\fP\&.
+Enclose the list between quotes (\fB\(dq\(dq\fP) and put spaces between tags.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B do\-ip4: \fI<yes or no>\fP
+Enable or disable whether IPv4 queries are answered or issued.
+.sp
+Default: yes
+.UNINDENT
+.INDENT 0.0
.TP
-.B do\-ip4: \fI<yes or no>
-Enable or disable whether ip4 queries are answered or issued. Default is yes.
-.TP
-.B do\-ip6: \fI<yes or no>
-Enable or disable whether ip6 queries are answered or issued. Default is yes.
+.B do\-ip6: \fI<yes or no>\fP
+Enable or disable whether IPv6 queries are answered or issued.
If disabled, queries are not answered on IPv6, and queries are not sent on
-IPv6 to the internet nameservers. With this option you can disable the
-IPv6 transport for sending DNS traffic, it does not impact the contents of
-the DNS traffic, which may have ip4 and ip6 addresses in it.
+IPv6 to the internet nameservers.
+With this option you can disable the IPv6 transport for sending DNS
+traffic, it does not impact the contents of the DNS traffic, which may have
+IPv4 (A) and IPv6 (AAAA) addresses in it.
+.sp
+Default: yes
+.UNINDENT
+.INDENT 0.0
.TP
-.B prefer\-ip4: \fI<yes or no>
+.B prefer\-ip4: \fI<yes or no>\fP
If enabled, prefer IPv4 transport for sending DNS queries to internet
-nameservers. Default is no. Useful if the IPv6 netblock the server has,
-the entire /64 of that is not owned by one operator and the reputation of
-the netblock /64 is an issue, using IPv4 then uses the IPv4 filters that
-the upstream servers have.
+nameservers.
+Useful if the IPv6 netblock the server has, the entire /64 of that is not
+owned by one operator and the reputation of the netblock /64 is an issue,
+using IPv4 then uses the IPv4 filters that the upstream servers have.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
.TP
-.B prefer\-ip6: \fI<yes or no>
+.B prefer\-ip6: \fI<yes or no>\fP
If enabled, prefer IPv6 transport for sending DNS queries to internet
-nameservers. Default is no.
-.TP
-.B do\-udp: \fI<yes or no>
-Enable or disable whether UDP queries are answered or issued. Default is yes.
-.TP
-.B do\-tcp: \fI<yes or no>
-Enable or disable whether TCP queries are answered or issued. Default is yes.
-.TP
-.B tcp\-mss: \fI<number>
-Maximum segment size (MSS) of TCP socket on which the server responds
-to queries. Value lower than common MSS on Ethernet
-(1220 for example) will address path MTU problem.
+nameservers.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B do\-udp: \fI<yes or no>\fP
+Enable or disable whether UDP queries are answered or issued.
+.sp
+Default: yes
+.UNINDENT
+.INDENT 0.0
+.TP
+.B do\-tcp: \fI<yes or no>\fP
+Enable or disable whether TCP queries are answered or issued.
+.sp
+Default: yes
+.UNINDENT
+.INDENT 0.0
+.TP
+.B tcp\-mss: \fI<number>\fP
+Maximum segment size (MSS) of TCP socket on which the server responds to
+queries.
+Value lower than common MSS on Ethernet (1220 for example) will address
+path MTU problem.
Note that not all platform supports socket option to set MSS (TCP_MAXSEG).
-Default is system default MSS determined by interface MTU and
-negotiation between server and client.
-.TP
-.B outgoing\-tcp\-mss: \fI<number>
-Maximum segment size (MSS) of TCP socket for outgoing queries
-(from Unbound to other servers). Value lower than
-common MSS on Ethernet (1220 for example) will address path MTU problem.
+Default is system default MSS determined by interface MTU and negotiation
+between server and client.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B outgoing\-tcp\-mss: \fI<number>\fP
+Maximum segment size (MSS) of TCP socket for outgoing queries (from Unbound
+to other servers).
+Value lower than common MSS on Ethernet (1220 for example) will address
+path MTU problem.
Note that not all platform supports socket option to set MSS (TCP_MAXSEG).
-Default is system default MSS determined by interface MTU and
-negotiation between Unbound and other servers.
+Default is system default MSS determined by interface MTU and negotiation
+between Unbound and other servers.
+.UNINDENT
+.INDENT 0.0
.TP
-.B tcp-idle-timeout: \fI<msec>\fR
+.B tcp\-idle\-timeout: \fI<msec>\fP
The period Unbound will wait for a query on a TCP connection.
If this timeout expires Unbound closes the connection.
-This option defaults to 30000 milliseconds.
-When the number of free incoming TCP buffers falls below 50% of the
-total number configured, the option value used is progressively
-reduced, first to 1% of the configured value, then to 0.2% of the
-configured value if the number of free buffers falls below 35% of the
-total number configured, and finally to 0 if the number of free buffers
-falls below 20% of the total number configured. A minimum timeout of
-200 milliseconds is observed regardless of the option value used.
-It will be overridden by \fBedns\-tcp\-keepalive\-timeout\fR if
-\fBedns\-tcp\-keepalive\fR is enabled.
-.TP
-.B tcp-reuse-timeout: \fI<msec>\fR
-The period Unbound will keep TCP persistent connections open to
-authority servers. This option defaults to 60000 milliseconds.
+When the number of free incoming TCP buffers falls below 50% of the total
+number configured, the option value used is progressively reduced, first to
+1% of the configured value, then to 0.2% of the configured value if the
+number of free buffers falls below 35% of the total number configured, and
+finally to 0 if the number of free buffers falls below 20% of the total
+number configured.
+A minimum timeout of 200 milliseconds is observed regardless of the option
+value used.
+It will be overridden by
+\fI\%edns\-tcp\-keepalive\-timeout\fP
+if
+\fI\%edns\-tcp\-keepalive\fP
+is enabled.
+.sp
+Default: 30000 (30 seconds)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B tcp\-reuse\-timeout: \fI<msec>\fP
+The period Unbound will keep TCP persistent connections open to authority
+servers.
+.sp
+Default: 60000 (60 seconds)
+.UNINDENT
+.INDENT 0.0
.TP
-.B max-reuse-tcp-queries: \fI<number>\fR
+.B max\-reuse\-tcp\-queries: \fI<number>\fP
The maximum number of queries that can be sent on a persistent TCP
connection.
-This option defaults to 200 queries.
+.sp
+Default: 200
+.UNINDENT
+.INDENT 0.0
.TP
-.B tcp-auth-query-timeout: \fI<number>\fR
+.B tcp\-auth\-query\-timeout: \fI<number>\fP
Timeout in milliseconds for TCP queries to auth servers.
-This option defaults to 3000 milliseconds.
-.TP
-.B edns-tcp-keepalive: \fI<yes or no>\fR
-Enable or disable EDNS TCP Keepalive. Default is no.
-.TP
-.B edns-tcp-keepalive-timeout: \fI<msec>\fR
-Overrides \fBtcp\-idle\-timeout\fR when \fBedns\-tcp\-keepalive\fR is enabled.
+.sp
+Default: 3000 (3 seconds)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B edns\-tcp\-keepalive: \fI<yes or no>\fP
+Enable or disable EDNS TCP Keepalive.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B edns\-tcp\-keepalive\-timeout: \fI<msec>\fP
+Overrides
+\fI\%tcp\-idle\-timeout\fP
+when
+\fI\%edns\-tcp\-keepalive\fP
+is enabled.
If the client supports the EDNS TCP Keepalive option,
-Unbound sends the timeout value to the client to encourage it to
-close the connection before the server times out.
-This option defaults to 120000 milliseconds.
+If the client supports the EDNS TCP Keepalive option, Unbound sends the
+timeout value to the client to encourage it to close the connection before
+the server times out.
+.sp
+Default: 120000 (2 minutes)
+.UNINDENT
+.INDENT 0.0
.TP
-.B sock\-queue\-timeout: \fI<sec>\fR
+.B sock\-queue\-timeout: \fI<sec>\fP
UDP queries that have waited in the socket buffer for a long time can be
-dropped. Default is 0, disabled. The time is set in seconds, 3 could be a
-good value to ignore old queries that likely the client does not need a reply
-for any more. This could happen if the host has not been able to service
-the queries for a while, i.e. Unbound is not running, and then is enabled
-again. It uses timestamp socket options.
+dropped.
+The time is set in seconds, 3 could be a good value to ignore old queries
+that likely the client does not need a reply for any more.
+This could happen if the host has not been able to service the queries for
+a while, i.e. Unbound is not running, and then is enabled again.
+It uses timestamp socket options.
+The socket option is available on the Linux and FreeBSD platforms.
+.sp
+Default: 0 (disabled)
+.UNINDENT
+.INDENT 0.0
.TP
-.B tcp\-upstream: \fI<yes or no>
+.B tcp\-upstream: \fI<yes or no>\fP
Enable or disable whether the upstream queries use TCP only for transport.
-Default is no. Useful in tunneling scenarios. If set to no you can specify
-TCP transport only for selected forward or stub zones using forward-tcp-upstream
-or stub-tcp-upstream respectively.
-.TP
-.B udp\-upstream\-without\-downstream: \fI<yes or no>
-Enable udp upstream even if do-udp is no. Default is no, and this does not
-change anything. Useful for TLS service providers, that want no udp downstream
-but use udp to fetch data upstream.
+Useful in tunneling scenarios.
+If set to no you can specify TCP transport only for selected forward or
+stub zones using
+\fI\%forward\-tcp\-upstream\fP or
+\fI\%stub\-tcp\-upstream\fP
+respectively.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B udp\-upstream\-without\-downstream: \fI<yes or no>\fP
+Enable UDP upstream even if \fI\%do\-udp: no\fP is set.
+Useful for TLS service providers, that want no UDP downstream but use UDP
+to fetch data upstream.
+.sp
+Default: no (no changes)
+.UNINDENT
+.INDENT 0.0
.TP
-.B tls\-upstream: \fI<yes or no>
+.B tls\-upstream: \fI<yes or no>\fP
Enabled or disable whether the upstream queries use TLS only for transport.
-Default is no. Useful in tunneling scenarios. The TLS contains plain DNS in
-TCP wireformat. The other server must support this (see
-\fBtls\-service\-key\fR).
-If you enable this, also configure a tls\-cert\-bundle or use tls\-win\-cert or
-tls\-system\-cert to load CA certs, otherwise the connections cannot be
-authenticated. This option enables TLS for all of them, but if you do not set
-this you can configure TLS specifically for some forward zones with
-forward\-tls\-upstream. And also with stub\-tls\-upstream.
-If the tls\-upstream option is enabled, it is for all the forwards and stubs,
-where the forward\-tls\-upstream and stub\-tls\-upstream options are ignored,
-as if they had been set to yes.
-.TP
-.B ssl\-upstream: \fI<yes or no>
-Alternate syntax for \fBtls\-upstream\fR. If both are present in the config
-file the last is used.
-.TP
-.B tls\-service\-key: \fI<file>
-If enabled, the server provides DNS-over-TLS or DNS-over-HTTPS service on the
-TCP ports marked implicitly or explicitly for these services with tls\-port or
-https\-port. The file must contain the private key for the TLS session, the
-public certificate is in the tls\-service\-pem file and it must also be
-specified if tls\-service\-key is specified. The default is "", turned off.
-Enabling or disabling this service requires a restart (a reload is not enough),
-because the key is read while root permissions are held and before chroot (if any).
-The ports enabled implicitly or explicitly via \fBtls\-port:\fR and
-\fBhttps\-port:\fR do not provide normal DNS TCP service. Unbound needs to be
-compiled with libnghttp2 in order to provide DNS-over-HTTPS.
-.TP
-.B ssl\-service\-key: \fI<file>
-Alternate syntax for \fBtls\-service\-key\fR.
-.TP
-.B tls\-service\-pem: \fI<file>
-The public key certificate pem file for the tls service. Default is "",
-turned off.
-.TP
-.B ssl\-service\-pem: \fI<file>
-Alternate syntax for \fBtls\-service\-pem\fR.
-.TP
-.B tls\-port: \fI<number>
-The port number on which to provide TCP TLS service, default 853, only
-interfaces configured with that port number as @number get the TLS service.
-.TP
-.B ssl\-port: \fI<number>
-Alternate syntax for \fBtls\-port\fR.
-.TP
-.B tls\-cert\-bundle: \fI<file>
-If null or "", no file is used. Set it to the certificate bundle file,
-for example "/etc/pki/tls/certs/ca\-bundle.crt". These certificates are used
-for authenticating connections made to outside peers. For example auth\-zone
-urls, and also DNS over TLS connections. It is read at start up before
-permission drop and chroot.
-.TP
-.B ssl\-cert\-bundle: \fI<file>
-Alternate syntax for \fBtls\-cert\-bundle\fR.
-.TP
-.B tls\-win\-cert: \fI<yes or no>
-Add the system certificates to the cert bundle certificates for authentication.
-If no cert bundle, it uses only these certificates. Default is no.
-On windows this option uses the certificates from the cert store. Use
-the tls\-cert\-bundle option on other systems. On other systems, this option
-enables the system certificates.
-.TP
-.B tls\-system\-cert: \fI<yes or no>
-This the same setting as the tls\-win\-cert setting, under a different name.
+Useful in tunneling scenarios.
+The TLS contains plain DNS in TCP wireformat.
+The other server must support this (see
+\fI\%tls\-service\-key\fP).
+.sp
+If you enable this, also configure a
+\fI\%tls\-cert\-bundle\fP or use
+\fI\%tls\-win\-cert\fP or
+\fI\%tls\-system\-cert\fP to load CA certs,
+otherwise the connections cannot be authenticated.
+.sp
+This option enables TLS for all of them, but if you do not set this you can
+configure TLS specifically for some forward zones with
+\fI\%forward\-tls\-upstream\fP\&.
+And also with
+\fI\%stub\-tls\-upstream\fP\&.
+If the
+\fI\%tls\-upstream\fP
+option is enabled, it is for all the forwards and stubs, where the
+\fI\%forward\-tls\-upstream\fP
+and
+\fI\%stub\-tls\-upstream\fP
+options are ignored, as if they had been set to yes.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ssl\-upstream: \fI<yes or no>\fP
+Alternate syntax for \fI\%tls\-upstream\fP\&.
+If both are present in the config file the last is used.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B tls\-service\-key: \fI<file>\fP
+If enabled, the server provides DNS\-over\-TLS or DNS\-over\-HTTPS service on
+the TCP ports marked implicitly or explicitly for these services with
+\fI\%tls\-port\fP or
+\fI\%https\-port\fP\&.
+The file must contain the private key for the TLS session, the public
+certificate is in the \fI\%tls\-service\-pem\fP
+file and it must also be specified if
+\fI\%tls\-service\-key\fP is specified.
+Enabling or disabling this service requires a restart (a reload is not
+enough), because the key is read while root permissions are held and before
+chroot (if any).
+The ports enabled implicitly or explicitly via
+\fI\%tls\-port\fP and
+\fI\%https\-port\fP do not provide normal DNS TCP
+service.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Unbound needs to be compiled with libnghttp2 in order to provide
+DNS\-over\-HTTPS.
+.UNINDENT
+.UNINDENT
+.sp
+Default: \(dq\(dq (disabled)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ssl\-service\-key: \fI<file>\fP
+Alternate syntax for \fI\%tls\-service\-key\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B tls\-service\-pem: \fI<file>\fP
+The public key certificate pem file for the tls service.
+.sp
+Default: \(dq\(dq (disabled)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ssl\-service\-pem: \fI<file>\fP
+Alternate syntax for \fI\%tls\-service\-pem\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B tls\-port: \fI<number>\fP
+The port number on which to provide TCP TLS service.
+Only interfaces configured with that port number as @number get the TLS
+service.
+.sp
+Default: 853
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ssl\-port: \fI<number>\fP
+Alternate syntax for \fI\%tls\-port\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B tls\-cert\-bundle: \fI<file>\fP
+If null or \fB\(dq\(dq\fP, no file is used.
+Set it to the certificate bundle file, for example
+\fB/etc/pki/tls/certs/ca\-bundle.crt\fP\&.
+These certificates are used for authenticating connections made to outside
+peers.
+For example \fI\%auth\-zone urls\fP, and also
+DNS\-over\-TLS connections.
+It is read at start up before permission drop and chroot.
+.sp
+Default: \(dq\(dq (disabled)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ssl\-cert\-bundle: \fI<file>\fP
+Alternate syntax for \fI\%tls\-cert\-bundle\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B tls\-win\-cert: \fI<yes or no>\fP
+Add the system certificates to the cert bundle certificates for
+authentication.
+If no cert bundle, it uses only these certificates.
+On windows this option uses the certificates from the cert store.
+Use the \fI\%tls\-cert\-bundle\fP option on
+other systems.
+On other systems, this option enables the system certificates.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B tls\-system\-cert: \fI<yes or no>\fP
+This the same attribute as the
+\fI\%tls\-win\-cert\fP attribute, under a
+different name.
Because it is not windows specific.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B tls\-additional\-port: \fI<portnr>\fP
+List port numbers as
+\fI\%tls\-additional\-port\fP, and when
+interfaces are defined, eg. with the @port suffix, as this port number,
+they provide DNS\-over\-TLS service.
+Can list multiple, each on a new statement.
+.UNINDENT
+.INDENT 0.0
.TP
-.B tls\-additional\-port: \fI<portnr>
-List portnumbers as tls\-additional\-port, and when interfaces are defined,
-eg. with the @port suffix, as this port number, they provide dns over TLS
-service. Can list multiple, each on a new statement.
-.TP
-.B tls-session-ticket-keys: \fI<file>
-If not "", lists files with 80 bytes of random contents that are used to
-perform TLS session resumption for clients using the Unbound server.
+.B tls\-session\-ticket\-keys: \fI<file>\fP
+If not \fB\(dq\(dq\fP, lists files with 80 bytes of random contents that are used
+to perform TLS session resumption for clients using the Unbound server.
These files contain the secret key for the TLS session tickets.
First key use to encrypt and decrypt TLS session tickets.
-Other keys use to decrypt only. With this you can roll over to new keys,
-by generating a new first file and allowing decrypt of the old file by
-listing it after the first file for some time, after the wait clients are not
-using the old key any more and the old key can be removed.
-One way to create the file is dd if=/dev/random bs=1 count=80 of=ticket.dat
-The first 16 bytes should be different from the old one if you create a second key, that is the name used to identify the key. Then there is 32 bytes random
-data for an AES key and then 32 bytes random data for the HMAC key.
-.TP
-.B tls\-ciphers: \fI<string with cipher list>
-Set the list of ciphers to allow when serving TLS. Use "" for defaults,
-and that is the default.
-.TP
-.B tls\-ciphersuites: \fI<string with ciphersuites list>
-Set the list of ciphersuites to allow when serving TLS. This is for newer
-TLS 1.3 connections. Use "" for defaults, and that is the default.
+Other keys use to decrypt only.
+.sp
+With this you can roll over to new keys, by generating a new first file and
+allowing decrypt of the old file by listing it after the first file for
+some time, after the wait clients are not using the old key any more and
+the old key can be removed.
+One way to create the file is:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+dd if=/dev/random bs=1 count=80 of=ticket.dat
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The first 16 bytes should be different from the old one if you create a
+second key, that is the name used to identify the key.
+Then there is 32 bytes random data for an AES key and then 32 bytes random
+data for the HMAC key.
+.sp
+Default: \(dq\(dq
+.UNINDENT
+.INDENT 0.0
+.TP
+.B tls\-ciphers: \fI<string with cipher list>\fP
+Set the list of ciphers to allow when serving TLS.
+Use \fB\(dq\(dq\fP for default ciphers.
+.sp
+Default: \(dq\(dq
+.UNINDENT
+.INDENT 0.0
+.TP
+.B tls\-ciphersuites: \fI<string with ciphersuites list>\fP
+Set the list of ciphersuites to allow when serving TLS.
+This is for newer TLS 1.3 connections.
+Use \fB\(dq\(dq\fP for default ciphersuites.
+.sp
+Default: \(dq\(dq
+.UNINDENT
+.INDENT 0.0
.TP
-.B pad\-responses: \fI<yes or no>
+.B pad\-responses: \fI<yes or no>\fP
If enabled, TLS serviced queries that contained an EDNS Padding option will
cause responses padded to the closest multiple of the size specified in
-\fBpad\-responses\-block\-size\fR.
-Default is yes.
-.TP
-.B pad\-responses\-block\-size: \fI<number>
-The block size with which to pad responses serviced over TLS. Only responses
-to padded queries will be padded.
-Default is 468.
-.TP
-.B pad\-queries: \fI<yes or no>
-If enabled, all queries sent over TLS upstreams will be padded to the closest
-multiple of the size specified in \fBpad\-queries\-block\-size\fR.
-Default is yes.
+\fI\%pad\-responses\-block\-size\fP\&.
+.sp
+Default: yes
+.UNINDENT
+.INDENT 0.0
+.TP
+.B pad\-responses\-block\-size: \fI<number>\fP
+The block size with which to pad responses serviced over TLS.
+Only responses to padded queries will be padded.
+.sp
+Default: 468
+.UNINDENT
+.INDENT 0.0
+.TP
+.B pad\-queries: \fI<yes or no>\fP
+If enabled, all queries sent over TLS upstreams will be padded to the
+closest multiple of the size specified in
+\fI\%pad\-queries\-block\-size\fP\&.
+.sp
+Default: yes
+.UNINDENT
+.INDENT 0.0
.TP
-.B pad\-queries\-block\-size: \fI<number>
+.B pad\-queries\-block\-size: \fI<number>\fP
The block size with which to pad queries sent over TLS upstreams.
-Default is 128.
+.sp
+Default: 128
+.UNINDENT
+.INDENT 0.0
.TP
-.B tls\-use\-sni: \fI<yes or no>
+.B tls\-use\-sni: \fI<yes or no>\fP
Enable or disable sending the SNI extension on TLS connections.
-Default is yes.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
Changing the value requires a reload.
+.UNINDENT
+.UNINDENT
+.sp
+Default: yes
+.UNINDENT
+.INDENT 0.0
+.TP
+.B https\-port: \fI<number>\fP
+The port number on which to provide DNS\-over\-HTTPS service.
+Only interfaces configured with that port number as @number get the HTTPS
+service.
+.sp
+Default: 443
+.UNINDENT
+.INDENT 0.0
+.TP
+.B http\-endpoint: \fI<endpoint string>\fP
+The HTTP endpoint to provide DNS\-over\-HTTPS service on.
+.sp
+Default: /dns\-query
+.UNINDENT
+.INDENT 0.0
.TP
-.B https\-port: \fI<number>
-The port number on which to provide DNS-over-HTTPS service, default 443, only
-interfaces configured with that port number as @number get the HTTPS service.
-.TP
-.B http\-endpoint: \fI<endpoint string>
-The HTTP endpoint to provide DNS-over-HTTPS service on. Default "/dns-query".
-.TP
-.B http\-max\-streams: \fI<number of streams>
+.B http\-max\-streams: \fI<number of streams>\fP
Number used in the SETTINGS_MAX_CONCURRENT_STREAMS parameter in the HTTP/2
-SETTINGS frame for DNS-over-HTTPS connections. Default 100.
-.TP
-.B http\-query\-buffer\-size: \fI<size in bytes>
-Maximum number of bytes used for all HTTP/2 query buffers combined. These
-buffers contain (partial) DNS queries waiting for request stream completion.
-An RST_STREAM frame will be send to streams exceeding this limit. Default is 4
-megabytes. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes,
-megabytes or gigabytes (1024*1024 bytes in a megabyte).
-.TP
-.B http\-response\-buffer\-size: \fI<size in bytes>
-Maximum number of bytes used for all HTTP/2 response buffers combined. These
-buffers contain DNS responses waiting to be written back to the clients.
-An RST_STREAM frame will be send to streams exceeding this limit. Default is 4
-megabytes. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes,
-megabytes or gigabytes (1024*1024 bytes in a megabyte).
-.TP
-.B http\-nodelay: \fI<yes or no>
-Set TCP_NODELAY socket option on sockets used to provide DNS-over-HTTPS service.
-Ignored if the option is not available. Default is yes.
-.TP
-.B http\-notls\-downstream: \fI<yes or no>
-Disable use of TLS for the downstream DNS-over-HTTP connections. Useful for
-local back end servers. Default is no.
-.TP
-.B proxy\-protocol\-port: \fI<portnr>
-List port numbers as proxy\-protocol\-port, and when interfaces are defined,
-eg. with the @port suffix, as this port number, they support and expect PROXYv2.
-In this case the proxy address will only be used for the network communication
-and initial ACL (check if the proxy itself is denied/refused by configuration).
-The proxied address (if any) will then be used as the true client address and
-will be used where applicable for logging, ACL, DNSTAP, RPZ and IP ratelimiting.
+SETTINGS frame for DNS\-over\-HTTPS connections.
+.sp
+Default: 100
+.UNINDENT
+.INDENT 0.0
+.TP
+.B http\-query\-buffer\-size: \fI<size in bytes>\fP
+Maximum number of bytes used for all HTTP/2 query buffers combined.
+These buffers contain (partial) DNS queries waiting for request stream
+completion.
+An RST_STREAM frame will be send to streams exceeding this limit.
+A plain number is in bytes, append \(aqk\(aq, \(aqm\(aq or \(aqg\(aq for kilobytes, megabytes
+or gigabytes (1024*1024 bytes in a megabyte).
+.sp
+Default: 4m
+.UNINDENT
+.INDENT 0.0
+.TP
+.B http\-response\-buffer\-size: \fI<size in bytes>\fP
+Maximum number of bytes used for all HTTP/2 response buffers combined.
+These buffers contain DNS responses waiting to be written back to the
+clients.
+An RST_STREAM frame will be send to streams exceeding this limit.
+A plain number is in bytes, append \(aqk\(aq, \(aqm\(aq or \(aqg\(aq for kilobytes, megabytes
+or gigabytes (1024*1024 bytes in a megabyte).
+.sp
+Default: 4m
+.UNINDENT
+.INDENT 0.0
+.TP
+.B http\-nodelay: \fI<yes or no>\fP
+Set TCP_NODELAY socket option on sockets used to provide DNS\-over\-HTTPS
+service.
+Ignored if the option is not available.
+.sp
+Default: yes
+.UNINDENT
+.INDENT 0.0
+.TP
+.B http\-notls\-downstream: \fI<yes or no>\fP
+Disable use of TLS for the downstream DNS\-over\-HTTP connections.
+Useful for local back end servers.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B proxy\-protocol\-port: \fI<portnr>\fP
+List port numbers as
+\fI\%proxy\-protocol\-port\fP, and when
+interfaces are defined, eg. with the @port suffix, as this port number,
+they support and expect PROXYv2.
+.sp
+In this case the proxy address will only be used for the network
+communication and initial ACL (check if the proxy itself is denied/refused
+by configuration).
+.sp
+The proxied address (if any) will then be used as the true client address
+and will be used where applicable for logging, ACL, DNSTAP, RPZ and IP
+ratelimiting.
+.sp
PROXYv2 is supported for UDP and TCP/TLS listening interfaces.
+.sp
There is no support for PROXYv2 on a DoH, DoQ or DNSCrypt listening interface.
+.sp
Can list multiple, each on a new statement.
+.UNINDENT
+.INDENT 0.0
.TP
-.B quic\-port: \fI<number>
-The port number on which to provide DNS-over-QUIC service, default 853, only
-interfaces configured with that port number as @number get the QUIC service.
+.B quic\-port: \fI<number>\fP
+The port number on which to provide DNS\-over\-QUIC service.
+Only interfaces configured with that port number as @number get the QUIC
+service.
The interface uses QUIC for the UDP traffic on that port number.
+.sp
+Default: 853
+.UNINDENT
+.INDENT 0.0
+.TP
+.B quic\-size: \fI<size in bytes>\fP
+Maximum number of bytes for all QUIC buffers and data combined.
+A plain number is in bytes, append \(aqk\(aq, \(aqm\(aq or \(aqg\(aq for kilobytes, megabytes
+or gigabytes (1024*1024 bytes in a megabyte).
+New connections receive connection refused when the limit is exceeded.
+New streams are reset when the limit is exceeded.
+.sp
+Default: 8m
+.UNINDENT
+.INDENT 0.0
.TP
-.B quic\-size: \fI<size in bytes>
-Maximum number of bytes for all QUIC buffers and data combined. Default is 8
-megabytes. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes,
-megabytes or gigabytes (1024*1024 bytes in a megabyte). New connections receive
-connection refused when the limit is exceeded. New streams are reset when the
-limit is exceeded.
-.TP
-.B use\-systemd: \fI<yes or no>
+.B use\-systemd: \fI<yes or no>\fP
Enable or disable systemd socket activation.
-Default is no.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B do\-daemonize: \fI<yes or no>\fP
+Enable or disable whether the Unbound server forks into the background as a
+daemon.
+Set the value to no when Unbound runs as systemd service.
+.sp
+Default: yes
+.UNINDENT
+.INDENT 0.0
.TP
-.B do\-daemonize: \fI<yes or no>
-Enable or disable whether the Unbound server forks into the background as
-a daemon. Set the value to \fIno\fR when Unbound runs as systemd service.
-Default is yes.
-.TP
-.B tcp\-connection\-limit: \fI<IP netblock> <limit>
-Allow up to \fIlimit\fR simultaneous TCP connections from the given netblock.
+.B tcp\-connection\-limit: \fI<IP netblock> <limit>\fP
+Allow up to limit simultaneous TCP connections from the given netblock.
When at the limit, further connections are accepted but closed immediately.
This option is experimental at this time.
+.sp
+Default: (disabled)
+.UNINDENT
+.INDENT 0.0
.TP
-.B access\-control: \fI<IP netblock> <action>
+.B access\-control: \fI<IP netblock> <action>\fP
Specify treatment of incoming queries from their originating IP address.
Queries can be allowed to have access to this server that gives DNS
-answers, or refused, with other actions possible. The IP address range
-can be specified as a netblock, it is possible to give the statement
-several times in order to specify the treatment of different netblocks.
-.IP
-The netblock is given as an IP4 or IP6 address with /size appended for a
-classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
-\fIallow\fR, \fIallow_setrd\fR, \fIallow_snoop\fR, \fIallow_cookie\fR,
-\fIdeny_non_local\fR or \fIrefuse_non_local\fR.
-The most specific netblock match is used, if none match \fIrefuse\fR is used.
+answers, or refused, with other actions possible.
+The IP address range can be specified as a netblock, it is possible to give
+the statement several times in order to specify the treatment of different
+netblocks.
+The netblock is given as an IPv4 or IPv6 address with /size appended for a
+classless network block.
+The most specific netblock match is used, if none match
+\fI\%refuse\fP is used.
The order of the access\-control statements therefore does not matter.
-.IP
-The \fIdeny\fR action stops queries from hosts from that netblock.
-.IP
-The \fIrefuse\fR action stops queries too, but sends a DNS rcode REFUSED
-error message back.
-.IP
-The \fIallow\fR action gives access to clients from that netblock.
-It gives only access for recursion clients (which is
-what almost all clients need). Nonrecursive queries are refused.
-.IP
-The \fIallow\fR action does allow nonrecursive queries to access the
-local\-data that is configured. The reason is that this does not involve
-the Unbound server recursive lookup algorithm, and static data is served
-in the reply. This supports normal operations where nonrecursive queries
-are made for the authoritative data. For nonrecursive queries any replies
-from the dynamic cache are refused.
-.IP
-The \fIallow_setrd\fR action ignores the recursion desired (RD) bit and
-treats all requests as if the recursion desired bit is set. Note that this
-behavior violates RFC 1034 which states that a name server should never perform
-recursive service unless asked via the RD bit since this interferes with
-trouble shooting of name servers and their databases. This prohibited behavior
-may be useful if another DNS server must forward requests for specific
-zones to a resolver DNS server, but only supports stub domains and
-sends queries to the resolver DNS server with the RD bit cleared.
-.IP
-The \fIallow_snoop\fR action gives nonrecursive access too. This give
-both recursive and non recursive access. The name \fIallow_snoop\fR refers
-to cache snooping, a technique to use nonrecursive queries to examine
-the cache contents (for malicious acts). However, nonrecursive queries can
-also be a valuable debugging tool (when you want to examine the cache
-contents). In that case use \fIallow_snoop\fR for your administration host.
-.IP
-The \fIallow_cookie\fR action allows access only to UDP queries that contain a
-valid DNS Cookie as specified in RFC 7873 and RFC 9018, when the
-\fBanswer\-cookie\fR option is enabled.
-UDP queries containing only a DNS Client Cookie and no Server Cookie, or an
-invalid DNS Cookie, will receive a BADCOOKIE response including a newly
-generated DNS Cookie, allowing clients to retry with that DNS Cookie.
-The \fIallow_cookie\fR action will also accept requests over stateful
-transports, regardless of the presence of an DNS Cookie and regardless of the
-\fBanswer\-cookie\fR setting.
-UDP queries without a DNS Cookie receive REFUSED responses with the TC flag set,
-that may trigger fall back to TCP for those clients.
-.IP
+The action can be
+\fI\%deny\fP,
+\fI\%refuse\fP,
+\fI\%allow\fP,
+\fI\%allow_setrd\fP,
+\fI\%allow_snoop\fP,
+\fI\%allow_cookie\fP,
+\fI\%deny_non_local\fP or
+\fI\%refuse_non_local\fP\&.
+.INDENT 7.0
+.TP
+.B deny
+Stops queries from hosts from that netblock.
+.UNINDENT
+.INDENT 7.0
+.TP
+.B refuse
+Stops queries too, but sends a DNS rcode REFUSED error message back.
+.UNINDENT
+.INDENT 7.0
+.TP
+.B allow
+Gives access to clients from that netblock.
+It gives only access for recursion clients (which is what almost all
+clients need).
+Non\-recursive queries are refused.
+.sp
+The \fI\%allow\fP action does
+allow non\-recursive queries to access the local\-data that is
+configured.
+The reason is that this does not involve the Unbound server recursive
+lookup algorithm, and static data is served in the reply.
+This supports normal operations where non\-recursive queries are made
+for the authoritative data.
+For non\-recursive queries any replies from the dynamic cache are
+refused.
+.UNINDENT
+.INDENT 7.0
+.TP
+.B allow_setrd
+Ignores the recursion desired (RD) bit and treats all requests as if
+the recursion desired bit is set.
+.sp
+Note that this behavior violates \fI\%RFC 1034\fP which states that a name
+server should never perform recursive service unless asked via the RD
+bit since this interferes with trouble shooting of name servers and
+their databases.
+This prohibited behavior may be useful if another DNS server must
+forward requests for specific zones to a resolver DNS server, but only
+supports stub domains and sends queries to the resolver DNS server with
+the RD bit cleared.
+.UNINDENT
+.INDENT 7.0
+.TP
+.B allow_snoop
+Gives non\-recursive access too.
+This gives both recursive and non recursive access.
+The name \fIallow_snoop\fP refers to cache snooping, a technique to use
+non\-recursive queries to examine the cache contents (for malicious
+acts).
+However, non\-recursive queries can also be a valuable debugging tool
+(when you want to examine the cache contents).
+.sp
+In that case use
+\fI\%allow_snoop\fP for
+your administration host.
+.UNINDENT
+.INDENT 7.0
+.TP
+.B allow_cookie
+Allows access only to UDP queries that contain a valid DNS Cookie as
+specified in RFC 7873 and RFC 9018, when the
+\fI\%answer\-cookie\fP option is enabled.
+UDP queries containing only a DNS Client Cookie and no Server Cookie,
+or an invalid DNS Cookie, will receive a BADCOOKIE response including a
+newly generated DNS Cookie, allowing clients to retry with that DNS
+Cookie.
+The \fIallow_cookie\fP action will also accept requests over stateful
+transports, regardless of the presence of an DNS Cookie and regardless
+of the \fI\%answer\-cookie\fP setting.
+UDP queries without a DNS Cookie receive REFUSED responses with the TC
+flag set, that may trigger fall back to TCP for those clients.
+.UNINDENT
+.INDENT 7.0
+.TP
+.B deny_non_local
+The
+\fI\%deny_non_local\fP
+action is for hosts that are only allowed to query for the
+authoritative \fI\%local\-data\fP, they are not
+allowed full recursion but only the static data.
+Messages that are disallowed are dropped.
+.UNINDENT
+.INDENT 7.0
+.TP
+.B refuse_non_local
+The
+\fI\%refuse_non_local\fP
+action is for hosts that are only allowed to query for the
+authoritative \fI\%local\-data\fP, they are not
+allowed full recursion but only the static data.
+Messages that are disallowed receive error code REFUSED.
+.UNINDENT
+.sp
By default only localhost (the 127.0.0.0/8 IP netblock, not the loopback
-interface) is implicitly \fIallow\fRed, the rest is \fIrefuse\fRd.
-The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
-protocol is not designed to handle dropped packets due to policy, and
-dropping may result in (possibly excessive) retried queries.
-.IP
-The deny_non_local and refuse_non_local settings are for hosts that are
-only allowed to query for the authoritative local\-data, they are not
-allowed full recursion but only the static data. With deny_non_local,
-messages that are disallowed are dropped, with refuse_non_local they
-receive error code REFUSED.
-.TP
-.B access\-control\-tag: \fI<IP netblock> <"list of tags">
-Assign tags to access-control elements. Clients using this access control
-element use localzones that are tagged with one of these tags. Tags must be
-defined in \fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put
-spaces between tags. If access\-control\-tag is configured for a netblock that
-does not have an access\-control, an access\-control element with action
-\fIallow\fR is configured for this netblock.
-.TP
-.B access\-control\-tag\-action: \fI<IP netblock> <tag> <action>
-Set action for particular tag for given access control element. If you have
-multiple tag values, the tag used to lookup the action is the first tag match
-between access\-control\-tag and local\-zone\-tag where "first" comes from the
-order of the define-tag values.
+interface) is implicitly \fIallowed\fP, the rest is refused.
+The default is \fIrefused\fP, because that is protocol\-friendly.
+The DNS protocol is not designed to handle dropped packets due to policy,
+and dropping may result in (possibly excessive) retried queries.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B access\-control\-tag: \fI<IP netblock> \(dq<list of tags>\(dq\fP
+Assign tags to \fI\%access\-control\fP
+elements.
+Clients using this access control element use localzones that are tagged
+with one of these tags.
+.sp
+Tags must be defined in \fI\%define\-tag\fP\&.
+Enclose list of tags in quotes (\fB\(dq\(dq\fP) and put spaces between tags.
+.sp
+If \fI\%access\-control\-tag\fP is
+configured for a netblock that does not have an
+\fI\%access\-control\fP, an access\-control
+element with action \fI\%allow\fP
+is configured for this netblock.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B access\-control\-tag\-action: \fI<IP netblock> <tag> <action>\fP
+Set action for particular tag for given access control element.
+If you have multiple tag values, the tag used to lookup the action is the
+first tag match between
+\fI\%access\-control\-tag\fP and
+\fI\%local\-zone\-tag\fP where \(dqfirst\(dq comes
+from the order of the \fI\%define\-tag\fP values.
+.UNINDENT
+.INDENT 0.0
.TP
-.B access\-control\-tag\-data: \fI<IP netblock> <tag> <"resource record string">
+.B access\-control\-tag\-data: \fI<IP netblock> <tag> \(dq<resource record string>\(dq\fP
Set redirect data for particular tag for given access control element.
+.UNINDENT
+.INDENT 0.0
.TP
-.B access\-control\-view: \fI<IP netblock> <view name>
+.B access\-control\-view: \fI<IP netblock> <view name>\fP
Set view for given access control element.
+.UNINDENT
+.INDENT 0.0
.TP
-.B interface\-action: \fI<ip address or interface name [@port]> <action>
-Similar to \fBaccess\-control:\fR but for interfaces.
-.IP
-The action is the same as the ones defined under \fBaccess\-control:\fR.
-Interfaces are \fIrefuse\fRd by default.
+.B interface\-action: \fI<ip address or interface name [@port]> <action>\fP
+Similar to \fI\%access\-control\fP but for
+interfaces.
+.sp
+The action is the same as the ones defined under
+\fI\%access\-control\fP\&.
+.sp
+Default action for interfaces is
+\fI\%refuse\fP\&.
By default only localhost (the 127.0.0.0/8 IP netblock, not the loopback
-interface) is implicitly \fIallow\fRed through the default
-\fBaccess\-control:\fR behavior.
-This also means that any attempt to use the \fBinterface-*:\fR options for the
-loopback interface will not work as they will be overridden by the implicit
-default "\fBaccess\-control:\fR 127.0.0.0/8 allow" option.
-.IP
-Note that the interface needs to be already specified with \fBinterface:\fR
-and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
-settings for targeted clients.
-.TP
-.B interface\-tag: \fI<ip address or interface name [@port]> <"list of tags">
-Similar to \fBaccess\-control-tag:\fR but for interfaces.
-.IP
-Note that the interface needs to be already specified with \fBinterface:\fR
-and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
-settings for targeted clients.
-.TP
-.B interface\-tag\-action: \fI<ip address or interface name [@port]> <tag> <action>
-Similar to \fBaccess\-control-tag-action:\fR but for interfaces.
-.IP
-Note that the interface needs to be already specified with \fBinterface:\fR
-and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
-settings for targeted clients.
-.TP
-.B interface\-tag\-data: \fI<ip address or interface name [@port]> <tag> <"resource record string">
-Similar to \fBaccess\-control-tag-data:\fR but for interfaces.
-.IP
-Note that the interface needs to be already specified with \fBinterface:\fR
-and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
-settings for targeted clients.
-.TP
-.B interface\-view: \fI<ip address or interface name [@port]> <view name>
-Similar to \fBaccess\-control-view:\fR but for interfaces.
-.IP
-Note that the interface needs to be already specified with \fBinterface:\fR
-and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
-settings for targeted clients.
-.TP
-.B chroot: \fI<directory>
-If chroot is enabled, you should pass the configfile (from the
-commandline) as a full path from the original root. After the
-chroot has been performed the now defunct portion of the config
+interface) is implicitly allowed through the default
+\fI\%access\-control\fP behavior.
+This also means that any attempt to use the \fBinterface\-*:\fP options for
+the loopback interface will not work as they will be overridden by the
+implicit default \(dqaccess\-control: 127.0.0.0/8 allow\(dq option.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+The interface needs to be already specified with
+\fI\%interface\fP and that any
+\fBaccess\-control*:\fP attribute overrides all \fBinterface\-*:\fP
+attributes for targeted clients.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B interface\-tag: \fI<ip address or interface name [@port]> <\(dqlist of tags\(dq>\fP
+Similar to \fI\%access\-control\-tag\fP but
+for interfaces.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+The interface needs to be already specified with
+\fI\%interface\fP and that any
+\fBaccess\-control*:\fP attribute overrides all \fBinterface\-*:\fP
+attributes for targeted clients.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B interface\-tag\-action: \fI<ip address or interface name [@port]> <tag> <action>\fP
+Similar to
+\fI\%access\-control\-tag\-action\fP
+but for interfaces.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+The interface needs to be already specified with
+\fI\%interface\fP and that any
+\fBaccess\-control*:\fP attribute overrides all \fBinterface\-*:\fP
+attributes for targeted clients.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B interface\-tag\-data: \fI<ip address or interface name [@port]> <tag> <\(dqresource record string\(dq>\fP
+Similar to
+\fI\%access\-control\-tag\-data\fP but
+for interfaces.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+The interface needs to be already specified with
+\fI\%interface\fP and that any
+\fBaccess\-control*:\fP attribute overrides all \fBinterface\-*:\fP
+attributes for targeted clients.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B interface\-view: \fI<ip address or interface name [@port]> <view name>\fP
+Similar to \fI\%access\-control\-view\fP
+but for interfaces.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+The interface needs to be already specified with
+\fI\%interface\fP and that any
+\fBaccess\-control*:\fP attribute overrides all \fBinterface\-*:\fP
+attributes for targeted clients.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B chroot: \fI<directory>\fP
+If \fI\%chroot\fP is enabled, you should pass the
+configfile (from the commandline) as a full path from the original root.
+After the chroot has been performed the now defunct portion of the config
file path is removed to be able to reread the config after a reload.
-.IP
-All other file paths (working dir, logfile, roothints, and
-key files) can be specified in several ways:
-as an absolute path relative to the new root,
-as a relative path to the working directory, or
-as an absolute path relative to the original root.
+.sp
+All other file paths (working dir, logfile, roothints, and key files) can
+be specified in several ways: as an absolute path relative to the new root,
+as a relative path to the working directory, or as an absolute path
+relative to the original root.
In the last case the path is adjusted to remove the unused portion.
-.IP
-The pidfile can be either a relative path to the working directory, or
-an absolute path relative to the original root. It is written just prior
-to chroot and dropping permissions. This allows the pidfile to be
-/var/run/unbound.pid and the chroot to be /var/unbound, for example. Note that
-Unbound is not able to remove the pidfile after termination when it is located
-outside of the chroot directory.
-.IP
-Additionally, Unbound may need to access /dev/urandom (for entropy)
+.sp
+The pidfile can be either a relative path to the working directory, or an
+absolute path relative to the original root.
+It is written just prior to chroot and dropping permissions.
+This allows the pidfile to be \fB/var/run/unbound.pid\fP and the chroot
+to be \fB/var/unbound\fP, for example.
+Note that Unbound is not able to remove the pidfile after termination when
+it is located outside of the chroot directory.
+.sp
+Additionally, Unbound may need to access \fB/dev/urandom\fP (for entropy)
from inside the chroot.
-.IP
-If given a chroot is done to the given directory. The chroot is by default
-set to "@UNBOUND_CHROOT_DIR@". If you give "" no chroot is performed.
-.TP
-.B username: \fI<name>
-If given, after binding the port the user privileges are dropped. Default is
-"@UNBOUND_USERNAME@". If you give username: "" no user change is performed.
-.IP
-If this user is not capable of binding the
-port, reloads (by signal HUP) will still retain the opened ports.
+.sp
+If given, a \fIchroot(2)\fP is done to the given directory.
+If you give \fB\(dq\(dq\fP no \fIchroot(2)\fP is performed.
+.sp
+Default: @UNBOUND_CHROOT_DIR@
+.UNINDENT
+.INDENT 0.0
+.TP
+.B username: \fI<name>\fP
+If given, after binding the port the user privileges are dropped.
+If you give username: \fB\(dq\(dq\fP no user change is performed.
+.sp
+If this user is not capable of binding the port, reloads (by signal HUP)
+will still retain the opened ports.
If you change the port number in the config file, and that new port number
requires privileges, then a reload will fail; a restart is needed.
+.sp
+Default: @UNBOUND_USERNAME@
+.UNINDENT
+.INDENT 0.0
+.TP
+.B directory: \fI<directory>\fP
+Sets the working directory for the program.
+On Windows the string \(dq%EXECUTABLE%\(dq tries to change to the directory that
+\fBunbound.exe\fP resides in.
+If you give a \fI\%server: directory:
+<directory>\fP before
+\fI\%include\fP file statements then those includes
+can be relative to the working directory.
+.sp
+Default: @UNBOUND_RUN_DIR@
+.UNINDENT
+.INDENT 0.0
.TP
-.B directory: \fI<directory>
-Sets the working directory for the program. Default is "@UNBOUND_RUN_DIR@".
-On Windows the string "%EXECUTABLE%" tries to change to the directory
-that unbound.exe resides in.
-If you give a server: directory: dir before include: file statements
-then those includes can be relative to the working directory.
-.TP
-.B logfile: \fI<filename>
-If "" is given, logging goes to stderr, or nowhere once daemonized.
+.B logfile: \fI<filename>\fP
+If \fB\(dq\(dq\fP is given, logging goes to stderr, or nowhere once daemonized.
The logfile is appended to, in the following format:
+.INDENT 7.0
+.INDENT 3.5
+.sp
.nf
+.ft C
[seconds since 1970] unbound[pid:tid]: type: message.
+.ft P
.fi
-If this option is given, the use\-syslog is option is set to "no".
+.UNINDENT
+.UNINDENT
+.sp
+If this option is given, the \fI\%use\-syslog\fP
+attribute is internally set to \fBno\fP\&.
+.sp
The logfile is reopened (for append) when the config file is reread, on
SIGHUP.
-.TP
-.B use\-syslog: \fI<yes or no>
-Sets Unbound to send log messages to the syslogd, using
-\fIsyslog\fR(3).
-The log facility LOG_DAEMON is used, with identity "unbound".
-The logfile setting is overridden when use\-syslog is turned on.
-The default is to log to syslog.
-.TP
-.B log\-identity: \fI<string>
-If "" is given (default), then the name of the executable, usually "unbound"
-is used to report to the log. Enter a string to override it
-with that, which is useful on systems that run more than one instance of
-Unbound, with different configurations, so that the logs can be easily
-distinguished against.
-.TP
-.B log\-time\-ascii: \fI<yes or no>
-Sets logfile lines to use a timestamp in UTC ascii. Default is no, which
-prints the seconds since 1970 in brackets. No effect if using syslog, in
-that case syslog formats the timestamp printed into the log files.
-.TP
-.B log\-time\-iso:\fR <yes or no>
-Log time in ISO8601 format, if \fBlog\-time\-ascii:\fR yes is also set.
-Default is no.
-.TP
-.B log\-queries: \fI<yes or no>
-Prints one line per query to the log, with the log timestamp and IP address,
-name, type and class. Default is no. Note that it takes time to print these
-lines which makes the server (significantly) slower. Odd (nonprintable)
-characters in names are printed as '?'.
-.TP
-.B log\-replies: \fI<yes or no>
-Prints one line per reply to the log, with the log timestamp and IP address,
-name, type, class, return code, time to resolve, from cache and response size.
-Default is no. Note that it takes time to print these
-lines which makes the server (significantly) slower. Odd (nonprintable)
-characters in names are printed as '?'.
-.TP
-.B log\-tag\-queryreply: \fI<yes or no>
-Prints the word 'query' and 'reply' with log\-queries and log\-replies.
-This makes filtering logs easier. The default is off (for backwards
-compatibility).
-.TP
-.B log\-destaddr: \fI<yes or no>
-Prints the destination address, port and type in the log\-replies output.
-This disambiguates what type of traffic, eg. udp or tcp, and to what local
+.sp
+Default: \(dq\(dq (disabled)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B use\-syslog: \fI<yes or no>\fP
+Sets Unbound to send log messages to the syslogd, using \fIsyslog(3)\fP\&.
+The log facility LOG_DAEMON is used, with identity \(dqunbound\(dq.
+The logfile setting is overridden when
+\fI\%use\-syslog: yes\fP is set.
+.sp
+Default: yes
+.UNINDENT
+.INDENT 0.0
+.TP
+.B log\-identity: \fI<string>\fP
+If \fB\(dq\(dq\fP is given, then the name of the executable, usually
+\(dqunbound\(dq is used to report to the log.
+Enter a string to override it with that, which is useful on systems that
+run more than one instance of Unbound, with different configurations, so
+that the logs can be easily distinguished against.
+.sp
+Default: \(dq\(dq
+.UNINDENT
+.INDENT 0.0
+.TP
+.B log\-time\-ascii: \fI<yes or no>\fP
+Sets logfile lines to use a timestamp in UTC ASCII.
+No effect if using syslog, in that case syslog formats the timestamp
+printed into the log files.
+.sp
+Default: no (prints the seconds since 1970 in brackets)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B log\-time\-iso: \fI<yes or no>\fP
+Log time in ISO8601 format, if
+\fI\%log\-time\-ascii: yes\fP
+is also set.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B log\-queries: \fI<yes or no>\fP
+Prints one line per query to the log, with the log timestamp and IP
+address, name, type and class.
+Note that it takes time to print these lines which makes the server
+(significantly) slower.
+Odd (nonprintable) characters in names are printed as \fB\(aq?\(aq\fP\&.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B log\-replies: \fI<yes or no>\fP
+Prints one line per reply to the log, with the log timestamp and IP
+address, name, type, class, return code, time to resolve, from cache and
+response size.
+Note that it takes time to print these lines which makes the server
+(significantly) slower.
+Odd (nonprintable) characters in names are printed as \fB\(aq?\(aq\fP\&.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B log\-tag\-queryreply: \fI<yes or no>\fP
+Prints the word \(aqquery\(aq and \(aqreply\(aq with
+\fI\%log\-queries\fP and
+\fI\%log\-replies\fP\&.
+This makes filtering logs easier.
+.sp
+Default: no (backwards compatible)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B log\-destaddr: \fI<yes or no>\fP
+Prints the destination address, port and type in the
+\fI\%log\-replies\fP output.
+This disambiguates what type of traffic, eg. UDP or TCP, and to what local
port the traffic was sent to.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B log\-local\-actions: \fI<yes or no>\fP
+Print log lines to inform about local zone actions.
+These lines are like the \fI\%local\-zone type
+inform\fP print outs, but they are also
+printed for the other types of local zones.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
.TP
-.B log\-local\-actions: \fI<yes or no>
-Print log lines to inform about local zone actions. These lines are like the
-local\-zone type inform prints out, but they are also printed for the other
-types of local zones.
-.TP
-.B log\-servfail: \fI<yes or no>
+.B log\-servfail: \fI<yes or no>\fP
Print log lines that say why queries return SERVFAIL to clients.
This is separate from the verbosity debug logs, much smaller, and printed
at the error level, not the info level of debug info from verbosity.
-.TP
-.B pidfile: \fI<filename>
-The process id is written to the file. Default is to not write to a file.
-.TP
-.B root\-hints: \fI<filename>
-Read the root hints from this file. Default is nothing, using builtin hints
-for the IN class. The file has the format of zone files, with root
-nameserver names and addresses only. The default may become outdated,
-when servers change, therefore it is good practice to use a root\-hints file.
-.TP
-.B hide\-identity: \fI<yes or no>
-If enabled id.server and hostname.bind queries are refused.
-.TP
-.B identity: \fI<string>
-Set the identity to report. If set to "", the default, then the hostname
-of the server is returned.
-.TP
-.B hide\-version: \fI<yes or no>
-If enabled version.server and version.bind queries are refused.
-.TP
-.B version: \fI<string>
-Set the version to report. If set to "", the default, then the package
-version is returned.
-.TP
-.B hide\-http\-user\-agent: \fI<yes or no>
-If enabled the HTTP header User-Agent is not set. Use with caution as some
-webserver configurations may reject HTTP requests lacking this header.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B pidfile: \fI<filename>\fP
+The process id is written to the file.
+Default is to not write to a file.
+.TP
+.B root\-hints: \fI<filename>\fP
+Read the root hints from this file.
+Default is nothing, using builtin hints for the IN class.
+The file has the format of zone files, with root nameserver names and
+addresses only.
+The default may become outdated, when servers change, therefore it is good
+practice to use a root hints file.
+.sp
+Default: \(dq\(dq
+.UNINDENT
+.INDENT 0.0
+.TP
+.B hide\-identity: \fI<yes or no>\fP
+If enabled \(aqid.server\(aq and \(aqhostname.bind\(aq queries are REFUSED.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B identity: \fI<string>\fP
+Set the identity to report.
+If set to \fB\(dq\(dq\fP, then the hostname of the server is returned.
+.sp
+Default: \(dq\(dq
+.UNINDENT
+.INDENT 0.0
+.TP
+.B hide\-version: \fI<yes or no>\fP
+If enabled \(aqversion.server\(aq and \(aqversion.bind\(aq queries are REFUSED.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B version: \fI<string>\fP
+Set the version to report.
+If set to \fB\(dq\(dq\fP, then the package version is returned.
+.sp
+Default: \(dq\(dq
+.UNINDENT
+.INDENT 0.0
+.TP
+.B hide\-http\-user\-agent: \fI<yes or no>\fP
+If enabled the HTTP header User\-Agent is not set.
+Use with caution as some webserver configurations may reject HTTP requests
+lacking this header.
If needed, it is better to explicitly set the
-.B http\-user\-agent
-below.
-.TP
-.B http\-user\-agent: \fI<string>
-Set the HTTP User-Agent header for outgoing HTTP requests. If set to "",
-the default, then the package name and version are used.
-.TP
-.B nsid:\fR <string>
-Add the specified nsid to the EDNS section of the answer when queried
-with an NSID EDNS enabled packet. As a sequence of hex characters or
-with ascii_ prefix and then an ascii string.
-.TP
-.B hide\-trustanchor: \fI<yes or no>
-If enabled trustanchor.unbound queries are refused.
+\fI\%http\-user\-agent\fP below.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B http\-user\-agent: \fI<string>\fP
+Set the HTTP User\-Agent header for outgoing HTTP requests.
+If set to \fB\(dq\(dq\fP, then the package name and version are used.
+.sp
+Default: \(dq\(dq
+.UNINDENT
+.INDENT 0.0
+.TP
+.B nsid: \fI<string>\fP
+Add the specified nsid to the EDNS section of the answer when queried with
+an NSID EDNS enabled packet.
+As a sequence of hex characters or with \(aqascii_\(aq prefix and then an ASCII
+string.
+.sp
+Default: (disabled)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B hide\-trustanchor: \fI<yes or no>\fP
+If enabled \(aqtrustanchor.unbound\(aq queries are REFUSED.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
.TP
-.B target\-fetch\-policy: \fI<"list of numbers">
+.B target\-fetch\-policy: \fI<\(dqlist of numbers\(dq>\fP
Set the target fetch policy used by Unbound to determine if it should fetch
-nameserver target addresses opportunistically. The policy is described per
+nameserver target addresses opportunistically.
+The policy is described per dependency depth.
+.sp
+The number of values determines the maximum dependency depth that Unbound
+will pursue in answering a query.
+A value of \-1 means to fetch all targets opportunistically for that
dependency depth.
-.IP
-The number of values determines the maximum dependency depth
-that Unbound will pursue in answering a query.
-A value of \-1 means to fetch all targets opportunistically for that dependency
-depth. A value of 0 means to fetch on demand only. A positive value fetches
-that many targets opportunistically.
-.IP
-Enclose the list between quotes ("") and put spaces between numbers.
-The default is "3 2 1 0 0". Setting all zeroes, "0 0 0 0 0" gives behaviour
-closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour
-rumoured to be closer to that of BIND 8.
-.TP
-.B harden\-short\-bufsize: \fI<yes or no>
-Very small EDNS buffer sizes from queries are ignored. Default is yes, as
-described in the standard.
-.TP
-.B harden\-large\-queries: \fI<yes or no>
-Very large queries are ignored. Default is no, since it is legal protocol
-wise to send these, and could be necessary for operation if TSIG or EDNS
-payload is very large.
-.TP
-.B harden\-glue: \fI<yes or no>
-Will trust glue only if it is within the servers authority. Default is yes.
-.TP
-.B harden\-unverified\-glue: \fI<yes or no>
-Will trust only in-zone glue. Will try to resolve all out of zone
-(\fI<unverfied>) glue. Will fallback to the original glue if unable to resolve.
-Default is no.
-.TP
-.B harden\-dnssec\-stripped: \fI<yes or no>
-Require DNSSEC data for trust\-anchored zones, if such data is absent,
-the zone becomes bogus. If turned off, and no DNSSEC data is received
-(or the DNSKEY data fails to validate), then the zone is made insecure,
-this behaves like there is no trust anchor. You could turn this off if
-you are sometimes behind an intrusive firewall (of some sort) that
-removes DNSSEC data from packets, or a zone changes from signed to
-unsigned to badly signed often. If turned off you run the risk of a
-downgrade attack that disables security for a zone. Default is yes.
-.TP
-.B harden\-below\-nxdomain: \fI<yes or no>
-From RFC 8020 (with title "NXDOMAIN: There Really Is Nothing Underneath"),
-returns nxdomain to queries for a name
-below another name that is already known to be nxdomain. DNSSEC mandates
-noerror for empty nonterminals, hence this is possible. Very old software
-might return nxdomain for empty nonterminals (that usually happen for reverse
-IP address lookups), and thus may be incompatible with this. To try to avoid
-this only DNSSEC-secure nxdomains are used, because the old software does not
-have DNSSEC. Default is yes.
-The nxdomain must be secure, this means nsec3 with optout is insufficient.
+A value of 0 means to fetch on demand only.
+A positive value fetches that many targets opportunistically.
+.sp
+Enclose the list between quotes (\fB\(dq\(dq\fP) and put spaces between numbers.
+Setting all zeroes, \(dq0 0 0 0 0\(dq gives behaviour closer to that of BIND 9,
+while setting \(dq\-1 \-1 \-1 \-1 \-1\(dq gives behaviour rumoured to be closer to
+that of BIND 8.
+.sp
+Default: \(dq3 2 1 0 0\(dq
+.UNINDENT
+.INDENT 0.0
+.TP
+.B harden\-short\-bufsize: \fI<yes or no>\fP
+Very small EDNS buffer sizes from queries are ignored.
+.sp
+Default: yes (as described in the standard)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B harden\-large\-queries: \fI<yes or no>\fP
+Very large queries are ignored.
+Default is no, since it is legal protocol wise to send these, and could be
+necessary for operation if TSIG or EDNS payload is very large.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B harden\-glue: \fI<yes or no>\fP
+Will trust glue only if it is within the servers authority.
+.sp
+Default: yes
+.UNINDENT
+.INDENT 0.0
+.TP
+.B harden\-unverified\-glue: \fI<yes or no>\fP
+Will trust only in\-zone glue.
+Will try to resolve all out of zone (\fIunverified\fP) glue.
+Will fallback to the original glue if unable to resolve.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B harden\-dnssec\-stripped: \fI<yes or no>\fP
+Require DNSSEC data for trust\-anchored zones, if such data is absent, the
+zone becomes bogus.
+If turned off, and no DNSSEC data is received (or the DNSKEY data fails to
+validate), then the zone is made insecure, this behaves like there is no
+trust anchor.
+You could turn this off if you are sometimes behind an intrusive firewall
+(of some sort) that removes DNSSEC data from packets, or a zone changes
+from signed to unsigned to badly signed often.
+If turned off you run the risk of a downgrade attack that disables security
+for a zone.
+.sp
+Default: yes
+.UNINDENT
+.INDENT 0.0
+.TP
+.B harden\-below\-nxdomain: \fI<yes or no>\fP
+From \fI\%RFC 8020\fP (with title \(dqNXDOMAIN: There Really Is Nothing
+Underneath\(dq), returns NXDOMAIN to queries for a name below another name
+that is already known to be NXDOMAIN.
+DNSSEC mandates NOERROR for empty nonterminals, hence this is possible.
+Very old software might return NXDOMAIN for empty nonterminals (that
+usually happen for reverse IP address lookups), and thus may be
+incompatible with this.
+To try to avoid this only DNSSEC\-secure NXDOMAINs are used, because the old
+software does not have DNSSEC.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+The NXDOMAIN must be secure, this means NSEC3 with optout is
+insufficient.
+.UNINDENT
+.UNINDENT
+.sp
+Default: yes
+.UNINDENT
+.INDENT 0.0
.TP
-.B harden\-referral\-path: \fI<yes or no>
+.B harden\-referral\-path: \fI<yes or no>\fP
Harden the referral path by performing additional queries for
-infrastructure data. Validates the replies if trust anchors are configured
-and the zones are signed. This enforces DNSSEC validation on nameserver
-NS sets and the nameserver addresses that are encountered on the referral
-path to the answer.
-Default no, because it burdens the authority servers, and it is
-not RFC standard, and could lead to performance problems because of the
-extra query load that is generated. Experimental option.
-If you enable it consider adding more numbers after the target\-fetch\-policy
-to increase the max depth that is checked to.
-.TP
-.B harden\-algo\-downgrade: \fI<yes or no>
-Harden against algorithm downgrade when multiple algorithms are
-advertised in the DS record.
-This works by first choosing only the strongest DS digest type as per RFC 4509
-(Unbound treats the highest algorithm as the strongest) and then
-expecting signatures from all the advertised signing algorithms from the chosen
-DS(es) to be present.
-If no, allows any one supported algorithm to validate the zone, even if other advertised algorithms are broken.
-Default is no.
-RFC 6840 mandates that zone signers must produce zones signed with all
+infrastructure data.
+Validates the replies if trust anchors are configured and the zones are
+signed.
+This enforces DNSSEC validation on nameserver NS sets and the nameserver
+addresses that are encountered on the referral path to the answer.
+Default is off, because it burdens the authority servers, and it is not RFC
+standard, and could lead to performance problems because of the extra query
+load that is generated.
+Experimental option.
+If you enable it consider adding more numbers after the
+\fI\%target\-fetch\-policy\fP to increase
+the max depth that is checked to.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B harden\-algo\-downgrade: \fI<yes or no>\fP
+Harden against algorithm downgrade when multiple algorithms are advertised
+in the DS record.
+This works by first choosing only the strongest DS digest type as per
+\fI\%RFC 4509\fP (Unbound treats the highest algorithm as the strongest) and
+then expecting signatures from all the advertised signing algorithms from
+the chosen DS(es) to be present.
+If no, allows any one supported algorithm to validate the zone, even if
+other advertised algorithms are broken.
+\fI\%RFC 6840\fP mandates that zone signers must produce zones signed with all
advertised algorithms, but sometimes they do not.
-RFC 6840 also clarifies that this requirement is not for validators and
+\fI\%RFC 6840\fP also clarifies that this requirement is not for validators and
validators should accept any single valid path.
-It should thus be explicitly noted that this option violates RFC 6840 for
-DNSSEC validation and should only be used to perform a signature
+It should thus be explicitly noted that this option violates \fI\%RFC 6840\fP
+for DNSSEC validation and should only be used to perform a signature
completeness test to support troubleshooting.
-Using this option may break DNSSEC resolution with non-RFC6840-conforming
-signers and/or in multi-signer configurations that don't send all the
-advertised signatures.
+.sp
+\fBWARNING:\fP
+.INDENT 7.0
+.INDENT 3.5
+Using this option may break DNSSEC resolution with non \fI\%RFC 6840\fP
+conforming signers and/or in multi\-signer configurations that don\(aqt
+send all the advertised signatures.
+.UNINDENT
+.UNINDENT
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
.TP
-.B harden\-unknown\-additional: \fI<yes or no>
+.B harden\-unknown\-additional: \fI<yes or no>\fP
Harden against unknown records in the authority section and additional
-section. Default is no. If no, such records are copied from the upstream
-and presented to the client together with the answer. If yes, it could
-hamper future protocol developments that want to add records.
+section.
+If no, such records are copied from the upstream and presented to the
+client together with the answer.
+If yes, it could hamper future protocol developments that want to add
+records.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
.TP
-.B use\-caps\-for\-id: \fI<yes or no>
+.B use\-caps\-for\-id: \fI<yes or no>\fP
Use 0x20\-encoded random bits in the query to foil spoof attempts.
-This perturbs the lowercase and uppercase of query names sent to
-authority servers and checks if the reply still has the correct casing.
-Disabled by default.
+This perturbs the lowercase and uppercase of query names sent to authority
+servers and checks if the reply still has the correct casing.
This feature is an experimental implementation of draft dns\-0x20.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
.TP
-.B caps\-exempt: \fI<domain>
+.B caps\-exempt: \fI<domain>\fP
Exempt the domain so that it does not receive caps\-for\-id perturbed
-queries. For domains that do not support 0x20 and also fail with fallback
-because they keep sending different answers, like some load balancers.
+queries.
+For domains that do not support 0x20 and also fail with fallback because
+they keep sending different answers, like some load balancers.
Can be given multiple times, for different domains.
+.UNINDENT
+.INDENT 0.0
.TP
-.B caps\-whitelist: \fI<domain>
-Alternate syntax for \fBcaps\-exempt\fR.
+.B caps\-whitelist: \fI<domain>\fP
+Alternate syntax for \fI\%caps\-exempt\fP\&.
+.UNINDENT
+.INDENT 0.0
.TP
-.B qname\-minimisation: \fI<yes or no>
+.B qname\-minimisation: \fI<yes or no>\fP
Send minimum amount of information to upstream servers to enhance privacy.
Only send minimum required labels of the QNAME and set QTYPE to A when
-possible. Best effort approach; full QNAME and original QTYPE will be sent when
+possible.
+Best effort approach; full QNAME and original QTYPE will be sent when
upstream replies with a RCODE other than NOERROR, except when receiving
-NXDOMAIN from a DNSSEC signed zone. Default is yes.
+NXDOMAIN from a DNSSEC signed zone.
+.sp
+Default: yes
+.UNINDENT
+.INDENT 0.0
+.TP
+.B qname\-minimisation\-strict: \fI<yes or no>\fP
+QNAME minimisation in strict mode.
+Do not fall\-back to sending full QNAME to potentially broken nameservers.
+A lot of domains will not be resolvable when this option in enabled.
+Only use if you know what you are doing.
+This option only has effect when
+\fI\%qname\-minimisation\fP is enabled.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B aggressive\-nsec: \fI<yes or no>\fP
+Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN and other
+denials, using information from previous NXDOMAINs answers.
+It helps to reduce the query rate towards targets that get a very high
+nonexistent name lookup rate.
+.sp
+Default: yes
+.UNINDENT
+.INDENT 0.0
+.TP
+.B private\-address: \fI<IP address or subnet>\fP
+Give IPv4 of IPv6 addresses or classless subnets.
+These are addresses on your private network, and are not allowed to be
+returned for public internet names.
+Any occurrence of such addresses are removed from DNS answers.
+Additionally, the DNSSEC validator may mark the answers bogus.
+This protects against so\-called DNS Rebinding, where a user browser is
+turned into a network proxy, allowing remote access through the browser to
+other parts of your private network.
+.sp
+Some names can be allowed to contain your private addresses, by default all
+the \fI\%local\-data\fP that you configured is
+allowed to, and you can specify additional names using
+\fI\%private\-domain\fP\&.
+No private addresses are enabled by default.
+.sp
+We consider to enable this for the \fI\%RFC 1918\fP private IP address space by
+default in later releases.
+That would enable private addresses for \fB10.0.0.0/8\fP, \fB172.16.0.0/12\fP,
+\fB192.168.0.0/16\fP, \fB169.254.0.0/16\fP, \fBfd00::/8\fP and \fBfe80::/10\fP,
+since the RFC standards say these addresses should not be visible on the
+public internet.
+.sp
+Turning on \fB127.0.0.0/8\fP would hinder many spamblocklists as they use
+that.
+Adding \fB::ffff:0:0/96\fP stops IPv4\-mapped IPv6 addresses from bypassing
+the filter.
+.UNINDENT
+.INDENT 0.0
.TP
-.B qname\-minimisation\-strict: \fI<yes or no>
-QNAME minimisation in strict mode. Do not fall-back to sending full QNAME to
-potentially broken nameservers. A lot of domains will not be resolvable when
-this option in enabled. Only use if you know what you are doing.
-This option only has effect when qname-minimisation is enabled. Default is no.
-.TP
-.B aggressive\-nsec: \fI<yes or no>
-Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
-and other denials, using information from previous NXDOMAINs answers.
-Default is yes. It helps to reduce the query rate towards targets that get
-a very high nonexistent name lookup rate.
-.TP
-.B private\-address: \fI<IP address or subnet>
-Give IPv4 of IPv6 addresses or classless subnets. These are addresses
-on your private network, and are not allowed to be returned for
-public internet names. Any occurrence of such addresses are removed
-from DNS answers. Additionally, the DNSSEC validator may mark the
-answers bogus. This protects against so\-called DNS Rebinding, where
-a user browser is turned into a network proxy, allowing remote access
-through the browser to other parts of your private network. Some names
-can be allowed to contain your private addresses, by default all the
-\fBlocal\-data\fR that you configured is allowed to, and you can specify
-additional names using \fBprivate\-domain\fR. No private addresses are
-enabled by default. We consider to enable this for the RFC1918 private
-IP address space by default in later releases. That would enable private
-addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
-fd00::/8 and fe80::/10, since the RFC standards say these addresses
-should not be visible on the public internet. Turning on 127.0.0.0/8
-would hinder many spamblocklists as they use that. Adding ::ffff:0:0/96
-stops IPv4-mapped IPv6 addresses from bypassing the filter.
-.TP
-.B private\-domain: \fI<domain name>
+.B private\-domain: \fI<domain name>\fP
Allow this domain, and all its subdomains to contain private addresses.
Give multiple times to allow multiple domain names to contain private
-addresses. Default is none.
-.TP
-.B unwanted\-reply\-threshold: \fI<number>
-If set, a total number of unwanted replies is kept track of in every thread.
-When it reaches the threshold, a defensive action is taken and a warning
-is printed to the log. The defensive action is to clear the rrset and
-message caches, hopefully flushing away any poison. A value of 10 million
-is suggested. Default is 0 (turned off).
-.TP
-.B do\-not\-query\-address: \fI<IP address>
-Do not query the given IP address. Can be IP4 or IP6. Append /num to
-indicate a classless delegation netblock, for example like
-10.2.3.4/24 or 2001::11/64.
-.TP
-.B do\-not\-query\-localhost: \fI<yes or no>
-If yes, localhost is added to the do\-not\-query\-address entries, both
-IP6 ::1 and IP4 127.0.0.1/8. If no, then localhost can be used to send
-queries to. Default is yes.
-.TP
-.B prefetch: \fI<yes or no>
-If yes, cache hits on message cache elements that are on their last 10 percent
-of their TTL value trigger a prefetch to keep the cache up to date.
-Default is no.
-Turning it on gives about 10 percent more traffic and load on the machine, but
-popular items do not expire from the cache.
+addresses.
+.sp
+Default: (none)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B unwanted\-reply\-threshold: \fI<number>\fP
+If set, a total number of unwanted replies is kept track of in every
+thread.
+When it reaches the threshold, a defensive action is taken and a warning is
+printed to the log.
+The defensive action is to clear the rrset and message caches, hopefully
+flushing away any poison.
+A value of 10 million is suggested.
+.sp
+Default: 0 (disabled)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B do\-not\-query\-address: \fI<IP address>\fP
+Do not query the given IP address.
+Can be IPv4 or IPv6.
+Append /num to indicate a classless delegation netblock, for example like
+\fB10.2.3.4/24\fP or \fB2001::11/64\fP\&.
+.sp
+Default: (none)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B do\-not\-query\-localhost: \fI<yes or no>\fP
+If yes, localhost is added to the
+\fI\%do\-not\-query\-address\fP entries,
+both IPv6 \fB::1\fP and IPv4 \fB127.0.0.1/8\fP\&.
+If no, then localhost can be used to send queries to.
+.sp
+Default: yes
+.UNINDENT
+.INDENT 0.0
+.TP
+.B prefetch: \fI<yes or no>\fP
+If yes, cache hits on message cache elements that are on their last 10
+percent of their TTL value trigger a prefetch to keep the cache up to date.
+Turning it on gives about 10 percent more traffic and load on the machine,
+but popular items do not expire from the cache.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
.TP
-.B prefetch\-key: \fI<yes or no>
+.B prefetch\-key: \fI<yes or no>\fP
If yes, fetch the DNSKEYs earlier in the validation process, when a DS
-record is encountered. This lowers the latency of requests. It does use
-a little more CPU. Also if the cache is set to 0, it is no use. Default is no.
+record is encountered.
+This lowers the latency of requests.
+It does use a little more CPU.
+Also if the cache is set to 0, it is no use.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
.TP
-.B deny\-any: \fI<yes or no>
-If yes, deny queries of type ANY with an empty response. Default is no.
+.B deny\-any: \fI<yes or no>\fP
+If yes, deny queries of type ANY with an empty response.
If disabled, Unbound responds with a short list of resource records if some
can be found in the cache and makes the upstream type ANY query if there
are none.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
.TP
-.B rrset\-roundrobin: \fI<yes or no>
+.B rrset\-roundrobin: \fI<yes or no>\fP
If yes, Unbound rotates RRSet order in response (the random number is taken
-from the query ID, for speed and thread safety). Default is yes.
+from the query ID, for speed and thread safety).
+.sp
+Default: yes
+.UNINDENT
+.INDENT 0.0
.TP
-.B minimal-responses: \fI<yes or no>
+.B minimal\-responses: \fI<yes or no>\fP
If yes, Unbound does not insert authority/additional sections into response
-messages when those sections are not required. This reduces response
-size significantly, and may avoid TCP fallback for some responses which may
-cause a slight speedup. The default is yes, even though the DNS
-protocol RFCs mandate these sections, and the additional content could
-save roundtrips for clients that use the additional content.
+messages when those sections are not required.
+This reduces response size significantly, and may avoid TCP fallback for
+some responses which may cause a slight speedup.
+The default is yes, even though the DNS protocol RFCs mandate these
+sections, and the additional content could save roundtrips for clients that
+use the additional content.
However these sections are hardly used by clients.
Enabling prefetch can benefit clients that need the additional content
by trying to keep that content fresh in the cache.
+.sp
+Default: yes
+.UNINDENT
+.INDENT 0.0
+.TP
+.B disable\-dnssec\-lame\-check: \fI<yes or no>\fP
+If yes, disables the DNSSEC lameness check in the iterator.
+This check sees if RRSIGs are present in the answer, when DNSSEC is
+expected, and retries another authority if RRSIGs are unexpectedly missing.
+The validator will insist in RRSIGs for DNSSEC signed domains regardless of
+this setting, if a trust anchor is loaded.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
.TP
-.B disable-dnssec-lame-check: \fI<yes or no>
-If true, disables the DNSSEC lameness check in the iterator. This check
-sees if RRSIGs are present in the answer, when dnssec is expected,
-and retries another authority if RRSIGs are unexpectedly missing.
-The validator will insist in RRSIGs for DNSSEC signed domains regardless
-of this setting, if a trust anchor is loaded.
-.TP
-.B module\-config: \fI<"module names">
+.B module\-config: \fI\(dq<module names>\(dq\fP
Module configuration, a list of module names separated by spaces, surround
-the string with quotes (""). The modules can be \fIrespip\fR,
-\fIvalidator\fR, or \fIiterator\fR (and possibly more, see below).
-Setting this to just "\fIiterator\fR" will result in a non\-validating
-server.
-Setting this to "\fIvalidator iterator\fR" will turn on DNSSEC validation.
-The ordering of the modules is significant, the order decides the
-order of processing.
-You must also set \fItrust\-anchors\fR for validation to be useful.
-Adding \fIrespip\fR to the front will cause RPZ processing to be done on
-all queries.
-The default is "\fIvalidator iterator\fR".
-.IP
+the string with quotes (\fB\(dq\(dq\fP).
+The modules can be \fBrespip\fP, \fBvalidator\fP, or \fBiterator\fP (and possibly
+more, see below).
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+The ordering of the modules is significant, the order decides the order
+of processing.
+.UNINDENT
+.UNINDENT
+.sp
+Setting this to just \(dqiterator\(dq will result in a non\-validating server.
+Setting this to \(dqvalidator iterator\(dq will turn on DNSSEC validation.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+You must also set trust\-anchors for validation to be useful.
+.UNINDENT
+.UNINDENT
+.sp
+Adding \fBrespip\fP to the front will cause RPZ processing to be done on all
+queries.
+.sp
Most modules that need to be listed here have to be listed at the beginning
-of the line. The subnetcachedb module has to be listed just before
-the iterator.
-The python module can be listed in different places, it then processes the
-output of the module it is just before. The dynlib module can be listed pretty
-much anywhere, it is only a very thin wrapper that allows dynamic libraries to
-run in its place.
-.TP
-.B trust\-anchor\-file: \fI<filename>
-File with trusted keys for validation. Both DS and DNSKEY entries can appear
-in the file. The format of the file is the standard DNS Zone file format.
-Default is "", or no trust anchor file.
-.TP
-.B auto\-trust\-anchor\-file: \fI<filename>
-File with trust anchor for one zone, which is tracked with RFC5011 probes.
+of the line.
+.sp
+The \fBsubnetcache\fP module has to be listed just before the iterator.
+.sp
+The \fBpython\fP module can be listed in different places, it then processes
+the output of the module it is just before.
+.sp
+The \fBdynlib\fP module can be listed pretty much anywhere, it is only a very
+thin wrapper that allows dynamic libraries to run in its place.
+.sp
+Default: \(dqvalidator iterator\(dq
+.UNINDENT
+.INDENT 0.0
+.TP
+.B trust\-anchor\-file: \fI<filename>\fP
+File with trusted keys for validation.
+Both DS and DNSKEY entries can appear in the file.
+The format of the file is the standard DNS Zone file format.
+.sp
+Default: \(dq\(dq (no trust anchor file)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B auto\-trust\-anchor\-file: \fI<filename>\fP
+File with trust anchor for one zone, which is tracked with \fI\%RFC 5011\fP
+probes.
The probes are run several times per month, thus the machine must be online
-frequently. The initial file can be one with contents as described in
-\fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated,
-so the Unbound user must have write permission. Write permission to the file,
-but also to the directory it is in (to create a temporary file, which is
-necessary to deal with filesystem full events), it must also be inside the
-chroot (if that is used).
-.TP
-.B trust\-anchor: \fI<"Resource Record">
-A DS or DNSKEY RR for a key to use for validation. Multiple entries can be
-given to specify multiple trusted keys, in addition to the trust\-anchor\-files.
-The resource record is entered in the same format as 'dig' or 'drill' prints
-them, the same format as in the zone file. Has to be on a single line, with
-"" around it. A TTL can be specified for ease of cut and paste, but is ignored.
+frequently.
+The initial file can be one with contents as described in
+\fI\%trust\-anchor\-file\fP\&.
+The file is written to when the anchor is updated, so the Unbound user must
+have write permission.
+Write permission to the file, but also to the directory it is in (to create
+a temporary file, which is necessary to deal with filesystem full events),
+it must also be inside the \fI\%chroot\fP (if that is
+used).
+.sp
+Default: \(dq\(dq (no auto trust anchor file)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B trust\-anchor: \fI\(dq<Resource Record>\(dq\fP
+A DS or DNSKEY RR for a key to use for validation.
+Multiple entries can be given to specify multiple trusted keys, in addition
+to the \fI\%trust\-anchor\-file\fP\&.
+The resource record is entered in the same format as \fIdig(1)\fP or \fIdrill(1)\fP
+prints them, the same format as in the zone file.
+Has to be on a single line, with \fB\(dq\(dq\fP around it.
+A TTL can be specified for ease of cut and paste, but is ignored.
A class can be specified, but class IN is default.
-.TP
-.B trusted\-keys\-file: \fI<filename>
-File with trusted keys for validation. Specify more than one file
-with several entries, one file per entry. Like \fBtrust\-anchor\-file\fR
-but has a different file format. Format is BIND\-9 style format,
-the trusted\-keys { name flag proto algo "key"; }; clauses are read.
+.sp
+Default: (none)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B trusted\-keys\-file: \fI<filename>\fP
+File with trusted keys for validation.
+Specify more than one file with several entries, one file per entry.
+Like \fI\%trust\-anchor\-file\fP but has a
+different file format.
+Format is BIND\-9 style format, the \fBtrusted\-keys { name flag proto algo
+\(dqkey\(dq; };\fP clauses are read.
It is possible to use wildcards with this statement, the wildcard is
expanded on start and on reload.
-.TP
-.B trust\-anchor\-signaling: \fI<yes or no>
-Send RFC8145 key tag query after trust anchor priming. Default is no.
-.TP
-.B root\-key\-sentinel: \fI<yes or no>
-Root key trust anchor sentinel. Default is yes.
-.TP
-.B domain\-insecure: \fI<domain name>
-Sets domain name to be insecure, DNSSEC chain of trust is ignored towards
-the domain name. So a trust anchor above the domain name can not make the
-domain secure with a DS record, such a DS record is then ignored.
-Can be given multiple times
-to specify multiple domains that are treated as if unsigned. If you set
-trust anchors for the domain they override this setting (and the domain
-is secured).
-.IP
+.sp
+Default: \(dq\(dq (no trusted keys file)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B trust\-anchor\-signaling: \fI<yes or no>\fP
+Send \fI\%RFC 8145\fP key tag query after trust anchor priming.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B root\-key\-sentinel: \fI<yes or no>\fP
+Root key trust anchor sentinel.
+.sp
+Default: yes
+.UNINDENT
+.INDENT 0.0
+.TP
+.B domain\-insecure: \fI<domain name>\fP
+Sets \fI<domain name>\fP to be insecure, DNSSEC chain of trust is ignored
+towards the \fI<domain name>\fP\&.
+So a trust anchor above the domain name can not make the domain secure with
+a DS record, such a DS record is then ignored.
+Can be given multiple times to specify multiple domains that are treated as
+if unsigned.
+If you set trust anchors for the domain they override this setting (and the
+domain is secured).
+.sp
This can be useful if you want to make sure a trust anchor for external
-lookups does not affect an (unsigned) internal domain. A DS record
-externally can create validation failures for that internal domain.
+lookups does not affect an (unsigned) internal domain.
+A DS record externally can create validation failures for that internal
+domain.
+.sp
+Default: (none)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B val\-override\-date: \fI<rrsig\-style date spec>\fP
+.sp
+\fBWARNING:\fP
+.INDENT 7.0
+.INDENT 3.5
+Debugging feature!
+.UNINDENT
+.UNINDENT
+.sp
+If enabled by giving a RRSIG style date, that date is used for verifying
+RRSIG inception and expiration dates, instead of the current date.
+Do not set this unless you are debugging signature inception and
+expiration.
+The value \-1 ignores the date altogether, useful for some special
+applications.
+.sp
+Default: 0 (disabled)
+.UNINDENT
+.INDENT 0.0
.TP
-.B val\-override\-date: \fI<rrsig\-style date spec>
-Default is "" or "0", which disables this debugging feature. If enabled by
-giving a RRSIG style date, that date is used for verifying RRSIG inception
-and expiration dates, instead of the current date. Do not set this unless
-you are debugging signature inception and expiration. The value \-1 ignores
-the date altogether, useful for some special applications.
-.TP
-.B val\-sig\-skew\-min: \fI<seconds>
+.B val\-sig\-skew\-min: \fI<seconds>\fP
Minimum number of seconds of clock skew to apply to validated signatures.
-A value of 10% of the signature lifetime (expiration \- inception) is
-used, capped by this setting. Default is 3600 (1 hour) which allows for
-daylight savings differences. Lower this value for more strict checking
-of short lived signatures.
+A value of 10% of the signature lifetime (expiration \- inception) is used,
+capped by this setting.
+Default is 3600 (1 hour) which allows for daylight savings differences.
+Lower this value for more strict checking of short lived signatures.
+.sp
+Default: 3600 (1 hour)
+.UNINDENT
+.INDENT 0.0
.TP
-.B val\-sig\-skew\-max: \fI<seconds>
+.B val\-sig\-skew\-max: \fI<seconds>\fP
Maximum number of seconds of clock skew to apply to validated signatures.
-A value of 10% of the signature lifetime (expiration \- inception)
-is used, capped by this setting. Default is 86400 (24 hours) which
-allows for timezone setting problems in stable domains. Setting both
-min and max very low disables the clock skew allowances. Setting both
-min and max very high makes the validator check the signature timestamps
-less strictly.
-.TP
-.B val\-max\-restart: \fI<number>
-The maximum number the validator should restart validation with
-another authority in case of failed validation. Default is 5.
-.TP
-.B val\-bogus\-ttl: \fI<number>
-The time to live for bogus data. This is data that has failed validation;
-due to invalid signatures or other checks. The TTL from that data cannot be
-trusted, and this value is used instead. The value is in seconds, default 60.
+A value of 10% of the signature lifetime (expiration \- inception) is used,
+capped by this setting.
+Default is 86400 (24 hours) which allows for timezone setting problems in
+stable domains.
+Setting both min and max very low disables the clock skew allowances.
+Setting both min and max very high makes the validator check the signature
+timestamps less strictly.
+.sp
+Default: 86400 (24 hours)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B val\-max\-restart: \fI<number>\fP
+The maximum number the validator should restart validation with another
+authority in case of failed validation.
+.sp
+Default: 5
+.UNINDENT
+.INDENT 0.0
+.TP
+.B val\-bogus\-ttl: \fI<seconds>\fP
+The time to live for bogus data.
+This is data that has failed validation; due to invalid signatures or other
+checks.
+The TTL from that data cannot be trusted, and this value is used instead.
The time interval prevents repeated revalidation of bogus data.
+.sp
+Default: 60
+.UNINDENT
+.INDENT 0.0
.TP
-.B val\-clean\-additional: \fI<yes or no>
+.B val\-clean\-additional: \fI<yes or no>\fP
Instruct the validator to remove data from the additional section of secure
-messages that are not signed properly. Messages that are insecure, bogus,
-indeterminate or unchecked are not affected. Default is yes. Use this setting
-to protect the users that rely on this validator for authentication from
-potentially bad data in the additional section.
-.TP
-.B val\-log\-level: \fI<number>
-Have the validator print validation failures to the log. Regardless of
-the verbosity setting. Default is 0, off. At 1, for every user query
-that fails a line is printed to the logs. This way you can monitor what
-happens with validation. Use a diagnosis tool, such as dig or drill,
-to find out why validation is failing for these queries. At 2, not only
-the query that failed is printed but also the reason why Unbound thought
-it was wrong and which server sent the faulty data.
-.TP
-.B val\-permissive\-mode: \fI<yes or no>
-Instruct the validator to mark bogus messages as indeterminate. The security
-checks are performed, but if the result is bogus (failed security), the
-reply is not withheld from the client with SERVFAIL as usual. The client
-receives the bogus data. For messages that are found to be secure the AD bit
-is set in replies. Also logging is performed as for full validation.
-The default value is "no".
-.TP
-.B ignore\-cd\-flag: \fI<yes or no>
-Instruct Unbound to ignore the CD flag from clients and refuse to
-return bogus answers to them. Thus, the CD (Checking Disabled) flag
-does not disable checking any more. This is useful if legacy (w2008)
-servers that set the CD flag but cannot validate DNSSEC themselves are
-the clients, and then Unbound provides them with DNSSEC protection.
-The default value is "no".
+messages that are not signed properly.
+Messages that are insecure, bogus, indeterminate or unchecked are not
+affected.
+Use this setting to protect the users that rely on this validator for
+authentication from potentially bad data in the additional section.
+.sp
+Default: yes
+.UNINDENT
+.INDENT 0.0
+.TP
+.B val\-log\-level: \fI<number>\fP
+Have the validator print validation failures to the log.
+Regardless of the verbosity setting.
+.sp
+At 1, for every user query that fails a line is printed to the logs.
+This way you can monitor what happens with validation.
+Use a diagnosis tool, such as dig or drill, to find out why validation is
+failing for these queries.
+.sp
+At 2, not only the query that failed is printed but also the reason why
+Unbound thought it was wrong and which server sent the faulty data.
+.sp
+Default: 0 (disabled)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B val\-permissive\-mode: \fI<yes or no>\fP
+Instruct the validator to mark bogus messages as indeterminate.
+The security checks are performed, but if the result is bogus (failed
+security), the reply is not withheld from the client with SERVFAIL as
+usual.
+The client receives the bogus data.
+For messages that are found to be secure the AD bit is set in replies.
+Also logging is performed as for full validation.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ignore\-cd\-flag: \fI<yes or no>\fP
+Instruct Unbound to ignore the CD flag from clients and refuse to return
+bogus answers to them.
+Thus, the CD (Checking Disabled) flag does not disable checking any more.
+This is useful if legacy (w2008) servers that set the CD flag but cannot
+validate DNSSEC themselves are the clients, and then Unbound provides them
+with DNSSEC protection.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
.TP
-.B disable\-edns\-do: \fI<yes or no>
+.B disable\-edns\-do: \fI<yes or no>\fP
Disable the EDNS DO flag in upstream requests.
-It breaks DNSSEC validation for Unbound's clients.
+It breaks DNSSEC validation for Unbound\(aqs clients.
This results in the upstream name servers to not include DNSSEC records in
their replies and could be helpful for devices that cannot handle DNSSEC
information.
@@ -1354,1255 +2467,2187 @@ If this option is enabled but Unbound is
validation (i.e., the validator module is enabled; default) this option is
implicitly turned off with a warning as to not break DNSSEC validation in
Unbound.
-Default is no.
-.TP
-.B serve\-expired: \fI<yes or no>
-If enabled, Unbound attempts to serve old responses from cache with a
-TTL of \fBserve\-expired\-reply\-ttl\fR in the response.
-By default the expired answer will be used after a resolution attempt errored
-out or is taking more than serve\-expired\-client\-timeout to resolve.
-Default is "no".
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B serve\-expired: \fI<yes or no>\fP
+If enabled, Unbound attempts to serve old responses from cache with a TTL
+of \fI\%serve\-expired\-reply\-ttl\fP in
+the response.
+By default the expired answer will be used after a resolution attempt
+errored out or is taking more than
+\fI\%serve\-expired\-client\-timeout\fP
+to resolve.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
.TP
-.B serve\-expired\-ttl: \fI<seconds>
+.B serve\-expired\-ttl: \fI<seconds>\fP
Limit serving of expired responses to configured seconds after expiration.
-0 disables the limit.
-This option only applies when \fBserve\-expired\fR is enabled.
+\fB0\fP disables the limit.
+This option only applies when
+\fI\%serve\-expired\fP is enabled.
A suggested value per RFC 8767 is between 86400 (1 day) and 259200 (3 days).
The default is 86400.
+.sp
+Default: 86400
+.UNINDENT
+.INDENT 0.0
+.TP
+.B serve\-expired\-ttl\-reset: \fI<yes or no>\fP
+Set the TTL of expired records to the
+\fI\%serve\-expired\-ttl\fP value after a
+failed attempt to retrieve the record from upstream.
+This makes sure that the expired records will be served as long as there
+are queries for it.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B serve\-expired\-reply\-ttl: \fI<seconds>\fP
+TTL value to use when replying with expired data.
+If
+\fI\%serve\-expired\-client\-timeout\fP
+is also used then it is RECOMMENDED to use 30 as the value (\fI\%RFC 8767\fP).
+.sp
+Default: 30
+.UNINDENT
+.INDENT 0.0
.TP
-.B serve\-expired\-ttl\-reset: \fI<yes or no>
-Set the TTL of expired records to the \fBserve\-expired\-ttl\fR value after a
-failed attempt to retrieve the record from upstream. This makes sure that the
-expired records will be served as long as there are queries for it. Default is
-"no".
-.TP
-.B serve\-expired\-reply\-ttl: \fI<seconds>
-TTL value to use when replying with expired data. If
-\fBserve\-expired\-client\-timeout\fR is also used then it is RECOMMENDED to
-use 30 as the value (RFC 8767). The default is 30.
-.TP
-.B serve\-expired\-client\-timeout: \fI<msec>
+.B serve\-expired\-client\-timeout: \fI<msec>\fP
Time in milliseconds before replying to the client with expired data.
-This essentially enables the serve-stale behavior as specified in
-RFC 8767 that first tries to resolve before immediately
-responding with expired data.
-Setting this to 0 will disable this behavior and instead serve the expired
-record immediately from the cache before attempting to refresh it via
-resolution.
-Default is 1800.
+This essentially enables the serve\-stale behavior as specified in
+\fI\%RFC 8767\fP that first tries to resolve before immediately responding with
+expired data.
+Setting this to \fB0\fP will disable this behavior and instead serve the
+expired record immediately from the cache before attempting to refresh it
+via resolution.
+.sp
+Default: 1800
+.UNINDENT
+.INDENT 0.0
.TP
-.B serve\-original\-ttl: \fI<yes or no>
+.B serve\-original\-ttl: \fI<yes or no>\fP
If enabled, Unbound will always return the original TTL as received from
-the upstream name server rather than the decrementing TTL as
-stored in the cache. This feature may be useful if Unbound serves as a
-front-end to a hidden authoritative name server. Enabling this feature does
-not impact cache expiry, it only changes the TTL Unbound embeds in responses to
-queries. Note that enabling this feature implicitly disables enforcement of
-the configured minimum and maximum TTL, as it is assumed users who enable this
-feature do not want Unbound to change the TTL obtained from an upstream server.
-Thus, the values set using \fBcache\-min\-ttl\fR and \fBcache\-max\-ttl\fR are
-ignored.
-Default is "no".
+the upstream name server rather than the decrementing TTL as stored in the
+cache.
+This feature may be useful if Unbound serves as a front\-end to a hidden
+authoritative name server.
+.sp
+Enabling this feature does not impact cache expiry, it only changes the TTL
+Unbound embeds in responses to queries.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Enabling this feature implicitly disables enforcement of the configured
+minimum and maximum TTL, as it is assumed users who enable this feature
+do not want Unbound to change the TTL obtained from an upstream server.
+.UNINDENT
+.UNINDENT
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+The values set using \fI\%cache\-min\-ttl\fP
+and \fI\%cache\-max\-ttl\fP are ignored.
+.UNINDENT
+.UNINDENT
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
.TP
-.B val\-nsec3\-keysize\-iterations: \fI<"list of values">
+.B val\-nsec3\-keysize\-iterations: <\(dqlist of values\(dq>
List of keysize and iteration count values, separated by spaces, surrounded
-by quotes. Default is "1024 150 2048 150 4096 150". This determines the
-maximum allowed NSEC3 iteration count before a message is simply marked
-insecure instead of performing the many hashing iterations. The list must
-be in ascending order and have at least one entry. If you set it to
-"1024 65535" there is no restriction to NSEC3 iteration values.
-This table must be kept short; a very long list could cause slower operation.
-.TP
-.B zonemd\-permissive\-mode: \fI<yes or no>
-If enabled the ZONEMD verification failures are only logged and do not cause
-the zone to be blocked and only return servfail. Useful for testing out
-if it works, or if the operator only wants to be notified of a problem without
-disrupting service. Default is no.
-.TP
-.B add\-holddown: \fI<seconds>
-Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
-autotrust updates to add new trust anchors only after they have been
-visible for this time. Default is 30 days as per the RFC.
-.TP
-.B del\-holddown: \fI<seconds>
-Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
-autotrust updates to remove revoked trust anchors after they have been
-kept in the revoked list for this long. Default is 30 days as per
-the RFC.
-.TP
-.B keep\-missing: \fI<seconds>
-Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
-autotrust updates to remove missing trust anchors after they have been
-unseen for this long. This cleans up the state file if the target zone
-does not perform trust anchor revocation, so this makes the auto probe
-mechanism work with zones that perform regular (non\-5011) rollovers.
-The default is 366 days. The value 0 does not remove missing anchors,
-as per the RFC.
-.TP
-.B permit\-small\-holddown: \fI<yes or no>
-Debug option that allows the autotrust 5011 rollover timers to assume
-very small values. Default is no.
-.TP
-.B key\-cache\-size: \fI<number>
-Number of bytes size of the key cache. Default is 4 megabytes.
-A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
+by quotes.
+This determines the maximum allowed NSEC3 iteration count before a message
+is simply marked insecure instead of performing the many hashing
+iterations.
+The list must be in ascending order and have at least one entry.
+If you set it to \(dq1024 65535\(dq there is no restriction to NSEC3 iteration
+values.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+This table must be kept short; a very long list could cause slower
+operation.
+.UNINDENT
+.UNINDENT
+.sp
+Default: \(dq1024 150 2048 150 4096 150\(dq
+.UNINDENT
+.INDENT 0.0
+.TP
+.B zonemd\-permissive\-mode: \fI<yes or no>\fP
+If enabled the ZONEMD verification failures are only logged and do not
+cause the zone to be blocked and only return servfail.
+Useful for testing out if it works, or if the operator only wants to be
+notified of a problem without disrupting service.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B add\-holddown: \fI<seconds>\fP
+Instruct the
+\fI\%auto\-trust\-anchor\-file\fP probe
+mechanism for \fI\%RFC 5011\fP autotrust updates to add new trust anchors only
+after they have been visible for this time.
+.sp
+Default: 2592000 (30 days as per the RFC)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B del\-holddown: \fI<seconds>\fP
+Instruct the
+\fI\%auto\-trust\-anchor\-file\fP probe
+mechanism for \fI\%RFC 5011\fP autotrust updates to remove revoked trust anchors
+after they have been kept in the revoked list for this long.
+.sp
+Default: 2592000 (30 days as per the RFC)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B keep\-missing: \fI<seconds>\fP
+Instruct the
+\fI\%auto\-trust\-anchor\-file\fP probe
+mechanism for \fI\%RFC 5011\fP autotrust updates to remove missing trust anchors
+after they have been unseen for this long.
+This cleans up the state file if the target zone does not perform trust
+anchor revocation, so this makes the auto probe mechanism work with zones
+that perform regular (non\-5011) rollovers.
+The value 0 does not remove missing anchors, as per the RFC.
+.sp
+Default: 31622400 (366 days)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B permit\-small\-holddown: \fI<yes or no>\fP
+Debug option that allows the autotrust 5011 rollover timers to assume very
+small values.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B key\-cache\-size: \fI<number>\fP
+Number of bytes size of the key cache.
+A plain number is in bytes, append \(aqk\(aq, \(aqm\(aq or \(aqg\(aq for kilobytes, megabytes
or gigabytes (1024*1024 bytes in a megabyte).
-.TP
-.B key\-cache\-slabs: \fI<number>
-Number of slabs in the key cache. Slabs reduce lock contention by threads.
-Must be set to a power of 2. Setting (close) to the number of cpus is a
-reasonable guess.
-.TP
-.B neg\-cache\-size: \fI<number>
-Number of bytes size of the aggressive negative cache. Default is 1 megabyte.
-A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
+.sp
+Default: 4m
+.UNINDENT
+.INDENT 0.0
+.TP
+.B key\-cache\-slabs: \fI<number>\fP
+Number of slabs in the key cache.
+Slabs reduce lock contention by threads.
+Must be set to a power of 2.
+Setting (close) to the number of cpus is a fairly good setting.
+If left unconfigured, it will be configured automatically to be a power of
+2 close to the number of configured threads in multi\-threaded environments.
+.sp
+Default: (unconfigured)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B neg\-cache\-size: \fI<number>\fP
+Number of bytes size of the aggressive negative cache.
+A plain number is in bytes, append \(aqk\(aq, \(aqm\(aq or \(aqg\(aq for kilobytes, megabytes
or gigabytes (1024*1024 bytes in a megabyte).
+.sp
+Default: 1m
+.UNINDENT
+.INDENT 0.0
+.TP
+.B unblock\-lan\-zones: \fI<yes or no>\fP
+If enabled, then for private address space, the reverse lookups are no
+longer filtered.
+This allows Unbound when running as dns service on a host where it provides
+service for that host, to put out all of the queries for the \(aqlan\(aq
+upstream.
+When enabled, only localhost, \fB127.0.0.1\fP reverse and \fB::1\fP reverse
+zones are configured with default local zones.
+Disable the option when Unbound is running as a (DHCP\-) DNS network
+resolver for a group of machines, where such lookups should be filtered
+(RFC compliance), this also stops potential data leakage about the local
+network to the upstream DNS servers.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B insecure\-lan\-zones: \fI<yes or no>\fP
+If enabled, then reverse lookups in private address space are not
+validated.
+This is usually required whenever
+\fI\%unblock\-lan\-zones\fP is used.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B local\-zone: \fI<zone> <type>\fP
+Configure a local zone.
+The type determines the answer to give if there is no match from
+\fI\%local\-data\fP\&.
+The types are
+\fI\%deny\fP,
+\fI\%refuse\fP,
+\fI\%static\fP,
+\fI\%transparent\fP,
+\fI\%redirect\fP,
+\fI\%nodefault\fP,
+\fI\%typetransparent\fP,
+\fI\%inform\fP,
+\fI\%inform_deny\fP,
+\fI\%inform_redirect\fP,
+\fI\%always_transparent\fP,
+\fI\%block_a\fP,
+\fI\%always_refuse\fP,
+\fI\%always_nxdomain\fP,
+\fI\%always_null\fP,
+\fI\%noview\fP,
+and are explained below.
+After that the default settings are listed.
+Use \fI\%local\-data\fP to enter data into the
+local zone.
+Answers for local zones are authoritative DNS answers.
+By default the zones are class IN.
+.sp
+If you need more complicated authoritative data, with referrals,
+wildcards, CNAME/DNAME support, or DNSSEC authoritative service,
+setup a \fI\%stub\-zone\fP for it as detailed in the
+stub zone section below.
+A \fI\%stub\-zone\fP can be used to have unbound
+send queries to another server, an authoritative server, to fetch the
+information.
+With a \fI\%forward\-zone\fP, unbound sends
+queries to a server that is a recursive server to fetch the information.
+With an \fI\%auth\-zone\fP a zone can be loaded from
+file and used, it can be used like a local zone for users downstream, or
+the \fI\%auth\-zone\fP information can be used to fetch
+information from when resolving like it is an upstream server.
+The \fI\%forward\-zone\fP and
+\fI\%auth\-zone\fP options are described in their
+sections below.
+If you want to perform filtering of the information that the users can
+fetch, the \fI\%local\-zone\fP and
+\fI\%local\-data\fP statements allow for this, but
+also the \fI\%rpz\fP functionality can be used, described
+in the RPZ section.
+.INDENT 7.0
.TP
-.B unblock\-lan\-zones: \fI<yes or no>
-Default is disabled. If enabled, then for private address space,
-the reverse lookups are no longer filtered. This allows Unbound when
-running as dns service on a host where it provides service for that host,
-to put out all of the queries for the 'lan' upstream. When enabled,
-only localhost, 127.0.0.1 reverse and ::1 reverse zones are configured
-with default local zones. Disable the option when Unbound is running
-as a (DHCP-) DNS network resolver for a group of machines, where such
-lookups should be filtered (RFC compliance), this also stops potential
-data leakage about the local network to the upstream DNS servers.
-.TP
-.B insecure\-lan\-zones: \fI<yes or no>
-Default is disabled. If enabled, then reverse lookups in private
-address space are not validated. This is usually required whenever
-\fIunblock\-lan\-zones\fR is used.
-.TP
-.B local\-zone: \fI<zone> <type>
-Configure a local zone. The type determines the answer to give if
-there is no match from local\-data. The types are deny, refuse, static,
-transparent, redirect, nodefault, typetransparent, inform, inform_deny,
-inform_redirect, always_transparent, block_a, always_refuse, always_nxdomain,
-always_null, noview, and are explained below. After that the default settings
-are listed. Use local\-data: to enter data into the local zone. Answers for
-local zones are authoritative DNS answers. By default the zones are class IN.
-.IP
-If you need more complicated authoritative data, with referrals, wildcards,
-CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for
-it as detailed in the stub zone section below. A stub\-zone can be used to
-have unbound send queries to another server, an authoritative server, to
-fetch the information. With a forward\-zone, unbound sends queries to a server
-that is a recursive server to fetch the information. With an auth\-zone a
-zone can be loaded from file and used, it can be used like a local\-zone
-for users downstream, or the auth\-zone information can be used to fetch
-information from when resolving like it is an upstream server. The
-forward\-zone and auth\-zone options are described in their sections below.
-If you want to perform filtering of the information that the users can fetch,
-the local\-zone and local\-data statements allow for this, but also the
-rpz functionality can be used, described in the RPZ section.
-.TP 10
-\h'5'\fIdeny\fR
+.B deny
Do not send an answer, drop the query.
If there is a match from local data, the query is answered.
-.TP 10
-\h'5'\fIrefuse\fR
+.UNINDENT
+.INDENT 7.0
+.TP
+.B refuse
Send an error message reply, with rcode REFUSED.
If there is a match from local data, the query is answered.
-.TP 10
-\h'5'\fIstatic\fR
-If there is a match from local data, the query is answered.
-Otherwise, the query is answered with nodata or nxdomain.
-For a negative answer a SOA is included in the answer if present
-as local\-data for the zone apex domain.
-.TP 10
-\h'5'\fItransparent\fR
+.UNINDENT
+.INDENT 7.0
+.TP
+.B static
If there is a match from local data, the query is answered.
-Otherwise if the query has a different name, the query is resolved normally.
-If the query is for a name given in localdata but no such type of data is
-given in localdata, then a noerror nodata answer is returned.
-If no local\-zone is given local\-data causes a transparent zone
+Otherwise, the query is answered with NODATA or NXDOMAIN.
+For a negative answer a SOA is included in the answer if present as
+\fI\%local\-data\fP for the zone apex domain.
+.UNINDENT
+.INDENT 7.0
+.TP
+.B transparent
+If there is a match from \fI\%local\-data\fP,
+the query is answered.
+Otherwise if the query has a different name, the query is resolved
+normally.
+If the query is for a name given in
+\fI\%local\-data\fP but no such type of data is
+given in localdata, then a NOERROR NODATA answer is returned.
+If no \fI\%local\-zone\fP is given
+\fI\%local\-data\fP causes a transparent zone
to be created by default.
-.TP 10
-\h'5'\fItypetransparent\fR
-If there is a match from local data, the query is answered. If the query
-is for a different name, or for the same name but for a different type,
-the query is resolved normally. So, similar to transparent but types
-that are not listed in local data are resolved normally, so if an A record
-is in the local data that does not cause a nodata reply for AAAA queries.
-.TP 10
-\h'5'\fIredirect\fR
+.UNINDENT
+.INDENT 7.0
+.TP
+.B typetransparent
+If there is a match from local data, the query is answered.
+If the query is for a different name, or for the same name but for a
+different type, the query is resolved normally.
+So, similar to
+\fI\%transparent\fP but types
+that are not listed in local data are resolved normally, so if an A
+record is in the local data that does not cause a NODATA reply for AAAA
+queries.
+.UNINDENT
+.INDENT 7.0
+.TP
+.B redirect
The query is answered from the local data for the zone name.
There may be no local data beneath the zone name.
-This answers queries for the zone, and all subdomains of the zone
-with the local data for the zone.
-It can be used to redirect a domain to return a different address record
-to the end user, with
-local\-zone: "example.com." redirect and
-local\-data: "example.com. A 127.0.0.1"
-queries for www.example.com and www.foo.example.com are redirected, so
-that users with web browsers cannot access sites with suffix example.com.
-.TP 10
-\h'5'\fIinform\fR
-The query is answered normally, same as transparent. The client IP
-address (@portnumber) is printed to the logfile. The log message is:
-timestamp, unbound-pid, info: zonename inform IP@port queryname type
-class. This option can be used for normal resolution, but machines
-looking up infected names are logged, eg. to run antivirus on them.
-.TP 10
-\h'5'\fIinform_deny\fR
-The query is dropped, like 'deny', and logged, like 'inform'. Ie. find
-infected machines without answering the queries.
-.TP 10
-\h'5'\fIinform_redirect\fR
-The query is redirected, like 'redirect', and logged, like 'inform'.
+This answers queries for the zone, and all subdomains of the zone with
+the local data for the zone.
+It can be used to redirect a domain to return a different address
+record to the end user, with:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+local\-zone: \(dqexample.com.\(dq redirect
+local\-data: \(dqexample.com. A 127.0.0.1\(dq
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+queries for \fBwww.example.com\fP and \fBwww.foo.example.com\fP are
+redirected, so that users with web browsers cannot access sites with
+suffix example.com.
+.UNINDENT
+.INDENT 7.0
+.TP
+.B inform
+The query is answered normally, same as
+\fI\%transparent\fP\&.
+The client IP address (@portnumber) is printed to the logfile.
+The log message is:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+timestamp, unbound\-pid, info: zonename inform IP@port queryname type class.
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+This option can be used for normal resolution, but machines looking up
+infected names are logged, eg. to run antivirus on them.
+.UNINDENT
+.INDENT 7.0
+.TP
+.B inform_deny
+The query is dropped, like
+\fI\%deny\fP, and logged, like
+\fI\%inform\fP\&.
+Ie. find infected machines without answering the queries.
+.UNINDENT
+.INDENT 7.0
+.TP
+.B inform_redirect
+The query is redirected, like
+\fI\%redirect\fP, and logged,
+like \fI\%inform\fP\&.
Ie. answer queries with fixed data and also log the machines that ask.
-.TP 10
-\h'5'\fIalways_transparent\fR
-Like transparent, but ignores local data and resolves normally.
-.TP 10
-\h'5'\fIblock_a\fR
-Like transparent, but ignores local data and resolves normally all query
-types excluding A. For A queries it unconditionally returns NODATA.
-Useful in cases when there is a need to explicitly force all apps to use
-IPv6 protocol and avoid any queries to IPv4.
-.TP 10
-\h'5'\fIalways_refuse\fR
-Like refuse, but ignores local data and refuses the query.
-.TP 10
-\h'5'\fIalways_nxdomain\fR
-Like static, but ignores local data and returns nxdomain for the query.
-.TP 10
-\h'5'\fIalways_nodata\fR
-Like static, but ignores local data and returns nodata for the query.
-.TP 10
-\h'5'\fIalways_deny\fR
-Like deny, but ignores local data and drops the query.
-.TP 10
-\h'5'\fIalways_null\fR
-Always returns 0.0.0.0 or ::0 for every name in the zone. Like redirect
-with zero data for A and AAAA. Ignores local data in the zone. Used for
-some block lists.
-.TP 10
-\h'5'\fInoview\fR
-Breaks out of that view and moves towards the global local zones for answer
-to the query. If the view first is no, it'll resolve normally. If view first
-is enabled, it'll break perform that step and check the global answers.
+.UNINDENT
+.INDENT 7.0
+.TP
+.B always_transparent
+Like \fI\%transparent\fP, but
+ignores local data and resolves normally.
+.UNINDENT
+.INDENT 7.0
+.TP
+.B block_a
+Like \fI\%transparent\fP, but
+ignores local data and resolves normally all query types excluding A.
+For A queries it unconditionally returns NODATA.
+Useful in cases when there is a need to explicitly force all apps to
+use IPv6 protocol and avoid any queries to IPv4.
+.UNINDENT
+.INDENT 7.0
+.TP
+.B always_refuse
+Like \fI\%refuse\fP, but ignores
+local data and refuses the query.
+.UNINDENT
+.INDENT 7.0
+.TP
+.B always_nxdomain
+Like \fI\%static\fP, but ignores
+local data and returns NXDOMAIN for the query.
+.UNINDENT
+.INDENT 7.0
+.TP
+.B always_nodata
+Like \fI\%static\fP, but ignores
+local data and returns NODATA for the query.
+.UNINDENT
+.INDENT 7.0
+.TP
+.B always_deny
+Like \fI\%deny\fP, but ignores local
+data and drops the query.
+.UNINDENT
+.INDENT 7.0
+.TP
+.B always_null
+Always returns \fB0.0.0.0\fP or \fB::0\fP for every name in the zone.
+Like \fI\%redirect\fP with zero
+data for A and AAAA.
+Ignores local data in the zone.
+Used for some block lists.
+.UNINDENT
+.INDENT 7.0
+.TP
+.B noview
+Breaks out of that view and moves towards the global local zones for
+answer to the query.
+If the \fI\%view\-first\fP is no, it\(aqll
+resolve normally.
+If \fI\%view\-first\fP is enabled, it\(aqll
+break perform that step and check the global answers.
For when the view has view specific overrides but some zone has to be
answered from global local zone contents.
-.TP 10
-\h'5'\fInodefault\fR
-Used to turn off default contents for AS112 zones. The other types
-also turn off default contents for the zone. The 'nodefault' option
-has no other effect than turning off default contents for the
-given zone. Use \fInodefault\fR if you use exactly that zone, if you want to
-use a subzone, use \fItransparent\fR.
-.P
-The default zones are localhost, reverse 127.0.0.1 and ::1, the home.arpa,
-the resolver.arpa, the service.arpa,
-the onion, test, invalid and the AS112 zones. The AS112 zones are reverse
-DNS zones for private use and reserved IP addresses for which the servers
-on the internet cannot provide correct answers. They are configured by
-default to give nxdomain (no reverse information) answers. The defaults
-can be turned off by specifying your own local\-zone of that name, or
-using the 'nodefault' type. Below is a list of the default zone contents.
-.TP 10
-\h'5'\fIlocalhost\fR
-The IP4 and IP6 localhost information is given. NS and SOA records are provided
-for completeness and to satisfy some DNS update tools. Default content:
-.nf
-local\-zone: "localhost." redirect
-local\-data: "localhost. 10800 IN NS localhost."
-local\-data: "localhost. 10800 IN
- SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
-local\-data: "localhost. 10800 IN A 127.0.0.1"
-local\-data: "localhost. 10800 IN AAAA ::1"
-.fi
-.TP 10
-\h'5'\fIreverse IPv4 loopback\fR
+.UNINDENT
+.INDENT 7.0
+.TP
+.B nodefault
+Used to turn off default contents for AS112 zones.
+The other types also turn off default contents for the zone.
+The \fI\%nodefault\fP option has
+no other effect than turning off default contents for the given zone.
+Use \fI\%nodefault\fP if you use
+exactly that zone, if you want to use a subzone, use
+\fI\%transparent\fP\&.
+.UNINDENT
+.sp
+The default zones are localhost, reverse \fB127.0.0.1\fP and \fB::1\fP, the
+\fBhome.arpa\fP, \fBresolver.arpa\fP, \fBservice.arpa\fP, \fBonion\fP, \fBtest\fP,
+\fBinvalid\fP and the AS112 zones.
+The AS112 zones are reverse DNS zones for private use and reserved IP
+addresses for which the servers on the internet cannot provide correct
+answers.
+They are configured by default to give NXDOMAIN (no reverse information)
+answers.
+.sp
+The defaults can be turned off by specifying your own
+\fI\%local\-zone\fP of that name, or using the
+\fI\%nodefault\fP type.
+Below is a list of the default zone contents.
+.INDENT 7.0
+.TP
+.B localhost
+The IPv4 and IPv6 localhost information is given.
+NS and SOA records are provided for completeness and to satisfy some
+DNS update tools.
Default content:
+.INDENT 7.0
+.INDENT 3.5
+.sp
.nf
-local\-zone: "127.in\-addr.arpa." static
-local\-data: "127.in\-addr.arpa. 10800 IN NS localhost."
-local\-data: "127.in\-addr.arpa. 10800 IN
- SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
-local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN
- PTR localhost."
+.ft C
+local\-zone: \(dqlocalhost.\(dq redirect
+local\-data: \(dqlocalhost. 10800 IN NS localhost.\(dq
+local\-data: \(dqlocalhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800\(dq
+local\-data: \(dqlocalhost. 10800 IN A 127.0.0.1\(dq
+local\-data: \(dqlocalhost. 10800 IN AAAA ::1\(dq
+.ft P
.fi
-.TP 10
-\h'5'\fIreverse IPv6 loopback\fR
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 7.0
+.TP
+.B reverse IPv4 loopback
Default content:
+.INDENT 7.0
+.INDENT 3.5
+.sp
.nf
-local\-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
- 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." static
-local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
- 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
- NS localhost."
-local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
- 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
- SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
-local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
- 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
- PTR localhost."
+.ft C
+local\-zone: \(dq127.in\-addr.arpa.\(dq static
+local\-data: \(dq127.in\-addr.arpa. 10800 IN NS localhost.\(dq
+local\-data: \(dq127.in\-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800\(dq
+local\-data: \(dq1.0.0.127.in\-addr.arpa. 10800 IN PTR localhost.\(dq
+.ft P
.fi
-.TP 10
-\h'5'\fIhome.arpa (RFC 8375)\fR
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 7.0
+.TP
+.B reverse IPv6 loopback
Default content:
+.INDENT 7.0
+.INDENT 3.5
+.sp
.nf
-local\-zone: "home.arpa." static
-local\-data: "home.arpa. 10800 IN NS localhost."
-local\-data: "home.arpa. 10800 IN
- SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
+.ft C
+local\-zone: \(dq1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.\(dq static
+local\-data: \(dq1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN NS localhost.\(dq
+local\-data: \(dq1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800\(dq
+local\-data: \(dq1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN PTR localhost.\(dq
+.ft P
.fi
-.TP 10
-\h'5'\fIresolver.arpa (RFC 9462)\fR
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 7.0
+.TP
+home.arpa (\fI\%RFC 8375\fP)
Default content:
+.INDENT 7.0
+.INDENT 3.5
+.sp
.nf
-local\-zone: "resolver.arpa." static
-local\-data: "resolver.arpa. 10800 IN NS localhost."
-local\-data: "resolver.arpa. 10800 IN
- SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
+.ft C
+local\-zone: \(dqhome.arpa.\(dq static
+local\-data: \(dqhome.arpa. 10800 IN NS localhost.\(dq
+local\-data: \(dqhome.arpa. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800\(dq
+.ft P
.fi
-.TP 10
-\h'5'\fIservice.arpa (draft-ietf-dnssd-srp-25)\fR
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 7.0
+.TP
+resolver.arpa (\fI\%RFC 9462\fP)
Default content:
+.INDENT 7.0
+.INDENT 3.5
+.sp
.nf
-local\-zone: "service.arpa." static
-local\-data: "service.arpa. 10800 IN NS localhost."
-local\-data: "service.arpa. 10800 IN
- SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
+.ft C
+local\-zone: \(dqresolver.arpa.\(dq static
+local\-data: \(dqresolver.arpa. 10800 IN NS localhost.\(dq
+local\-data: \(dqresolver.arpa. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800\(dq
+.ft P
.fi
-.TP 10
-\h'5'\fIonion (RFC 7686)\fR
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 7.0
+.TP
+.B service.arpa (draft\-ietf\-dnssd\-srp\-25)
Default content:
+.INDENT 7.0
+.INDENT 3.5
+.sp
.nf
-local\-zone: "onion." static
-local\-data: "onion. 10800 IN NS localhost."
-local\-data: "onion. 10800 IN
- SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
+.ft C
+local\-zone: \(dqservice.arpa.\(dq static
+local\-data: \(dqservice.arpa. 10800 IN NS localhost.\(dq
+local\-data: \(dqservice.arpa. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800\(dq
+.ft P
.fi
-.TP 10
-\h'5'\fItest (RFC 6761)\fR
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 7.0
+.TP
+onion (\fI\%RFC 7686\fP)
Default content:
+.INDENT 7.0
+.INDENT 3.5
+.sp
.nf
-local\-zone: "test." static
-local\-data: "test. 10800 IN NS localhost."
-local\-data: "test. 10800 IN
- SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
+.ft C
+local\-zone: \(dqonion.\(dq static
+local\-data: \(dqonion. 10800 IN NS localhost.\(dq
+local\-data: \(dqonion. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800\(dq
+.ft P
.fi
-.TP 10
-\h'5'\fIinvalid (RFC 6761)\fR
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 7.0
+.TP
+test (\fI\%RFC 6761\fP)
Default content:
+.INDENT 7.0
+.INDENT 3.5
+.sp
.nf
-local\-zone: "invalid." static
-local\-data: "invalid. 10800 IN NS localhost."
-local\-data: "invalid. 10800 IN
- SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
-.fi
-.TP 10
-\h'5'\fIreverse RFC1918 local use zones\fR
-Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to
-31.172.in\-addr.arpa, 168.192.in\-addr.arpa.
-The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS
-records are provided.
-.TP 10
-\h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR
-Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa,
-2.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2),
-113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa.
-And from 64.100.in\-addr.arpa to 127.100.in\-addr.arpa (Shared Address Space).
-.TP 10
-\h'5'\fIreverse RFC4291 IP6 unspecified\fR
-Reverse data for zone
+.ft C
+local\-zone: \(dqtest.\(dq static
+local\-data: \(dqtest. 10800 IN NS localhost.\(dq
+local\-data: \(dqtest. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800\(dq
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 7.0
+.TP
+invalid (\fI\%RFC 6761\fP)
+Default content:
+.INDENT 7.0
+.INDENT 3.5
+.sp
.nf
-0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
-0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
+.ft C
+local\-zone: \(dqinvalid.\(dq static
+local\-data: \(dqinvalid. 10800 IN NS localhost.\(dq
+local\-data: \(dqinvalid. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800\(dq
+.ft P
.fi
-.TP 10
-\h'5'\fIreverse RFC4193 IPv6 Locally Assigned Local Addresses\fR
-Reverse data for zone D.F.ip6.arpa.
-.TP 10
-\h'5'\fIreverse RFC4291 IPv6 Link Local Addresses\fR
-Reverse data for zones 8.E.F.ip6.arpa to B.E.F.ip6.arpa.
-.TP 10
-\h'5'\fIreverse IPv6 Example Prefix\fR
-Reverse data for zone 8.B.D.0.1.0.0.2.ip6.arpa. This zone is used for
-tutorials and examples. You can remove the block on this zone with:
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 7.0
+.TP
+reverse local use zones (\fI\%RFC 1918\fP)
+Reverse data for zones \fB10.in\-addr.arpa\fP, \fB16.172.in\-addr.arpa\fP to
+\fB31.172.in\-addr.arpa\fP, \fB168.192.in\-addr.arpa\fP\&.
+The \fI\%local\-zone\fP is set static and as
+\fI\%local\-data\fP SOA and NS records are
+provided.
+.UNINDENT
+.INDENT 7.0
+.TP
+special\-use IPv4 Addresses (\fI\%RFC 3330\fP)
+Reverse data for zones \fB0.in\-addr.arpa\fP (this), \fB254.169.in\-addr.arpa\fP (link\-local),
+\fB2.0.192.in\-addr.arpa\fP (TEST NET 1), \fB100.51.198.in\-addr.arpa\fP
+(TEST NET 2), \fB113.0.203.in\-addr.arpa\fP (TEST NET 3),
+\fB255.255.255.255.in\-addr.arpa\fP (broadcast).
+And from \fB64.100.in\-addr.arpa\fP to \fB127.100.in\-addr.arpa\fP (Shared
+Address Space).
+.UNINDENT
+.INDENT 7.0
+.TP
+reverse IPv6 unspecified (\fI\%RFC 4291\fP)
+Reverse data for zone
+\fB0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.\fP
+.UNINDENT
+.INDENT 7.0
+.TP
+reverse IPv6 Locally Assigned Local Addresses (\fI\%RFC 4193\fP)
+Reverse data for zone \fBD.F.ip6.arpa\fP\&.
+.UNINDENT
+.INDENT 7.0
+.TP
+reverse IPv6 Link Local Addresses (\fI\%RFC 4291\fP)
+Reverse data for zones \fB8.E.F.ip6.arpa\fP to \fBB.E.F.ip6.arpa\fP\&.
+.UNINDENT
+.INDENT 7.0
+.TP
+.B reverse IPv6 Example Prefix
+Reverse data for zone \fB8.B.D.0.1.0.0.2.ip6.arpa\fP\&.
+This zone is used for tutorials and examples.
+You can remove the block on this zone with:
+.INDENT 7.0
+.INDENT 3.5
+.sp
.nf
- local\-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault
+.ft C
+local\-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault
+.ft P
.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
You can also selectively unblock a part of the zone by making that part
-transparent with a local\-zone statement.
+transparent with a \fI\%local\-zone\fP statement.
This also works with the other default zones.
-.\" End of local-zone listing.
-.TP 5
-.B local\-data: \fI"<resource record string>"
+.UNINDENT
+.INDENT 0.0
+.TP
+.B local\-data: \fI\(dq<resource record string>\(dq\fP
Configure local data, which is served in reply to queries for it.
-The query has to match exactly unless you configure the local\-zone as
-redirect. If not matched exactly, the local\-zone type determines
-further processing. If local\-data is configured that is not a subdomain of
-a local\-zone, a transparent local\-zone is configured.
-For record types such as TXT, use single quotes, as in
-local\-data: 'example. TXT "text"'.
-.IP
-If you need more complicated authoritative data, with referrals, wildcards,
-CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for
-it as detailed in the stub zone section below.
-.TP 5
-.B local\-data\-ptr: \fI"IPaddr name"
+The query has to match exactly unless you configure the
+\fI\%local\-zone\fP as redirect.
+If not matched exactly, the \fI\%local\-zone\fP
+type determines further processing.
+If \fI\%local\-data\fP is configured that is not a
+subdomain of a \fI\%local\-zone\fP, a
+\fI\%transparent local\-zone\fP is
+configured.
+For record types such as TXT, use single quotes, as in:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+local\-data: \(aqexample. TXT \(dqtext\(dq\(aq
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+If you need more complicated authoritative data, with referrals,
+wildcards, CNAME/DNAME support, or DNSSEC authoritative service, setup
+a \fI\%stub\-zone\fP for it as detailed in the stub
+zone section below.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B local\-data\-ptr: \fI\(dqIPaddr name\(dq\fP
Configure local data shorthand for a PTR record with the reversed IPv4 or
-IPv6 address and the host name. For example "192.0.2.4 www.example.com".
-TTL can be inserted like this: "2001:DB8::4 7200 www.example.com"
-.TP 5
-.B local\-zone\-tag: \fI<zone> <"list of tags">
-Assign tags to localzones. Tagged localzones will only be applied when the
-used access-control element has a matching tag. Tags must be defined in
-\fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put spaces between
-tags. When there are multiple tags it checks if the intersection of the
-list of tags for the query and local\-zone\-tag is non-empty.
-.TP 5
-.B local\-zone\-override: \fI<zone> <IP netblock> <type>
-Override the localzone type for queries from addresses matching netblock.
-Use this localzone type, regardless the type configured for the local-zone
+IPv6 address and the host name.
+For example \fB\(dq192.0.2.4 www.example.com\(dq\fP\&.
+TTL can be inserted like this: \fB\(dq2001:DB8::4 7200 www.example.com\(dq\fP
+.UNINDENT
+.INDENT 0.0
+.TP
+.B local\-zone\-tag: \fI<zone> <\(dqlist of tags\(dq>\fP
+Assign tags to local zones.
+Tagged localzones will only be applied when the used
+\fI\%access\-control\fP element has a matching
+tag.
+Tags must be defined in \fI\%define\-tag\fP\&.
+Enclose list of tags in quotes (\fB\(dq\(dq\fP) and put spaces between tags.
+When there are multiple tags it checks if the intersection of the list of
+tags for the query and \fI\%local\-zone\-tag\fP
+is non\-empty.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B local\-zone\-override: \fI<zone> <IP netblock> <type>\fP
+Override the local zone type for queries from addresses matching netblock.
+Use this localzone type, regardless the type configured for the local zone
(both tagged and untagged) and regardless the type configured using
-access\-control\-tag\-action.
-.TP 5
-.B response\-ip: \fI<IP-netblock> <action>
-This requires use of the "respip" module.
-.IP
-If the IP address in an AAAA or A RR in the answer section of a
-response matches the specified IP netblock, the specified action will
-apply.
-\fI<action>\fR has generally the same semantics as that for
-\fIaccess-control-tag-action\fR, but there are some exceptions.
-.IP
-Actions for \fIresponse-ip\fR are different from those for
-\fIlocal-zone\fR in that in case of the former there is no point of
-such conditions as "the query matches it but there is no local data".
-Because of this difference, the semantics of \fIresponse-ip\fR actions
-are modified or simplified as follows: The \fIstatic, refuse,
-transparent, typetransparent,\fR and \fInodefault\fR actions are
-invalid for \fIresponse-ip\fR.
-Using any of these will cause the configuration to be rejected as
-faulty. The \fIdeny\fR action is non-conditional, i.e. it always
-results in dropping the corresponding query.
-The resolution result before applying the deny action is still cached
-and can be used for other queries.
-.TP 5
-.B response-ip-data: \fI<IP-netblock> <"resource record string">
-This requires use of the "respip" module.
-.IP
-This specifies the action data for \fIresponse-ip\fR with action being
-to redirect as specified by "\fIresource record string\fR". "Resource
-record string" is similar to that of \fIaccess-control-tag-action\fR,
+\fI\%access\-control\-tag\-action\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B response\-ip: \fI<IP\-netblock> <action>\fP
+This requires use of the \fBrespip\fP module.
+.sp
+If the IP address in an AAAA or A RR in the answer section of a response
+matches the specified IP netblock, the specified action will apply.
+\fI<action>\fP has generally the same semantics as that for
+\fI\%access\-control\-tag\-action\fP,
+but there are some exceptions.
+.sp
+Actions for \fI\%response\-ip\fP are different
+from those for \fI\%local\-zone\fP in that in case
+of the former there is no point of such conditions as \(dqthe query matches it
+but there is no local data\(dq.
+Because of this difference, the semantics of
+\fI\%response\-ip\fP actions are modified or
+simplified as follows: The \fIstatic\fP, \fIrefuse\fP, \fItransparent\fP,
+\fItypetransparent\fP, and \fInodefault\fP actions are invalid for \fIresponse\-ip\fP\&.
+Using any of these will cause the configuration to be rejected as faulty.
+The \fIdeny\fP action is non\-conditional, i.e. it always results in dropping
+the corresponding query.
+The resolution result before applying the \fIdeny\fP action is still cached and
+can be used for other queries.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B response\-ip\-data: \fI<IP\-netblock> <\(dqresource record string\(dq>\fP
+This requires use of the \fBrespip\fP module.
+.sp
+This specifies the action data for
+\fI\%response\-ip\fP with action being to redirect
+as specified by \fI<\(dqresource record string\(dq>\fP\&.
+\fI<\(dqResource record string\(dq>\fP is similar to that of
+\fI\%access\-control\-tag\-action\fP,
but it must be of either AAAA, A or CNAME types.
-If the IP-netblock is an IPv6/IPv4 prefix, the record
-must be AAAA/A respectively, unless it is a CNAME (which can be used
-for both versions of IP netblocks). If it is CNAME there must not be
-more than one \fIresponse-ip-data\fR for the same IP-netblock.
+If the \fI<IP\-netblock>\fP is an IPv6/IPv4 prefix, the record must be AAAA/A
+respectively, unless it is a CNAME (which can be used for both versions of
+IP netblocks).
+If it is CNAME there must not be more than one
+\fI\%response\-ip\-data\fP for the same
+\fI<IP\-netblock>\fP\&.
Also, CNAME and other types of records must not coexist for the same
-IP-netblock, following the normal rules for CNAME records.
+\fI<IP\-netblock>\fP, following the normal rules for CNAME records.
The textual domain name for the CNAME does not have to be explicitly
-terminated with a dot ("."); the root name is assumed to be the origin
+terminated with a dot (\fB\(dq.\(dq\fP); the root name is assumed to be the origin
for the name.
-.TP 5
-.B response-ip-tag: \fI<IP-netblock> <"list of tags">
-This requires use of the "respip" module.
-.IP
-Assign tags to response IP-netblocks. If the IP address in an AAAA or
-A RR in the answer section of a response matches the specified
-IP-netblock, the specified tags are assigned to the IP address.
-Then, if an \fIaccess-control-tag\fR is defined for the client and it
-includes one of the tags for the response IP, the corresponding
-\fIaccess-control-tag-action\fR will apply.
-Tag matching rule is the same as that for \fIaccess-control-tag\fR and
-\fIlocal-zones\fR.
-Unlike \fIlocal-zone-tag\fR, \fIresponse-ip-tag\fR can be defined for
-an IP-netblock even if no \fIresponse-ip\fR is defined for that
-netblock.
-If multiple \fIresponse-ip-tag\fR options are specified for the same
-IP-netblock in different statements, all but the first will be
-ignored.
-However, this will not be flagged as a configuration error, but the
-result is probably not what was intended.
-.IP
+.UNINDENT
+.INDENT 0.0
+.TP
+.B response\-ip\-tag: \fI<IP\-netblock> <\(dqlist of tags\(dq>\fP
+This requires use of the \fBrespip\fP module.
+.sp
+Assign tags to response \fI<IP\-netblock>\fP\&.
+If the IP address in an AAAA or A RR in the answer section of a response
+matches the specified \fI<IP\-netblock>\fP, the specified tags are assigned to
+the IP address.
+Then, if an \fI\%access\-control\-tag\fP is
+defined for the client and it includes one of the tags for the response IP,
+the corresponding
+\fI\%access\-control\-tag\-action\fP
+will apply.
+Tag matching rule is the same as that for
+\fI\%access\-control\-tag\fP and
+\fI\%local\-zone\fP\&.
+Unlike \fI\%local\-zone\-tag\fP,
+\fI\%response\-ip\-tag\fP can be defined for an
+\fI<IP\-netblock>\fP even if no \fI\%response\-ip\fP is
+defined for that netblock.
+If multiple \fI\%response\-ip\-tag\fP options
+are specified for the same \fI<IP\-netblock>\fP in different statements, all but
+the first will be ignored.
+However, this will not be flagged as a configuration error, but the result
+is probably not what was intended.
+.sp
Actions specified in an
-\fIaccess-control-tag-action\fR that has a matching tag with
-\fIresponse-ip-tag\fR can be those that are "invalid" for
-\fIresponse-ip\fR listed above, since \fIaccess-control-tag-action\fRs
+\fI\%access\-control\-tag\-action\fP
+that has a matching tag with
+\fI\%response\-ip\-tag\fP can be those that are
+\(dqinvalid\(dq for \fI\%response\-ip\fP listed above,
+since
+\fI\%access\-control\-tag\-action\fP
can be shared with local zones.
-For these actions, if they behave differently depending on whether
-local data exists or not in case of local zones, the behavior for
-\fIresponse-ip-data\fR will generally result in NOERROR/NODATA instead
-of NXDOMAIN, since the \fIresponse-ip\fR data are inherently type
-specific, and non-existence of data does not indicate anything about
-the existence or non-existence of the qname itself.
-For example, if the matching tag action is \fIstatic\fR but there is
-no data for the corresponding \fIresponse-ip\fR configuration, then
-the result will be NOERROR/NODATA.
+For these actions, if they behave differently depending on whether local
+data exists or not in case of local zones, the behavior for
+\fI\%response\-ip\-data\fP will generally
+result in NOERROR/NODATA instead of NXDOMAIN, since the
+\fI\%response\-ip\fP data are inherently type
+specific, and non\-existence of data does not indicate anything about the
+existence or non\-existence of the qname itself.
+For example, if the matching tag action is static but there is no data for
+the corresponding \fI\%response\-ip\fP
+configuration, then the result will be NOERROR/NODATA.
The only case where NXDOMAIN is returned is when an
-\fIalways_nxdomain\fR action applies.
-.TP 5
-.B ratelimit: \fI<number or 0>
+\fI\%always_nxdomain\fP
+action applies.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ratelimit: \fI<number or 0>\fP
Enable ratelimiting of queries sent to nameserver for performing recursion.
-If 0, the default, it is disabled. This option is experimental at this time.
-The ratelimit is in queries per second that are allowed. More queries are
-turned away with an error (servfail). This stops recursive floods, eg. random
-query names, but not spoofed reflection floods. Cached responses are not
-ratelimited by this setting. The zone of the query is determined by examining
-the nameservers for it, the zone name is used to keep track of the rate.
+0 disables the feature.
+This option is experimental at this time.
+.sp
+The ratelimit is in queries per second that are allowed.
+More queries are turned away with an error (SERVFAIL).
+Cached responses are not ratelimited by this setting.
+.sp
+This stops recursive floods, eg. random query names, but not spoofed
+reflection floods.
+The zone of the query is determined by examining the nameservers for it,
+the zone name is used to keep track of the rate.
For example, 1000 may be a suitable value to stop the server from being
-overloaded with random names, and keeps Unbound from sending traffic to the
-nameservers for those zones. Configured forwarders are excluded from
-ratelimiting.
-.TP 5
-.B ratelimit\-size: \fI<memory size>
+overloaded with random names, and keeps unbound from sending traffic to the
+nameservers for those zones.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Configured forwarders are excluded from ratelimiting.
+.UNINDENT
+.UNINDENT
+.sp
+Default: 0
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ratelimit\-size: \fI<memory size>\fP
Give the size of the data structure in which the current ongoing rates are
-kept track in. Default 4m. In bytes or use m(mega), k(kilo), g(giga).
-The ratelimit structure is small, so this data structure likely does
-not need to be large.
-.TP 5
-.B ratelimit\-slabs: \fI<number>
-Give power of 2 number of slabs, this is used to reduce lock contention
-in the ratelimit tracking data structure. Close to the number of cpus is
-a fairly good setting.
-.TP 5
-.B ratelimit\-factor: \fI<number>
+kept track in.
+In bytes or use m(mega), k(kilo), g(giga).
+The ratelimit structure is small, so this data structure likely does not
+need to be large.
+.sp
+Default: 4m
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ratelimit\-slabs: \fI<number>\fP
+Number of slabs in the ratelimit tracking data structure.
+Slabs reduce lock contention by threads.
+Must be set to a power of 2.
+Setting (close) to the number of cpus is a fairly good setting.
+If left unconfigured, it will be configured automatically to be a power of
+2 close to the number of configured threads in multi\-threaded environments.
+.sp
+Default: (unconfigured)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ratelimit\-factor: \fI<number>\fP
Set the amount of queries to rate limit when the limit is exceeded.
If set to 0, all queries are dropped for domains where the limit is
-exceeded. If set to another value, 1 in that number is allowed through
-to complete. Default is 10, allowing 1/10 traffic to flow normally.
-This can make ordinary queries complete (if repeatedly queried for),
-and enter the cache, whilst also mitigating the traffic flow by the
-factor given.
-.TP 5
-.B ratelimit\-backoff: \fI<yes or no>
-If enabled, the ratelimit is treated as a hard failure instead of the default
-maximum allowed constant rate. When the limit is reached, traffic is
-ratelimited and demand continues to be kept track of for a 2 second rate
-window. No traffic is allowed, except for ratelimit\-factor, until demand
-decreases below the configured ratelimit for a 2 second rate window. Useful to
-set ratelimit to a suspicious rate to aggressively limit unusually high
-traffic. Default is off.
-.TP 5
-.B ratelimit\-for\-domain: \fI<domain> <number qps or 0>
-Override the global ratelimit for an exact match domain name with the listed
-number. You can give this for any number of names. For example, for
-a top\-level\-domain you may want to have a higher limit than other names.
+exceeded.
+If set to another value, 1 in that number is allowed through to complete.
+Default is 10, allowing 1/10 traffic to flow normally.
+This can make ordinary queries complete (if repeatedly queried for), and
+enter the cache, whilst also mitigating the traffic flow by the factor
+given.
+.sp
+Default: 10
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ratelimit\-backoff: \fI<yes or no>\fP
+If enabled, the ratelimit is treated as a hard failure instead of the
+default maximum allowed constant rate.
+When the limit is reached, traffic is ratelimited and demand continues to
+be kept track of for a 2 second rate window.
+No traffic is allowed, except for
+\fI\%ratelimit\-factor\fP, until demand
+decreases below the configured ratelimit for a 2 second rate window.
+Useful to set \fI\%ratelimit\fP to a suspicious
+rate to aggressively limit unusually high traffic.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ratelimit\-for\-domain: \fI<domain> <number qps or 0>\fP
+Override the global \fI\%ratelimit\fP for an exact
+match domain name with the listed number.
+You can give this for any number of names.
+For example, for a top\-level\-domain you may want to have a higher limit
+than other names.
A value of 0 will disable ratelimiting for that domain.
-.TP 5
-.B ratelimit\-below\-domain: \fI<domain> <number qps or 0>
-Override the global ratelimit for a domain name that ends in this name.
-You can give this multiple times, it then describes different settings
-in different parts of the namespace. The closest matching suffix is used
-to determine the qps limit. The rate for the exact matching domain name
-is not changed, use ratelimit\-for\-domain to set that, you might want
-to use different settings for a top\-level\-domain and subdomains.
-A value of 0 will disable ratelimiting for domain names that end in this name.
-.TP 5
-.B ip\-ratelimit: \fI<number or 0>
-Enable global ratelimiting of queries accepted per IP address.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ratelimit\-below\-domain: \fI<domain> <number qps or 0>\fP
+Override the global \fI\%ratelimit\fP for a domain
+name that ends in this name.
+You can give this multiple times, it then describes different settings in
+different parts of the namespace.
+The closest matching suffix is used to determine the qps limit.
+The rate for the exact matching domain name is not changed, use
+\fI\%ratelimit\-for\-domain\fP to set
+that, you might want to use different settings for a top\-level\-domain and
+subdomains.
+A value of 0 will disable ratelimiting for domain names that end in this
+name.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ip\-ratelimit: \fI<number or 0>\fP
+Enable global ratelimiting of queries accepted per ip address.
This option is experimental at this time.
-The ratelimit is in queries per second that are allowed. More queries are
-completely dropped and will not receive a reply, SERVFAIL or otherwise.
-IP ratelimiting happens before looking in the cache. This may be useful for
-mitigating amplification attacks.
+The ratelimit is in queries per second that are allowed.
+More queries are completely dropped and will not receive a reply, SERVFAIL
+or otherwise.
+IP ratelimiting happens before looking in the cache.
+This may be useful for mitigating amplification attacks.
Clients with a valid DNS Cookie will bypass the ratelimit.
-If a ratelimit for such clients is still needed, \fBip\-ratelimit\-cookie\fR
+If a ratelimit for such clients is still needed,
+\fI\%ip\-ratelimit\-cookie\fP
can be used instead.
-Default is 0 (disabled).
-.TP 5
-.B ip\-ratelimit\-cookie: \fI<number or 0>
-Enable global ratelimiting of queries accepted per IP address with a valid DNS
-Cookie.
+.sp
+Default: 0 (disabled)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ip\-ratelimit\-cookie: \fI<number or 0>\fP
+Enable global ratelimiting of queries accepted per IP address with a valid
+DNS Cookie.
This option is experimental at this time.
The ratelimit is in queries per second that are allowed.
-More queries are completely dropped and will not receive a reply, SERVFAIL or
-otherwise.
+More queries are completely dropped and will not receive a reply, SERVFAIL
+or otherwise.
IP ratelimiting happens before looking in the cache.
-This option could be useful in combination with \fIallow_cookie\fR in an
+This option could be useful in combination with
+\fI\%allow_cookie\fP, in an
attempt to mitigate other amplification attacks than UDP reflections (e.g.,
-attacks targeting Unbound itself) which are already handled with DNS Cookies.
-If used, the value is suggested to be higher than \fBip\-ratelimit\fR e.g.,
-tenfold.
-Default is 0 (disabled).
-.TP 5
-.B ip\-ratelimit\-size: \fI<memory size>
+attacks targeting Unbound itself) which are already handled with DNS
+Cookies.
+If used, the value is suggested to be higher than
+\fI\%ip\-ratelimit\fP e.g., tenfold.
+.sp
+Default: 0 (disabled)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ip\-ratelimit\-size: \fI<memory size>\fP
Give the size of the data structure in which the current ongoing rates are
-kept track in. Default 4m. In bytes or use m(mega), k(kilo), g(giga).
-The ip ratelimit structure is small, so this data structure likely does
-not need to be large.
-.TP 5
-.B ip\-ratelimit\-slabs: \fI<number>
-Give power of 2 number of slabs, this is used to reduce lock contention
-in the ip ratelimit tracking data structure. Close to the number of cpus is
-a fairly good setting.
-.TP 5
-.B ip\-ratelimit\-factor: \fI<number>
+kept track in.
+In bytes or use m(mega), k(kilo), g(giga).
+The IP ratelimit structure is small, so this data structure likely does not
+need to be large.
+.sp
+Default: 4m
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ip\-ratelimit\-slabs: \fI<number>\fP
+Number of slabs in the ip ratelimit tracking data structure.
+Slabs reduce lock contention by threads.
+Must be set to a power of 2.
+Setting (close) to the number of cpus is a fairly good setting.
+If left unconfigured, it will be configured automatically to be a power of
+2 close to the number of configured threads in multi\-threaded environments.
+.sp
+Default: (unconfigured)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ip\-ratelimit\-factor: \fI<number>\fP
Set the amount of queries to rate limit when the limit is exceeded.
If set to 0, all queries are dropped for addresses where the limit is
-exceeded. If set to another value, 1 in that number is allowed through
-to complete. Default is 10, allowing 1/10 traffic to flow normally.
-This can make ordinary queries complete (if repeatedly queried for),
-and enter the cache, whilst also mitigating the traffic flow by the
-factor given.
-.TP 5
-.B ip\-ratelimit\-backoff: \fI<yes or no>
-If enabled, the ratelimit is treated as a hard failure instead of the default
-maximum allowed constant rate. When the limit is reached, traffic is
-ratelimited and demand continues to be kept track of for a 2 second rate
-window. No traffic is allowed, except for ip\-ratelimit\-factor, until demand
-decreases below the configured ratelimit for a 2 second rate window. Useful to
-set ip\-ratelimit to a suspicious rate to aggressively limit unusually high
-traffic. Default is off.
-.TP 5
-.B outbound\-msg\-retry: \fI<number>
-The number of retries, per upstream nameserver in a delegation, that Unbound
-will attempt in case a throwaway response is received.
+exceeded.
+If set to another value, 1 in that number is allowed through to complete.
+Default is 10, allowing 1/10 traffic to flow normally.
+This can make ordinary queries complete (if repeatedly queried for), and
+enter the cache, whilst also mitigating the traffic flow by the factor
+given.
+.sp
+Default: 10
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ip\-ratelimit\-backoff: \fI<yes or no>\fP
+If enabled, the rate limit is treated as a hard failure instead of the
+default maximum allowed constant rate.
+When the limit is reached, traffic is ratelimited and demand continues to
+be kept track of for a 2 second rate window.
+No traffic is allowed, except for
+\fI\%ip\-ratelimit\-factor\fP, until demand
+decreases below the configured ratelimit for a 2 second rate window.
+Useful to set \fI\%ip\-ratelimit\fP to a
+suspicious rate to aggressively limit unusually high traffic.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B outbound\-msg\-retry: \fI<number>\fP
+The number of retries, per upstream nameserver in a delegation, that
+Unbound will attempt in case a throwaway response is received.
No response (timeout) contributes to the retry counter.
-If a forward/stub zone is used, this is the number of retries per nameserver in
-the zone.
-Default is 5.
-.TP 5
-.B max\-sent\-count: \fI<number>
-Hard limit on the number of outgoing queries Unbound will make while resolving
-a name, making sure large NS sets do not loop.
+If a forward/stub zone is used, this is the number of retries per
+nameserver in the zone.
+.sp
+Default: 5
+.UNINDENT
+.INDENT 0.0
+.TP
+.B max\-sent\-count: \fI<number>\fP
+Hard limit on the number of outgoing queries Unbound will make while
+resolving a name, making sure large NS sets do not loop.
Results in SERVFAIL when reached.
It resets on query restarts (e.g., CNAME) and referrals.
-Default is 32.
-.TP 5
-.B max\-query\-restarts: \fI<number>
-Hard limit on the number of times Unbound is allowed to restart a query upon
-encountering a CNAME record.
+.sp
+Default: 32
+.UNINDENT
+.INDENT 0.0
+.TP
+.B max\-query\-restarts: \fI<number>\fP
+Hard limit on the number of times Unbound is allowed to restart a query
+upon encountering a CNAME record.
Results in SERVFAIL when reached.
Changing this value needs caution as it can allow long CNAME chains to be
accepted, where Unbound needs to verify (resolve) each link individually.
-Default is 11.
-.TP 5
-.B iter\-scrub\-ns: \fI<number>
+.sp
+Default: 11
+.UNINDENT
+.INDENT 0.0
+.TP
+.B iter\-scrub\-ns: \fI<number>\fP
Limit on the number of NS records allowed in an rrset of type NS, from the
-iterator scrubber. This protects the internals of the resolver from overly
-large NS sets. Default is 20.
-.TP 5
-.B iter\-scrub\-cname: \fI<number>
+iterator scrubber.
+This protects the internals of the resolver from overly large NS sets.
+.sp
+Default: 20
+.UNINDENT
+.INDENT 0.0
+.TP
+.B iter\-scrub\-cname: \fI<number>\fP
Limit on the number of CNAME, DNAME records in an answer, from the iterator
-scrubber. This protects the internals of the resolver from overly long
-indirection chains. Clips off the remainder of the reply packet at that point.
-Default is 11.
-.TP 5
-.B max\-global\-quota: \fI<number>
+scrubber.
+This protects the internals of the resolver from overly long indirection
+chains.
+Clips off the remainder of the reply packet at that point.
+.sp
+Default: 11
+.UNINDENT
+.INDENT 0.0
+.TP
+.B max\-global\-quota: \fI<number>\fP
Limit on the number of upstream queries sent out for an incoming query and
-its subqueries from recursion. It is not reset during the resolution. When
-it is exceeded the query is failed and the lookup process stops.
-Default is 200.
-.TP 5
-.B fast\-server\-permil: \fI<number>
+its subqueries from recursion.
+It is not reset during the resolution.
+When it is exceeded the query is failed and the lookup process stops.
+.sp
+Default: 200
+.UNINDENT
+.INDENT 0.0
+.TP
+.B fast\-server\-permil: \fI<number>\fP
Specify how many times out of 1000 to pick from the set of fastest servers.
-0 turns the feature off. A value of 900 would pick from the fastest
-servers 90 percent of the time, and would perform normal exploration of random
-servers for the remaining time. When prefetch is enabled (or serve\-expired),
-such prefetches are not sped up, because there is no one waiting for it, and it
-presents a good moment to perform server exploration. The
-\fBfast\-server\-num\fR option can be used to specify the size of the fastest
-servers set. The default for fast\-server\-permil is 0.
-.TP 5
-.B fast\-server\-num: \fI<number>
-Set the number of servers that should be used for fast server selection. Only
-use the fastest specified number of servers with the fast\-server\-permil
-option, that turns this on or off. The default is to use the fastest 3 servers.
-.TP 5
-.B answer\-cookie: \fI<yes or no>
+0 turns the feature off.
+A value of 900 would pick from the fastest servers 90 percent of the time,
+and would perform normal exploration of random servers for the remaining
+time.
+When \fI\%prefetch\fP is enabled (or
+\fI\%serve\-expired\fP), such prefetches are not
+sped up, because there is no one waiting for it, and it presents a good
+moment to perform server exploration.
+The \fI\%fast\-server\-num\fP option can be
+used to specify the size of the fastest servers set.
+.sp
+Default: 0
+.UNINDENT
+.INDENT 0.0
+.TP
+.B fast\-server\-num: \fI<number>\fP
+Set the number of servers that should be used for fast server selection.
+Only use the fastest specified number of servers with the
+\fI\%fast\-server\-permil\fP option, that
+turns this on or off.
+.sp
+Default: 3
+.UNINDENT
+.INDENT 0.0
+.TP
+.B answer\-cookie: \fI<yes or no>\fP
If enabled, Unbound will answer to requests containing DNS Cookies as
specified in RFC 7873 and RFC 9018.
-Default is no.
-.TP 5
-.B cookie\-secret: \fI<128 bit hex string>
-Server's secret for DNS Cookie generation.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B cookie\-secret: \fI\(dq<128 bit hex string>\(dq\fP
+Server\(aqs secret for DNS Cookie generation.
Useful to explicitly set for servers in an anycast deployment that need to
-share the secret in order to verify each other's Server Cookies.
-An example hex string would be "000102030405060708090a0b0c0d0e0f".
-Default is a 128 bits random secret generated at startup time.
-This option is ignored if a \fBcookie\-secret\-file\fR is
-present. In that case the secrets from that file are used in DNS Cookie
+share the secret in order to verify each other\(aqs Server Cookies.
+An example hex string would be \(dq000102030405060708090a0b0c0d0e0f\(dq.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+This option is ignored if a
+\fI\%cookie\-secret\-file\fP is present.
+In that case the secrets from that file are used in DNS Cookie
calculations.
-.TP 5
-.B cookie\-secret\-file: \fI<filename>
-File from which the secrets are read used in DNS Cookie calculations. When this
-file exists, the secrets in this file are used and the secret specified by the
-\fBcookie-secret\fR option is ignored.
-Enable it by setting a filename, like "/usr/local/etc/unbound_cookiesecrets.txt".
-The content of this file must be manipulated with the \fBadd_cookie_secret\fR,
-\fBdrop_cookie_secret\fR and \fBactivate_cookie_secret\fR commands to the
-\fIunbound\-control\fR(8) tool. Please see that manpage on how to perform a
-safe cookie secret rollover.
-Default is "" (disabled).
-.TP 5
-.B edns\-client\-string: \fI<IP netblock> <string>
-Include an EDNS0 option containing configured ascii string in queries with
-destination address matching the configured IP netblock. This configuration
-option can be used multiple times. The most specific match will be used.
-.TP 5
-.B edns\-client\-string\-opcode: \fI<opcode>
-EDNS0 option code for the \fIedns\-client\-string\fR option, from 0 to 65535.
-A value from the `Reserved for Local/Experimental` range (65001-65534) should
-be used. Default is 65001.
-.TP 5
-.B ede: \fI<yes or no>
-If enabled, Unbound will respond with Extended DNS Error codes (RFC8914).
-These EDEs provide additional information with a response mainly for, but not
-limited to, DNS and DNSSEC errors.
-
-When the \fBval-log-level\fR option is also set to \fB2\fR, responses with
-Extended DNS Errors concerning DNSSEC failures will also contain a descriptive
-text message about the reason for the failure.
-Default is "no".
-.TP 5
-.B ede\-serve\-expired: \fI<yes or no>
-If enabled, Unbound will attach an Extended DNS Error (RFC8914) Code 3 - Stale
-Answer as EDNS0 option to the expired response.
-The \fBede\fR option needs to be enabled as well for this to work.
-Default is "no".
-.TP 5
-.B dns\-error\-reporting: \fI<yes or no>
-If enabled, Unbound will send DNS Error Reports (RFC9567).
-The name servers need to express support by attaching the Report-Channel EDNS0
-option on their replies specifying the reporting agent for the zone.
+.UNINDENT
+.UNINDENT
+.sp
+Default: 128 bits random secret generated at startup time
+.UNINDENT
+.INDENT 0.0
+.TP
+.B cookie\-secret\-file: \fI<filename>\fP
+File from which the secrets are read used in DNS Cookie calculations.
+When this file exists, the secrets in this file are used and the secret
+specified by the
+\fI\%cookie\-secret\fP option is ignored.
+Enable it by setting a filename, like
+\(dq/usr/local/etc/unbound_cookiesecrets.txt\(dq.
+The content of this file must be manipulated with the
+\fI\%add_cookie_secret\fP,
+\fI\%drop_cookie_secret\fP and
+\fI\%activate_cookie_secret\fP
+commands to the \fI\%unbound\-control(8)\fP tool.
+Please see that manpage on how to perform a safe cookie secret rollover.
+.sp
+Default: \(dq\(dq (disabled)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B edns\-client\-string: \fI<IP netblock> <string>\fP
+Include an EDNS0 option containing configured ASCII string in queries with
+destination address matching the configured \fI<IP netblock>\fP\&.
+This configuration option can be used multiple times.
+The most specific match will be used.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B edns\-client\-string\-opcode: \fI<opcode>\fP
+EDNS0 option code for the
+\fI\%edns\-client\-string\fP option, from 0
+to 65535.
+A value from the \(aqReserved for Local/Experimental\(aq range (65001\-65534)
+should be used.
+.sp
+Default: 65001
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ede: \fI<yes or no>\fP
+If enabled, Unbound will respond with Extended DNS Error codes
+(\fI\%RFC 8914\fP).
+These EDEs provide additional information with a response mainly for, but
+not limited to, DNS and DNSSEC errors.
+.sp
+When the \fI\%val\-log\-level\fP option is also
+set to \fB2\fP, responses with Extended DNS Errors concerning DNSSEC failures
+will also contain a descriptive text message about the reason for the
+failure.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ede\-serve\-expired: \fI<yes or no>\fP
+If enabled, Unbound will attach an Extended DNS Error (\fI\%RFC 8914\fP) \fICode 3
+\- Stale Answer\fP as EDNS0 option to the expired response.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+\fI\%ede: yes\fP needs to be set as well for this to
+work.
+.UNINDENT
+.UNINDENT
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B dns\-error\-reporting: \fI<yes or no>\fP
+If enabled, Unbound will send DNS Error Reports (\fI\%RFC 9567\fP).
+The name servers need to express support by attaching the Report\-Channel
+EDNS0 option on their replies specifying the reporting agent for the zone.
Any errors encountered during resolution that would result in Unbound
-generating an Extended DNS Error (RFC8914) will be reported to the zone's
-reporting agent.
-The \fBede\fR option does not need to be enabled for this to work.
-It is advised that the \fBqname\-minimisation\fR option is also enabled to
-increase privacy on the outgoing reports.
-Default is "no".
-.SS "Remote Control Options"
-In the
-.B remote\-control:
-clause are the declarations for the remote control facility. If this is
-enabled, the \fIunbound\-control\fR(8) utility can be used to send
-commands to the running Unbound server. The server uses these clauses
-to setup TLSv1 security for the connection. The
-\fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR
-section for options. To setup the correct self\-signed certificates use the
-\fIunbound\-control\-setup\fR(8) utility.
-.TP 5
-.B control\-enable: \fI<yes or no>
-The option is used to enable remote control, default is "no".
+generating an Extended DNS Error (\fI\%RFC 8914\fP) will be reported to the
+zone\(aqs reporting agent.
+.sp
+The \fI\%ede\fP option does not need to be enabled for
+this to work.
+.sp
+It is advised that the
+\fI\%qname\-minimisation\fP option is also
+enabled to increase privacy on the outgoing reports.
+.sp
+Default: no
+.UNINDENT
+.SS Remote Control Options
+.sp
+In the \fBremote\-control:\fP clause are the declarations for the remote control
+facility.
+If this is enabled, the \fI\%unbound\-control(8)\fP
+utility can be used to send commands to the running Unbound server.
+The server uses these clauses to setup TLSv1 security for the connection.
+The \fI\%unbound\-control(8)\fP utility also reads the
+\fBremote\-control:\fP section for options.
+To setup the correct self\-signed certificates use the
+\fIunbound\-control\-setup(8)\fP utility.
+.INDENT 0.0
+.TP
+.B control\-enable: \fI<yes or no>\fP
+The option is used to enable remote control.
If turned off, the server does not listen for control commands.
-.TP 5
-.B control\-interface: \fI<ip address or interface name or path>
-Give IPv4 or IPv6 addresses or local socket path to listen on for
-control commands.
-If an interface name is used instead of an ip address, the list of ip addresses
-on that interface are used.
-By default localhost (127.0.0.1 and ::1) is listened to.
-Use 0.0.0.0 and ::0 to listen to all interfaces.
-If you change this and permissions have been dropped, you must restart
-the server for the change to take effect.
-.IP
-If you set it to an absolute path, a unix domain socket is used. This socket
-does not use the certificates and keys, so those files need not be present.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B control\-interface: \fI<IP address or interface name or path>\fP
+Give IPv4 or IPv6 addresses or local socket path to listen on for control
+commands.
+If an interface name is used instead of an IP address, the list of IP
+addresses on that interface are used.
+.sp
+By default localhost (\fB127.0.0.1\fP and \fB::1\fP) is listened to.
+Use \fB0.0.0.0\fP and \fB::0\fP to listen to all interfaces.
+If you change this and permissions have been dropped, you must restart the
+server for the change to take effect.
+.sp
+If you set it to an absolute path, a unix domain socket is used.
+This socket does not use the certificates and keys, so those files need not
+be present.
To restrict access, Unbound sets permissions on the file to the user and
-group that is configured, the access bits are set to allow the group members
-to access the control socket file. Put users that need to access the socket
-in the that group. To restrict access further, create a directory to put
-the control socket in and restrict access to that directory.
-.TP 5
-.B control\-port: \fI<port number>
-The port number to listen on for IPv4 or IPv6 control interfaces,
-default is 8953.
+group that is configured, the access bits are set to allow the group
+members to access the control socket file.
+Put users that need to access the socket in the that group.
+To restrict access further, create a directory to put the control socket in
+and restrict access to that directory.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B control\-port: \fI<port number>\fP
+The port number to listen on for IPv4 or IPv6 control interfaces.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
If you change this and permissions have been dropped, you must restart
the server for the change to take effect.
-.TP 5
-.B control\-use\-cert: \fI<yes or no>
-For localhost control-interface you can disable the use of TLS by setting
-this option to "no", default is "yes". For local sockets, TLS is disabled
-and the value of this option is ignored.
-.TP 5
-.B server\-key\-file: \fI<private key file>
-Path to the server private key, by default unbound_server.key.
-This file is generated by the \fIunbound\-control\-setup\fR utility.
-This file is used by the Unbound server, but not by \fIunbound\-control\fR.
-.TP 5
-.B server\-cert\-file: \fI<certificate file.pem>
-Path to the server self signed certificate, by default unbound_server.pem.
-This file is generated by the \fIunbound\-control\-setup\fR utility.
-This file is used by the Unbound server, and also by \fIunbound\-control\fR.
-.TP 5
-.B control\-key\-file: \fI<private key file>
-Path to the control client private key, by default unbound_control.key.
-This file is generated by the \fIunbound\-control\-setup\fR utility.
-This file is used by \fIunbound\-control\fR.
-.TP 5
-.B control\-cert\-file: \fI<certificate file.pem>
-Path to the control client certificate, by default unbound_control.pem.
+.UNINDENT
+.UNINDENT
+.sp
+Default: 8953
+.UNINDENT
+.INDENT 0.0
+.TP
+.B control\-use\-cert: \fI<yes or no>\fP
+For localhost
+\fI\%control\-interface\fP you can
+disable the use of TLS by setting this option to \(dqno\(dq.
+For local sockets, TLS is disabled and the value of this option is ignored.
+.sp
+Default: yes
+.UNINDENT
+.INDENT 0.0
+.TP
+.B server\-key\-file: \fI<private key file>\fP
+Path to the server private key.
+This file is generated by the
+\fI\%unbound\-control\-setup(8)\fP utility.
+This file is used by the Unbound server, but not by
+\fI\%unbound\-control(8)\fP\&.
+.sp
+Default: unbound_server.key
+.UNINDENT
+.INDENT 0.0
+.TP
+.B server\-cert\-file: \fI<certificate file.pem>\fP
+Path to the server self signed certificate.
+This file is generated by the
+\fI\%unbound\-control\-setup(8)\fP utility.
+This file is used by the Unbound server, and also by
+\fI\%unbound\-control(8)\fP\&.
+.sp
+Default: unbound_server.pem
+.UNINDENT
+.INDENT 0.0
+.TP
+.B control\-key\-file: \fI<private key file>\fP
+Path to the control client private key.
+This file is generated by the
+\fI\%unbound\-control\-setup(8)\fP utility.
+This file is used by \fI\%unbound\-control(8)\fP\&.
+.sp
+Default: unbound_control.key
+.UNINDENT
+.INDENT 0.0
+.TP
+.B control\-cert\-file: \fI<certificate file.pem>\fP
+Path to the control client certificate.
This certificate has to be signed with the server certificate.
-This file is generated by the \fIunbound\-control\-setup\fR utility.
-This file is used by \fIunbound\-control\fR.
-.SS "Stub Zone Options"
-.LP
-There may be multiple
-.B stub\-zone:
-clauses. Each with a name: and zero or more hostnames or IP addresses.
-For the stub zone this list of nameservers is used. Class IN is assumed.
-The servers should be authority servers, not recursors; Unbound performs
-the recursive processing itself for stub zones.
-.P
-The stub zone can be used to configure authoritative data to be used
-by the resolver that cannot be accessed using the public internet servers.
-This is useful for company\-local data or private zones. Setup an
-authoritative server on a different host (or different port). Enter a config
-entry for Unbound with
-.B stub\-addr:
-<ip address of host[@port]>.
-The Unbound resolver can then access the data, without referring to the
-public internet for it.
-.P
-This setup allows DNSSEC signed zones to be served by that
-authoritative server, in which case a trusted key entry with the public key
-can be put in config, so that Unbound can validate the data and set the AD
-bit on replies for the private zone (authoritative servers do not set the
-AD bit). This setup makes Unbound capable of answering queries for the
-private zone, and can even set the AD bit ('authentic'), but the AA
-('authoritative') bit is not set on these replies.
-.P
-Consider adding \fBserver:\fR statements for \fBdomain\-insecure:\fR and
-for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally
-served zone. The insecure clause stops DNSSEC from invalidating the
-zone. The local zone nodefault (or \fItransparent\fR) clause makes the
-(reverse\-) zone bypass Unbound's filtering of RFC1918 zones.
-.TP
-.B name: \fI<domain name>
-Name of the stub zone. This is the full domain name of the zone.
-.TP
-.B stub\-host: \fI<domain name>
-Name of stub zone nameserver. Is itself resolved before it is used.
-To use a nondefault port for DNS communication append '@' with the port number.
-If tls is enabled, then you can append a '#' and a name, then it'll check the
-tls authentication certificates with that name. If you combine the '@'
-and '#', the '@' comes first. If only '#' is used the default port is the
-configured tls\-port.
-.TP
-.B stub\-addr: \fI<IP address>
-IP address of stub zone nameserver. Can be IP 4 or IP 6.
-To use a nondefault port for DNS communication append '@' with the port number.
-If tls is enabled, then you can append a '#' and a name, then it'll check the
-tls authentication certificates with that name. If you combine the '@'
-and '#', the '@' comes first. If only '#' is used the default port is the
-configured tls\-port.
-.TP
-.B stub\-prime: \fI<yes or no>
-This option is by default no. If enabled it performs NS set priming,
-which is similar to root hints, where it starts using the list of nameservers
-currently published by the zone. Thus, if the hint list is slightly outdated,
-the resolver picks up a correct list online.
+This file is generated by the
+\fI\%unbound\-control\-setup(8)\fP utility.
+This file is used by \fI\%unbound\-control(8)\fP\&.
+.sp
+Default: unbound_control.pem
+.UNINDENT
+.SS Stub Zone Options
+.sp
+There may be multiple \fBstub\-zone:\fP clauses.
+Each with a \fI\%name\fP and zero or more hostnames or
+IP addresses.
+For the stub zone this list of nameservers is used.
+Class IN is assumed.
+The servers should be authority servers, not recursors; Unbound performs the
+recursive processing itself for stub zones.
+.sp
+The stub zone can be used to configure authoritative data to be used by the
+resolver that cannot be accessed using the public internet servers.
+This is useful for company\-local data or private zones.
+Setup an authoritative server on a different host (or different port).
+Enter a config entry for Unbound with:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+stub\-addr: <ip address of host[@port]>
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The Unbound resolver can then access the data, without referring to the public
+internet for it.
+.sp
+This setup allows DNSSEC signed zones to be served by that authoritative
+server, in which case a trusted key entry with the public key can be put in
+config, so that Unbound can validate the data and set the AD bit on replies for
+the private zone (authoritative servers do not set the AD bit).
+This setup makes Unbound capable of answering queries for the private zone, and
+can even set the AD bit (\(aqauthentic\(aq), but the AA (\(aqauthoritative\(aq) bit is not
+set on these replies.
+.sp
+Consider adding \fI\%server\fP statements for
+\fI\%domain\-insecure\fP and for
+\fI\%local\-zone: <name> nodefault\fP
+for the zone if it is a locally served zone.
+The insecure clause stops DNSSEC from invalidating the zone.
+The \fI\%local\-zone: nodefault\fP (or
+\fI\%transparent\fP) clause makes the
+(reverse\-) zone bypass Unbound\(aqs filtering of \fI\%RFC 1918\fP zones.
+.INDENT 0.0
+.TP
+.B name: \fI<domain name>\fP
+Name of the stub zone.
+This is the full domain name of the zone.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B stub\-host: \fI<domain name>\fP
+Name of stub zone nameserver.
+Is itself resolved before it is used.
+.sp
+To use a non\-default port for DNS communication append \fB\(aq@\(aq\fP with the
+port number.
+.sp
+If TLS is enabled, then you can append a \fB\(aq#\(aq\fP and a name, then it\(aqll
+check the TLS authentication certificates with that name.
+.sp
+If you combine the \fB\(aq@\(aq\fP and \fB\(aq#\(aq\fP, the \fB\(aq@\(aq\fP comes first.
+If only \fB\(aq#\(aq\fP is used the default port is the configured
+\fI\%tls\-port\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B stub\-addr: \fI<IP address>\fP
+IP address of stub zone nameserver.
+Can be IPv4 or IPv6.
+.sp
+To use a non\-default port for DNS communication append \fB\(aq@\(aq\fP with the
+port number.
+.sp
+If TLS is enabled, then you can append a \fB\(aq#\(aq\fP and a name, then it\(aqll
+check the tls authentication certificates with that name.
+.sp
+If you combine the \fB\(aq@\(aq\fP and \fB\(aq#\(aq\fP, the \fB\(aq@\(aq\fP comes first.
+If only \fB\(aq#\(aq\fP is used the default port is the configured
+\fI\%tls\-port\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B stub\-prime: \fI<yes or no>\fP
+If enabled it performs NS set priming, which is similar to root hints,
+where it starts using the list of nameservers currently published by the
+zone.
+Thus, if the hint list is slightly outdated, the resolver picks up a
+correct list online.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
.TP
-.B stub\-first: \fI<yes or no>
+.B stub\-first: \fI<yes or no>\fP
If enabled, a query is attempted without the stub clause if it fails.
-The data could not be retrieved and would have caused SERVFAIL because
-the servers are unreachable, instead it is tried without this clause.
-The default is no.
+The data could not be retrieved and would have caused SERVFAIL because the
+servers are unreachable, instead it is tried without this clause.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
.TP
-.B stub\-tls\-upstream: \fI<yes or no>
+.B stub\-tls\-upstream: \fI<yes or no>\fP
Enabled or disable whether the queries to this stub use TLS for transport.
-Default is no.
-.TP
-.B stub\-ssl\-upstream: \fI<yes or no>
-Alternate syntax for \fBstub\-tls\-upstream\fR.
-.TP
-.B stub\-tcp\-upstream: \fI<yes or no>
-If it is set to "yes" then upstream queries use TCP only for transport regardless of global flag tcp-upstream.
-Default is no.
-.TP
-.B stub\-no\-cache: \fI<yes or no>
-Default is no. If enabled, data inside the stub is not cached. This is
-useful when you want immediate changes to be visible.
-.SS "Forward Zone Options"
-.LP
-There may be multiple
-.B forward\-zone:
-clauses. Each with a \fBname:\fR and zero or more hostnames or IP
-addresses. For the forward zone this list of nameservers is used to
-forward the queries to. The servers listed as \fBforward\-host:\fR and
-\fBforward\-addr:\fR have to handle further recursion for the query. Thus,
-those servers are not authority servers, but are (just like Unbound is)
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B stub\-ssl\-upstream: \fI<yes or no>\fP
+Alternate syntax for
+\fI\%stub\-tls\-upstream\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B stub\-tcp\-upstream: \fI<yes or no>\fP
+If it is set to \(dqyes\(dq then upstream queries use TCP only for transport
+regardless of global flag \fI\%tcp\-upstream\fP\&.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B stub\-no\-cache: \fI<yes or no>\fP
+If enabled, data inside the stub is not cached.
+This is useful when you want immediate changes to be visible.
+.sp
+Default: no
+.UNINDENT
+.SS Forward Zone Options
+.sp
+There may be multiple \fBforward\-zone:\fP clauses.
+Each with a \fI\%name\fP and zero or more hostnames
+or IP addresses.
+For the forward zone this list of nameservers is used to forward the queries
+to.
+The servers listed as \fI\%forward\-host\fP
+and \fI\%forward\-addr\fP have to handle
+further recursion for the query.
+Thus, those servers are not authority servers, but are (just like Unbound is)
recursive servers too; Unbound does not perform recursion itself for the
-forward zone, it lets the remote server do it. Class IN is assumed.
-CNAMEs are chased by Unbound itself, asking the remote server for every
-name in the indirection chain, to protect the local cache from illegal
-indirect referenced items.
-A forward\-zone entry with name "." and a forward\-addr target will
-forward all queries to that other server (unless it can answer from
-the cache).
-.TP
-.B name: \fI<domain name>
-Name of the forward zone. This is the full domain name of the zone.
-.TP
-.B forward\-host: \fI<domain name>
-Name of server to forward to. Is itself resolved before it is used.
-To use a nondefault port for DNS communication append '@' with the port number.
-If tls is enabled, then you can append a '#' and a name, then it'll check the
-tls authentication certificates with that name. If you combine the '@'
-and '#', the '@' comes first. If only '#' is used the default port is the
-configured tls\-port.
-.TP
-.B forward\-addr: \fI<IP address>
-IP address of server to forward to. Can be IP 4 or IP 6.
-To use a nondefault port for DNS communication append '@' with the port number.
-If tls is enabled, then you can append a '#' and a name, then it'll check the
-tls authentication certificates with that name. If you combine the '@'
-and '#', the '@' comes first. If only '#' is used the default port is the
-configured tls\-port.
-.IP
+forward zone, it lets the remote server do it.
+Class IN is assumed.
+CNAMEs are chased by Unbound itself, asking the remote server for every name in
+the indirection chain, to protect the local cache from illegal indirect
+referenced items.
+A \fI\%forward\-zone\fP entry with name
+\fB\(dq.\(dq\fP and a \fI\%forward\-addr\fP target
+will forward all queries to that other server (unless it can answer from the
+cache).
+.INDENT 0.0
+.TP
+.B name: \fI<domain name>\fP
+Name of the forward zone.
+This is the full domain name of the zone.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B forward\-host: \fI<domain name>\fP
+Name of server to forward to.
+Is itself resolved before it is used.
+.sp
+To use a non\-default port for DNS communication append \fB\(aq@\(aq\fP with the
+port number.
+.sp
+If TLS is enabled, then you can append a \fB\(aq#\(aq\fP and a name, then it\(aqll
+check the TLS authentication certificates with that name.
+.sp
+If you combine the \fB\(aq@\(aq\fP and \fB\(aq#\(aq\fP, the \fB\(aq@\(aq\fP comes first.
+If only \fB\(aq#\(aq\fP is used the default port is the configured
+\fI\%tls\-port\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B forward\-addr: \fI<IP address>\fP
+IP address of server to forward to.
+Can be IPv4 or IPv6.
+.sp
+To use a non\-default port for DNS communication append \fB\(aq@\(aq\fP with the
+port number.
+.sp
+If TLS is enabled, then you can append a \fB\(aq#\(aq\fP and a name, then it\(aqll
+check the tls authentication certificates with that name.
+.sp
+If you combine the \fB\(aq@\(aq\fP and \fB\(aq#\(aq\fP, the \fB\(aq@\(aq\fP comes first.
+If only \fB\(aq#\(aq\fP is used the default port is the configured
+\fI\%tls\-port\fP\&.
+.sp
At high verbosity it logs the TLS certificate, with TLS enabled.
-If you leave out the '#' and auth name from the forward\-addr, any
-name is accepted. The cert must also match a CA from the tls\-cert\-bundle.
+If you leave out the \fB\(aq#\(aq\fP and auth name from the
+\fI\%forward\-addr\fP, any name is
+accepted.
+The cert must also match a CA from the
+\fI\%tls\-cert\-bundle\fP\&.
+.UNINDENT
+.INDENT 0.0
.TP
-.B forward\-first: \fI<yes or no>
+.B forward\-first: \fI<yes or no>\fP
If a forwarded query is met with a SERVFAIL error, and this option is
enabled, Unbound will fall back to normal recursive resolution for this
-query as if no query forwarding had been specified. The default is "no".
-.TP
-.B forward\-tls\-upstream: \fI<yes or no>
-Enabled or disable whether the queries to this forwarder use TLS for transport.
-Default is no.
-If you enable this, also configure a tls\-cert\-bundle or use tls\-win\-cert to
-load CA certs, otherwise the connections cannot be authenticated.
-.TP
-.B forward\-ssl\-upstream: \fI<yes or no>
-Alternate syntax for \fBforward\-tls\-upstream\fR.
-.TP
-.B forward\-tcp\-upstream: \fI<yes or no>
-If it is set to "yes" then upstream queries use TCP only for transport regardless of global flag tcp-upstream.
-Default is no.
-.TP
-.B forward\-no\-cache: \fI<yes or no>
-Default is no. If enabled, data inside the forward is not cached. This is
-useful when you want immediate changes to be visible.
-.SS "Authority Zone Options"
-.LP
-Authority zones are configured with \fBauth\-zone:\fR, and each one must
-have a \fBname:\fR. There can be multiple ones, by listing multiple auth\-zone clauses, each with a different name, pertaining to that part of the namespace.
+query as if no query forwarding had been specified.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B forward\-tls\-upstream: \fI<yes or no>\fP
+Enabled or disable whether the queries to this forwarder use TLS for
+transport.
+If you enable this, also configure a
+\fI\%tls\-cert\-bundle\fP or use
+\fI\%tls\-win\-cert\fP to load CA certs, otherwise
+the connections cannot be authenticated.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B forward\-ssl\-upstream: \fI<yes or no>\fP
+Alternate syntax for
+\fI\%forward\-tls\-upstream\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B forward\-tcp\-upstream: \fI<yes or no>\fP
+If it is set to \(dqyes\(dq then upstream queries use TCP only for transport
+regardless of global flag \fI\%tcp\-upstream\fP\&.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B forward\-no\-cache: \fI<yes or no>\fP
+If enabled, data inside the forward is not cached.
+This is useful when you want immediate changes to be visible.
+.sp
+Default: no
+.UNINDENT
+.SS Authority Zone Options
+.sp
+Authority zones are configured with \fBauth\-zone:\fP, and each one must have a
+\fI\%name\fP\&.
+There can be multiple ones, by listing multiple auth\-zone clauses, each with a
+different name, pertaining to that part of the namespace.
The authority zone with the name closest to the name looked up is used.
-Authority zones can be processed on two distinct, non-exclusive, configurable
+Authority zones can be processed on two distinct, non\-exclusive, configurable
stages.
-.LP
-With \fBfor\-downstream:\fR \fIyes\fR (default), authority zones are processed
-after \fBlocal\-zones\fR and before cache.
+.sp
+With \fI\%for\-downstream: yes\fP (default),
+authority zones are processed after \fBlocal\-zones\fP and before cache.
When used in this manner, Unbound responds like an authority server with no
further processing other than returning an answer from the zone contents.
A notable example, in this case, is CNAME records which are returned verbatim
to downstream clients without further resolution.
-.LP
-With \fBfor\-upstream:\fR \fIyes\fR (default), authority zones are processed
-after the cache lookup, just before going to the network to fetch
-information for recursion.
+.sp
+With \fI\%for\-upstream: yes\fP (default),
+authority zones are processed after the cache lookup, just before going to the
+network to fetch information for recursion.
When used in this manner they provide a local copy of an authority server
that speeds up lookups for that data during resolving.
-.LP
+.sp
If both options are enabled (default), client queries for an authority zone are
answered authoritatively from Unbound, while internal queries that require data
from the authority zone consult the local zone data instead of going to the
network.
-.LP
-An interesting configuration is \fBfor\-downstream:\fR \fIno\fR,
-\fBfor\-upstream:\fR \fIyes\fR that allows for hyperlocal behavior where both
-client and internal queries consult the local zone data while resolving.
+.sp
+An interesting configuration is
+\fI\%for\-downstream: no\fP,
+\fI\%for\-upstream: yes\fP
+that allows for hyperlocal behavior where both client and internal queries
+consult the local zone data while resolving.
In this case, the aforementioned CNAME example will result in a thoroughly
resolved answer.
-.LP
-Authority zones can be read from zonefile. And can be kept updated via
-AXFR and IXFR. After update the zonefile is rewritten. The update mechanism
-uses the SOA timer values and performs SOA UDP queries to detect zone changes.
-.LP
+.sp
+Authority zones can be read from zonefile.
+And can be kept updated via AXFR and IXFR.
+After update the zonefile is rewritten.
+The update mechanism uses the SOA timer values and performs SOA UDP queries to
+detect zone changes.
+.sp
If the update fetch fails, the timers in the SOA record are used to time
-another fetch attempt. Until the SOA expiry timer is reached. Then the
-zone is expired. When a zone is expired, queries are SERVFAIL, and
-any new serial number is accepted from the primary (even if older), and if
-fallback is enabled, the fallback activates to fetch from the upstream instead
-of the SERVFAIL.
+another fetch attempt.
+Until the SOA expiry timer is reached.
+Then the zone is expired.
+When a zone is expired, queries are SERVFAIL, and any new serial number is
+accepted from the primary (even if older), and if fallback is enabled, the
+fallback activates to fetch from the upstream instead of the SERVFAIL.
+.INDENT 0.0
.TP
-.B name: \fI<zone name>
+.B name: \fI<zone name>\fP
Name of the authority zone.
+.UNINDENT
+.INDENT 0.0
.TP
-.B primary: \fI<IP address or host name>
-Where to download a copy of the zone from, with AXFR and IXFR. Multiple
-primaries can be specified. They are all tried if one fails.
-To use a nondefault port for DNS communication append '@' with the port number.
-You can append a '#' and a name, then AXFR over TLS can be used and the tls authentication certificates will be checked with that name. If you combine
-the '@' and '#', the '@' comes first.
-If you point it at another Unbound instance, it would not work because
-that does not support AXFR/IXFR for the zone, but if you used \fBurl:\fR to download
-the zonefile as a text file from a webserver that would work.
+.B primary: \fI<IP address or host name>\fP
+Where to download a copy of the zone from, with AXFR and IXFR.
+Multiple primaries can be specified.
+They are all tried if one fails.
+.sp
+To use a non\-default port for DNS communication append \fB\(aq@\(aq\fP with the
+port number.
+.sp
+You can append a \fB\(aq#\(aq\fP and a name, then AXFR over TLS can be used and the
+TLS authentication certificates will be checked with that name.
+.sp
+If you combine the \fB\(aq@\(aq\fP and \fB\(aq#\(aq\fP, the \fB\(aq@\(aq\fP comes first.
+If you point it at another Unbound instance, it would not work because that
+does not support AXFR/IXFR for the zone, but if you used
+\fI\%url\fP to download the zonefile as a text file
+from a webserver that would work.
+.sp
If you specify the hostname, you cannot use the domain from the zonefile,
because it may not have that when retrieving that data, instead use a plain
IP address to avoid a circular dependency on retrieving that IP address.
+.UNINDENT
+.INDENT 0.0
.TP
-.B master: \fI<IP address or host name>
-Alternate syntax for \fBprimary\fR.
-.TP
-.B url: \fI<url to zonefile>
-Where to download a zonefile for the zone. With http or https. An example
-for the url is "http://www.example.com/example.org.zone". Multiple url
-statements can be given, they are tried in turn. If only urls are given
-the SOA refresh timer is used to wait for making new downloads. If also
-primaries are listed, the primaries are first probed with UDP SOA queries to
-see if the SOA serial number has changed, reducing the number of downloads.
+.B master: \fI<IP address or host name>\fP
+Alternate syntax for \fI\%primary\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B url: \fI<URL to zone file>\fP
+Where to download a zonefile for the zone.
+With HTTP or HTTPS.
+An example for the url is:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+http://www.example.com/example.org.zone
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+Multiple url statements can be given, they are tried in turn.
+.sp
+If only urls are given the SOA refresh timer is used to wait for making new
+downloads.
+If also primaries are listed, the primaries are first probed with UDP SOA
+queries to see if the SOA serial number has changed, reducing the number of
+downloads.
If none of the urls work, the primaries are tried with IXFR and AXFR.
-For https, the \fBtls\-cert\-bundle\fR and the hostname from the url are used
-to authenticate the connection.
+.sp
+For HTTPS, the \fI\%tls\-cert\-bundle\fP and
+the hostname from the url are used to authenticate the connection.
+.sp
If you specify a hostname in the URL, you cannot use the domain from the
zonefile, because it may not have that when retrieving that data, instead
use a plain IP address to avoid a circular dependency on retrieving that IP
-address. Avoid dependencies on name lookups by using a notation like
-"http://192.0.2.1/unbound-primaries/example.com.zone", with an explicit IP address.
-.TP
-.B allow\-notify: \fI<IP address or host name or netblockIP/prefix>
-With allow\-notify you can specify additional sources of notifies.
+address.
+.sp
+Avoid dependencies on name lookups by using a notation like
+\fB\(dqhttp://192.0.2.1/unbound\-primaries/example.com.zone\(dq\fP, with an explicit
+IP address.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B allow\-notify: \fI<IP address or host name or netblockIP/prefix>\fP
+With \fI\%allow\-notify\fP you can specify
+additional sources of notifies.
When notified, the server attempts to first probe and then zone transfer.
-If the notify is from a primary, it first attempts that primary. Otherwise
-other primaries are attempted. If there are no primaries, but only urls, the
-file is downloaded when notified. The primaries from primary: and url:
-statements are allowed notify by default.
-.TP
-.B fallback\-enabled: \fI<yes or no>
-Default no. If enabled, Unbound falls back to querying the internet as
-a resolver for this zone when lookups fail. For example for DNSSEC
-validation failures.
-.TP
-.B for\-downstream: \fI<yes or no>
-Default yes. If enabled, Unbound serves authority responses to
-downstream clients for this zone. This option makes Unbound behave, for
-the queries with names in this zone, like one of the authority servers for
-that zone. Turn it off if you want Unbound to provide recursion for the
-zone but have a local copy of zone data. If for\-downstream is no and
-for\-upstream is yes, then Unbound will DNSSEC validate the contents of the
-zone before serving the zone contents to clients and store validation
-results in the cache.
-.TP
-.B for\-upstream: \fI<yes or no>
-Default yes. If enabled, Unbound fetches data from this data collection
-for answering recursion queries. Instead of sending queries over the internet
-to the authority servers for this zone, it'll fetch the data directly from
-the zone data. Turn it on when you want Unbound to provide recursion for
-downstream clients, and use the zone data as a local copy to speed up lookups.
-.TP
-.B zonemd\-check: \fI<yes or no>
-Enable this option to check ZONEMD records in the zone. Default is disabled.
-The ZONEMD record is a checksum over the zone data. This includes glue in
-the zone and data from the zone file, and excludes comments from the zone file.
+If the notify is from a primary, it first attempts that primary.
+Otherwise other primaries are attempted.
+If there are no primaries, but only urls, the file is downloaded when
+notified.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+The primaries from \fI\%primary\fP and
+\fI\%url\fP statements are allowed notify by
+default.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B fallback\-enabled: \fI<yes or no>\fP
+If enabled, Unbound falls back to querying the internet as a resolver for
+this zone when lookups fail.
+For example for DNSSEC validation failures.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B for\-downstream: \fI<yes or no>\fP
+If enabled, Unbound serves authority responses to downstream clients for
+this zone.
+This option makes Unbound behave, for the queries with names in this zone,
+like one of the authority servers for that zone.
+.sp
+Turn it off if you want Unbound to provide recursion for the zone but have
+a local copy of zone data.
+.sp
+If \fI\%for\-downstream: no\fP and
+\fI\%for\-upstream: yes\fP are set, then
+Unbound will DNSSEC validate the contents of the zone before serving the
+zone contents to clients and store validation results in the cache.
+.sp
+Default: yes
+.UNINDENT
+.INDENT 0.0
+.TP
+.B for\-upstream: \fI<yes or no>\fP
+If enabled, Unbound fetches data from this data collection for answering
+recursion queries.
+Instead of sending queries over the internet to the authority servers for
+this zone, it\(aqll fetch the data directly from the zone data.
+.sp
+Turn it on when you want Unbound to provide recursion for downstream
+clients, and use the zone data as a local copy to speed up lookups.
+.sp
+Default: yes
+.UNINDENT
+.INDENT 0.0
+.TP
+.B zonemd\-check: \fI<yes or no>\fP
+Enable this option to check ZONEMD records in the zone.
+The ZONEMD record is a checksum over the zone data.
+This includes glue in the zone and data from the zone file, and excludes
+comments from the zone file.
When there is a DNSSEC chain of trust, DNSSEC signatures are checked too.
-.TP
-.B zonemd\-reject\-absence: \fI<yes or no>
-Enable this option to reject the absence of the ZONEMD record. Without it,
-when zonemd is not there it is not checked. It is useful to enable for a
-nonDNSSEC signed zone where the operator wants to require the verification
-of a ZONEMD, hence a missing ZONEMD is a failure. The action upon
-failure is controlled by the \fBzonemd\-permissive\-mode\fR option, for
-log only or also block the zone. The default is no.
-.IP
-Without the option absence of a ZONEMD is only a failure when the zone is
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B zonemd\-reject\-absence: \fI<yes or no>\fP
+Enable this option to reject the absence of the ZONEMD record.
+Without it, when ZONEMD is not there it is not checked.
+.sp
+It is useful to enable for a non\-DNSSEC signed zone where the operator
+wants to require the verification of a ZONEMD, hence a missing ZONEMD is a
+failure.
+.sp
+The action upon failure is controlled by the
+\fI\%zonemd\-permissive\-mode\fP option,
+for log only or also block the zone.
+.sp
+Without the option, absence of a ZONEMD is only a failure when the zone is
DNSSEC signed, and we have a trust anchor, and the DNSSEC verification of
-the absence of the ZONEMD fails. With the option enabled, the absence of
-a ZONEMD is always a failure, also for nonDNSSEC signed zones.
-.TP
-.B zonefile: \fI<filename>
-The filename where the zone is stored. If not given then no zonefile is used.
+the absence of the ZONEMD fails.
+With the option enabled, the absence of a ZONEMD is always a failure, also
+for nonDNSSEC signed zones.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B zonefile: \fI<filename>\fP
+The filename where the zone is stored.
+If not given then no zonefile is used.
If the file does not exist or is empty, Unbound will attempt to fetch zone
data (eg. from the primary servers).
-.SS "View Options"
-.LP
-There may be multiple
-.B view:
-clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and
-\fBlocal\-data\fR elements. Views can also contain view\-first,
-response\-ip, response\-ip\-data and local\-data\-ptr elements.
-View can be mapped to requests by specifying the
-view name in an \fBaccess\-control\-view\fR element. Options from matching
-views will override global options. Global options will be used if no matching
-view is found, or when the matching view does not have the option specified.
-.TP
-.B name: \fI<view name>
-Name of the view. Must be unique. This name is used in access\-control\-view
-elements.
-.TP
-.B local\-zone: \fI<zone> <type>
-View specific local\-zone elements. Has the same types and behaviour as the
-global local\-zone elements. When there is at least one local\-zone specified
-and view\-first is no, the default local-zones will be added to this view.
-Defaults can be disabled using the nodefault type. When view\-first is yes or
-when a view does not have a local\-zone, the global local\-zone will be used
-including it's default zones.
-.TP
-.B local\-data: \fI"<resource record string>"
-View specific local\-data elements. Has the same behaviour as the global
-local\-data elements.
-.TP
-.B local\-data\-ptr: \fI"IPaddr name"
-View specific local\-data\-ptr elements. Has the same behaviour as the global
-local\-data\-ptr elements.
-.TP
-.B view\-first: \fI<yes or no>
-If enabled, it attempts to use the global local\-zone and local\-data if there
-is no match in the view specific options.
-The default is no.
-.SS "Python Module Options"
-.LP
-The
-.B python:
-clause gives the settings for the \fIpython\fR(1) script module. This module
-acts like the iterator and validator modules do, on queries and answers.
-To enable the script module it has to be compiled into the daemon,
-and the word "python" has to be put in the \fBmodule\-config:\fR option
-(usually first, or between the validator and iterator). Multiple instances of
-the python module are supported by adding the word "python" more than once.
-.LP
-If the \fBchroot:\fR option is enabled, you should make sure Python's
-library directory structure is bind mounted in the new root environment, see
-\fImount\fR(8). Also the \fBpython\-script:\fR path should be specified as an
-absolute path relative to the new root, or as a relative path to the working
+.UNINDENT
+.SS View Options
+.sp
+There may be multiple \fBview:\fP clauses.
+Each with a \fI\%name\fP and zero or more
+\fI\%local\-zone\fP and
+\fI\%local\-data\fP attributes.
+Views can also contain \fI\%view\-first\fP,
+\fI\%response\-ip\fP,
+\fI\%response\-ip\-data\fP and
+\fI\%local\-data\-ptr\fP attributes.
+View can be mapped to requests by specifying the view name in an
+\fI\%access\-control\-view\fP attribute.
+Options from matching views will override global options.
+Global options will be used if no matching view is found, or when the matching
+view does not have the option specified.
+.INDENT 0.0
+.TP
+.B name: \fI<view name>\fP
+Name of the view.
+Must be unique.
+This name is used in the
+\fI\%access\-control\-view\fP attribute.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B local\-zone: \fI<zone> <type>\fP
+View specific local zone elements.
+Has the same types and behaviour as the global
+\fI\%local\-zone\fP elements.
+When there is at least one \fIlocal\-zone:\fP specified and \fI\%view\-first:
+no\fP is set, the default local\-zones will be
+added to this view.
+Defaults can be disabled using the nodefault type.
+When \fI\%view\-first: yes\fP is set or when a
+view does not have a \fI\%local\-zone\fP, the
+global \fI\%local\-zone\fP will be used including
+it\(aqs default zones.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B local\-data: \fI\(dq<resource record string>\(dq\fP
+View specific local data elements.
+Has the same behaviour as the global
+\fI\%local\-data\fP elements.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B local\-data\-ptr: \fI\(dqIPaddr name\(dq\fP
+View specific local\-data\-ptr elements.
+Has the same behaviour as the global
+\fI\%local\-data\-ptr\fP elements.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B view\-first: \fI<yes or no>\fP
+If enabled, it attempts to use the global
+\fI\%local\-zone\fP and
+\fI\%local\-data\fP if there is no match in the
+view specific options.
+.sp
+Default: no
+.UNINDENT
+.SS Python Module Options
+.sp
+The \fBpython:\fP clause gives the settings for the \fIpython(1)\fP script module.
+This module acts like the iterator and validator modules do, on queries and
+answers.
+To enable the script module it has to be compiled into the daemon, and the word
+\fBpython\fP has to be put in the
+\fI\%module\-config\fP option (usually first, or
+between the validator and iterator).
+Multiple instances of the python module are supported by adding the word
+\fBpython\fP more than once.
+.sp
+If the \fI\%chroot\fP option is enabled, you should make
+sure Python\(aqs library directory structure is bind mounted in the new root
+environment, see \fImount(8)\fP\&.
+Also the \fI\%python\-script\fP path should
+be specified as an absolute path relative to the new root, or as a relative
+path to the working directory.
+.INDENT 0.0
+.TP
+.B python\-script: \fI<python file>\fP
+The script file to load.
+Repeat this option for every python module instance added to the
+\fI\%module\-config\fP option.
+.UNINDENT
+.SS Dynamic Library Module Options
+.sp
+The \fBdynlib:\fP clause gives the settings for the \fBdynlib\fP module.
+This module is only a very small wrapper that allows dynamic modules to be
+loaded on runtime instead of being compiled into the application.
+To enable the dynlib module it has to be compiled into the daemon, and the word
+\fBdynlib\fP has to be put in the
+\fI\%module\-config\fP attribute.
+Multiple instances of dynamic libraries are supported by adding the word
+\fBdynlib\fP more than once.
+.sp
+The \fI\%dynlib\-file\fP path should be
+specified as an absolute path relative to the new path set by
+\fI\%chroot\fP, or as a relative path to the working
directory.
+.INDENT 0.0
.TP
-.B python\-script: \fI<python file>\fR
-The script file to load. Repeat this option for every python module instance
-added to the \fBmodule\-config:\fR option.
-.SS "Dynamic Library Module Options"
-.LP
-The
-.B dynlib:
-clause gives the settings for the \fIdynlib\fR module. This module is only
-a very small wrapper that allows dynamic modules to be loaded on runtime
-instead of being compiled into the application. To enable the dynlib module it
-has to be compiled into the daemon, and the word "dynlib" has to be put in the
-\fBmodule\-config:\fR option. Multiple instances of dynamic libraries are
-supported by adding the word "dynlib" more than once.
-.LP
-The \fBdynlib\-file:\fR path should be specified as an absolute path relative
-to the new path set by \fBchroot:\fR option, or as a relative path to the
-working directory.
-.TP
-.B dynlib\-file: \fI<dynlib file>\fR
-The dynamic library file to load. Repeat this option for every dynlib module
-instance added to the \fBmodule\-config:\fR option.
-.SS "DNS64 Module Options"
-.LP
-The dns64 module must be configured in the \fBmodule\-config:\fR directive
-e.g., "dns64 validator iterator" and be compiled into the daemon to be
-enabled. These settings go in the \fBserver:\fR section.
+.B dynlib\-file: \fI<dynlib file>\fP
+The dynamic library file to load.
+Repeat this option for every dynlib module instance added to the
+\fI\%module\-config\fP option.
+.UNINDENT
+.SS DNS64 Module Options
+.sp
+The \fBdns64\fP module must be configured in the
+\fI\%module\-config\fP directive, e.g.:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+module\-config: \(dqdns64 validator iterator\(dq
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+and be compiled into the daemon to be enabled.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+These settings go in the \fI\%server:\fP section.
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
.TP
-.B dns64\-prefix: \fI<IPv6 prefix>\fR
+.B dns64\-prefix: \fI<IPv6 prefix>\fP
This sets the DNS64 prefix to use to synthesize AAAA records with.
-It must be /96 or shorter. The default prefix is 64:ff9b::/96.
-.TP
-.B dns64\-synthall: \fI<yes or no>\fR
-Debug option, default no. If enabled, synthesize all AAAA records
-despite the presence of actual AAAA records.
-.TP
-.B dns64\-ignore\-aaaa: \fI<name>\fR
-List domain for which the AAAA records are ignored and the A record is
-used by dns64 processing instead. Can be entered multiple times, list a
-new domain for which it applies, one per line. Applies also to names
-underneath the name given.
-.SS "NAT64 Operation"
-.LP
-NAT64 operation allows using a NAT64 prefix for outbound requests to IPv4-only
-servers. It is controlled by two options in the \fBserver:\fR section:
-.TP
-.B do\-nat64: \fI<yes or no>\fR
-Use NAT64 to reach IPv4-only servers.
-Consider also enabling \fBprefer\-ip6\fR to prefer native IPv6 connections to
-nameservers.
-Default no.
-.TP
-.B nat64\-prefix: \fI<IPv6 prefix>\fR
-Use a specific NAT64 prefix to reach IPv4-only servers. Defaults to using
-the prefix configured in \fBdns64\-prefix\fR, which in turn defaults to
-64:ff9b::/96. The prefix length must be one of /32, /40, /48, /56, /64 or /96.
-.SS "DNSCrypt Options"
-.LP
-The
-.B dnscrypt:
-clause gives the settings of the dnscrypt channel. While those options are
-available, they are only meaningful if Unbound was compiled with
-\fB\-\-enable\-dnscrypt\fR.
+It must be /96 or shorter.
+.sp
+Default: 64:ff9b::/96
+.UNINDENT
+.INDENT 0.0
+.TP
+.B dns64\-synthall: \fI<yes or no>\fP
+.sp
+\fBWARNING:\fP
+.INDENT 7.0
+.INDENT 3.5
+Debugging feature!
+.UNINDENT
+.UNINDENT
+.sp
+If enabled, synthesize all AAAA records despite the presence of actual AAAA
+records.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B dns64\-ignore\-aaaa: \fI<domain name>\fP
+List domain for which the AAAA records are ignored and the A record is used
+by DNS64 processing instead.
+Can be entered multiple times, list a new domain for which it applies, one
+per line.
+Applies also to names underneath the name given.
+.UNINDENT
+.SS NAT64 Operation
+.sp
+NAT64 operation allows using a NAT64 prefix for outbound requests to IPv4\-only
+servers.
+It is controlled by two options in the
+\fI\%server:\fP section:
+.INDENT 0.0
+.TP
+.B do\-nat64: \fI<yes or no>\fP
+Use NAT64 to reach IPv4\-only servers.
+Consider also enabling \fI\%prefer\-ip6\fP
+to prefer native IPv6 connections to nameservers.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B nat64\-prefix: \fI<IPv6 prefix>\fP
+Use a specific NAT64 prefix to reach IPv4\-only servers.
+The prefix length must be one of /32, /40, /48, /56, /64 or /96.
+.sp
+Default: 64:ff9b::/96 (same as \fI\%dns64\-prefix\fP)
+.UNINDENT
+.SS DNSCrypt Options
+.sp
+The \fBdnscrypt:\fP clause gives the settings of the dnscrypt channel.
+While those options are available, they are only meaningful if Unbound was
+compiled with \fB\-\-enable\-dnscrypt\fP\&.
Currently certificate and secret/public keys cannot be generated by Unbound.
-You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/\
-dnscrypt-wrapper/blob/master/README.md#usage
+You can use dnscrypt\-wrapper to generate those:
+\fI\%https://github.com/cofyc/dnscrypt\-wrapper/blob/master/README.md#usage\fP
+.INDENT 0.0
+.TP
+.B dnscrypt\-enable: \fI<yes or no>\fP
+Whether or not the dnscrypt config should be enabled.
+You may define configuration but not activate it.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B dnscrypt\-port: \fI<port number>\fP
+On which port should dnscrypt should be activated.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+There should be a matching interface option defined in the
+\fI\%server:\fP section for this port.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B dnscrypt\-provider: \fI<provider name>\fP
+The provider name to use to distribute certificates.
+This is of the form:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+2.dnscrypt\-cert.example.com.
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBIMPORTANT:\fP
+.INDENT 7.0
+.INDENT 3.5
+The name \fIMUST\fP end with a dot.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
.TP
-.B dnscrypt\-enable: \fI<yes or no>\fR
-Whether or not the \fBdnscrypt\fR config should be enabled. You may define
-configuration but not activate it.
-The default is no.
-.TP
-.B dnscrypt\-port: \fI<port number>
-On which port should \fBdnscrypt\fR should be activated. Note that you should
-have a matching \fBinterface\fR option defined in the \fBserver\fR section for
-this port.
-.TP
-.B dnscrypt\-provider: \fI<provider name>\fR
-The provider name to use to distribute certificates. This is of the form:
-\fB2.dnscrypt-cert.example.com.\fR. The name \fIMUST\fR end with a dot.
-.TP
-.B dnscrypt\-secret\-key: \fI<path to secret key file>\fR
-Path to the time limited secret key file. This option may be specified multiple
-times.
+.B dnscrypt\-secret\-key: \fI<path to secret key file>\fP
+Path to the time limited secret key file.
+This option may be specified multiple times.
+.UNINDENT
+.INDENT 0.0
.TP
-.B dnscrypt\-provider\-cert: \fI<path to cert file>\fR
-Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs.
+.B dnscrypt\-provider\-cert: \fI<path to cert file>\fP
+Path to the certificate related to the
+\fI\%dnscrypt\-secret\-key\fP\&.
This option may be specified multiple times.
+.UNINDENT
+.INDENT 0.0
.TP
-.B dnscrypt\-provider\-cert\-rotated: \fI<path to cert file>\fR
-Path to a certificate that we should be able to serve existing connection from
-but do not want to advertise over \fBdnscrypt\-provider\fR's TXT record certs
-distribution.
-A typical use case is when rotating certificates, existing clients may still use
-the client magic from the old cert in their queries until they fetch and update
-the new cert. Likewise, it would allow one to prime the new cert/key without
-distributing the new cert yet, this can be useful when using a network of
-servers using anycast and on which the configuration may not get updated at the
-exact same time. By priming the cert, the servers can handle both old and new
-certs traffic while distributing only one.
+.B dnscrypt\-provider\-cert\-rotated: \fI<path to cert file>\fP
+Path to a certificate that we should be able to serve existing connection
+from but do not want to advertise over
+\fI\%dnscrypt\-provider\fP \(aqs TXT
+record certs distribution.
+.sp
+A typical use case is when rotating certificates, existing clients may
+still use the client magic from the old cert in their queries until they
+fetch and update the new cert.
+Likewise, it would allow one to prime the new cert/key without distributing
+the new cert yet, this can be useful when using a network of servers using
+anycast and on which the configuration may not get updated at the exact
+same time.
+.sp
+By priming the cert, the servers can handle both old and new certs traffic
+while distributing only one.
+.sp
This option may be specified multiple times.
+.UNINDENT
+.INDENT 0.0
.TP
-.B dnscrypt\-shared\-secret\-cache\-size: \fI<memory size>
-Give the size of the data structure in which the shared secret keys are kept
-in. Default 4m. In bytes or use m(mega), k(kilo), g(giga).
-The shared secret cache is used when a same client is making multiple queries
-using the same public key. It saves a substantial amount of CPU.
-.TP
-.B dnscrypt\-shared\-secret\-cache\-slabs: \fI<number>
-Give power of 2 number of slabs, this is used to reduce lock contention
-in the dnscrypt shared secrets cache. Close to the number of cpus is
-a fairly good setting.
+.B dnscrypt\-shared\-secret\-cache\-size: \fI<memory size>\fP
+Give the size of the data structure in which the shared secret keys are
+kept in.
+In bytes or use m(mega), k(kilo), g(giga).
+The shared secret cache is used when a same client is making multiple
+queries using the same public key.
+It saves a substantial amount of CPU.
+.sp
+Default: 4m
+.UNINDENT
+.INDENT 0.0
+.TP
+.B dnscrypt\-shared\-secret\-cache\-slabs: \fI<number>\fP
+Number of slabs in the dnscrypt shared secrets cache.
+Slabs reduce lock contention by threads.
+Must be set to a power of 2.
+Setting (close) to the number of cpus is a fairly good setting.
+If left unconfigured, it will be configured automatically to be a power of
+2 close to the number of configured threads in multi\-threaded environments.
+.sp
+Default: (unconfigured)
+.UNINDENT
+.INDENT 0.0
.TP
-.B dnscrypt\-nonce\-cache\-size: \fI<memory size>
+.B dnscrypt\-nonce\-cache\-size: \fI<memory size>\fP
Give the size of the data structure in which the client nonces are kept in.
-Default 4m. In bytes or use m(mega), k(kilo), g(giga).
-The nonce cache is used to prevent dnscrypt message replaying. Client nonce
-should be unique for any pair of client pk/server sk.
-.TP
-.B dnscrypt\-nonce\-cache\-slabs: \fI<number>
-Give power of 2 number of slabs, this is used to reduce lock contention
-in the dnscrypt nonce cache. Close to the number of cpus is
-a fairly good setting.
-.SS "EDNS Client Subnet Module Options"
-.LP
-The ECS module must be configured in the \fBmodule\-config:\fR directive e.g.,
-"subnetcache validator iterator" and be compiled into the daemon to be
-enabled. These settings go in the \fBserver:\fR section.
-.LP
+In bytes or use m(mega), k(kilo), g(giga).
+The nonce cache is used to prevent dnscrypt message replaying.
+Client nonce should be unique for any pair of client pk/server sk.
+.sp
+Default: 4m
+.UNINDENT
+.INDENT 0.0
+.TP
+.B dnscrypt\-nonce\-cache\-slabs: \fI<number>\fP
+Number of slabs in the dnscrypt nonce cache.
+Slabs reduce lock contention by threads.
+Must be set to a power of 2.
+Setting (close) to the number of cpus is a fairly good setting.
+If left unconfigured, it will be configured automatically to be a power of
+2 close to the number of configured threads in multi\-threaded environments.
+.sp
+Default: (unconfigured)
+.UNINDENT
+.SS EDNS Client Subnet Module Options
+.sp
+The ECS module must be configured in the
+\fI\%module\-config\fP directive, e.g.:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+module\-config: \(dqsubnetcache validator iterator\(dq
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+and be compiled into the daemon to be enabled.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+These settings go in the \fI\%server:\fP section.
+.UNINDENT
+.UNINDENT
+.sp
If the destination address is allowed in the configuration Unbound will add the
-EDNS0 option to the query containing the relevant part of the client's address.
-When an answer contains the ECS option the response and the option are placed in
-a specialized cache. If the authority indicated no support, the response is
-stored in the regular cache.
-.LP
+EDNS0 option to the query containing the relevant part of the client\(aqs address.
+When an answer contains the ECS option the response and the option are placed
+in a specialized cache.
+If the authority indicated no support, the response is stored in the regular
+cache.
+.sp
Additionally, when a client includes the option in its queries, Unbound will
forward the option when sending the query to addresses that are explicitly
-allowed in the configuration using \fBsend\-client\-subnet\fR. The option will
-always be forwarded, regardless the allowed addresses, if
-\fBclient\-subnet\-always\-forward\fR is set to yes. In this case the lookup in
-the regular cache is skipped.
-.LP
-The maximum size of the ECS cache is controlled by 'msg-cache-size' in the
-configuration file. On top of that, for each query only 100 different subnets
-are allowed to be stored for each address family. Exceeding that number, older
-entries will be purged from cache.
-.LP
+allowed in the configuration using
+\fI\%send\-client\-subnet\fP\&.
+The option will always be forwarded, regardless the allowed addresses, when
+\fI\%client\-subnet\-always\-forward: yes\fP
+is set.
+In this case the lookup in the regular cache is skipped.
+.sp
+The maximum size of the ECS cache is controlled by
+\fI\%msg\-cache\-size\fP in the configuration file.
+On top of that, for each query only 100 different subnets are allowed to be
+stored for each address family.
+Exceeding that number, older entries will be purged from cache.
+.sp
Note that due to the nature of how EDNS Client Subnet works, by segregating the
client IP space in order to try and have tailored responses for prefixes of
unknown sizes, resolution and cache response performance are impacted as a
@@ -2611,416 +4656,706 @@ Usage of the subnetcache module should o
require such functionality where the resolver and the clients belong to
different networks.
An example of that is an open resolver installation.
-.LP
-This module does not interact with the \fBserve\-expired*\fR and
-\fBprefetch:\fR options.
-.TP
-.B send\-client\-subnet: \fI<IP address>\fR
-Send client source address to this authority. Append /num to indicate a
-classless delegation netblock, for example like 10.2.3.4/24 or 2001::11/64. Can
-be given multiple times. Authorities not listed will not receive edns-subnet
-information, unless domain in query is specified in \fBclient\-subnet\-zone\fR.
-.TP
-.B client\-subnet\-zone: \fI<domain>\fR
-Send client source address in queries for this domain and its subdomains. Can be
-given multiple times. Zones not listed will not receive edns-subnet information,
-unless hosted by authority specified in \fBsend\-client\-subnet\fR.
+.sp
+This module does not interact with the
+\fI\%serve\-expired*\fP and
+\fI\%prefetch\fP options.
+.INDENT 0.0
+.TP
+.B send\-client\-subnet: \fI<IP address>\fP
+Send client source address to this authority.
+Append /num to indicate a classless delegation netblock, for example like
+\fB10.2.3.4/24\fP or \fB2001::11/64\fP\&.
+Can be given multiple times.
+Authorities not listed will not receive edns\-subnet information, unless
+domain in query is specified in
+\fI\%client\-subnet\-zone\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B client\-subnet\-zone: \fI<domain>\fP
+Send client source address in queries for this domain and its subdomains.
+Can be given multiple times.
+Zones not listed will not receive edns\-subnet information, unless hosted by
+authority specified in
+\fI\%send\-client\-subnet\fP\&.
+.UNINDENT
+.INDENT 0.0
.TP
-.B client\-subnet\-always\-forward: \fI<yes or no>\fR
+.B client\-subnet\-always\-forward: \fI<yes or no>\fP
Specify whether the ECS address check (configured using
-\fBsend\-client\-subnet\fR) is applied for all queries, even if the triggering
-query contains an ECS record, or only for queries for which the ECS record is
-generated using the querier address (and therefore did not contain ECS data in
-the client query). If enabled, the address check is skipped when the client
-query contains an ECS record. And the lookup in the regular cache is skipped.
-Default is no.
-.TP
-.B max\-client\-subnet\-ipv6: \fI<number>\fR
-Specifies the maximum prefix length of the client source address we are willing
-to expose to third parties for IPv6. Defaults to 56.
-.TP
-.B max\-client\-subnet\-ipv4: \fI<number>\fR
-Specifies the maximum prefix length of the client source address we are willing
-to expose to third parties for IPv4. Defaults to 24.
-.TP
-.B min\-client\-subnet\-ipv6: \fI<number>\fR
-Specifies the minimum prefix length of the IPv6 source mask we are willing to
-accept in queries. Shorter source masks result in REFUSED answers. Source mask
-of 0 is always accepted. Default is 0.
-.TP
-.B min\-client\-subnet\-ipv4: \fI<number>\fR
-Specifies the minimum prefix length of the IPv4 source mask we are willing to
-accept in queries. Shorter source masks result in REFUSED answers. Source mask
-of 0 is always accepted. Default is 0.
-.TP
-.B max\-ecs\-tree\-size\-ipv4: \fI<number>\fR
-Specifies the maximum number of subnets ECS answers kept in the ECS radix tree.
-This number applies for each qname/qclass/qtype tuple. Defaults to 100.
-.TP
-.B max\-ecs\-tree\-size\-ipv6: \fI<number>\fR
-Specifies the maximum number of subnets ECS answers kept in the ECS radix tree.
-This number applies for each qname/qclass/qtype tuple. Defaults to 100.
-.SS "Opportunistic IPsec Support Module Options"
-.LP
-The IPsec module must be configured in the \fBmodule\-config:\fR directive
-e.g., "ipsecmod validator iterator" and be compiled into Unbound by using
-\fB\-\-enable\-ipsecmod\fR to be enabled.
-These settings go in the \fBserver:\fR section.
-.LP
+\fI\%send\-client\-subnet\fP) is applied
+for all queries, even if the triggering query contains an ECS record, or
+only for queries for which the ECS record is generated using the querier
+address (and therefore did not contain ECS data in the client query).
+If enabled, the address check is skipped when the client query contains an
+ECS record.
+And the lookup in the regular cache is skipped.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B max\-client\-subnet\-ipv6: \fI<number>\fP
+Specifies the maximum prefix length of the client source address we are
+willing to expose to third parties for IPv6.
+.sp
+Default: 56
+.UNINDENT
+.INDENT 0.0
+.TP
+.B max\-client\-subnet\-ipv4: \fI<number>\fP
+Specifies the maximum prefix length of the client source address we are
+willing to expose to third parties for IPv4.
+.sp
+Default: 24
+.UNINDENT
+.INDENT 0.0
+.TP
+.B min\-client\-subnet\-ipv6: \fI<number>\fP
+Specifies the minimum prefix length of the IPv6 source mask we are willing
+to accept in queries.
+Shorter source masks result in REFUSED answers.
+Source mask of 0 is always accepted.
+.sp
+Default: 0
+.UNINDENT
+.INDENT 0.0
+.TP
+.B min\-client\-subnet\-ipv4: \fI<number>\fP
+Specifies the minimum prefix length of the IPv4 source mask we are willing
+to accept in queries.
+Shorter source masks result in REFUSED answers.
+Source mask of 0 is always accepted.
+Default: 0
+.UNINDENT
+.INDENT 0.0
+.TP
+.B max\-ecs\-tree\-size\-ipv4: \fI<number>\fP
+Specifies the maximum number of subnets ECS answers kept in the ECS radix
+tree.
+This number applies for each qname/qclass/qtype tuple.
+.sp
+Default: 100
+.UNINDENT
+.INDENT 0.0
+.TP
+.B max\-ecs\-tree\-size\-ipv6: \fI<number>\fP
+Specifies the maximum number of subnets ECS answers kept in the ECS radix
+tree.
+This number applies for each qname/qclass/qtype tuple.
+.sp
+Default: 100
+.UNINDENT
+.SS Opportunistic IPsec Support Module Options
+.sp
+The IPsec module must be configured in the
+\fI\%module\-config\fP directive, e.g.:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+module\-config: \(dqipsecmod validator iterator\(dq
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+and be compiled into Unbound by using \fB\-\-enable\-ipsecmod\fP to be enabled.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+These settings go in the \fI\%server:\fP section.
+.UNINDENT
+.UNINDENT
+.sp
When Unbound receives an A/AAAA query that is not in the cache and finds a
valid answer, it will withhold returning the answer and instead will generate
-an IPSECKEY subquery for the same domain name. If an answer was found, Unbound
-will call an external hook passing the following arguments:
-.TP 10
-\h'5'\fIQNAME\fR
-Domain name of the A/AAAA and IPSECKEY query. In string format.
-.TP 10
-\h'5'\fIIPSECKEY TTL\fR
+an IPSECKEY subquery for the same domain name.
+If an answer was found, Unbound will call an external hook passing the
+following arguments:
+.INDENT 0.0
+.TP
+.B QNAME
+Domain name of the A/AAAA and IPSECKEY query.
+In string format.
+.TP
+.B IPSECKEY TTL
TTL of the IPSECKEY RRset.
-.TP 10
-\h'5'\fIA/AAAA\fR
-String of space separated IP addresses present in the A/AAAA RRset. The IP
-addresses are in string format.
-.TP 10
-\h'5'\fIIPSECKEY\fR
-String of space separated IPSECKEY RDATA present in the IPSECKEY RRset. The
-IPSECKEY RDATA are in DNS presentation format.
-.LP
-The A/AAAA answer is then cached and returned to the client. If the external
-hook was called the TTL changes to ensure it doesn't surpass
-\fBipsecmod-max-ttl\fR.
-.LP
-The same procedure is also followed when \fBprefetch:\fR is used, but the
-A/AAAA answer is given to the client before the hook is called.
-\fBipsecmod-max-ttl\fR ensures that the A/AAAA answer given from cache is still
-relevant for opportunistic IPsec.
-.TP
-.B ipsecmod-enabled: \fI<yes or no>\fR
-Specifies whether the IPsec module is enabled or not. The IPsec module still
-needs to be defined in the \fBmodule\-config:\fR directive. This option
-facilitates turning on/off the module without restarting/reloading Unbound.
-Defaults to yes.
-.TP
-.B ipsecmod\-hook: \fI<filename>\fR
-Specifies the external hook that Unbound will call with \fIsystem\fR(3). The
-file can be specified as an absolute/relative path. The file needs the proper
-permissions to be able to be executed by the same user that runs Unbound. It
-must be present when the IPsec module is defined in the \fBmodule\-config:\fR
-directive.
-.TP
-.B ipsecmod-strict: \fI<yes or no>\fR
-If enabled Unbound requires the external hook to return a success value of 0.
-Failing to do so Unbound will reply with SERVFAIL. The A/AAAA answer will also
-not be cached. Defaults to no.
-.TP
-.B ipsecmod\-max-ttl: \fI<seconds>\fR
-Time to live maximum for A/AAAA cached records after calling the external hook.
-Defaults to 3600.
-.TP
-.B ipsecmod-ignore-bogus: \fI<yes or no>\fR
-Specifies the behaviour of Unbound when the IPSECKEY answer is bogus. If set
-to yes, the hook will be called and the A/AAAA answer will be returned to the
-client. If set to no, the hook will not be called and the answer to the
-A/AAAA query will be SERVFAIL. Mainly used for testing. Defaults to no.
-.TP
-.B ipsecmod\-allow: \fI<domain>\fR
-Allow the ipsecmod functionality for the domain so that the module logic will be
-executed. Can be given multiple times, for different domains. If the option is
-not specified, all domains are treated as being allowed (default).
-.TP
-.B ipsecmod\-whitelist: \fI<domain>
-Alternate syntax for \fBipsecmod\-allow\fR.
-.SS "Cache DB Module Options"
-.LP
-The Cache DB module must be configured in the \fBmodule\-config:\fR directive
-e.g., "validator cachedb iterator" and be compiled into the daemon
-with \fB\-\-enable\-cachedb\fR.
-If this module is enabled and configured, the specified backend database
-works as a second level cache:
-When Unbound cannot find an answer to a query in its built-in in-memory
-cache, it consults the specified backend.
-If it finds a valid answer in the backend, Unbound uses it to respond
-to the query without performing iterative DNS resolution.
-If Unbound cannot even find an answer in the backend, it resolves the
-query as usual, and stores the answer in the backend.
-.P
-This module interacts with the \fBserve\-expired\-*\fR options and will reply
-with expired data if Unbound is configured for that.
-.P
-If Unbound was built with
-\fB\-\-with\-libhiredis\fR
-on a system that has installed the hiredis C client library of Redis,
-then the "redis" backend can be used.
-This backend communicates with the specified Redis server over a TCP
-connection to store and retrieve cache data.
+.TP
+.B A/AAAA
+String of space separated IP addresses present in the A/AAAA RRset.
+The IP addresses are in string format.
+.TP
+.B IPSECKEY
+String of space separated IPSECKEY RDATA present in the IPSECKEY RRset.
+The IPSECKEY RDATA are in DNS presentation format.
+.UNINDENT
+.sp
+The A/AAAA answer is then cached and returned to the client.
+If the external hook was called the TTL changes to ensure it doesn\(aqt surpass
+\fI\%ipsecmod\-max\-ttl\fP\&.
+.sp
+The same procedure is also followed when
+\fI\%prefetch: yes\fP is set, but the A/AAAA answer is
+given to the client before the hook is called.
+\fI\%ipsecmod\-max\-ttl\fP ensures that the A/AAAA
+answer given from cache is still relevant for opportunistic IPsec.
+.INDENT 0.0
+.TP
+.B ipsecmod\-enabled: \fI<yes or no>\fP
+Specifies whether the IPsec module is enabled or not.
+The IPsec module still needs to be defined in the
+\fI\%module\-config\fP directive.
+This option facilitates turning on/off the module without
+restarting/reloading Unbound.
+.sp
+Default: yes
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ipsecmod\-hook: \fI<filename>\fP
+Specifies the external hook that Unbound will call with \fIsystem(3)\fP\&.
+The file can be specified as an absolute/relative path.
+The file needs the proper permissions to be able to be executed by the same
+user that runs Unbound.
+It must be present when the IPsec module is defined in the
+\fI\%module\-config\fP directive.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ipsecmod\-strict: \fI<yes or no>\fP
+If enabled Unbound requires the external hook to return a success value of
+0.
+Failing to do so Unbound will reply with SERVFAIL.
+The A/AAAA answer will also not be cached.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ipsecmod\-max\-ttl: \fI<seconds>\fP
+Time to live maximum for A/AAAA cached records after calling the external
+hook.
+.sp
+Default: 3600
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ipsecmod\-ignore\-bogus: \fI<yes or no>\fP
+Specifies the behaviour of Unbound when the IPSECKEY answer is bogus.
+If set to yes, the hook will be called and the A/AAAA answer will be
+returned to the client.
+If set to no, the hook will not be called and the answer to the A/AAAA
+query will be SERVFAIL.
+Mainly used for testing.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ipsecmod\-allow: \fI<domain>\fP
+Allow the IPsec module functionality for the domain so that the module
+logic will be executed.
+Can be given multiple times, for different domains.
+If the option is not specified, all domains are treated as being allowed
+(default).
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ipsecmod\-whitelist: \fI<domain>\fP
+Alternate syntax for \fI\%ipsecmod\-allow\fP\&.
+.UNINDENT
+.SS Cache DB Module Options
+.sp
+The Cache DB module must be configured in the
+\fI\%module\-config\fP directive, e.g.:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+module\-config: \(dqvalidator cachedb iterator\(dq
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+and be compiled into the daemon with \fB\-\-enable\-cachedb\fP\&.
+.sp
+If this module is enabled and configured, the specified backend database works
+as a second level cache; when Unbound cannot find an answer to a query in its
+built\-in in\-memory cache, it consults the specified backend.
+If it finds a valid answer in the backend, Unbound uses it to respond to the
+query without performing iterative DNS resolution.
+If Unbound cannot even find an answer in the backend, it resolves the query as
+usual, and stores the answer in the backend.
+.sp
+This module interacts with the \fIserve\-expired\-*\fP options and will reply with
+expired data if Unbound is configured for that.
+.sp
+If Unbound was built with \fB\-\-with\-libhiredis\fP on a system that has installed
+the hiredis C client library of Redis, then the \fBredis\fP backend can be used.
+This backend communicates with the specified Redis server over a TCP connection
+to store and retrieve cache data.
It can be used as a persistent and/or shared cache backend.
-It should be noted that Unbound never removes data stored in the Redis server,
-even if some data have expired in terms of DNS TTL or the Redis server has
-cached too much data;
-if necessary the Redis server must be configured to limit the cache size,
-preferably with some kind of least-recently-used eviction policy.
-Additionally, the \fBredis\-expire\-records\fR option can be used in order to
-set the relative DNS TTL of the message as timeout to the Redis records; keep
-in mind that some additional memory is used per key and that the expire
-information is stored as absolute Unix timestamps in Redis (computer time must
-be stable).
-This backend uses synchronous communication with the Redis server
-based on the assumption that the communication is stable and sufficiently
-fast.
-The thread waiting for a response from the Redis server cannot handle
-other DNS queries.
-Although the backend has the ability to reconnect to the server when
-the connection is closed unexpectedly and there is a configurable timeout
-in case the server is overly slow or hangs up, these cases are assumed
-to be very rare.
-If connection close or timeout happens too often, Unbound will be
-effectively unusable with this backend.
-It's the administrator's responsibility to make the assumption hold.
-.P
-The
-.B cachedb:
-clause gives custom settings of the cache DB module.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+Unbound never removes data stored in the Redis server, even if some data
+have expired in terms of DNS TTL or the Redis server has cached too much
+data; if necessary the Redis server must be configured to limit the cache
+size, preferably with some kind of least\-recently\-used eviction policy.
+.UNINDENT
+.UNINDENT
+.sp
+Additionally, the
+\fI\%redis\-expire\-records\fP option
+can be used in order to set the relative DNS TTL of the message as timeout to
+the Redis records; keep in mind that some additional memory is used per key and
+that the expire information is stored as absolute Unix timestamps in Redis
+(computer time must be stable).
+.sp
+This backend uses synchronous communication with the Redis server based on the
+assumption that the communication is stable and sufficiently fast.
+The thread waiting for a response from the Redis server cannot handle other DNS
+queries.
+Although the backend has the ability to reconnect to the server when the
+connection is closed unexpectedly and there is a configurable timeout in case
+the server is overly slow or hangs up, these cases are assumed to be very rare.
+If connection close or timeout happens too often, Unbound will be effectively
+unusable with this backend.
+It\(aqs the administrator\(aqs responsibility to make the assumption hold.
+.sp
+The \fBcachedb:\fP clause gives custom settings of the cache DB module.
+.INDENT 0.0
.TP
-.B backend: \fI<backend name>\fR
+.B backend: \fI<backend name>\fP
Specify the backend database name.
-The default database is the in-memory backend named "testframe", which,
+The default database is the in\-memory backend named \fBtestframe\fP, which,
as the name suggests, is not of any practical use.
-Depending on the build-time configuration, "redis" backend may also be
+Depending on the build\-time configuration, \fBredis\fP backend may also be
used as described above.
+.sp
+Default: testframe
+.UNINDENT
+.INDENT 0.0
.TP
-.B secret-seed: \fI<"secret string">\fR
+.B secret\-seed: \fI\(dq<secret string>\(dq\fP
Specify a seed to calculate a hash value from query information.
This value will be used as the key of the corresponding answer for the
-backend database and can be customized if the hash should not be predictable
-operationally.
-If the backend database is shared by multiple Unbound instances,
-all instances must use the same secret seed.
-This option defaults to "default".
-.TP
-.B cachedb-no-store: \fI<yes or no>\fR
-If the backend should be read from, but not written to. This makes this
-instance not store dns messages in the backend. But if data is available it
-is retrieved. The default is no.
+backend database and can be customized if the hash should not be
+predictable operationally.
+If the backend database is shared by multiple Unbound instances, all
+instances must use the same secret seed.
+.sp
+Default: \(dqdefault\(dq
+.UNINDENT
+.INDENT 0.0
+.TP
+.B cachedb\-no\-store: \fI<yes or no>\fP
+If the backend should be read from, but not written to.
+This makes this instance not store dns messages in the backend.
+But if data is available it is retrieved.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
.TP
-.B cachedb-check-when-serve-expired: \fI<yes or no>\fR
+.B cachedb\-check\-when\-serve\-expired: \fI<yes or no>\fP
If enabled, the cachedb is checked before an expired response is returned.
-When \fBserve\-expired\fR is enabled, without \fBserve\-expired\-client\-timeout\fR, it then
-does not immediately respond with an expired response from cache, but instead
-first checks the cachedb for valid contents, and if so returns it. If the
-cachedb also has no valid contents, the serve expired response is sent.
-If also \fBserve\-expired\-client\-timeout\fR is enabled, the expired response
-is delayed until the timeout expires. Unless the lookup succeeds within the
-timeout. The default is yes.
-.P
-The following
-.B cachedb
-options are specific to the redis backend.
+When
+\fI\%serve\-expired\fP
+is enabled, without
+\fI\%serve\-expired\-client\-timeout\fP
+, it then does not immediately respond with an expired response from cache,
+but instead first checks the cachedb for valid contents, and if so returns it.
+If the cachedb also has no valid contents, the serve expired response is sent.
+If also
+\fI\%serve\-expired\-client\-timeout\fP
+is enabled, the expired response is delayed until the timeout expires.
+Unless the lookup succeeds within the timeout.
+.sp
+Default: yes
+.UNINDENT
+.sp
+The following \fBcachedb:\fP options are specific to the \fBredis\fP backend.
+.INDENT 0.0
.TP
-.B redis-server-host: \fI<server address or name>\fR
+.B redis\-server\-host: \fI<server address or name>\fP
The IP (either v6 or v4) address or domain name of the Redis server.
-In general an IP address should be specified as otherwise Unbound will have to
-resolve the name of the server every time it establishes a connection
-to the server.
-This option defaults to "127.0.0.1".
+In general an IP address should be specified as otherwise Unbound will have
+to resolve the name of the server every time it establishes a connection to
+the server.
+.sp
+Default: 127.0.0.1
+.UNINDENT
+.INDENT 0.0
.TP
-.B redis-server-port: \fI<port number>\fR
+.B redis\-server\-port: \fI<port number>\fP
The TCP port number of the Redis server.
-This option defaults to 6379.
-.TP
-.B redis-server-path: \fI<unix socket path>\fR
-The unix socket path to connect to the Redis server. Off by default, and it
-can be set to "" to turn this off. Unix sockets may have better throughput
-than the IP address option.
+.sp
+Default: 6379
+.UNINDENT
+.INDENT 0.0
+.TP
+.B redis\-server\-path: \fI<unix socket path>\fP
+The unix socket path to connect to the Redis server.
+Unix sockets may have better throughput than the IP address option.
+.sp
+Default: \(dq\(dq (disabled)
+.UNINDENT
+.INDENT 0.0
.TP
-.B redis-server-password: \fI"<password>"\fR
+.B redis\-server\-password: \fI\(dq<password>\(dq\fP
The Redis AUTH password to use for the Redis server.
Only relevant if Redis is configured for client password authorisation.
-Off by default, and it can be set to "" to turn this off.
+.sp
+Default: \(dq\(dq (disabled)
+.UNINDENT
+.INDENT 0.0
+.TP
+.B redis\-timeout: \fI<msec>\fP
+The period until when Unbound waits for a response from the Redis server.
+If this timeout expires Unbound closes the connection, treats it as if the
+Redis server does not have the requested data, and will try to re\-establish
+a new connection later.
+.sp
+Default: 100
+.UNINDENT
+.INDENT 0.0
.TP
-.B redis-timeout: \fI<msec>\fR
-The period until when Unbound waits for a response from the Redis sever.
-If this timeout expires Unbound closes the connection, treats it as
-if the Redis server does not have the requested data, and will try to
-re-establish a new connection later.
-This option defaults to 100 milliseconds.
-.TP
-.B redis-command-timeout: \fI<msec>\fR
+.B redis\-command\-timeout: \fI<msec>\fP
The timeout to use for Redis commands, in milliseconds.
-If 0, it uses the \fBredis\-timeout\fR value.
-The default is 0.
+If \fB0\fP, it uses the
+\fI\%redis\-timeout\fP
+value.
+.sp
+Default: 0
+.UNINDENT
+.INDENT 0.0
.TP
-.B redis-connect-timeout: \fI<msec>\fR
+.B redis\-connect\-timeout: \fI<msec>\fP
The timeout to use for Redis connection set up, in milliseconds.
-If 0, it uses the \fBredis\-timeout\fR value.
-The default is 0.
-.TP
-.B redis-expire-records: \fI<yes or no>
-If Redis record expiration is enabled. If yes, Unbound sets timeout for Redis
-records so that Redis can evict keys that have expired automatically. If
-Unbound is configured with \fBserve-expired\fR and \fBserve-expired-ttl\fR is 0,
-this option is internally reverted to "no". Redis SETEX support is required
-for this option (Redis >= 2.0.0).
-This option defaults to no.
+If \fB0\fP, it uses the
+\fI\%redis\-timeout\fP
+value.
+.sp
+Default: 0
+.UNINDENT
+.INDENT 0.0
+.TP
+.B redis\-expire\-records: \fI<yes or no>\fP
+If Redis record expiration is enabled.
+If yes, Unbound sets timeout for Redis records so that Redis can evict keys
+that have expired automatically.
+If Unbound is configured with
+\fI\%serve\-expired\fP and
+\fI\%serve\-expired\-ttl: 0\fP, this option is
+internally reverted to \(dqno\(dq.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Redis \(dqSET ... EX\(dq support is required for this option (Redis >= 2.6.12).
+.UNINDENT
+.UNINDENT
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
.TP
-.B redis-logical-db: \fI<logical database index>
+.B redis\-logical\-db: \fI<logical database index>\fP
The logical database in Redis to use.
-These are databases in the same Redis instance sharing the same configuration
-and persisted in the same RDB/AOF file.
+These are databases in the same Redis instance sharing the same
+configuration and persisted in the same RDB/AOF file.
If unsure about using this option, Redis documentation
-(https://redis.io/commands/select/) suggests not to use a single Redis instance
-for multiple unrelated applications.
+(\fI\%https://redis.io/commands/select/\fP) suggests not to use a single Redis
+instance for multiple unrelated applications.
The default database in Redis is 0 while other logical databases need to be
-explicitly SELECT'ed upon connecting.
-This option defaults to 0.
+explicitly SELECT\(aqed upon connecting.
+.sp
+Default: 0
+.UNINDENT
+.INDENT 0.0
.TP
-.B redis-replica-server-host: \fI<server address or name>\fR
-The IP (either v6 or v4) address or domain name of the Redis replica server.
-In general an IP address should be specified as otherwise Unbound will have to
-resolve the name of the server every time it establishes a connection
-to the server.
-This server is treated as a read-only replica server
-(https://redis.io/docs/management/replication/#read-only-replica).
+.B redis\-replica\-server\-host: \fI<server address or name>\fP
+The IP (either v6 or v4) address or domain name of the Redis server.
+In general an IP address should be specified as otherwise Unbound will have
+to resolve the name of the server every time it establishes a connection to
+the server.
+.sp
+This server is treated as a read\-only replica server
+(\fI\%https://redis.io/docs/management/replication/#read\-only\-replica\fP).
If specified, all Redis read commands will go to this replica server, while
-the write commands will go to the \fBredis-server-host\fR.
-This option defaults to "" (disabled).
+the write commands will go to the
+\fI\%redis\-server\-host\fP\&.
+.sp
+Default: \(dq\(dq (disabled).
+.UNINDENT
+.INDENT 0.0
.TP
-.B redis-replica-server-port: \fI<port number>\fR
+.B redis\-replica\-server\-port: \fI<port number>\fP
The TCP port number of the Redis replica server.
-This option defaults to 6379.
+.sp
+Default: 6379
+.UNINDENT
+.INDENT 0.0
+.TP
+.B redis\-replica\-server\-path: \fI<unix socket path>\fP
+The unix socket path to connect to the Redis replica server.
+Unix sockets may have better throughput than the IP address option.
+.sp
+Default: \(dq\(dq (disabled)
+.UNINDENT
+.INDENT 0.0
.TP
-.B redis-replica-server-path: \fI<unix socket path>\fR
-The unix socket path to connect to the Redis server. Off by default, and it
-can be set to "" to turn this off. Unix sockets may have better throughput
-than the IP address option.
-.TP
-.B redis-replica-server-password: \fI"<password>"\fR
-The Redis AUTH password to use for the Redis replica server.
+.B redis\-replica\-server\-password: \fI\(dq<password>\(dq\fP
+The Redis AUTH password to use for the Redis server.
Only relevant if Redis is configured for client password authorisation.
-Off by default, and it can be set to "" to turn this off.
+.sp
+Default: \(dq\(dq (disabled)
+.UNINDENT
+.INDENT 0.0
.TP
-.B redis-replica-timeout: \fI<msec>\fR
-The period until when Unbound waits for a response from the Redis replica sever.
-If this timeout expires Unbound closes the connection, treats it as
-if the Redis replica server does not have the requested data, and will try to
-re-establish a new connection later.
-This option defaults to 100 milliseconds.
+.B redis\-replica\-timeout: \fI<msec>\fP
+The period until when Unbound waits for a response from the Redis replica
+server.
+If this timeout expires Unbound closes the connection, treats it as if the
+Redis server does not have the requested data, and will try to re\-establish
+a new connection later.
+.sp
+Default: 100
+.UNINDENT
+.INDENT 0.0
.TP
-.B redis-replica-command-timeout: \fI<msec>\fR
+.B redis\-replica\-command\-timeout: \fI<msec>\fP
The timeout to use for Redis replica commands, in milliseconds.
-If 0, it uses the \fBredis\-replica\-timeout\fR value.
-The default is 0.
+If \fB0\fP, it uses the
+\fI\%redis\-replica\-timeout\fP
+value.
+.sp
+Default: 0
+.UNINDENT
+.INDENT 0.0
.TP
-.B redis-replica-connect-timeout: \fI<msec>\fR
+.B redis\-replica\-connect\-timeout: \fI<msec>\fP
The timeout to use for Redis replica connection set up, in milliseconds.
-If 0, it uses the \fBredis\-replica\-timeout\fR value.
-The default is 0.
-.TP
-.B redis-replica-logical-db: \fI<logical database index>
-Same as \fBredis-logical-db\fR but for the Redis replica server.
-This option defaults to 0.
+If \fB0\fP, it uses the
+\fI\%redis\-replica\-timeout\fP
+value.
+.sp
+Default: 0
+.UNINDENT
+.INDENT 0.0
+.TP
+.B redis\-replica\-logical\-db: \fI<logical database index>\fP
+Same as \fI\%redis\-logical\-db\fP but
+for the Redis replica server.
+.sp
+Default: 0
+.UNINDENT
.SS DNSTAP Logging Options
-DNSTAP support, when compiled in by using \fB\-\-enable\-dnstap\fR, is enabled
-in the \fBdnstap:\fR section.
-This starts an extra thread (when compiled with threading) that writes
-the log information to the destination. If Unbound is compiled without
-threading it does not spawn a thread, but connects per-process to the
-destination.
-.TP
-.B dnstap-enable: \fI<yes or no>
-If dnstap is enabled. Default no. If yes, it connects to the dnstap server
-and if any of the dnstap-log-..-messages options is enabled it sends logs
-for those messages to the server.
-.TP
-.B dnstap-bidirectional: \fI<yes or no>
-Use frame streams in bidirectional mode to transfer DNSTAP messages. Default is
-yes.
+.sp
+DNSTAP support, when compiled in by using \fB\-\-enable\-dnstap\fP, is enabled in
+the \fBdnstap:\fP section.
+This starts an extra thread (when compiled with threading) that writes the log
+information to the destination.
+If Unbound is compiled without threading it does not spawn a thread, but
+connects per\-process to the destination.
+.INDENT 0.0
+.TP
+.B dnstap\-enable: \fI<yes or no>\fP
+If dnstap is enabled.
+If yes, it connects to the DNSTAP server and if any of the
+\fIdnstap\-log\-..\-messages:\fP options is enabled it sends logs for those
+messages to the server.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B dnstap\-bidirectional: \fI<yes or no>\fP
+Use frame streams in bidirectional mode to transfer DNSTAP messages.
+.sp
+Default: yes
+.UNINDENT
+.INDENT 0.0
.TP
-.B dnstap-socket-path: \fI<file name>
+.B dnstap\-socket\-path: \fI<file name>\fP
Sets the unix socket file name for connecting to the server that is
-listening on that socket. Default is "@DNSTAP_SOCKET_PATH@".
-.TP
-.B dnstap-ip: \fI<IPaddress[@port]>
-If "", the unix socket is used, if set with an IP address (IPv4 or IPv6)
-that address is used to connect to the server.
+listening on that socket.
+.sp
+Default: @DNSTAP_SOCKET_PATH@
+.UNINDENT
+.INDENT 0.0
+.TP
+.B dnstap\-ip: \fI<IPaddress[@port]>\fP
+If \fB\(dq\(dq\fP, the unix socket is used, if set with an IP address (IPv4 or
+IPv6) that address is used to connect to the server.
+.sp
+Default: \(dq\(dq
+.UNINDENT
+.INDENT 0.0
+.TP
+.B dnstap\-tls: \fI<yes or no>\fP
+Set this to use TLS to connect to the server specified in
+\fI\%dnstap\-ip\fP\&.
+If set to no, TCP is used to connect to the server.
+.sp
+Default: yes
+.UNINDENT
+.INDENT 0.0
+.TP
+.B dnstap\-tls\-server\-name: \fI<name of TLS authentication>\fP
+The TLS server name to authenticate the server with.
+Used when \fI\%dnstap\-tls: yes\fP is set.
+If \fB\(dq\(dq\fP it is ignored.
+.sp
+Default: \(dq\(dq
+.UNINDENT
+.INDENT 0.0
+.TP
+.B dnstap\-tls\-cert\-bundle: \fI<file name of cert bundle>\fP
+The pem file with certs to verify the TLS server certificate.
+If \fB\(dq\(dq\fP the server default cert bundle is used, or the windows cert
+bundle on windows.
+.sp
+Default: \(dq\(dq
+.UNINDENT
+.INDENT 0.0
+.TP
+.B dnstap\-tls\-client\-key\-file: \fI<file name>\fP
+The client key file for TLS client authentication.
+If \fB\(dq\(dq\fP client authentication is not used.
+.sp
+Default: \(dq\(dq
+.UNINDENT
+.INDENT 0.0
+.TP
+.B dnstap\-tls\-client\-cert\-file: \fI<file name>\fP
+The client cert file for TLS client authentication.
+.sp
+Default: \(dq\(dq
+.UNINDENT
+.INDENT 0.0
.TP
-.B dnstap-tls: \fI<yes or no>
-Set this to use TLS to connect to the server specified in \fBdnstap-ip\fR.
-The default is yes. If set to no, TCP is used to connect to the server.
-.TP
-.B dnstap-tls-server-name: \fI<name of TLS authentication>
-The TLS server name to authenticate the server with. Used when \fBdnstap-tls\fR is enabled. If "" it is ignored, default "".
-.TP
-.B dnstap-tls-cert-bundle: \fI<file name of cert bundle>
-The pem file with certs to verify the TLS server certificate. If "" the
-server default cert bundle is used, or the windows cert bundle on windows.
-Default is "".
-.TP
-.B dnstap-tls-client-key-file: \fI<file name>
-The client key file for TLS client authentication. If "" client
-authentication is not used. Default is "".
-.TP
-.B dnstap-tls-client-cert-file: \fI<file name>
-The client cert file for TLS client authentication. Default is "".
-.TP
-.B dnstap-send-identity: \fI<yes or no>
+.B dnstap\-send\-identity: \fI<yes or no>\fP
If enabled, the server identity is included in the log messages.
-Default is no.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
.TP
-.B dnstap-send-version: \fI<yes or no>
+.B dnstap\-send\-version: \fI<yes or no>\fP
If enabled, the server version if included in the log messages.
-Default is no.
-.TP
-.B dnstap-identity: \fI<string>
-The identity to send with messages, if "" the hostname is used.
-Default is "".
-.TP
-.B dnstap-version: \fI<string>
-The version to send with messages, if "" the package version is used.
-Default is "".
-.TP
-.B dnstap-sample-rate: \fI<number>
-The sample rate for log of messages, it logs only 1/N messages. With 0 it
-is disabled. Default is 0. This is useful in a high volume environment,
-where log functionality would otherwise not be reliable. For example 10
-would spend only 1/10th time on logging, and 100 would only spend a
-hundredth of the time on logging.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B dnstap\-identity: \fI<string>\fP
+The identity to send with messages, if \fB\(dq\(dq\fP the hostname is used.
+.sp
+Default: \(dq\(dq
+.UNINDENT
+.INDENT 0.0
+.TP
+.B dnstap\-version: \fI<string>\fP
+The version to send with messages, if \fB\(dq\(dq\fP the package version is used.
+.sp
+Default: \(dq\(dq
+.UNINDENT
+.INDENT 0.0
+.TP
+.B dnstap\-sample\-rate: \fI<number>\fP
+The sample rate for log of messages, it logs only 1/N messages.
+With 0 it is disabled.
+This is useful in a high volume environment, where log functionality would
+otherwise not be reliable.
+For example 10 would spend only 1/10th time on logging, and 100 would only
+spend a hundredth of the time on logging.
+.sp
+Default: 0 (disabled)
+.UNINDENT
+.INDENT 0.0
.TP
-.B dnstap-log-resolver-query-messages: \fI<yes or no>
-Enable to log resolver query messages. Default is no.
+.B dnstap\-log\-resolver\-query\-messages: \fI<yes or no>\fP
+Enable to log resolver query messages.
These are messages from Unbound to upstream servers.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
.TP
-.B dnstap-log-resolver-response-messages: \fI<yes or no>
-Enable to log resolver response messages. Default is no.
+.B dnstap\-log\-resolver\-response\-messages: \fI<yes or no>\fP
+Enable to log resolver response messages.
These are replies from upstream servers to Unbound.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
.TP
-.B dnstap-log-client-query-messages: \fI<yes or no>
-Enable to log client query messages. Default is no.
+.B dnstap\-log\-client\-query\-messages: \fI<yes or no>\fP
+Enable to log client query messages.
These are client queries to Unbound.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
.TP
-.B dnstap-log-client-response-messages: \fI<yes or no>
-Enable to log client response messages. Default is no.
+.B dnstap\-log\-client\-response\-messages: \fI<yes or no>\fP
+Enable to log client response messages.
These are responses from Unbound to clients.
-.TP
-.B dnstap-log-forwarder-query-messages: \fI<yes or no>
-Enable to log forwarder query messages. Default is no.
-.TP
-.B dnstap-log-forwarder-response-messages: \fI<yes or no>
-Enable to log forwarder response messages. Default is no.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B dnstap\-log\-forwarder\-query\-messages: \fI<yes or no>\fP
+Enable to log forwarder query messages.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B dnstap\-log\-forwarder\-response\-messages: \fI<yes or no>\fP
+Enable to log forwarder response messages.
+.sp
+Default: no
+.UNINDENT
.SS Response Policy Zone Options
-.LP
-Response Policy Zones are configured with \fBrpz:\fR, and each one must have a
-\fBname:\fR. There can be multiple ones, by listing multiple RPZ clauses, each
-with a different name. RPZ clauses are applied in order of configuration and
-any match from an earlier RPZ zone will terminate the RPZ lookup. Note that a
-PASSTHRU action is still considered a match.
-The \fBrespip\fR module needs to be added to the \fBmodule-config\fR, e.g.:
-\fBmodule-config: "respip validator iterator"\fR.
-.P
+.sp
+Response Policy Zones are configured with \fBrpz:\fP, and each one must have a
+\fI\%name\fP attribute.
+There can be multiple ones, by listing multiple RPZ clauses, each with a
+different name.
+RPZ clauses are applied in order of configuration and any match from an earlier
+RPZ zone will terminate the RPZ lookup.
+Note that a PASSTHRU action is still considered a match.
+The respip module needs to be added to the
+\fI\%module\-config\fP, e.g.:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+module\-config: \(dqrespip validator iterator\(dq
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
QNAME, Response IP Address, nsdname, nsip and clientip triggers are supported.
Supported actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp\-only
-and drop. RPZ QNAME triggers are applied after \fBlocal\-zones\fR and
-before \fBauth\-zones\fR.
-.P
+and drop.
+RPZ QNAME triggers are applied after any
+\fI\%local\-zone\fP and before any
+\fI\%auth\-zone\fP\&.
+.sp
The RPZ zone is a regular DNS zone formatted with a SOA start record as usual.
The items in the zone are entries, that specify what to act on (the trigger)
and what to do (the action).
@@ -3028,164 +5363,275 @@ The trigger to act on is recorded in the
the resource record.
The names all end in the zone name, so you could type the trigger names without
a trailing dot in the zonefile.
-.P
-An example RPZ record, that answers example.com with NXDOMAIN
+.sp
+An example RPZ record, that answers \fBexample.com\fP with \fBNXDOMAIN\fP:
+.INDENT 0.0
+.INDENT 3.5
+.sp
.nf
- example.com CNAME .
+.ft C
+example.com CNAME .
+.ft P
.fi
-.P
+.UNINDENT
+.UNINDENT
+.sp
The triggers are encoded in the name on the left
+.INDENT 0.0
+.INDENT 3.5
+.sp
.nf
- name query name
- netblock.rpz-client-ip client IP address
- netblock.rpz-ip response IP address in the answer
- name.rpz-nsdname nameserver name
- netblock.rpz-nsip nameserver IP address
-.fi
-The netblock is written as <netblocklen>.<ip address in reverse>.
-For IPv6 use 'zz' for '::'. Specify individual addresses with scope length
-of 32 or 128. For example, 24.10.100.51.198.rpz-ip is 198.51.100.10/24 and
-32.10.zz.db8.2001.rpz-ip is 2001:db8:0:0:0:0:0:10/32.
-.P
+.ft C
+name query name
+netblock.rpz\-client\-ip client IP address
+netblock.rpz\-ip response IP address in the answer
+name.rpz\-nsdname nameserver name
+netblock.rpz\-nsip nameserver IP address
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The netblock is written as \fB<netblocklen>.<ip address in reverse>\fP\&.
+For IPv6 use \fB\(aqzz\(aq\fP for \fB\(aq::\(aq\fP\&.
+Specify individual addresses with scope length of 32 or 128.
+For example, \fB24.10.100.51.198.rpz\-ip\fP is \fB198.51.100.10/24\fP and
+\fB32.10.zz.db8.2001.rpz\-ip\fP is \fB2001:db8:0:0:0:0:0:10/32\fP\&.
+.sp
The actions are specified with the record on the right
+.INDENT 0.0
+.INDENT 3.5
+.sp
.nf
- CNAME . nxdomain reply
- CNAME *. nodata reply
- CNAME rpz-passthru. do nothing, allow to continue
- CNAME rpz-drop. the query is dropped
- CNAME rpz-tcp-only. answer over TCP
- A 192.0.2.1 answer with this IP address
+.ft C
+CNAME . nxdomain reply
+CNAME *. nodata reply
+CNAME rpz\-passthru. do nothing, allow to continue
+CNAME rpz\-drop. the query is dropped
+CNAME rpz\-tcp\-only. answer over TCP
+A 192.0.2.1 answer with this IP address
+.ft P
.fi
-Other records like AAAA, TXT and other CNAMEs (not rpz-..) can also be used to
+.UNINDENT
+.UNINDENT
+.sp
+Other records like AAAA, TXT and other CNAMEs (not rpz\-..) can also be used to
answer queries with that content.
-.P
-The RPZ zones can be configured in the config file with these settings in the \fBrpz:\fR block.
+.sp
+The RPZ zones can be configured in the config file with these settings in the
+\fBrpz:\fP block.
+.INDENT 0.0
.TP
-.B name: \fI<zone name>
+.B name: \fI<zone name>\fP
Name of the authority zone.
+.UNINDENT
+.INDENT 0.0
.TP
-.B primary: \fI<IP address or host name>
-Where to download a copy of the zone from, with AXFR and IXFR. Multiple
-primaries can be specified. They are all tried if one fails.
-To use a nondefault port for DNS communication append '@' with the port number.
-You can append a '#' and a name, then AXFR over TLS can be used and the tls authentication certificates will be checked with that name. If you combine
-the '@' and '#', the '@' comes first.
-If you point it at another Unbound instance, it would not work because
-that does not support AXFR/IXFR for the zone, but if you used \fBurl:\fR to download
-the zonefile as a text file from a webserver that would work.
+.B primary: \fI<IP address or host name>\fP
+Where to download a copy of the zone from, with AXFR and IXFR.
+Multiple primaries can be specified.
+They are all tried if one fails.
+.sp
+To use a non\-default port for DNS communication append \fB\(aq@\(aq\fP with the
+port number.
+.sp
+You can append a \fB\(aq#\(aq\fP and a name, then AXFR over TLS can be used and the
+TLS authentication certificates will be checked with that name.
+.sp
+If you combine the \fB\(aq@\(aq\fP and \fB\(aq#\(aq\fP, the \fB\(aq@\(aq\fP comes first.
+If you point it at another Unbound instance, it would not work because that
+does not support AXFR/IXFR for the zone, but if you used
+\fI\%url\fP to download the zonefile as a text file
+from a webserver that would work.
+.sp
If you specify the hostname, you cannot use the domain from the zonefile,
because it may not have that when retrieving that data, instead use a plain
IP address to avoid a circular dependency on retrieving that IP address.
+.UNINDENT
+.INDENT 0.0
.TP
-.B master: \fI<IP address or host name>
-Alternate syntax for \fBprimary\fR.
-.TP
-.B url: \fI<url to zonefile>
-Where to download a zonefile for the zone. With http or https. An example
-for the url is "http://www.example.com/example.org.zone". Multiple url
-statements can be given, they are tried in turn. If only urls are given
-the SOA refresh timer is used to wait for making new downloads. If also
-primaries are listed, the primaries are first probed with UDP SOA queries to
-see if the SOA serial number has changed, reducing the number of downloads.
-If none of the urls work, the primaries are tried with IXFR and AXFR.
-For https, the \fBtls\-cert\-bundle\fR and the hostname from the url are used
-to authenticate the connection.
-.TP
-.B allow\-notify: \fI<IP address or host name or netblockIP/prefix>
-With allow\-notify you can specify additional sources of notifies.
+.B master: \fI<IP address or host name>\fP
+Alternate syntax for \fI\%primary\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B url: \fI<url to zonefile>\fP
+Where to download a zonefile for the zone.
+With HTTP or HTTPS.
+An example for the url is:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+http://www.example.com/example.org.zone
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+Multiple url statements can be given, they are tried in turn.
+.sp
+If only urls are given the SOA refresh timer is used to wait for making new
+downloads.
+If also primaries are listed, the primaries are first probed with UDP SOA
+queries to see if the SOA serial number has changed, reducing the number of
+downloads.
+If none of the URLs work, the primaries are tried with IXFR and AXFR.
+.sp
+For HTTPS, the \fI\%tls\-cert\-bundle\fP and
+the hostname from the url are used to authenticate the connection.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B allow\-notify: \fI<IP address or host name or netblockIP/prefix>\fP
+With \fI\%allow\-notify\fP you can specify
+additional sources of notifies.
When notified, the server attempts to first probe and then zone transfer.
-If the notify is from a primary, it first attempts that primary. Otherwise
-other primaries are attempted. If there are no primaries, but only urls, the
-file is downloaded when notified. The primaries from primary: and url:
-statements are allowed notify by default.
-.TP
-.B zonefile: \fI<filename>
-The filename where the zone is stored. If not given then no zonefile is used.
+If the notify is from a primary, it first attempts that primary.
+Otherwise other primaries are attempted.
+If there are no primaries, but only urls, the file is downloaded when
+notified.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+The primaries from \fI\%primary\fP and
+\fI\%url\fP statements are allowed notify by
+default.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B zonefile: \fI<filename>\fP
+The filename where the zone is stored.
+If not given then no zonefile is used.
If the file does not exist or is empty, Unbound will attempt to fetch zone
data (eg. from the primary servers).
+.UNINDENT
+.INDENT 0.0
.TP
-.B rpz\-action\-override: \fI<action>
-Always use this RPZ action for matching triggers from this zone. Possible action
-are: nxdomain, nodata, passthru, drop, disabled and cname.
+.B rpz\-action\-override: \fI<action>\fP
+Always use this RPZ action for matching triggers from this zone.
+Possible actions are: \fInxdomain\fP, \fInodata\fP, \fIpassthru\fP, \fIdrop\fP, \fIdisabled\fP
+and \fIcname\fP\&.
+.UNINDENT
+.INDENT 0.0
.TP
-.B rpz\-cname\-override: \fI<domain>
+.B rpz\-cname\-override: \fI<domain>\fP
The CNAME target domain to use if the cname action is configured for
-\fBrpz\-action\-override\fR.
-.TP
-.B rpz\-log: \fI<yes or no>
-Log all applied RPZ actions for this RPZ zone. Default is no.
+\fI\%rpz\-action\-override\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B rpz\-log: \fI<yes or no>\fP
+Log all applied RPZ actions for this RPZ zone.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
.TP
-.B rpz\-log\-name: \fI<name>
+.B rpz\-log\-name: \fI<name>\fP
Specify a string to be part of the log line, for easy referencing.
+.UNINDENT
+.INDENT 0.0
.TP
-.B rpz\-signal\-nxdomain\-ra: \fI<yes or no>
-Signal when a query is blocked by the RPZ with NXDOMAIN with an unset RA flag.
+.B rpz\-signal\-nxdomain\-ra: \fI<yes or no>\fP
+Signal when a query is blocked by the RPZ with NXDOMAIN with an unset RA
+flag.
This allows certain clients, like dnsmasq, to infer that the domain is
-externally blocked. Default is no.
+externally blocked.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
.TP
-.B for\-downstream: \fI<yes or no>
+.B for\-downstream: \fI<yes or no>\fP
If enabled the zone is authoritatively answered for and queries for the RPZ
-zone information are answered to downstream clients. This is useful for
-monitoring scripts, that can then access the SOA information to check if
-the RPZ information is up to date. Default is no.
-.TP
-.B tags: \fI<list of tags>
-Limit the policies from this RPZ clause to clients with a matching tag. Tags
-need to be defined in \fBdefine\-tag\fR and can be assigned to client addresses
-using \fBaccess\-control\-tag\fR. Enclose list of tags in quotes ("") and put
-spaces between tags. If no tags are specified the policies from this clause will
-be applied for all clients.
-.SH "MEMORY CONTROL EXAMPLE"
-In the example config settings below memory usage is reduced. Some service
-levels are lower, notable very large data and a high TCP load are no longer
-supported. Very large data and high TCP loads are exceptional for the DNS.
+zone information are answered to downstream clients.
+This is useful for monitoring scripts, that can then access the SOA
+information to check if the RPZ information is up to date.
+.sp
+Default: no
+.UNINDENT
+.INDENT 0.0
+.TP
+.B tags: \fI\(dq<list of tags>\(dq\fP
+Limit the policies from this RPZ clause to clients with a matching tag.
+.sp
+Tags need to be defined in \fI\%define\-tag\fP and
+can be assigned to client addresses using
+\fI\%access\-control\-tag\fP or
+\fI\%interface\-tag\fP\&.
+Enclose list of tags in quotes (\fB\(dq\(dq\fP) and put spaces between tags.
+.sp
+If no tags are specified the policies from this clause will be applied for
+all clients.
+.UNINDENT
+.SH MEMORY CONTROL EXAMPLE
+.sp
+In the example config settings below memory usage is reduced.
+Some service levels are lower, notable very large data and a high TCP load are
+no longer supported.
+Very large data and high TCP loads are exceptional for the DNS.
DNSSEC validation is enabled, just add trust anchors.
-If you do not have to worry about programs using more than 3 Mb of memory,
-the below example is not for you. Use the defaults to receive full service,
-which on BSD\-32bit tops out at 30\-40 Mb after heavy usage.
-.P
+If you do not have to worry about programs using more than 3 Mb of memory, the
+below example is not for you.
+Use the defaults to receive full service, which on BSD\-32bit tops out at 30\-40
+Mb after heavy usage.
+.INDENT 0.0
+.INDENT 3.5
+.sp
.nf
+.ft C
# example settings that reduce memory usage
server:
- num\-threads: 1
- outgoing\-num\-tcp: 1 # this limits TCP service, uses less buffers.
- incoming\-num\-tcp: 1
- outgoing\-range: 60 # uses less memory, but less performance.
- msg\-buffer\-size: 8192 # note this limits service, 'no huge stuff'.
- msg\-cache\-size: 100k
- msg\-cache\-slabs: 1
- rrset\-cache\-size: 100k
- rrset\-cache\-slabs: 1
- infra\-cache\-numhosts: 200
- infra\-cache\-slabs: 1
- key\-cache\-size: 100k
- key\-cache\-slabs: 1
- neg\-cache\-size: 10k
- num\-queries\-per\-thread: 30
- target\-fetch\-policy: "2 1 0 0 0 0"
- harden\-large\-queries: "yes"
- harden\-short\-bufsize: "yes"
+ num\-threads: 1
+ outgoing\-num\-tcp: 1 # this limits TCP service, uses less buffers.
+ incoming\-num\-tcp: 1
+ outgoing\-range: 60 # uses less memory, but less performance.
+ msg\-buffer\-size: 8192 # note this limits service, \(aqno huge stuff\(aq.
+ msg\-cache\-size: 100k
+ msg\-cache\-slabs: 1
+ rrset\-cache\-size: 100k
+ rrset\-cache\-slabs: 1
+ infra\-cache\-numhosts: 200
+ infra\-cache\-slabs: 1
+ key\-cache\-size: 100k
+ key\-cache\-slabs: 1
+ neg\-cache\-size: 10k
+ num\-queries\-per\-thread: 30
+ target\-fetch\-policy: \(dq2 1 0 0 0 0\(dq
+ harden\-large\-queries: \(dqyes\(dq
+ harden\-short\-bufsize: \(dqyes\(dq
+.ft P
.fi
-.SH "FILES"
+.UNINDENT
+.UNINDENT
+.SH FILES
+.INDENT 0.0
.TP
-.I @UNBOUND_RUN_DIR@
+.B @UNBOUND_RUN_DIR@
default Unbound working directory.
.TP
-.I @UNBOUND_CHROOT_DIR@
-default
-\fIchroot\fR(2)
-location.
+.B @UNBOUND_CHROOT_DIR@
+default \fIchroot(2)\fP location.
.TP
-.I @ub_conf_file@
+.B @ub_conf_file@
Unbound configuration file.
.TP
-.I unbound.log
-Unbound log file. default is to log to
-\fIsyslog\fR(3).
-.SH "SEE ALSO"
-\fIunbound\fR(8),
-\fIunbound\-checkconf\fR(8).
-.SH "AUTHORS"
-.B Unbound
-was written by NLnet Labs. Please see CREDITS file
-in the distribution for further details.
+.B unbound.log
+Unbound log file.
+Default is to log to \fIsyslog(3)\fP\&.
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fI\%unbound(8)\fP,
+\fI\%unbound\-checkonf(8)\fP\&.
+.SH AUTHOR
+Unbound developers are mentioned in the CREDITS file in the distribution.
+.SH COPYRIGHT
+1999-2025, NLnet Labs
+.\" Generated by docutils manpage writer.
+.
Index: edns-subnet/addrtree.h
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/edns-subnet/addrtree.h,v
diff -u -p -r1.4 addrtree.h
--- edns-subnet/addrtree.h 20 Oct 2022 08:26:14 -0000 1.4
+++ edns-subnet/addrtree.h 22 Sep 2025 21:08:23 -0000
@@ -116,7 +116,7 @@ struct addredge {
addrlen_t len;
/** child node this edge is connected to */
struct addrnode *node;
- /** Parent node this ege is connected to */
+ /** Parent node this edge is connected to */
struct addrnode *parent_node;
/** Index of this edge in parent_node */
int parent_index;
Index: edns-subnet/subnetmod.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/edns-subnet/subnetmod.c,v
diff -u -p -r1.18 subnetmod.c
--- edns-subnet/subnetmod.c 31 Aug 2025 21:41:09 -0000 1.18
+++ edns-subnet/subnetmod.c 22 Sep 2025 21:08:23 -0000
@@ -154,6 +154,21 @@ int ecs_whitelist_check(struct query_inf
return 1;
sn_env = (struct subnet_env*)qstate->env->modinfo[id];
+ if(sq->is_subquery_nonsubnet) {
+ if(sq->is_subquery_scopezero) {
+ /* Check if the result can be stored in the global cache,
+ * this is okay if the address and name are not configured
+ * as subnet address and subnet zone. */
+ if(!ecs_is_whitelisted(sn_env->whitelist,
+ addr, addrlen, qinfo->qname, qinfo->qname_len,
+ qinfo->qclass)) {
+ verbose(VERB_ALGO, "subnet store subquery global, name and addr have no subnet treatment.");
+ qstate->no_cache_store = 0;
+ }
+ }
+ return 1;
+ }
+
/* Cache by default, might be disabled after parsing EDNS option
* received from nameserver. */
if(!iter_stub_fwd_no_cache(qstate, &qstate->qinfo, NULL, NULL, NULL, 0)
@@ -234,13 +249,13 @@ subnetmod_init(struct module_env *env, i
HASH_DEFAULT_STARTARRAY, env->cfg->msg_cache_size,
msg_cache_sizefunc, query_info_compare, query_entry_delete,
subnet_data_delete, NULL);
- slabhash_setmarkdel(sn_env->subnet_msg_cache, &subnet_markdel);
if(!sn_env->subnet_msg_cache) {
log_err("subnetcache: could not create cache");
free(sn_env);
env->modinfo[id] = NULL;
return 0;
}
+ slabhash_setmarkdel(sn_env->subnet_msg_cache, &subnet_markdel);
/* whitelist for edns subnet capable servers */
sn_env->whitelist = ecs_whitelist_create();
if(!sn_env->whitelist ||
@@ -527,11 +542,12 @@ common_prefix(uint8_t *a, uint8_t *b, ui
/**
* Create sub request that looks up the query.
* @param qstate: query state
+ * @param id: module id.
* @param sq: subnet qstate
* @return false on failure.
*/
static int
-generate_sub_request(struct module_qstate *qstate, struct subnet_qstate* sq)
+generate_sub_request(struct module_qstate *qstate, int id, struct subnet_qstate* sq)
{
struct module_qstate* subq = NULL;
uint16_t qflags = 0; /* OPCODE QUERY, no flags */
@@ -557,10 +573,22 @@ generate_sub_request(struct module_qstat
}
if(subq) {
/* It is possible to access the subquery module state. */
+ struct subnet_qstate* subsq;
+ if(!subnet_new_qstate(subq, id)) {
+ verbose(VERB_ALGO, "Could not allocate new subnet qstate");
+ return 0;
+ }
+ subsq = (struct subnet_qstate*)subq->minfo[id];
+ subsq->is_subquery_nonsubnet = 1;
+
+ /* When the client asks 0.0.0.0/0 and the name is not treated
+ * as subnet, it is to be stored in the global cache.
+ * Store that the client asked for that, if so. */
if(sq->ecs_client_in.subnet_source_mask == 0 &&
edns_opt_list_find(qstate->edns_opts_front_in,
qstate->env->cfg->client_subnet_opcode)) {
subq->no_cache_store = 1;
+ subsq->is_subquery_scopezero = 1;
}
}
return 1;
@@ -569,17 +597,18 @@ generate_sub_request(struct module_qstat
/**
* Perform the query without subnet
* @param qstate: query state
+ * @param id: module id.
* @param sq: subnet qstate
* @return module state
*/
static enum module_ext_state
-generate_lookup_without_subnet(struct module_qstate *qstate,
+generate_lookup_without_subnet(struct module_qstate *qstate, int id,
struct subnet_qstate* sq)
{
verbose(VERB_ALGO, "subnetcache: make subquery to look up without subnet");
- if(!generate_sub_request(qstate, sq)) {
+ if(!generate_sub_request(qstate, id, sq)) {
verbose(VERB_ALGO, "Could not generate sub query");
- qstate->return_rcode = LDNS_RCODE_FORMERR;
+ qstate->return_rcode = LDNS_RCODE_SERVFAIL;
qstate->return_msg = NULL;
return module_finished;
}
@@ -622,7 +651,7 @@ eval_response(struct module_qstate *qsta
* is still useful to put it in the edns subnet cache for
* when a client explicitly asks for subnet specific answer. */
verbose(VERB_QUERY, "subnetcache: Authority indicates no support");
- return generate_lookup_without_subnet(qstate, sq);
+ return generate_lookup_without_subnet(qstate, id, sq);
}
/* Purposefully there was no sent subnet, and there is consequently
@@ -654,7 +683,7 @@ eval_response(struct module_qstate *qsta
qstate->env->cfg->client_subnet_opcode);
sq->subnet_sent = 0;
sq->subnet_sent_no_subnet = 0;
- return generate_lookup_without_subnet(qstate, sq);
+ return generate_lookup_without_subnet(qstate, id, sq);
}
lock_rw_wrlock(&sne->biglock);
@@ -945,7 +974,7 @@ subnetmod_operate(struct module_qstate *
/* aggregated this deaggregated state */
qstate->ext_state[id] =
generate_lookup_without_subnet(
- qstate, sq);
+ qstate, id, sq);
return;
}
verbose(VERB_ALGO, "subnetcache: pass to next module");
@@ -993,7 +1022,7 @@ subnetmod_operate(struct module_qstate *
qstate->env->cfg->client_subnet_opcode)) {
/* client asked for resolution without edns subnet */
qstate->ext_state[id] = generate_lookup_without_subnet(
- qstate, sq);
+ qstate, id, sq);
return;
}
Index: edns-subnet/subnetmod.h
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/edns-subnet/subnetmod.h,v
diff -u -p -r1.9 subnetmod.h
--- edns-subnet/subnetmod.h 31 Aug 2025 21:41:09 -0000 1.9
+++ edns-subnet/subnetmod.h 22 Sep 2025 21:08:23 -0000
@@ -106,6 +106,10 @@ struct subnet_qstate {
int wait_subquery;
/** The subquery waited for is done. */
int wait_subquery_done;
+ /** The subnet state is a subquery state for nonsubnet lookup. */
+ int is_subquery_nonsubnet;
+ /** This is a subquery, and it is made due to a scope zero request. */
+ int is_subquery_scopezero;
};
void subnet_data_delete(void* d, void* ATTR_UNUSED(arg));
Index: iterator/iter_delegpt.h
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/iterator/iter_delegpt.h,v
diff -u -p -r1.11 iter_delegpt.h
--- iterator/iter_delegpt.h 5 Sep 2023 11:12:10 -0000 1.11
+++ iterator/iter_delegpt.h 22 Sep 2025 21:08:23 -0000
@@ -79,6 +79,16 @@ struct delegpt {
* Also true if the delegationpoint was created from a delegation
* message and thus contains the parent-side-info already. */
uint8_t has_parent_side_NS;
+ /** if true, the delegation point has reached last resort processing
+ * and the parent side information has been possibly added to the
+ * delegation point.
+ * For now this signals that further target lookups will ignore
+ * the configured target-fetch-policy and only resolve on
+ * demand to try and avoid triggering limits at this stage (.i.e, it
+ * is very likely that the A/AAAA queries for the newly added name
+ * servers will not yield new IP addresses and trigger NXNS
+ * countermeasures. */
+ uint8_t fallback_to_parent_side_NS;
/** for assertions on type of delegpt */
uint8_t dp_type_mlc;
/** use SSL for upstream query */
Index: iterator/iter_fwd.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/iterator/iter_fwd.c,v
diff -u -p -r1.10 iter_fwd.c
--- iterator/iter_fwd.c 31 Aug 2025 21:41:09 -0000 1.10
+++ iterator/iter_fwd.c 22 Sep 2025 21:08:23 -0000
@@ -139,6 +139,17 @@ forwards_insert_data(struct iter_forward
return 1;
}
+static struct iter_forward_zone*
+fwd_zone_find(struct iter_forwards* fwd, uint16_t c, uint8_t* nm)
+{
+ struct iter_forward_zone key;
+ key.node.key = &key;
+ key.dclass = c;
+ key.name = nm;
+ key.namelabs = dname_count_size_labels(nm, &key.namelen);
+ return (struct iter_forward_zone*)rbtree_search(fwd->tree, &key);
+}
+
/** insert new info into forward structure given dp */
static int
forwards_insert(struct iter_forwards* fwd, uint16_t c, struct delegpt* dp)
@@ -321,6 +332,11 @@ make_stub_holes(struct iter_forwards* fw
log_err("cannot parse stub name '%s'", s->name);
return 0;
}
+ if(fwd_zone_find(fwd, LDNS_RR_CLASS_IN, dname) != NULL) {
+ /* Already a forward zone there. */
+ free(dname);
+ continue;
+ }
if(!fwd_add_stub_hole(fwd, LDNS_RR_CLASS_IN, dname)) {
free(dname);
log_err("out of memory");
@@ -345,6 +361,11 @@ make_auth_holes(struct iter_forwards* fw
log_err("cannot parse auth name '%s'", a->name);
return 0;
}
+ if(fwd_zone_find(fwd, LDNS_RR_CLASS_IN, dname) != NULL) {
+ /* Already a forward zone there. */
+ free(dname);
+ continue;
+ }
if(!fwd_add_stub_hole(fwd, LDNS_RR_CLASS_IN, dname)) {
free(dname);
log_err("out of memory");
@@ -535,17 +556,6 @@ forwards_get_mem(struct iter_forwards* f
}
lock_rw_unlock(&fwd->lock);
return s;
-}
-
-static struct iter_forward_zone*
-fwd_zone_find(struct iter_forwards* fwd, uint16_t c, uint8_t* nm)
-{
- struct iter_forward_zone key;
- key.node.key = &key;
- key.dclass = c;
- key.name = nm;
- key.namelabs = dname_count_size_labels(nm, &key.namelen);
- return (struct iter_forward_zone*)rbtree_search(fwd->tree, &key);
}
int
Index: iterator/iterator.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/iterator/iterator.c,v
diff -u -p -r1.40 iterator.c
--- iterator/iterator.c 31 Aug 2025 21:41:09 -0000 1.40
+++ iterator/iterator.c 22 Sep 2025 21:08:23 -0000
@@ -2152,6 +2152,7 @@ processLastResort(struct module_qstate*
verbose(VERB_QUERY, "configured stub or forward servers failed -- returning SERVFAIL");
return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
}
+ iq->dp->fallback_to_parent_side_NS = 1;
if(qstate->env->cfg->harden_unverified_glue) {
if(!cache_fill_missing(qstate->env, iq->qchase.qclass,
qstate->region, iq->dp, PACKED_RRSET_UNVERIFIED_GLUE))
@@ -2180,6 +2181,10 @@ processLastResort(struct module_qstate*
a->lame, a->tls_auth_name, -1, NULL);
}
lock_rw_unlock(&qstate->env->hints->lock);
+ /* copy over some configuration since we update the
+ * delegation point in place */
+ iq->dp->tcp_upstream = dp->tcp_upstream;
+ iq->dp->ssl_upstream = dp->ssl_upstream;
}
iq->dp->has_parent_side_NS = 1;
} else if(!iq->dp->has_parent_side_NS) {
@@ -2768,7 +2773,8 @@ processQueryTargets(struct module_qstate
}
/* if the mesh query list is full, then do not waste cpu and sockets to
* fetch promiscuous targets. They can be looked up when needed. */
- if(can_do_promisc && !mesh_jostle_exceeded(qstate->env->mesh)) {
+ if(!iq->dp->fallback_to_parent_side_NS && can_do_promisc
+ && !mesh_jostle_exceeded(qstate->env->mesh)) {
tf_policy = ie->target_fetch_policy[iq->depth];
}
@@ -3247,13 +3253,19 @@ processQueryResponse(struct module_qstat
}
}
if(type == RESPONSE_TYPE_CNAME &&
- iq->qchase.qtype == LDNS_RR_TYPE_CNAME &&
+ (iq->qchase.qtype == LDNS_RR_TYPE_CNAME ||
+ iq->qchase.qtype == LDNS_RR_TYPE_ANY) &&
iq->minimisation_state == MINIMISE_STATE &&
query_dname_compare(iq->qchase.qname, iq->qinfo_out.qname) == 0) {
/* The minimised query for full QTYPE and hidden QTYPE can be
* classified as CNAME response type, even when the original
* QTYPE=CNAME. This should be treated as answer response type.
*/
+ /* For QTYPE=ANY, it is also considered the response, that
+ * is what the classifier would say, if it saw qtype ANY,
+ * and this same response was returned for that. The response
+ * can already be treated as such an answer, without having
+ * to send another query with a new qtype. */
type = RESPONSE_TYPE_ANSWER;
}
@@ -3510,6 +3522,15 @@ processQueryResponse(struct module_qstat
iq->num_target_queries = 0;
return processDSNSFind(qstate, iq, id);
}
+ if(iq->minimisation_state == MINIMISE_STATE &&
+ query_dname_compare(iq->qchase.qname,
+ iq->qinfo_out.qname) != 0) {
+ verbose(VERB_ALGO, "continue query minimisation, "
+ "downwards, after CNAME response for "
+ "intermediate label");
+ /* continue query minimisation, downwards */
+ return next_state(iq, QUERYTARGETS_STATE);
+ }
/* Process the CNAME response. */
if(!handle_cname_response(qstate, iq, iq->response,
&sname, &snamelen)) {
@@ -3572,10 +3593,7 @@ processQueryResponse(struct module_qstat
iq->auth_zone_response = 0;
iq->sent_count = 0;
iq->dp_target_count = 0;
- if(iq->minimisation_state != MINIMISE_STATE)
- /* Only count as query restart when it is not an extra
- * query as result of qname minimisation. */
- iq->query_restart_count++;
+ iq->query_restart_count++;
if(qstate->env->cfg->qname_minimisation)
iq->minimisation_state = INIT_MINIMISE_STATE;
@@ -4147,7 +4165,7 @@ processFinished(struct module_qstate* qs
/* store message with the finished prepended items,
* but only if we did recursion. The nonrecursion referral
* from cache does not need to be stored in the msg cache. */
- if(!qstate->no_cache_store && qstate->query_flags&BIT_RD) {
+ if(!qstate->no_cache_store && (qstate->query_flags&BIT_RD)) {
iter_dns_store(qstate->env, &qstate->qinfo,
iq->response->rep, 0, qstate->prefetch_leeway,
iq->dp&&iq->dp->has_parent_side_NS,
Index: libunbound/libworker.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/libunbound/libworker.c,v
diff -u -p -r1.35 libworker.c
--- libunbound/libworker.c 31 Aug 2025 21:41:09 -0000 1.35
+++ libunbound/libworker.c 22 Sep 2025 21:08:23 -0000
@@ -630,8 +630,9 @@ int libworker_fg(struct ub_ctx* ctx, str
free(qinfo.qname);
return UB_NOERROR;
}
- if(ctx->env->auth_zones && auth_zones_answer(ctx->env->auth_zones,
- w->env, &qinfo, &edns, NULL, w->back->udp_buff, w->env->scratch)) {
+ if(ctx->env->auth_zones && auth_zones_downstream_answer(
+ ctx->env->auth_zones, w->env, &qinfo, &edns, NULL,
+ w->back->udp_buff, w->env->scratch)) {
regional_free_all(w->env->scratch);
libworker_fillup_fg(q, LDNS_RCODE_NOERROR,
w->back->udp_buff, sec_status_insecure, NULL, 0);
@@ -709,8 +710,9 @@ int libworker_attach_mesh(struct ub_ctx*
w->back->udp_buff, sec_status_insecure, NULL, 0);
return UB_NOERROR;
}
- if(ctx->env->auth_zones && auth_zones_answer(ctx->env->auth_zones,
- w->env, &qinfo, &edns, NULL, w->back->udp_buff, w->env->scratch)) {
+ if(ctx->env->auth_zones && auth_zones_downstream_answer(
+ ctx->env->auth_zones, w->env, &qinfo, &edns, NULL,
+ w->back->udp_buff, w->env->scratch)) {
regional_free_all(w->env->scratch);
free(qinfo.qname);
libworker_event_done_cb(q, LDNS_RCODE_NOERROR,
@@ -847,8 +849,9 @@ handle_newq(struct libworker* w, uint8_t
free(qinfo.qname);
return;
}
- if(w->ctx->env->auth_zones && auth_zones_answer(w->ctx->env->auth_zones,
- w->env, &qinfo, &edns, NULL, w->back->udp_buff, w->env->scratch)) {
+ if(w->ctx->env->auth_zones && auth_zones_downstream_answer(
+ w->ctx->env->auth_zones, w->env, &qinfo, &edns, NULL,
+ w->back->udp_buff, w->env->scratch)) {
regional_free_all(w->env->scratch);
q->msg_security = sec_status_insecure;
add_bg_result(w, q, w->back->udp_buff, UB_NOERROR, NULL, 0);
Index: libunbound/unbound.h
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/libunbound/unbound.h,v
diff -u -p -r1.17 unbound.h
--- libunbound/unbound.h 31 Aug 2025 21:41:09 -0000 1.17
+++ libunbound/unbound.h 22 Sep 2025 21:08:23 -0000
@@ -772,6 +772,8 @@ struct ub_server_stats {
long long ans_bogus;
/** rrsets marked bogus by validator */
long long rrset_bogus;
+ /** number of signature validation operations performed by validator */
+ long long val_ops;
/** number of queries that have been ratelimited by domain recursion. */
long long queries_ratelimited;
/** unwanted traffic received on server-facing ports */
Index: respip/respip.h
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/respip/respip.h,v
diff -u -p -r1.6 respip.h
--- respip/respip.h 31 Aug 2025 21:41:09 -0000 1.6
+++ respip/respip.h 22 Sep 2025 21:08:23 -0000
@@ -276,7 +276,7 @@ void respip_inform_print(struct respip_a
* @param addrlen: length of addr.
* @param net: netblock to lookup.
* @param create: create node if it does not exist when 1.
- * @param ipstr: human redable ip string, for logging.
+ * @param ipstr: human readable ip string, for logging.
* @return newly created of found node, not holding lock.
*/
struct resp_addr*
Index: services/authzone.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/services/authzone.c,v
diff -u -p -r1.30 authzone.c
--- services/authzone.c 31 Aug 2025 21:41:09 -0000 1.30
+++ services/authzone.c 22 Sep 2025 21:08:23 -0000
@@ -2413,14 +2413,12 @@ az_find_wildcard(struct auth_zone* z, st
if(!dname_subdomain_c(nm, z->name))
return NULL; /* out of zone */
while((node=az_find_wildcard_domain(z, nm, nmlen))==NULL) {
- /* see if we can go up to find the wildcard */
if(nmlen == z->namelen)
return NULL; /* top of zone reached */
if(ce && nmlen == ce->namelen)
return NULL; /* ce reached */
- if(dname_is_root(nm))
- return NULL; /* cannot go up */
- dname_remove_label(&nm, &nmlen);
+ if(!dname_remove_label_limit_len(&nm, &nmlen, z->namelen))
+ return NULL; /* can't go up */
}
return node;
}
@@ -2442,9 +2440,8 @@ az_find_candidate_ce(struct auth_zone* z
n = az_find_name(z, nm, nmlen);
/* delete labels and go up on name */
while(!n) {
- if(dname_is_root(nm))
- return NULL; /* cannot go up */
- dname_remove_label(&nm, &nmlen);
+ if(!dname_remove_label_limit_len(&nm, &nmlen, z->namelen))
+ return NULL; /* can't go up */
n = az_find_name(z, nm, nmlen);
}
return n;
@@ -2456,8 +2453,7 @@ az_domain_go_up(struct auth_zone* z, str
{
uint8_t* nm = n->name;
size_t nmlen = n->namelen;
- while(!dname_is_root(nm)) {
- dname_remove_label(&nm, &nmlen);
+ while(dname_remove_label_limit_len(&nm, &nmlen, z->namelen)) {
if((n=az_find_name(z, nm, nmlen)) != NULL)
return n;
}
@@ -2771,26 +2767,23 @@ az_change_dnames(struct dns_msg* msg, ui
}
}
-/** find NSEC record covering the query */
+/** find NSEC record covering the query, with the given node in the zone */
static struct auth_rrset*
az_find_nsec_cover(struct auth_zone* z, struct auth_data** node)
{
- uint8_t* nm = (*node)->name;
- size_t nmlen = (*node)->namelen;
+ uint8_t* nm;
+ size_t nmlen;
struct auth_rrset* rrset;
+ log_assert(*node); /* we already have a node when calling this */
+ nm = (*node)->name;
+ nmlen = (*node)->namelen;
/* find the NSEC for the smallest-or-equal node */
- /* if node == NULL, we did not find a smaller name. But the zone
- * name is the smallest name and should have an NSEC. So there is
- * no NSEC to return (for a properly signed zone) */
- /* for empty nonterminals, the auth-data node should not exist,
- * and thus we don't need to go rbtree_previous here to find
- * a domain with an NSEC record */
- /* but there could be glue, and if this is node, then it has no NSEC.
+ /* But there could be glue, and then it has no NSEC.
* Go up to find nonglue (previous) NSEC-holding nodes */
while((rrset=az_domain_rrset(*node, LDNS_RR_TYPE_NSEC)) == NULL) {
- if(dname_is_root(nm)) return NULL;
if(nmlen == z->namelen) return NULL;
- dname_remove_label(&nm, &nmlen);
+ if(!dname_remove_label_limit_len(&nm, &nmlen, z->namelen))
+ return NULL; /* can't go up */
/* adjust *node for the nsec rrset to find in */
*node = az_find_name(z, nm, nmlen);
}
@@ -3018,12 +3011,9 @@ az_nsec3_find_ce(struct auth_zone* z, ui
struct auth_data* node;
while((node = az_nsec3_find_exact(z, *cenm, *cenmlen,
algo, iter, salt, saltlen)) == NULL) {
- if(*cenmlen == z->namelen) {
- /* next step up would take us out of the zone. fail */
- return NULL;
- }
+ if(!dname_remove_label_limit_len(cenm, cenmlen, z->namelen))
+ return NULL; /* can't go up */
*no_exact_ce = 1;
- dname_remove_label(cenm, cenmlen);
}
return node;
}
@@ -3340,7 +3330,8 @@ az_generate_wildcard_answer(struct auth_
} else if(ce) {
uint8_t* wildup = wildcard->name;
size_t wilduplen= wildcard->namelen;
- dname_remove_label(&wildup, &wilduplen);
+ if(!dname_remove_label_limit_len(&wildup, &wilduplen, z->namelen))
+ return 0; /* can't go up */
if(!az_add_nsec3_proof(z, region, msg, wildup,
wilduplen, msg->qinfo.qname,
msg->qinfo.qname_len, 0, insert_ce, 1, 0))
@@ -3399,7 +3390,7 @@ az_generate_answer_with_node(struct auth
}
/** Generate answer without an existing-node that we can use.
- * So it'll be a referral, DNAME or nxdomain */
+ * So it'll be a referral, DNAME, notype, wildcard or nxdomain */
static int
az_generate_answer_nonexistnode(struct auth_zone* z, struct query_info* qinfo,
struct regional* region, struct dns_msg* msg, struct auth_data* ce,
@@ -3565,14 +3556,17 @@ auth_error_encode(struct query_info* qin
sldns_buffer_read_u16_at(buf, 2), edns);
}
-int auth_zones_answer(struct auth_zones* az, struct module_env* env,
+int auth_zones_downstream_answer(struct auth_zones* az, struct module_env* env,
struct query_info* qinfo, struct edns_data* edns,
- struct comm_reply* repinfo, struct sldns_buffer* buf, struct regional* temp)
+ struct comm_reply* repinfo, struct sldns_buffer* buf,
+ struct regional* temp)
{
struct dns_msg* msg = NULL;
struct auth_zone* z;
int r;
int fallback = 0;
+ /* Copy the qinfo in case of cname aliasing from local-zone */
+ struct query_info zqinfo = *qinfo;
lock_rw_rdlock(&az->lock);
if(!az->have_downstream) {
@@ -3580,6 +3574,7 @@ int auth_zones_answer(struct auth_zones*
lock_rw_unlock(&az->lock);
return 0;
}
+
if(qinfo->qtype == LDNS_RR_TYPE_DS) {
uint8_t* delname = qinfo->qname;
size_t delnamelen = qinfo->qname_len;
@@ -3587,8 +3582,14 @@ int auth_zones_answer(struct auth_zones*
z = auth_zones_find_zone(az, delname, delnamelen,
qinfo->qclass);
} else {
- z = auth_zones_find_zone(az, qinfo->qname, qinfo->qname_len,
- qinfo->qclass);
+ if(zqinfo.local_alias && !local_alias_shallow_copy_qname(
+ zqinfo.local_alias, &zqinfo.qname,
+ &zqinfo.qname_len)) {
+ lock_rw_unlock(&az->lock);
+ return 0;
+ }
+ z = auth_zones_find_zone(az, zqinfo.qname, zqinfo.qname_len,
+ zqinfo.qclass);
}
if(!z) {
/* no zone above it */
@@ -3614,7 +3615,7 @@ int auth_zones_answer(struct auth_zones*
}
/* answer it from zone z */
- r = auth_zone_generate_answer(z, qinfo, temp, &msg, &fallback);
+ r = auth_zone_generate_answer(z, &zqinfo, temp, &msg, &fallback);
lock_rw_unlock(&z->lock);
if(!r && fallback) {
/* fallback to regular answering (recursive) */
@@ -5023,6 +5024,7 @@ apply_axfr(struct auth_xfer* xfr, struct
xfr->have_zone = 0;
xfr->serial = 0;
+ xfr->soa_zone_acquired = 0;
/* insert all RRs in to the zone */
/* insert the SOA only once, skip the last one */
@@ -5124,6 +5126,7 @@ apply_http(struct auth_xfer* xfr, struct
xfr->have_zone = 0;
xfr->serial = 0;
+ xfr->soa_zone_acquired = 0;
chunk = xfr->task_transfer->chunks_first;
chunk_pos = 0;
@@ -5334,6 +5337,8 @@ xfr_process_chunk_list(struct auth_xfer*
" (or malformed RR)", xfr->task_transfer->master->host);
return 0;
}
+ z->soa_zone_acquired = *env->now;
+ xfr->soa_zone_acquired = *env->now;
/* release xfr lock while verifying zonemd because it may have
* to spawn lookups in the state machines */
@@ -7003,13 +7008,23 @@ xfr_set_timeout(struct auth_xfer* xfr, s
comm_timer_set(xfr->task_nextprobe->timer, &tv);
}
+void auth_zone_pickup_initial_zone(struct auth_zone* z, struct module_env* env)
+{
+ /* Set the time, because we now have timestamp in env,
+ * (not earlier during startup and apply_cfg), and this
+ * notes the start time when the data was acquired. */
+ z->soa_zone_acquired = *env->now;
+}
+
void auth_xfer_pickup_initial_zone(struct auth_xfer* x, struct module_env* env)
{
/* set lease_time, because we now have timestamp in env,
* (not earlier during startup and apply_cfg), and this
* notes the start time when the data was acquired */
- if(x->have_zone)
+ if(x->have_zone) {
x->lease_time = *env->now;
+ x->soa_zone_acquired = *env->now;
+ }
if(x->task_nextprobe && x->task_nextprobe->worker == NULL) {
xfr_set_timeout(x, env, 0, 1);
}
@@ -7020,7 +7035,13 @@ void
auth_xfer_pickup_initial(struct auth_zones* az, struct module_env* env)
{
struct auth_xfer* x;
+ struct auth_zone* z;
lock_rw_wrlock(&az->lock);
+ RBTREE_FOR(z, struct auth_zone*, &az->ztree) {
+ lock_rw_wrlock(&z->lock);
+ auth_zone_pickup_initial_zone(z, env);
+ lock_rw_unlock(&z->lock);
+ }
RBTREE_FOR(x, struct auth_xfer*, &az->xtree) {
lock_basic_lock(&x->lock);
auth_xfer_pickup_initial_zone(x, env);
@@ -7105,6 +7126,7 @@ auth_xfer_new(struct auth_zone* z)
lock_protect(&xfr->lock, &xfr->notify_serial, sizeof(xfr->notify_serial));
lock_protect(&xfr->lock, &xfr->zone_expired, sizeof(xfr->zone_expired));
lock_protect(&xfr->lock, &xfr->have_zone, sizeof(xfr->have_zone));
+ lock_protect(&xfr->lock, &xfr->soa_zone_acquired, sizeof(xfr->soa_zone_acquired));
lock_protect(&xfr->lock, &xfr->serial, sizeof(xfr->serial));
lock_protect(&xfr->lock, &xfr->retry, sizeof(xfr->retry));
lock_protect(&xfr->lock, &xfr->refresh, sizeof(xfr->refresh));
Index: services/authzone.h
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/services/authzone.h,v
diff -u -p -r1.14 authzone.h
--- services/authzone.h 31 Aug 2025 21:41:09 -0000 1.14
+++ services/authzone.h 22 Sep 2025 21:08:23 -0000
@@ -118,6 +118,8 @@ struct auth_zone {
char* zonefile;
/** fallback to the internet on failure or ttl-expiry of auth zone */
int fallback_enabled;
+ /** the time when zone was transferred from upstream */
+ time_t soa_zone_acquired;
/** the zone has expired (enabled by the xfer worker), fallback
* happens if that option is enabled. */
int zone_expired;
@@ -261,6 +263,8 @@ struct auth_xfer {
int zone_expired;
/** do we have a zone (if 0, no zone data at all) */
int have_zone;
+ /** the time when zone was transferred from upstream */
+ time_t soa_zone_acquired;
/** current serial (from SOA), if we have no zone, 0 */
uint32_t serial;
@@ -550,9 +554,10 @@ int auth_zones_lookup(struct auth_zones*
* @param temp: temporary storage region.
* @return false if not answered
*/
-int auth_zones_answer(struct auth_zones* az, struct module_env* env,
+int auth_zones_downstream_answer(struct auth_zones* az, struct module_env* env,
struct query_info* qinfo, struct edns_data* edns,
- struct comm_reply* repinfo, struct sldns_buffer* buf, struct regional* temp);
+ struct comm_reply* repinfo, struct sldns_buffer* buf,
+ struct regional* temp);
/**
* Find the auth zone that is above the given qname.
@@ -797,6 +802,14 @@ size_t auth_zones_get_mem(struct auth_zo
* @param env: environment of the worker that picks up the task.
*/
void auth_xfer_pickup_initial_zone(struct auth_xfer* x,
+ struct module_env* env);
+
+/**
+ * Initial pick up of the auth zone, it sets the acquired time.
+ * @param z: the zone, write locked by caller.
+ * @param env: environment of the worker, with current time.
+ */
+void auth_zone_pickup_initial_zone(struct auth_zone* z,
struct module_env* env);
/**
Index: services/listen_dnsport.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/services/listen_dnsport.c,v
diff -u -p -r1.39 listen_dnsport.c
--- services/listen_dnsport.c 31 Aug 2025 21:41:09 -0000 1.39
+++ services/listen_dnsport.c 22 Sep 2025 21:08:23 -0000
@@ -90,10 +90,13 @@
#ifdef HAVE_NGTCP2
#include <ngtcp2/ngtcp2.h>
#include <ngtcp2/ngtcp2_crypto.h>
-#ifdef HAVE_NGTCP2_NGTCP2_CRYPTO_QUICTLS_H
+#ifdef HAVE_NGTCP2_NGTCP2_CRYPTO_OSSL_H
+#include <ngtcp2/ngtcp2_crypto_ossl.h>
+#elif defined(HAVE_NGTCP2_NGTCP2_CRYPTO_QUICTLS_H)
#include <ngtcp2/ngtcp2_crypto_quictls.h>
-#else
+#elif defined(HAVE_NGTCP2_NGTCP2_CRYPTO_OPENSSL_H)
#include <ngtcp2/ngtcp2_crypto_openssl.h>
+#define MAKE_QUIC_METHOD 1
#endif
#endif
@@ -447,7 +450,7 @@ create_udp_sock(int family, int socktype
* /proc/sys/net/core/wmem_max or sysctl net.core.wmem_max */
if(setsockopt(s, SOL_SOCKET, SO_SNDBUFFORCE, (void*)&snd,
(socklen_t)sizeof(snd)) < 0) {
- if(errno != EPERM) {
+ if(errno != EPERM && errno != ENOBUFS) {
log_err("setsockopt(..., SO_SNDBUFFORCE, "
"...) failed: %s", sock_strerror(errno));
sock_close(s);
@@ -455,15 +458,23 @@ create_udp_sock(int family, int socktype
*inuse = 0;
return -1;
}
+ if(errno != EPERM) {
+ verbose(VERB_ALGO, "setsockopt(..., SO_SNDBUFFORCE, "
+ "...) was not granted: %s", sock_strerror(errno));
+ }
# endif /* SO_SNDBUFFORCE */
if(setsockopt(s, SOL_SOCKET, SO_SNDBUF, (void*)&snd,
(socklen_t)sizeof(snd)) < 0) {
- log_err("setsockopt(..., SO_SNDBUF, "
- "...) failed: %s", sock_strerror(errno));
- sock_close(s);
- *noproto = 0;
- *inuse = 0;
- return -1;
+ if(errno != ENOSYS && errno != ENOBUFS) {
+ log_err("setsockopt(..., SO_SNDBUF, "
+ "...) failed: %s", sock_strerror(errno));
+ sock_close(s);
+ *noproto = 0;
+ *inuse = 0;
+ return -1;
+ }
+ log_warn("setsockopt(..., SO_SNDBUF, "
+ "...) was not granted: %s", sock_strerror(errno));
}
/* check if we got the right thing or if system
* reduced to some system max. Warn if so */
@@ -473,7 +484,8 @@ create_udp_sock(int family, int socktype
"Got %u. To fix: start with "
"root permissions(linux) or sysctl "
"bigger net.core.wmem_max(linux) or "
- "kern.ipc.maxsockbuf(bsd) values.",
+ "kern.ipc.maxsockbuf(bsd) values. or "
+ "set so-sndbuf: 0 (use system value).",
(unsigned)snd, (unsigned)got);
}
# ifdef SO_SNDBUFFORCE
@@ -902,7 +914,7 @@ create_tcp_accept_sock(struct addrinfo *
against IP spoofing attacks as suggested in RFC7413 */
#ifdef __APPLE__
/* OS X implementation only supports qlen of 1 via this call. Actual
- value is configured by the net.inet.tcp.fastopen_backlog kernel parm. */
+ value is configured by the net.inet.tcp.fastopen_backlog kernel param. */
qlen = 1;
#else
/* 5 is recommended on linux */
@@ -1179,6 +1191,15 @@ set_recvtimestamp(int s)
return 0;
}
return 1;
+#elif defined(SO_TIMESTAMP) && defined(SCM_TIMESTAMP)
+ int on = 1;
+ /* FreeBSD and also Linux. */
+ if (setsockopt(s, SOL_SOCKET, SO_TIMESTAMP, (void*)&on, (socklen_t)sizeof(on)) < 0) {
+ log_err("setsockopt(..., SO_TIMESTAMP, ...) failed: %s",
+ strerror(errno));
+ return 0;
+ }
+ return 1;
#else
log_err("packets timestamping is not supported on this platform");
(void)s;
@@ -1598,7 +1619,7 @@ listen_create(struct comm_base* base, st
front->udp_buff, ports->pp2_enabled, cb,
cb_arg, ports->socket);
#else
- log_warn("This system does not support UDP ancilliary data.");
+ log_warn("This system does not support UDP ancillary data.");
#endif
}
if(!cp) {
@@ -3099,7 +3120,7 @@ static int http2_req_header_cb(nghttp2_s
return 0;
}
/* Content type is a SHOULD (rfc7231#section-3.1.1.5) when using POST,
- * and not needed when using GET. Don't enfore.
+ * and not needed when using GET. Don't enforce.
* If set only allow lowercase "application/dns-message".
*
* Clients SHOULD (rfc8484#section-4.1) set an accept header, but MUST
@@ -3161,7 +3182,7 @@ static int http2_req_data_chunk_recv_cb(
qlen = h2_stream->content_length;
} else if(len <= h2_session->c->http2_stream_max_qbuffer_size) {
/* setting this to msg-buffer-size can result in a lot
- * of memory consuption. Most queries should fit in a
+ * of memory consumption. Most queries should fit in a
* single DATA frame, and most POST queries will
* contain content-length which does not impose this
* limit. */
@@ -3187,7 +3208,7 @@ static int http2_req_data_chunk_recv_cb(
if(!h2_stream->qbuffer ||
sldns_buffer_remaining(h2_stream->qbuffer) < len) {
- verbose(VERB_ALGO, "http2 data_chunck_recv failed. Not enough "
+ verbose(VERB_ALGO, "http2 data_chunk_recv failed. Not enough "
"buffer space for POST query. Can happen on multi "
"frame requests without content-length header");
h2_stream->query_too_large = 1;
@@ -3257,6 +3278,21 @@ doq_table_create(struct config_file* cfg
struct doq_table* table = calloc(1, sizeof(*table));
if(!table)
return NULL;
+#ifdef USE_NGTCP2_CRYPTO_OSSL
+ /* Initialize the ossl crypto, it is harmless to call twice,
+ * and this is before use of doq connections. */
+ if(ngtcp2_crypto_ossl_init() != 0) {
+ log_err("ngtcp2_crypto_oss_init failed");
+ free(table);
+ return NULL;
+ }
+#elif defined(HAVE_NGTCP2_CRYPTO_QUICTLS_INIT)
+ if(ngtcp2_crypto_quictls_init() != 0) {
+ log_err("ngtcp2_crypto_quictls_init failed");
+ free(table);
+ return NULL;
+ }
+#endif
table->idle_timeout = ((uint64_t)cfg->tcp_idle_timeout)*
NGTCP2_MILLISECONDS;
table->sv_scidlen = 16;
@@ -3596,12 +3632,18 @@ doq_conn_delete(struct doq_conn* conn, s
lock_rw_wrlock(&conn->table->conid_lock);
doq_conn_clear_conids(conn);
lock_rw_unlock(&conn->table->conid_lock);
- ngtcp2_conn_del(conn->conn);
+ /* Remove the app data from ngtcp2 before SSL_free of conn->ssl,
+ * because the ngtcp2 conn is deleted. */
+ SSL_set_app_data(conn->ssl, NULL);
if(conn->stream_tree.count != 0) {
traverse_postorder(&conn->stream_tree, stream_tree_del, table);
}
free(conn->key.dcid);
SSL_free(conn->ssl);
+#ifdef USE_NGTCP2_CRYPTO_OSSL
+ ngtcp2_crypto_ossl_ctx_del(conn->ossl_ctx);
+#endif
+ ngtcp2_conn_del(conn->conn);
free(conn->close_pkt);
free(conn);
}
@@ -4459,7 +4501,7 @@ doq_log_printf_cb(void* ATTR_UNUSED(user
va_end(ap);
}
-#ifndef HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_SERVER_CONTEXT
+#ifdef MAKE_QUIC_METHOD
/** the doq application tx key callback, false on failure */
static int
doq_application_tx_key_cb(struct doq_conn* conn)
@@ -4493,7 +4535,9 @@ doq_set_encryption_secrets(SSL *ssl, OSS
ngtcp2_crypto_level
#endif
level =
-#ifdef HAVE_NGTCP2_CRYPTO_QUICTLS_FROM_OSSL_ENCRYPTION_LEVEL
+#ifdef USE_NGTCP2_CRYPTO_OSSL
+ ngtcp2_crypto_ossl_from_ossl_encryption_level(ossl_level);
+#elif defined(HAVE_NGTCP2_CRYPTO_QUICTLS_FROM_OSSL_ENCRYPTION_LEVEL)
ngtcp2_crypto_quictls_from_ossl_encryption_level(ossl_level);
#else
ngtcp2_crypto_openssl_from_ossl_encryption_level(ossl_level);
@@ -4539,7 +4583,9 @@ doq_add_handshake_data(SSL *ssl, OSSL_EN
ngtcp2_crypto_level
#endif
level =
-#ifdef HAVE_NGTCP2_CRYPTO_QUICTLS_FROM_OSSL_ENCRYPTION_LEVEL
+#ifdef USE_NGTCP2_CRYPTO_OSSL
+ ngtcp2_crypto_ossl_from_ossl_encryption_level(ossl_level);
+#elif defined(HAVE_NGTCP2_CRYPTO_QUICTLS_FROM_OSSL_ENCRYPTION_LEVEL)
ngtcp2_crypto_quictls_from_ossl_encryption_level(ossl_level);
#else
ngtcp2_crypto_openssl_from_ossl_encryption_level(ossl_level);
@@ -4574,7 +4620,7 @@ doq_send_alert(SSL *ssl, enum ssl_encryp
doq_conn->tls_alert = alert;
return 1;
}
-#endif /* HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_SERVER_CONTEXT */
+#endif /* MAKE_QUIC_METHOD */
/** ALPN select callback for the doq SSL context */
static int
@@ -4596,7 +4642,7 @@ void* quic_sslctx_create(char* key, char
{
#ifdef HAVE_NGTCP2
char* sid_ctx = "unbound server";
-#ifndef HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_SERVER_CONTEXT
+#ifdef MAKE_QUIC_METHOD
SSL_QUIC_METHOD* quic_method;
#endif
SSL_CTX* ctx = SSL_CTX_new(TLS_server_method());
@@ -4669,7 +4715,7 @@ void* quic_sslctx_create(char* key, char
SSL_CTX_free(ctx);
return NULL;
}
-#else /* HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_SERVER_CONTEXT */
+#elif defined(MAKE_QUIC_METHOD)
/* The quic_method needs to remain valid during the SSL_CTX
* lifetime, so we allocate it. It is freed with the
* doq_server_socket. */
@@ -4704,12 +4750,29 @@ static ngtcp2_conn* doq_conn_ref_get_con
static SSL*
doq_ssl_server_setup(SSL_CTX* ctx, struct doq_conn* conn)
{
+#ifdef USE_NGTCP2_CRYPTO_OSSL
+ int ret;
+#endif
SSL* ssl = SSL_new(ctx);
if(!ssl) {
log_crypto_err("doq: SSL_new failed");
return NULL;
}
-#ifdef HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_SERVER_CONTEXT
+#ifdef USE_NGTCP2_CRYPTO_OSSL
+ if((ret=ngtcp2_crypto_ossl_ctx_new(&conn->ossl_ctx, NULL)) != 0) {
+ log_err("doq: ngtcp2_crypto_ossl_ctx_new failed: %s",
+ ngtcp2_strerror(ret));
+ SSL_free(ssl);
+ return NULL;
+ }
+ ngtcp2_crypto_ossl_ctx_set_ssl(conn->ossl_ctx, ssl);
+ if(ngtcp2_crypto_ossl_configure_server_session(ssl) != 0) {
+ log_err("doq: ngtcp2_crypto_ossl_configure_server_session failed");
+ SSL_free(ssl);
+ return NULL;
+ }
+#endif
+#if defined(USE_NGTCP2_CRYPTO_OSSL) || defined(HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_SERVER_CONTEXT)
conn->conn_ref.get_conn = &doq_conn_ref_get_conn;
conn->conn_ref.user_data = conn;
SSL_set_app_data(ssl, &conn->conn_ref);
@@ -4717,7 +4780,11 @@ doq_ssl_server_setup(SSL_CTX* ctx, struc
SSL_set_app_data(ssl, conn);
#endif
SSL_set_accept_state(ssl);
+#ifdef USE_NGTCP2_CRYPTO_OSSL
+ SSL_set_quic_tls_early_data_enabled(ssl, 1);
+#else
SSL_set_quic_early_data_enabled(ssl, 1);
+#endif
return ssl;
}
@@ -4838,7 +4905,11 @@ doq_conn_setup(struct doq_conn* conn, ui
log_err("doq_ssl_server_setup failed");
return 0;
}
+#ifdef USE_NGTCP2_CRYPTO_OSSL
+ ngtcp2_conn_set_tls_native_handle(conn->conn, conn->ossl_ctx);
+#else
ngtcp2_conn_set_tls_native_handle(conn->conn, conn->ssl);
+#endif
doq_conn_write_enable(conn);
return 1;
}
Index: services/listen_dnsport.h
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/services/listen_dnsport.h,v
diff -u -p -r1.22 listen_dnsport.h
--- services/listen_dnsport.h 31 Aug 2025 21:41:09 -0000 1.22
+++ services/listen_dnsport.h 22 Sep 2025 21:08:23 -0000
@@ -52,6 +52,9 @@
#ifdef HAVE_NGTCP2
#include <ngtcp2/ngtcp2.h>
#include <ngtcp2/ngtcp2_crypto.h>
+#ifdef USE_NGTCP2_CRYPTO_OSSL
+struct ngtcp2_crypto_ossl_ctx;
+#endif
#endif
struct listen_list;
struct config_file;
@@ -606,9 +609,13 @@ struct doq_conn {
uint8_t tls_alert;
/** the ssl context, SSL* */
void* ssl;
-#ifdef HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_SERVER_CONTEXT
+#if defined(USE_NGTCP2_CRYPTO_OSSL) || defined(HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_SERVER_CONTEXT)
/** the connection reference for ngtcp2_conn and userdata in ssl */
struct ngtcp2_crypto_conn_ref conn_ref;
+#endif
+#ifdef USE_NGTCP2_CRYPTO_OSSL
+ /** the per-connection state for ngtcp2_crypto_ossl */
+ struct ngtcp2_crypto_ossl_ctx* ossl_ctx;
#endif
/** closure packet, if any */
uint8_t* close_pkt;
Index: services/mesh.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/services/mesh.c,v
diff -u -p -r1.32 mesh.c
--- services/mesh.c 31 Aug 2025 21:41:09 -0000 1.32
+++ services/mesh.c 22 Sep 2025 21:08:23 -0000
@@ -2265,6 +2265,7 @@ mesh_stats_clear(struct mesh_area* mesh)
timehist_clear(mesh->histogram);
mesh->ans_secure = 0;
mesh->ans_bogus = 0;
+ mesh->val_ops = 0;
mesh->ans_expired = 0;
mesh->ans_cachedb = 0;
memset(&mesh->ans_rcode[0], 0, sizeof(size_t)*UB_STATS_RCODE_NUM);
Index: services/mesh.h
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/services/mesh.h,v
diff -u -p -r1.14 mesh.h
--- services/mesh.h 31 Aug 2025 21:41:09 -0000 1.14
+++ services/mesh.h 22 Sep 2025 21:08:23 -0000
@@ -131,6 +131,8 @@ struct mesh_area {
size_t ans_secure;
/** (extended stats) bogus replies */
size_t ans_bogus;
+ /** (extended stats) number of validation operations */
+ size_t val_ops;
/** (extended stats) rcodes in replies */
size_t ans_rcode[UB_STATS_RCODE_NUM];
/** (extended stats) rcode nodata in replies */
Index: services/modstack.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/services/modstack.c,v
diff -u -p -r1.10 modstack.c
--- services/modstack.c 21 Feb 2025 13:20:40 -0000 1.10
+++ services/modstack.c 22 Sep 2025 21:08:23 -0000
@@ -138,8 +138,8 @@ modstack_config(struct module_stack* sta
if(strchr(s, ' ')) *(strchr(s, ' ')) = 0;
if(strchr(s, '\t')) *(strchr(s, '\t')) = 0;
log_err("Unknown value in module-config, module: '%s'."
- " This module is not present (not compiled in),"
- " See the list of linked modules with unbound -V", s);
+ " This module is not present (not compiled in);"
+ " see the list of linked modules with unbound -V", s);
return 0;
}
}
Index: services/modstack.h
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/services/modstack.h,v
diff -u -p -r1.3 modstack.h
--- services/modstack.h 4 Sep 2024 09:36:40 -0000 1.3
+++ services/modstack.h 22 Sep 2025 21:08:23 -0000
@@ -67,7 +67,7 @@ void modstack_init(struct module_stack*
void modstack_free(struct module_stack* stack);
/**
- * Initialises modules and assignes ids. Calls module_startup().
+ * Initialises modules and assigns ids. Calls module_startup().
* @param stack: Expected empty, filled according to module_conf
* @param module_conf: string what modules to initialize
* @param env: module environment which is inited by the modules.
Index: services/outside_network.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/services/outside_network.c,v
diff -u -p -r1.32 outside_network.c
--- services/outside_network.c 31 Aug 2025 21:41:09 -0000 1.32
+++ services/outside_network.c 22 Sep 2025 21:08:23 -0000
@@ -2827,7 +2827,7 @@ serviced_perturb_qname(struct ub_randsta
random = ub_random(rnd);
bits = 30;
}
- if(random & 0x1) {
+ if((random & 0x1)) {
*d = (uint8_t)toupper((unsigned char)*d);
} else {
*d = (uint8_t)tolower((unsigned char)*d);
@@ -2890,9 +2890,9 @@ serviced_encode(struct serviced_query* s
edns.opt_list_inplace_cb_out = NULL;
edns.udp_size = serviced_query_udp_size(sq, sq->status);
edns.bits = 0;
- if(sq->dnssec & EDNS_DO)
+ if((sq->dnssec & EDNS_DO))
edns.bits = EDNS_DO;
- if(sq->dnssec & BIT_CD)
+ if((sq->dnssec & BIT_CD))
LDNS_CD_SET(sldns_buffer_begin(buff));
if (sq->ssl_upstream && sq->padding_block_size) {
padding_option.opt_code = LDNS_EDNS_PADDING;
Index: services/rpz.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/services/rpz.c,v
diff -u -p -r1.1.1.15 rpz.c
--- services/rpz.c 31 Aug 2025 21:36:33 -0000 1.1.1.15
+++ services/rpz.c 22 Sep 2025 21:08:23 -0000
@@ -2121,8 +2121,17 @@ rpz_synthesize_nsdname_localdata(struct
rpz_log_dname("nsdname local data", key.name, key.namelen);
ld = (struct local_data*)rbtree_search(&z->data, &key.node);
+ if(ld == NULL && dname_is_wild(z->name)) {
+ key.name = z->name;
+ key.namelen = z->namelen;
+ key.namelabs = z->namelabs;
+ ld = (struct local_data*)rbtree_search(&z->data, &key.node);
+ /* rpz_synthesize_localdata_from_rrset is going to make
+ * the rrset source name equal to the query name. So no need
+ * to make the wildcard rrset here. */
+ }
if(ld == NULL) {
- verbose(VERB_ALGO, "rpz: nsdname: impossible: qname not found");
+ verbose(VERB_ALGO, "rpz: nsdname: qname not found");
return NULL;
}
@@ -2148,6 +2157,15 @@ rpz_synthesize_qname_localdata_msg(struc
key.namelen = qinfo->qname_len;
key.namelabs = dname_count_labels(qinfo->qname);
ld = (struct local_data*)rbtree_search(&z->data, &key.node);
+ if(ld == NULL && dname_is_wild(z->name)) {
+ key.name = z->name;
+ key.namelen = z->namelen;
+ key.namelabs = z->namelabs;
+ ld = (struct local_data*)rbtree_search(&z->data, &key.node);
+ /* rpz_synthesize_localdata_from_rrset is going to make
+ * the rrset source name equal to the query name. So no need
+ * to make the wildcard rrset here. */
+ }
if(ld == NULL) {
verbose(VERB_ALGO, "rpz: qname: name not found");
return NULL;
Index: services/cache/rrset.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/services/cache/rrset.c,v
diff -u -p -r1.9 rrset.c
--- services/cache/rrset.c 21 Feb 2025 13:20:40 -0000 1.9
+++ services/cache/rrset.c 22 Sep 2025 21:08:23 -0000
@@ -68,6 +68,8 @@ struct rrset_cache* rrset_cache_create(s
struct rrset_cache *r = (struct rrset_cache*)slabhash_create(slabs,
startarray, maxmem, ub_rrset_sizefunc, ub_rrset_compare,
ub_rrset_key_delete, rrset_data_delete, alloc);
+ if(!r)
+ return NULL;
slabhash_setmarkdel(&r->table, &rrset_markdel);
return r;
}
Index: sldns/keyraw.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/sldns/keyraw.c,v
diff -u -p -r1.10 keyraw.c
--- sldns/keyraw.c 31 Aug 2025 21:41:10 -0000 1.10
+++ sldns/keyraw.c 22 Sep 2025 21:08:23 -0000
@@ -124,7 +124,7 @@ uint16_t sldns_calc_keytag_raw(uint8_t*
size_t i;
uint32_t ac32 = 0;
for (i = 0; i < keysize; ++i) {
- ac32 += (i & 1) ? key[i] : key[i] << 8;
+ ac32 += ((i & 1)) ? key[i] : key[i] << 8;
}
ac32 += (ac32 >> 16) & 0xFFFF;
return (uint16_t) (ac32 & 0xFFFF);
@@ -272,7 +272,7 @@ sldns_key_buf2dsa_raw(unsigned char* key
return NULL;
}
if (!DSA_set0_key(dsa, Y, NULL)) {
- /* QPG attached, cleaned up by DSA_fre() */
+ /* QPG attached, cleaned up by DSA_free() */
DSA_free(dsa);
BN_free(Y);
return NULL;
Index: sldns/str2wire.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/sldns/str2wire.c,v
diff -u -p -r1.18 str2wire.c
--- sldns/str2wire.c 31 Aug 2025 21:41:10 -0000 1.18
+++ sldns/str2wire.c 22 Sep 2025 21:08:23 -0000
@@ -857,7 +857,7 @@ rrinternal_parse_rdata(sldns_buffer* str
while (rdata_len && *rdata != 0) {
uint8_t label_len;
- if (*rdata & 0xC0)
+ if ((*rdata & 0xC0))
return LDNS_WIREPARSE_ERR_OK;
label_len = *rdata + 1;
Index: sldns/wire2str.h
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/sldns/wire2str.h,v
diff -u -p -r1.9 wire2str.h
--- sldns/wire2str.h 31 Aug 2025 21:41:10 -0000 1.9
+++ sldns/wire2str.h 22 Sep 2025 21:08:23 -0000
@@ -262,7 +262,7 @@ int sldns_wire2str_rdata_unknown_scan(ui
* @param pkt: packet for decompression, if NULL no decompression.
* @param pktlen: length of packet buffer.
* @param comprloop: inout bool, that is set true if compression loop failure
- * happens. Pass in 0, if passsed in as true, a lower bound is set
+ * happens. Pass in 0, if passed in as true, a lower bound is set
* on compression loops to stop arbitrary long packet parse times.
* This is meant so you can set it to 0 at the start of a list of dnames,
* and then scan all of them in sequence, if a loop happens, it becomes
Index: smallapp/unbound-anchor.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/smallapp/unbound-anchor.c,v
diff -u -p -r1.21 unbound-anchor.c
--- smallapp/unbound-anchor.c 4 Sep 2024 09:36:40 -0000 1.21
+++ smallapp/unbound-anchor.c 22 Sep 2025 21:08:23 -0000
@@ -386,7 +386,7 @@ read_cert_file(const char* file)
STACK_OF(X509)* sk;
FILE* in;
int content = 0;
- char buf[128];
+ long flen;
if(file == NULL || strcmp(file, "") == 0) {
return NULL;
}
@@ -403,6 +403,11 @@ read_cert_file(const char* file)
#endif
return NULL;
}
+ if(fseek(in, 0, SEEK_END) < 0)
+ printf("%s fseek: %s\n", file, strerror(errno));
+ flen = ftell(in);
+ if(fseek(in, 0, SEEK_SET) < 0)
+ printf("%s fseek: %s\n", file, strerror(errno));
while(!feof(in)) {
X509* x = PEM_read_X509(in, NULL, NULL, NULL);
if(x == NULL) {
@@ -418,8 +423,9 @@ read_cert_file(const char* file)
exit(0);
}
content = 1;
- /* read away newline after --END CERT-- */
- if(!fgets(buf, (int)sizeof(buf), in))
+ /* feof may not be true yet, but if the position is
+ * at end of file, stop reading more certificates. */
+ if(ftell(in) == flen)
break;
}
fclose(in);
Index: smallapp/unbound-checkconf.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/smallapp/unbound-checkconf.c,v
diff -u -p -r1.25 unbound-checkconf.c
--- smallapp/unbound-checkconf.c 31 Aug 2025 21:41:10 -0000 1.25
+++ smallapp/unbound-checkconf.c 22 Sep 2025 21:08:23 -0000
@@ -294,7 +294,8 @@ view_and_respipchecks(struct config_file
{
struct views* views = NULL;
struct respip_set* respip = NULL;
- int ignored = 0;
+ int have_view_respip_cfg = 0;
+ int use_response_ip = 0;
if(!(views = views_create()))
fatal_exit("Could not create views: out of memory");
if(!(respip = respip_set_create()))
@@ -303,8 +304,11 @@ view_and_respipchecks(struct config_file
fatal_exit("Could not set up views");
if(!respip_global_apply_cfg(respip, cfg))
fatal_exit("Could not setup respip set");
- if(!respip_views_apply_cfg(views, cfg, &ignored))
+ if(!respip_views_apply_cfg(views, cfg, &have_view_respip_cfg))
fatal_exit("Could not setup per-view respip sets");
+ use_response_ip = !respip_set_is_empty(respip) || have_view_respip_cfg;
+ if(use_response_ip && !strstr(cfg->module_conf, "respip"))
+ fatal_exit("response-ip options require respip module");
acl_view_tag_checks(cfg, views);
views_delete(views);
respip_set_delete(respip);
@@ -450,6 +454,39 @@ ifautomaticportschecks(char* ifautomatic
}
}
+/** check control interface strings */
+static void
+controlinterfacechecks(struct config_file* cfg)
+{
+ struct config_strlist* p;
+ for(p = cfg->control_ifs.first; p; p = p->next) {
+ struct sockaddr_storage a;
+ socklen_t alen;
+ char** rcif = NULL;
+ int i, num_rcif = 0;
+ /* See if it is a local socket, starts with a '/'. */
+ if(p->str && p->str[0] == '/')
+ continue;
+ if(!resolve_interface_names(&p->str, 1, NULL, &rcif,
+ &num_rcif)) {
+ fatal_exit("could not resolve interface names, for control-interface: %s",
+ p->str);
+ }
+ for(i=0; i<num_rcif; i++) {
+ if(!extstrtoaddr(rcif[i], &a, &alen,
+ cfg->control_port)) {
+ if(strcmp(p->str, rcif[i])!=0)
+ fatal_exit("cannot parse control-interface address '%s' from the control-interface specified as '%s'",
+ rcif[i], p->str);
+ else
+ fatal_exit("cannot parse control-interface specified as '%s'",
+ p->str);
+ }
+ }
+ config_del_strarray(rcif, num_rcif);
+ }
+}
+
/** check acl ips */
static void
aclchecks(struct config_file* cfg)
@@ -636,8 +673,10 @@ check_modules_exist(const char* module_c
}
n[j] = s[j];
}
- fatal_exit("module_conf lists module '%s' but that "
- "module is not available.", n);
+ fatal_exit("Unknown value in module-config, module: "
+ "'%s'. This module is not present (not "
+ "compiled in); see the list of linked modules "
+ "with unbound -V", n);
}
s += strlen(names[i]);
}
@@ -930,6 +969,8 @@ morechecks(struct config_file* cfg)
fatal_exit("control-cert-file: \"%s\" does not exist",
cfg->control_cert_file);
}
+ if(cfg->remote_control_enable)
+ controlinterfacechecks(cfg);
donotquerylocalhostcheck(cfg);
localzonechecks(cfg);
@@ -970,6 +1011,8 @@ check_auth(struct config_file* cfg)
if(!az || !auth_zones_apply_cfg(az, cfg, 0, &is_rpz, NULL, NULL)) {
fatal_exit("Could not setup authority zones");
}
+ if(is_rpz && !strstr(cfg->module_conf, "respip"))
+ fatal_exit("RPZ requires the respip module");
auth_zones_delete(az);
}
Index: smallapp/unbound-control.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/smallapp/unbound-control.c,v
diff -u -p -r1.30 unbound-control.c
--- smallapp/unbound-control.c 31 Aug 2025 21:41:10 -0000 1.30
+++ smallapp/unbound-control.c 22 Sep 2025 21:08:23 -0000
@@ -143,6 +143,8 @@ usage(void)
printf(" load_cache load cache from stdin\n");
printf(" (not supported in remote unbounds in\n");
printf(" multi-process operation)\n");
+ printf(" cache_lookup [+t] <names> print rrsets and msgs at or under the names\n");
+ printf(" +t allow tld and root names.\n");
printf(" lookup <name> print nameservers for name\n");
printf(" flush [+c] <name> flushes common types for name from cache\n");
printf(" types: A, AAAA, MX, PTR, NS,\n");
@@ -409,6 +411,7 @@ static void print_extended(struct ub_sta
PR_UL("num.answer.secure", s->svr.ans_secure);
PR_UL("num.answer.bogus", s->svr.ans_bogus);
PR_UL("num.rrset.bogus", s->svr.rrset_bogus);
+ PR_UL("num.valops", s->svr.val_ops);
PR_UL("num.query.aggressive.NOERROR", s->svr.num_neg_cache_noerror);
PR_UL("num.query.aggressive.NXDOMAIN", s->svr.num_neg_cache_nxdomain);
/* threat detection */
Index: testcode/dohclient.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/testcode/dohclient.c,v
diff -u -p -r1.1.1.7 dohclient.c
--- testcode/dohclient.c 12 Apr 2024 15:44:27 -0000 1.1.1.7
+++ testcode/dohclient.c 22 Sep 2025 21:08:23 -0000
@@ -388,7 +388,7 @@ static int http2_frame_recv_cb(nghttp2_s
}
if(((frame->hd.type != NGHTTP2_DATA &&
frame->hd.type != NGHTTP2_HEADERS) ||
- frame->hd.flags & NGHTTP2_FLAG_END_STREAM) &&
+ (frame->hd.flags & NGHTTP2_FLAG_END_STREAM)) &&
h2_stream->res_status == 200) {
char* pktstr;
sldns_buffer_flip(h2_stream->buf);
Index: testcode/doqclient.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/testcode/doqclient.c,v
diff -u -p -r1.1.1.2 doqclient.c
--- testcode/doqclient.c 31 Aug 2025 21:36:34 -0000 1.1.1.2
+++ testcode/doqclient.c 22 Sep 2025 21:08:23 -0000
@@ -48,10 +48,13 @@
#ifdef HAVE_NGTCP2
#include <ngtcp2/ngtcp2.h>
#include <ngtcp2/ngtcp2_crypto.h>
-#ifdef HAVE_NGTCP2_NGTCP2_CRYPTO_QUICTLS_H
+#ifdef HAVE_NGTCP2_NGTCP2_CRYPTO_OSSL_H
+#include <ngtcp2/ngtcp2_crypto_ossl.h>
+#elif defined(HAVE_NGTCP2_NGTCP2_CRYPTO_QUICTLS_H)
#include <ngtcp2/ngtcp2_crypto_quictls.h>
-#else
+#elif defined(HAVE_NGTCP2_NGTCP2_CRYPTO_OPENSSL_H)
#include <ngtcp2/ngtcp2_crypto_openssl.h>
+#define MAKE_QUIC_METHOD 1
#endif
#include <openssl/ssl.h>
#include <openssl/rand.h>
@@ -107,10 +110,14 @@ struct doq_client_data {
SSL_CTX* ctx;
/** SSL object */
SSL* ssl;
-#ifdef HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_CLIENT_CONTEXT
+#if defined(USE_NGTCP2_CRYPTO_OSSL) || defined(HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_CLIENT_CONTEXT)
/** the connection reference for ngtcp2_conn and userdata in ssl */
struct ngtcp2_crypto_conn_ref conn_ref;
#endif
+#ifdef USE_NGTCP2_CRYPTO_OSSL
+ /** the per-connection state for ngtcp2_crypto_ossl */
+ struct ngtcp2_crypto_ossl_ctx* ossl_ctx;
+#endif
/** the quic version to use */
uint32_t quic_version;
/** the last error */
@@ -197,11 +204,12 @@ struct doq_client_stream {
int query_is_done;
};
-#ifndef HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_CLIENT_CONTEXT
+#ifdef MAKE_QUIC_METHOD
/** the quic method struct, must remain valid during the QUIC connection. */
static SSL_QUIC_METHOD quic_method;
#endif
+#if defined(USE_NGTCP2_CRYPTO_OSSL) || defined(HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_CLIENT_CONTEXT)
/** Get the connection ngtcp2_conn from the ssl app data
* ngtcp2_crypto_conn_ref */
static ngtcp2_conn* conn_ref_get_conn(ngtcp2_crypto_conn_ref* conn_ref)
@@ -210,11 +218,12 @@ static ngtcp2_conn* conn_ref_get_conn(ng
conn_ref->user_data;
return data->conn;
}
+#endif
static void
set_app_data(SSL* ssl, struct doq_client_data* data)
{
-#ifdef HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_CLIENT_CONTEXT
+#if defined(USE_NGTCP2_CRYPTO_OSSL) || defined(HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_CLIENT_CONTEXT)
data->conn_ref.get_conn = &conn_ref_get_conn;
data->conn_ref.user_data = data;
SSL_set_app_data(ssl, &data->conn_ref);
@@ -227,7 +236,7 @@ static struct doq_client_data*
get_app_data(SSL* ssl)
{
struct doq_client_data* data;
-#ifdef HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_CLIENT_CONTEXT
+#if defined(USE_NGTCP2_CRYPTO_OSSL) || defined(HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_CLIENT_CONTEXT)
data = (struct doq_client_data*)((struct ngtcp2_crypto_conn_ref*)
SSL_get_app_data(ssl))->user_data;
#else
@@ -893,7 +902,7 @@ handshake_completed(ngtcp2_conn* ATTR_UN
verbose(1, "early data was accepted by the server");
}
}
-#ifdef HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_CLIENT_CONTEXT
+#if defined(USE_NGTCP2_CRYPTO_OSSL) || defined(HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_CLIENT_CONTEXT)
if(data->transport_file) {
early_data_write_transport(data);
}
@@ -1207,7 +1216,7 @@ early_data_write_transport(struct doq_cl
#endif
}
-#ifndef HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_CLIENT_CONTEXT
+#ifdef MAKE_QUIC_METHOD
/** applicatation rx key callback, this is where the rx key is set,
* and streams can be opened, like http3 unidirectional streams, like
* the http3 control and http3 qpack encode and decoder streams. */
@@ -1317,7 +1326,7 @@ send_alert(SSL *ssl, enum ssl_encryption
data->tls_alert = alert;
return 1;
}
-#endif /* HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_CLIENT_CONTEXT */
+#endif /* MAKE_QUIC_METHOD */
/** new session callback. We can write it to file for resumption later. */
static int
@@ -1357,7 +1366,7 @@ ctx_client_setup(void)
log_err("ngtcp2_crypto_quictls_configure_client_context failed");
exit(1);
}
-#else
+#elif defined(MAKE_QUIC_METHOD)
memset(&quic_method, 0, sizeof(quic_method));
quic_method.set_encryption_secrets = &set_encryption_secrets;
quic_method.add_handshake_data = &add_handshake_data;
@@ -1373,22 +1382,39 @@ ctx_client_setup(void)
static SSL*
ssl_client_setup(struct doq_client_data* data)
{
+#ifdef USE_NGTCP2_CRYPTO_OSSL
+ int ret;
+#endif
SSL* ssl = SSL_new(data->ctx);
if(!ssl) {
log_crypto_err("Could not SSL_new");
exit(1);
}
+#ifdef USE_NGTCP2_CRYPTO_OSSL
+ if((ret=ngtcp2_crypto_ossl_ctx_new(&data->ossl_ctx, NULL)) != 0) {
+ log_err("ngtcp2_crypto_ossl_ctx_new failed: %s",
+ ngtcp2_strerror(ret));
+ exit(1);
+ }
+ ngtcp2_crypto_ossl_ctx_set_ssl(data->ossl_ctx, ssl);
+ if(ngtcp2_crypto_ossl_configure_client_session(ssl) != 0) {
+ log_err("ngtcp2_crypto_ossl_configure_client_session failed");
+ exit(1);
+ }
+#endif
set_app_data(ssl, data);
SSL_set_connect_state(ssl);
if(!SSL_set_fd(ssl, data->fd)) {
log_crypto_err("Could not SSL_set_fd");
exit(1);
}
+#ifndef USE_NGTCP2_CRYPTO_OSSL
if((data->quic_version & 0xff000000) == 0xff000000) {
SSL_set_quic_use_legacy_codepoint(ssl, 1);
} else {
SSL_set_quic_use_legacy_codepoint(ssl, 0);
}
+#endif
SSL_set_alpn_protos(ssl, (const unsigned char *)"\x03""doq", 4);
/* send the SNI host name */
SSL_set_tlsext_host_name(ssl, "localhost");
@@ -2072,7 +2098,11 @@ early_data_setup_session(struct doq_clie
SSL_SESSION_free(session);
return 0;
}
+#ifdef USE_NGTCP2_CRYPTO_OSSL
+ SSL_set_quic_tls_early_data_enabled(data->ssl, 1);
+#else
SSL_set_quic_early_data_enabled(data->ssl, 1);
+#endif
SSL_SESSION_free(session);
return 1;
}
@@ -2221,6 +2251,15 @@ create_doq_client_data(const char* svr,
data = calloc(1, sizeof(*data));
if(!data) fatal_exit("calloc failed: out of memory");
data->base = base;
+#ifdef USE_NGTCP2_CRYPTO_OSSL
+ /* Initialize the ossl crypto, it is harmless to call twice,
+ * and this is before use of doq connections. */
+ if(ngtcp2_crypto_ossl_init() != 0)
+ fatal_exit("ngtcp2_crypto_oss_init failed");
+#elif defined(HAVE_NGTCP2_CRYPTO_QUICTLS_INIT)
+ if(ngtcp2_crypto_quictls_init() != 0)
+ fatal_exit("ngtcp2_crypto_quictls_init failed");
+#endif
data->rnd = ub_initstate(NULL);
if(!data->rnd) fatal_exit("ub_initstate failed: out of memory");
data->svr = svr;
@@ -2255,7 +2294,11 @@ create_doq_client_data(const char* svr,
SSL_CTX_sess_set_new_cb(data->ctx, new_session_cb);
}
data->ssl = ssl_client_setup(data);
+#ifdef USE_NGTCP2_CRYPTO_OSSL
+ ngtcp2_conn_set_tls_native_handle(data->conn, data->ossl_ctx);
+#else
ngtcp2_conn_set_tls_native_handle(data->conn, data->ssl);
+#endif
if(data->early_data_enabled)
early_data_setup(data);
@@ -2301,8 +2344,14 @@ delete_doq_client_data(struct doq_client
}
}
#endif
- ngtcp2_conn_del(data->conn);
+ /* Remove the app data from ngtcp2 before SSL_free of conn->ssl,
+ * because the ngtcp2 conn is deleted. */
+ SSL_set_app_data(data->ssl, NULL);
SSL_free(data->ssl);
+#ifdef USE_NGTCP2_CRYPTO_OSSL
+ ngtcp2_crypto_ossl_ctx_del(data->ossl_ctx);
+#endif
+ ngtcp2_conn_del(data->conn);
sldns_buffer_free(data->pkt_buf);
sldns_buffer_free(data->blocked_pkt);
if(data->fd != -1)
Index: testcode/fake_event.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/testcode/fake_event.c,v
diff -u -p -r1.1.1.18 fake_event.c
--- testcode/fake_event.c 31 Aug 2025 21:36:34 -0000 1.1.1.18
+++ testcode/fake_event.c 22 Sep 2025 21:08:23 -0000
@@ -188,6 +188,22 @@ delete_replay_answer(struct replay_answe
free(a);
}
+/** Log the packet for a reply_packet from testpkts. */
+static void
+log_testpkt_reply_pkt(const char* txt, struct reply_packet* reppkt)
+{
+ if(!reppkt) {
+ log_info("%s <null>", txt);
+ return;
+ }
+ if(reppkt->reply_from_hex) {
+ log_pkt(txt, sldns_buffer_begin(reppkt->reply_from_hex),
+ sldns_buffer_limit(reppkt->reply_from_hex));
+ return;
+ }
+ log_pkt(txt, reppkt->reply_pkt, reppkt->reply_len);
+}
+
/**
* return: true if pending query matches the now event.
*/
@@ -240,9 +256,8 @@ pending_find_match(struct replay_runtime
p->start_step, p->end_step, (*entry)->lineno);
if(p->addrlen != 0)
log_addr(0, "matched ip", &p->addr, p->addrlen);
- log_pkt("matched pkt: ",
- (*entry)->reply_list->reply_pkt,
- (*entry)->reply_list->reply_len);
+ log_testpkt_reply_pkt("matched pkt: ",
+ (*entry)->reply_list);
return 1;
}
p = p->next_range;
@@ -330,7 +345,7 @@ fill_buffer_with_reply(sldns_buffer* buf
while(reppkt && i--)
reppkt = reppkt->next;
if(!reppkt) fatal_exit("extra packet read from TCP stream but none is available");
- log_pkt("extra_packet ", reppkt->reply_pkt, reppkt->reply_len);
+ log_testpkt_reply_pkt("extra packet ", reppkt);
}
if(reppkt->reply_from_hex) {
c = sldns_buffer_begin(reppkt->reply_from_hex);
@@ -462,8 +477,7 @@ fake_front_query(struct replay_runtime*
repinfo.c->type = comm_udp;
fill_buffer_with_reply(repinfo.c->buffer, todo->match, NULL, 0, 0);
log_info("testbound: incoming QUERY");
- log_pkt("query pkt", todo->match->reply_list->reply_pkt,
- todo->match->reply_list->reply_len);
+ log_testpkt_reply_pkt("query pkt ", todo->match->reply_list);
/* call the callback for incoming queries */
if((*runtime->callback_query)(repinfo.c, runtime->cb_arg,
NETEVENT_NOERROR, &repinfo)) {
@@ -900,8 +914,10 @@ run_scenario(struct replay_runtime* runt
runtime->now->evt_type == repevt_front_reply) {
answer_check_it(runtime);
advance_moment(runtime);
- } else if(pending_matches_range(runtime, &entry, &pending)) {
- answer_callback_from_entry(runtime, entry, pending);
+ } else if(runtime->now && pending_matches_range(runtime,
+ &entry, &pending)) {
+ if(entry)
+ answer_callback_from_entry(runtime, entry, pending);
} else {
do_moment_and_advance(runtime);
}
@@ -1254,7 +1270,7 @@ struct serviced_query* outnet_serviced_q
struct query_info* qinfo, uint16_t flags, int dnssec,
int ATTR_UNUSED(want_dnssec), int ATTR_UNUSED(nocaps),
int ATTR_UNUSED(check_ratelimit),
- int ATTR_UNUSED(tcp_upstream), int ATTR_UNUSED(ssl_upstream),
+ int tcp_upstream, int ATTR_UNUSED(ssl_upstream),
char* ATTR_UNUSED(tls_auth_name), struct sockaddr_storage* addr,
socklen_t addrlen, uint8_t* zone, size_t zonelen,
struct module_qstate* qstate, comm_point_callback_type* callback,
@@ -1274,7 +1290,7 @@ struct serviced_query* outnet_serviced_q
(flags&~(BIT_RD|BIT_CD))?" MORE":"", (dnssec)?" DO":"");
/* create packet with EDNS */
- pend->buffer = sldns_buffer_new(512);
+ pend->buffer = sldns_buffer_new(4096);
log_assert(pend->buffer);
sldns_buffer_write_u16(pend->buffer, 0); /* id */
sldns_buffer_write_u16(pend->buffer, flags);
@@ -1334,7 +1350,13 @@ struct serviced_query* outnet_serviced_q
edns.opt_list_in = NULL;
edns.opt_list_out = per_upstream_opt_list;
edns.opt_list_inplace_cb_out = NULL;
- attach_edns_record(pend->buffer, &edns);
+ if(sldns_buffer_capacity(pend->buffer) >=
+ sldns_buffer_limit(pend->buffer)
+ +calc_edns_field_size(&edns)) {
+ attach_edns_record(pend->buffer, &edns);
+ } else {
+ verbose(VERB_ALGO, "edns field too large to fit");
+ }
}
memcpy(&pend->addr, addr, addrlen);
pend->addrlen = addrlen;
@@ -1345,7 +1367,7 @@ struct serviced_query* outnet_serviced_q
pend->callback = callback;
pend->cb_arg = callback_arg;
pend->timeout = UDP_AUTH_QUERY_TIMEOUT/1000;
- pend->transport = transport_udp; /* pretend UDP */
+ pend->transport = tcp_upstream?transport_tcp:transport_udp;
pend->pkt = NULL;
pend->runtime = runtime;
pend->serviced = 1;
Index: testcode/petal.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/testcode/petal.c,v
diff -u -p -r1.1.1.8 petal.c
--- testcode/petal.c 4 Sep 2024 09:35:36 -0000 1.1.1.8
+++ testcode/petal.c 22 Sep 2025 21:08:23 -0000
@@ -256,7 +256,7 @@ setup_ctx(char* key, char* cert)
#if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
if (!SSL_CTX_set_ecdh_auto(ctx,1))
if(verb>=1) printf("failed to set_ecdh_auto, not enabling ECDHE\n");
-#elif defined(USE_ECDSA) && defined(HAVE_SSL_CTX_SET_TMP_ECDH)
+#elif defined(USE_ECDSA) && HAVE_DECL_SSL_CTX_SET_TMP_ECDH
if(1) {
EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
if (!ecdh) {
Index: testcode/replay.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/testcode/replay.c,v
diff -u -p -r1.1.1.7 replay.c
--- testcode/replay.c 13 Jun 2024 14:29:33 -0000 1.1.1.7
+++ testcode/replay.c 22 Sep 2025 21:08:23 -0000
@@ -795,7 +795,7 @@ macro_expand(rbtree_type* store, struct
char buf[10240];
char* at = *text;
size_t len = macro_length(at);
- int dofunc = 0;
+ int tries = 0, dofunc = 0;
char* arithstart = NULL;
if(len >= sizeof(buf))
return NULL; /* too long */
@@ -834,6 +834,8 @@ macro_expand(rbtree_type* store, struct
/* actual macro text expansion */
while(*at) {
size_t remain = sizeof(buf)-strlen(buf);
+ if(tries++ > 10000)
+ return NULL; /* looks like got into an infinite loop, bail out */
if(strncmp(at, "${", 2) == 0) {
at = do_macro_recursion(store, runtime, at, remain);
} else if(*at == '$') {
Index: testcode/testbound.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/testcode/testbound.c,v
diff -u -p -r1.1.1.13 testbound.c
--- testcode/testbound.c 31 Aug 2025 21:36:34 -0000 1.1.1.13
+++ testcode/testbound.c 22 Sep 2025 21:08:23 -0000
@@ -293,6 +293,16 @@ setup_config(FILE* in, int* lineno, int*
fclose(cfg);
return;
}
+ if(strncmp(parse, "fake-sha1: yes", 14) == 0) {
+ /* Allow the use of SHA1 signatures for the test,
+ * in case that OpenSSL disallows use of RSASHA1
+ * with rh-allow-sha1-signatures disabled. */
+#ifndef UB_ON_WINDOWS
+ setenv("OPENSSL_ENABLE_SHA1_SIGNATURES", "1", 0);
+#else
+ _putenv("OPENSSL_ENABLE_SHA1_SIGNATURES=1");
+#endif
+ }
fputs(line, cfg);
}
fatal_exit("No CONFIG_END in input file");
@@ -333,6 +343,35 @@ static void remove_configfile(void)
cfgfiles = NULL;
}
+/** perform the playback on the playback_file with the args. */
+static int
+perform_playback(char* playback_file, int pass_argc, char** pass_argv)
+{
+ struct replay_scenario* scen = NULL;
+ int c, res;
+
+ /* setup test environment */
+ scen = setup_playback(playback_file, &pass_argc, pass_argv);
+ /* init fake event backend */
+ fake_event_init(scen);
+
+ pass_argv[pass_argc] = NULL;
+ echo_cmdline(pass_argc, pass_argv);
+
+ /* run the normal daemon */
+ res = daemon_main(pass_argc, pass_argv);
+
+ fake_event_cleanup();
+ for(c=1; c<pass_argc; c++)
+ free(pass_argv[c]);
+ return res;
+}
+
+/* For fuzzing the main routine is replaced with
+ * LLVMFuzzerTestOneInput. */
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+#define main dummy_main
+#endif
/**
* Main fake event test program. Setup, teardown and report errors.
* @param argc: arg count.
@@ -348,7 +387,6 @@ main(int argc, char* argv[])
char* playback_file = NULL;
int init_optind = optind;
char* init_optarg = optarg;
- struct replay_scenario* scen = NULL;
/* we do not want the test to depend on the timezone */
(void)putenv("TZ=UTC");
@@ -456,24 +494,11 @@ main(int argc, char* argv[])
if(atexit(&remove_configfile) != 0)
fatal_exit("atexit() failed: %s", strerror(errno));
- /* setup test environment */
- scen = setup_playback(playback_file, &pass_argc, pass_argv);
- /* init fake event backend */
- fake_event_init(scen);
-
- pass_argv[pass_argc] = NULL;
- echo_cmdline(pass_argc, pass_argv);
-
/* reset getopt processing */
optind = init_optind;
optarg = init_optarg;
- /* run the normal daemon */
- res = daemon_main(pass_argc, pass_argv);
-
- fake_event_cleanup();
- for(c=1; c<pass_argc; c++)
- free(pass_argv[c]);
+ res = perform_playback(playback_file, pass_argc, pass_argv);
if(res == 0) {
log_info("Testbound Exit Success\n");
/* remove configfile from here, the atexit() is for when
@@ -492,6 +517,101 @@ main(int argc, char* argv[])
}
return res;
}
+
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+static int delete_file(const char *pathname) {
+ int ret = unlink(pathname);
+ free((void *)pathname);
+ return ret;
+}
+
+static char *buf_to_file(const uint8_t *buf, size_t size) {
+ int fd;
+ size_t pos;
+ char *pathname = strdup("/tmp/fuzz-XXXXXX");
+ if (pathname == NULL)
+ return NULL;
+
+ fd = mkstemp(pathname);
+ if (fd == -1) {
+ log_err("mkstemp of file %s failed: %s", pathname, strerror(errno));
+ free(pathname);
+ return NULL;
+ }
+ pos = 0;
+ while (pos < size) {
+ int nbytes = write(fd, &buf[pos], size - pos);
+ if (nbytes <= 0) {
+ if (nbytes == -1 && errno == EINTR)
+ continue;
+ log_err("write to file %s failed: %s", pathname, strerror(errno));
+ goto err;
+ }
+ pos += nbytes;
+ }
+
+ if (close(fd) == -1) {
+ log_err("close of file %s failed: %s", pathname, strerror(errno));
+ goto err;
+ }
+
+ return pathname;
+err:
+ delete_file(pathname);
+ return NULL;
+}
+
+/* based on main() above, but with: hard-coded passed args, file created from fuzz input */
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
+{
+ int c, res;
+ int pass_argc = 0;
+ char* pass_argv[MAXARG];
+ char* playback_file = NULL;
+
+ /* we do not want the test to depend on the timezone */
+ (void)putenv("TZ=UTC");
+ memset(pass_argv, 0, sizeof(pass_argv));
+#ifdef HAVE_SYSTEMD
+ /* we do not want the test to use systemd daemon startup notification*/
+ (void)unsetenv("NOTIFY_SOCKET");
+#endif /* HAVE_SYSTEMD */
+
+ checklock_start();
+ log_init(NULL, 0, NULL);
+ /* determine commandline options for the daemon */
+ pass_argc = 1;
+ pass_argv[0] = "unbound";
+ add_opts("-d", &pass_argc, pass_argv);
+
+ playback_file = buf_to_file(Data, Size);
+ if (playback_file) {
+ log_info("Start of %s testbound program.", PACKAGE_STRING);
+
+ res = perform_playback(playback_file, pass_argc, pass_argv);
+ if(res == 0) {
+ log_info("Testbound Exit Success\n");
+ /* remove configfile from here, the atexit() is for when
+ * there is a crash to remove the tmpdir file.
+ * This one removes the file while alloc and log locks are
+ * still valid, and can be logged (for memory calculation),
+ * it leaves the ptr NULL so the atexit does nothing. */
+ remove_configfile();
+#ifdef HAVE_PTHREAD
+ /* dlopen frees its thread state (dlopen of gost engine) */
+ pthread_exit(NULL);
+#endif
+ }
+
+ delete_file(playback_file);
+ }
+
+ if(log_get_lock()) {
+ lock_basic_destroy((lock_basic_type*)log_get_lock());
+ }
+ return res;
+}
+#endif /* FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION */
/* fake remote control */
struct listen_port* daemon_remote_open_ports(struct config_file*
Index: testcode/testpkts.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/testcode/testpkts.c,v
diff -u -p -r1.1.1.9 testpkts.c
--- testcode/testpkts.c 13 Apr 2024 12:23:45 -0000 1.1.1.9
+++ testcode/testpkts.c 22 Sep 2025 21:08:23 -0000
@@ -923,10 +923,14 @@ pkt_snip_edns_option(uint8_t* pkt, size_
if(!pkt_find_edns_opt(&opt_position, &remaining)) return 0;
if(remaining < 8) return -1; /* malformed */
rdlen = sldns_read_uint16(opt_position+6);
+ if(remaining < ((size_t)rdlen)+8)
+ return -1; /* malformed */
rdata = opt_position + 8;
while(rdlen > 0) {
if(rdlen < 4) return -1; /* malformed */
optlen = sldns_read_uint16(rdata+2);
+ if((size_t)rdlen < 4+((size_t)optlen))
+ return -1; /* malformed */
if(sldns_read_uint16(rdata) == code) {
/* save data to buf for caller inspection */
memmove(buf, rdata+4, optlen);
@@ -1134,8 +1138,9 @@ static void lowercase_dname(uint8_t** p,
while(**p != 0) {
/* compressed? */
if((**p & 0xc0) == 0xc0) {
- *p += 2;
- *remain -= 2;
+ llen = *remain < 2 ? (unsigned int)*remain : 2;
+ *p += llen;
+ *remain -= llen;
return;
}
llen = (unsigned int)**p;
@@ -1178,6 +1183,12 @@ static void lowercase_rdata(uint8_t** p,
uint8_t len;
if(rdataremain == 0) return;
len = **p;
+ if(rdataremain < ((size_t)len)+1) {
+ /* malformed LDNS_RDF_TYPE_STR, skip remainder */
+ *p += rdataremain;
+ *remain -= rdatalen;
+ return;
+ }
*p += len+1;
rdataremain -= len+1;
} else {
@@ -1206,6 +1217,12 @@ static void lowercase_rdata(uint8_t** p,
len = 16;
break;
default: error("bad rdf type in lowercase %d", (int)f);
+ }
+ if (rdataremain < (size_t)len) {
+ /* malformed RDF, skip remainder */
+ *p += rdataremain;
+ *remain -= rdatalen;
+ return;
}
*p += len;
rdataremain -= len;
Index: testcode/unitauth.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/testcode/unitauth.c,v
diff -u -p -r1.1.1.6 unitauth.c
--- testcode/unitauth.c 13 Apr 2024 12:23:45 -0000 1.1.1.6
+++ testcode/unitauth.c 22 Sep 2025 21:08:23 -0000
@@ -670,6 +670,7 @@ authtest_addzone(struct auth_zones* az,
auth_zone_set_zonefile(z, fname);
z->for_upstream = 1;
cfg = config_create();
+ config_auto_slab_values(cfg);
free(cfg->chrootdir);
cfg->chrootdir = NULL;
Index: testcode/unitdname.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/testcode/unitdname.c,v
diff -u -p -r1.1.1.3 unitdname.c
--- testcode/unitdname.c 31 Aug 2025 21:36:34 -0000 1.1.1.3
+++ testcode/unitdname.c 22 Sep 2025 21:08:23 -0000
@@ -45,6 +45,7 @@
#include "util/data/dname.h"
#include "sldns/sbuffer.h"
#include "sldns/str2wire.h"
+#include "sldns/wire2str.h"
/** put dname into buffer */
static sldns_buffer*
@@ -476,6 +477,23 @@ dname_test_removelabel(void)
unit_assert( l == 1 );
}
+/** test dname_remove_label_limit_len */
+static void
+dname_test_removelabellimitlen(void)
+{
+ uint8_t* orig = (uint8_t*)"\007example\003com\000";
+ uint8_t* n = orig;
+ size_t l = 13;
+ size_t lenlimit = 5; /* com.*/
+ unit_show_func("util/data/dname.c", "dname_remove_label_limit_len");
+ unit_assert(dname_remove_label_limit_len(&n, &l, lenlimit) == 1);
+ unit_assert( n == orig+8 );
+ unit_assert( l == 5 );
+ unit_assert(dname_remove_label_limit_len(&n, &l, lenlimit) == 0);
+ unit_assert( n == orig+8 );
+ unit_assert( l == 5 );
+}
+
/** test dname_signame_label_count */
static void
dname_test_sigcount(void)
@@ -859,6 +877,262 @@ dname_setup_bufs(sldns_buffer* loopbuf,
sldns_buffer_flip(boundbuf);
}
+/* Test strings for the test_long_names test. */
+/* Each label begins with the length of the label including the length octet. */
+
+char desc_1[] = "Domain is 1 octet too long.";
+
+uint8_t wire_dom_1[] = { /* Bad: Domain: (8x)0031abcdefghijklmnopqrstuvwxyz.0007ab. */
+ 0x1e, 0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b,
+ 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e,
+ 0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
+ 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30,
+ 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d,
+ 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30,
+ 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e,
+ 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33,
+ 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
+ 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31,
+ 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70,
+ 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31, 0x61,
+ 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71,
+ 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31, 0x61, 0x62,
+ 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72,
+ 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, /* Bad: */ 0x06, 0x30, 0x30, 0x30, 0x37, 0x61, 0x62, 0x00
+};
+
+char desc_2[] = "Domain has the maximum allowed length (255).";
+
+uint8_t wire_dom_2[] = { /* Good: Domain: (8x)0031abcdefghijklmnopqrstuvwxyz.00076a. */
+ 0x1e, 0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b,
+ 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e,
+ 0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
+ 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30,
+ 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d,
+ 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30,
+ 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e,
+ 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33,
+ 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
+ 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31,
+ 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70,
+ 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31, 0x61,
+ 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71,
+ 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31, 0x61, 0x62,
+ 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72,
+ 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, /* Good: */ 0x05, 0x30, 0x30, 0x30, 0x36, 0x61, 0x00
+};
+
+char desc_3[] = "Domain has a length one label in the 255th position for a total of 257.";
+
+uint8_t wire_dom_3[] = { /* Bad: Domain: (8x(0031abcdefghijklmnopqrstuvwxyz.0006ab.1. */
+ 0x1e, 0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b,
+ 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e,
+ 0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
+ 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30,
+ 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d,
+ 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30,
+ 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e,
+ 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33,
+ 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
+ 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31,
+ 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70,
+ 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31, 0x61,
+ 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71,
+ 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31, 0x61, 0x62,
+ 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72,
+ 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, /* Bad: */ 0x05, 0x30, 0x30, 0x30, 0x36, 0x61, 0x01, 0x32, 0x00
+};
+
+char desc_4[] = "Domain has the maximum allowed length (255).";
+
+uint8_t wire_dom_4[] = { /* Good: Domain: (8x)0031abcdefghijklmnopqrstuvwxyz.03.03. */
+ 0x1e, 0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b,
+ 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e,
+ 0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
+ 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30,
+ 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d,
+ 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30,
+ 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e,
+ 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33,
+ 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
+ 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31,
+ 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70,
+ 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31, 0x61,
+ 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71,
+ 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31, 0x61, 0x62,
+ 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72,
+ 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, /* Good: */ 0x02, 0x30, 0x33, 0x02, 0x30, 0x33, 0x00
+};
+
+char desc_5[] = "Domain has a maximum length label (63) in the 255th position.";
+
+uint8_t wire_dom_5[] = { /* Bad: Domain: (8x)0031abcdefghijklmnopqrstuvwxyz.03.03.65abc...zab...zab...ghi. */
+ 0x1e, 0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b,
+ 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e,
+ 0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
+ 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30,
+ 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d,
+ 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30,
+ 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e,
+ 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33,
+ 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
+ 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31,
+ 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70,
+ 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31, 0x61,
+ 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71,
+ 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31, 0x61, 0x62,
+ 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72,
+ 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, /* Bad: */ 0x02, 0x30, 0x33, 0x02, 0x30, 0x33, 0x3f, 0x36,
+ 0x33, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
+ 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x61, 0x62, 0x63, 0x64, 0x65,
+ 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75,
+ 0x76, 0x77, 0x78, 0x79, 0x7a, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x00
+};
+
+char desc_6[] = "Domain has a too long label (65) in the 255th position.";
+
+uint8_t wire_dom_6[] = { /* Bad: Domain: (8x)0031abcdefghijklmnopqrstuvwxyz.03.03.66abc...zab...zab...ijk. */
+ 0x1e, 0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b,
+ 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e,
+ 0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
+ 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30,
+ 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d,
+ 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30,
+ 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e,
+ 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33,
+ 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
+ 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31,
+ 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70,
+ 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31, 0x61,
+ 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71,
+ 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31, 0x61, 0x62,
+ 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72,
+ 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, /* Bad: */ 0x02, 0x30, 0x33, 0x02, 0x30, 0x33, 0x41, 0x36,
+ 0x36, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
+ 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x61, 0x62, 0x63, 0x64, 0x65,
+ 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75,
+ 0x76, 0x77, 0x78, 0x79, 0x7a, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b,
+ 0x00
+};
+
+char desc_7[] = "Domain has a too long label (65) in the 187th position.";
+
+uint8_t wire_dom_7[] = { /* Bad: Domain: (6x)0031abcdefghijklmnopqrstuvwxyz.65abc..zab...zab...ijk. */
+ 0x1e, 0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b,
+ 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e,
+ 0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
+ 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30,
+ 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d,
+ 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30,
+ 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e,
+ 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33,
+ 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
+ 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31,
+ 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70,
+ 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a,
+ /* Bad: */ 0x41, 0x36,
+ 0x36, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
+ 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x61, 0x62, 0x63, 0x64, 0x65,
+ 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75,
+ 0x76, 0x77, 0x78, 0x79, 0x7a, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b,
+ 0x00
+};
+
+char desc_8[] = "Domains has the maximum allowed length and ends with a maximum length label.";
+
+uint8_t wire_dom_8[] = { /* Good: Domain: (6x)0031abcdefghijklmnopqrstuvwxyz.0004.0064abc..zab...zabcdefg. */
+ 0x1e, 0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b,
+ 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e,
+ 0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
+ 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30,
+ 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d,
+ 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30,
+ 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e,
+ 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33,
+ 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
+ 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31,
+ 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70,
+ 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x03, 0x30, 0x30, 0x34 ,/* Good: */ 0x3f, 0x30,
+ 0x30, 0x36, 0x34, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d,
+ 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x61, 0x62, 0x63,
+ 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73,
+ 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x00
+};
+
+char desc_9[] = "Domains has 254 octets, one less than the maximum allowed length.";
+
+uint8_t wire_dom_9[] = { /* Good: Domain: (6x)0031abcdefghijklmnopqrstuvwxyz.0004.0064abc..zab...zabcdef. */
+ 0x1e, 0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b,
+ 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e,
+ 0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
+ 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30,
+ 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d,
+ 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30,
+ 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e,
+ 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33,
+ 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
+ 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31,
+ 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70,
+ 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x03, 0x30, 0x30, 0x34 ,/* Good: */ 0x3e, 0x30,
+ 0x30, 0x35, 0x34, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d,
+ 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x61, 0x62, 0x63,
+ 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73,
+ 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x00
+};
+
+ /** Test dname to string with long domain names. */
+static void
+test_long_names(void)
+{
+ /* Set to 1 for verbose output, 0 turns it off. */
+ int verbtest = 0;
+
+ uint8_t* wire_doms[] = {wire_dom_1, wire_dom_2, wire_dom_3,
+ wire_dom_4, wire_dom_5, wire_dom_6, wire_dom_7, wire_dom_8,
+ wire_dom_9, 0};
+ char* descs[] = {desc_1, desc_2, desc_3, desc_4, desc_5, desc_6,
+ desc_7, desc_8, desc_9, 0};
+
+ int n;
+ char string_domain[260];
+ uint8_t** wd = wire_doms;
+ int di = 0;
+ int skip = 5; /* 0..6 */
+
+ while (*wd) {
+
+ if(verbtest)
+ printf("Test: %s\n", descs[di++]);
+
+ memset(string_domain, 0xff, sizeof(string_domain));
+ dname_str(*wd, string_domain);
+ for (n = 0 ; n < (int)sizeof(string_domain); ++n) {
+ if ((uint8_t)string_domain[n] == 0xff)
+ break;
+ }
+ if(verbtest)
+ printf("dname_str: L=%d, S=Skipping %d labels...%s\n",
+ n, skip, string_domain + skip*31);
+ unit_assert(n <= 255);
+
+ memset(string_domain, 0xff, sizeof(string_domain));
+ sldns_wire2str_dname_buf(*wd,
+ strlen((char*)*wd)+1 /* strlen works with these test strings */,
+ string_domain,
+ 255 /* for comparable result to dname_str */ );
+ for (n = 0 ; n < (int)sizeof(string_domain); ++n) {
+ if ((uint8_t)string_domain[n] == 0xff)
+ break;
+ }
+ if(verbtest)
+ printf("sldns_wire2str_dname_buf: L=%d, S=Skipping %d labels...%s\n",
+ n, skip, string_domain + skip*31);
+ unit_assert(n <= 255);
+
+ ++wd;
+ }
+}
+
static void
dname_test_str(sldns_buffer* buff)
{
@@ -1002,6 +1276,8 @@ dname_test_str(sldns_buffer* buff)
unit_assert(0);
}
}
+
+ test_long_names();
}
void dname_test(void)
@@ -1024,6 +1300,7 @@ void dname_test(void)
dname_test_subdomain();
dname_test_isroot();
dname_test_removelabel();
+ dname_test_removelabellimitlen();
dname_test_sigcount();
dname_test_iswild();
dname_test_canoncmp();
Index: testcode/unitinfra.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/testcode/unitinfra.c,v
diff -u -p -r1.1.1.1 unitinfra.c
--- testcode/unitinfra.c 31 Aug 2025 21:36:34 -0000 1.1.1.1
+++ testcode/unitinfra.c 22 Sep 2025 21:08:23 -0000
@@ -131,6 +131,7 @@ void infra_test(void)
unit_show_feature("infra cache");
unit_assert(ipstrtoaddr("127.0.0.1", 53, &one, &onelen));
+ config_auto_slab_values(cfg);
slab = infra_create(cfg);
/* insert new record */
unit_assert( infra_host(slab, &one, onelen, zone, zonelen, now,
Index: testcode/unitmain.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/testcode/unitmain.c,v
diff -u -p -r1.1.1.12 unitmain.c
--- testcode/unitmain.c 31 Aug 2025 21:36:34 -0000 1.1.1.12
+++ testcode/unitmain.c 22 Sep 2025 21:08:23 -0000
@@ -205,6 +205,8 @@ net_test(void)
unit_assert(memcmp(&a6.sin6_addr, "\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\000", 16) == 0);
addr_mask((struct sockaddr_storage*)&a6, l6, 64);
unit_assert(memcmp(&a6.sin6_addr, "\377\377\377\377\377\377\377\377\000\000\000\000\000\000\000\000", 16) == 0);
+ /* Check that negative value in net is not problematic. */
+ addr_mask((struct sockaddr_storage*)&a6, l6, -100);
addr_mask((struct sockaddr_storage*)&a6, l6, 0);
unit_assert(memcmp(&a6.sin6_addr, "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 16) == 0);
}
@@ -265,6 +267,28 @@ net_test(void)
(struct sockaddr_storage*)&a6, i,
(struct sockaddr_storage*)&b6, i, l6) == i);
}
+ }
+ /* test netblockstrtoaddr */
+ unit_show_func("util/net_help.c", "netblockstrtoaddr");
+ if(1) {
+ struct sockaddr_storage a;
+ socklen_t alen = 0;
+ int net = 0, res;
+ char astr[128];
+ memset(&a, 0, sizeof(a));
+
+ res = netblockstrtoaddr("1.2.3.0/24", 53, &a, &alen, &net);
+ unit_assert(res!=0 && net == 24);
+ addr_to_str(&a, alen, astr, sizeof(astr));
+ unit_assert(strcmp(astr, "1.2.3.0") == 0);
+ unit_assert(ntohs(((struct sockaddr_in*)&a)->sin_port)==53);
+
+ res = netblockstrtoaddr("2001:DB8:33:44::/64", 53,
+ &a, &alen, &net);
+ unit_assert(res!=0 && net == 64);
+ addr_to_str(&a, alen, astr, sizeof(astr));
+ unit_assert(strcmp(astr, "2001:db8:33:44::") == 0);
+ unit_assert(ntohs(((struct sockaddr_in6*)&a)->sin6_port)==53);
}
/* test sockaddr_cmp_addr */
unit_show_func("util/net_help.c", "sockaddr_cmp_addr");
Index: testcode/unitverify.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/testcode/unitverify.c,v
diff -u -p -r1.4 unitverify.c
--- testcode/unitverify.c 31 Aug 2025 21:41:10 -0000 1.4
+++ testcode/unitverify.c 22 Sep 2025 21:08:23 -0000
@@ -61,6 +61,12 @@
#include "sldns/str2wire.h"
#include "sldns/wire2str.h"
+#ifdef HAVE_SSL
+#ifdef HAVE_OPENSSL_ERR_H
+#include <openssl/err.h>
+#endif
+#endif
+
/** verbose signature test */
static int vsig = 0;
@@ -509,10 +515,137 @@ nsec3_hash_test(const char* fname)
#define SRCDIRSTR xstr(SRCDIR)
+#if defined(HAVE_SSL) && defined(USE_SHA1)
+/* Detect if openssl is configured to disable RSASHA1 signatures,
+ * with the rh-allow-sha1-signatures disabled. */
+static int
+rh_allow_sha1_signatures_disabled(void)
+{
+ EVP_MD_CTX* ctx;
+ EVP_PKEY* evp_key;
+ /* This key is rdata from nlnetlabs.nl DNSKEY from 20250424005001,
+ * with id=50602 (ksk), size=2048b.
+ * A 2048 bit key is taken to avoid key too small errors. */
+ unsigned char key[] = {
+ 0x03, 0x01, 0x00, 0x01, 0xBC, 0x0B, 0xE8, 0xBB,
+ 0x97, 0x4C, 0xB5, 0xED, 0x6F, 0x6D, 0xC2, 0xB1,
+ 0x78, 0x69, 0x93, 0x1C, 0x72, 0x19, 0xB1, 0x05,
+ 0x51, 0x13, 0xA1, 0xFC, 0xBF, 0x01, 0x58, 0x0D,
+ 0x44, 0x10, 0x5F, 0x0B, 0x75, 0x0E, 0x11, 0x9A,
+ 0xC8, 0xF8, 0x0F, 0x90, 0xFC, 0xB8, 0x09, 0xD1,
+ 0x14, 0x39, 0x0D, 0x84, 0xCE, 0x97, 0x88, 0x82,
+ 0x3D, 0xC5, 0xCB, 0x1A, 0xBF, 0x00, 0x46, 0x37,
+ 0x01, 0xF1, 0xCD, 0x46, 0xA2, 0x8F, 0x83, 0x19,
+ 0x42, 0xED, 0x6F, 0xAF, 0x37, 0x1F, 0x18, 0x82,
+ 0x4B, 0x70, 0x2D, 0x50, 0xA5, 0xA6, 0x66, 0x48,
+ 0x7F, 0x56, 0xA8, 0x86, 0x05, 0x41, 0xC8, 0xBE,
+ 0x4F, 0x8B, 0x38, 0x51, 0xF0, 0xEB, 0xAD, 0x2F,
+ 0x7A, 0xC0, 0xEF, 0xC7, 0xD2, 0x72, 0x6F, 0x16,
+ 0x66, 0xAF, 0x59, 0x55, 0xFF, 0xEE, 0x9D, 0x50,
+ 0xE9, 0xDB, 0xF4, 0x02, 0xBC, 0x33, 0x5C, 0xC5,
+ 0xDA, 0x1C, 0x6A, 0xD1, 0x55, 0xD1, 0x20, 0x2B,
+ 0x63, 0x03, 0x4B, 0x77, 0x45, 0x46, 0x78, 0x31,
+ 0xE4, 0x90, 0xB9, 0x7F, 0x00, 0xFB, 0x62, 0x7C,
+ 0x07, 0xD3, 0xC1, 0x00, 0xA0, 0x54, 0x63, 0x74,
+ 0x0A, 0x17, 0x7B, 0xE7, 0xAD, 0x38, 0x07, 0x86,
+ 0x68, 0xE4, 0xFD, 0x20, 0x68, 0xD5, 0x33, 0x92,
+ 0xCA, 0x90, 0xDD, 0xA4, 0xE9, 0xF2, 0x11, 0xBD,
+ 0x9D, 0xA5, 0xF5, 0xEB, 0xB9, 0xFE, 0x8F, 0xA1,
+ 0xE4, 0xBF, 0xA4, 0xA4, 0x34, 0x5C, 0x6A, 0x95,
+ 0xB6, 0x42, 0x22, 0xF6, 0xD6, 0x10, 0x9C, 0x9B,
+ 0x0A, 0x56, 0xE7, 0x42, 0xE5, 0x7F, 0x1F, 0x4E,
+ 0xBE, 0x4F, 0x8C, 0xED, 0x30, 0x63, 0xA7, 0x88,
+ 0x93, 0xED, 0x37, 0x3C, 0x80, 0xBC, 0xD1, 0x66,
+ 0xBD, 0xB8, 0x2E, 0x65, 0xC4, 0xC8, 0x00, 0x5B,
+ 0xE7, 0x85, 0x96, 0xDD, 0xAA, 0x05, 0xE6, 0x4F,
+ 0x03, 0x64, 0xFA, 0x2D, 0xF6, 0x88, 0x14, 0x8F,
+ 0x15, 0x4D, 0xFD, 0xD3
+ };
+ size_t keylen = 260;
+
+#ifdef HAVE_EVP_MD_CTX_NEW
+ ctx = EVP_MD_CTX_new();
+#else
+ ctx = (EVP_MD_CTX*)malloc(sizeof(*ctx));
+ if(ctx) EVP_MD_CTX_init(ctx);
+#endif
+ if(!ctx) return 0;
+
+ evp_key = sldns_key_rsa2pkey_raw(key, keylen);
+ if(!evp_key) {
+#ifdef HAVE_EVP_MD_CTX_NEW
+ EVP_MD_CTX_destroy(ctx);
+#else
+ EVP_MD_CTX_cleanup(ctx);
+ free(ctx);
+#endif
+ return 0;
+ }
+
+#ifndef HAVE_EVP_DIGESTVERIFY
+ (void)evp_key; /* not used */
+ if(EVP_DigestInit(ctx, EVP_sha1()) == 0)
+#else
+ if(EVP_DigestVerifyInit(ctx, NULL, EVP_sha1(), NULL, evp_key) == 0)
+#endif
+ {
+ unsigned long e = ERR_get_error();
+#ifdef EVP_R_INVALID_DIGEST
+ if (ERR_GET_LIB(e) == ERR_LIB_EVP &&
+ ERR_GET_REASON(e) == EVP_R_INVALID_DIGEST) {
+ /* rh-allow-sha1-signatures makes use of sha1 invalid. */
+ if(vsig)
+ printf("Detected that rh-allow-sha1-signatures is off, and disables SHA1 signatures\n");
+#ifdef HAVE_EVP_MD_CTX_NEW
+ EVP_MD_CTX_destroy(ctx);
+#else
+ EVP_MD_CTX_cleanup(ctx);
+ free(ctx);
+#endif
+ EVP_PKEY_free(evp_key);
+ return 1;
+ }
+#endif /* EVP_R_INVALID_DIGEST */
+ /* The signature verify failed for another reason. */
+ log_crypto_err_code("EVP_DigestVerifyInit", e);
+#ifdef HAVE_EVP_MD_CTX_NEW
+ EVP_MD_CTX_destroy(ctx);
+#else
+ EVP_MD_CTX_cleanup(ctx);
+ free(ctx);
+#endif
+ EVP_PKEY_free(evp_key);
+ return 0;
+ }
+#ifdef HAVE_EVP_MD_CTX_NEW
+ EVP_MD_CTX_destroy(ctx);
+#else
+ EVP_MD_CTX_cleanup(ctx);
+ free(ctx);
+#endif
+ EVP_PKEY_free(evp_key);
+ return 0;
+}
+#endif /* HAVE_SSL && USE_SHA1 */
+
void
verify_test(void)
{
unit_show_feature("signature verify");
+
+#if defined(HAVE_SSL) && defined(USE_SHA1)
+ if(rh_allow_sha1_signatures_disabled()) {
+ /* Allow the use of SHA1 signatures for the test,
+ * in case that OpenSSL disallows use of RSASHA1
+ * with rh-allow-sha1-signatures disabled. */
+#ifndef UB_ON_WINDOWS
+ setenv("OPENSSL_ENABLE_SHA1_SIGNATURES", "1", 0);
+#else
+ _putenv("OPENSSL_ENABLE_SHA1_SIGNATURES=1");
+#endif
+ }
+#endif
+
#ifdef USE_SHA1
verifytest_file(SRCDIRSTR "/testdata/test_signatures.1", "20070818005004");
#endif
Index: testcode/unitzonemd.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/testcode/unitzonemd.c,v
diff -u -p -r1.1.1.5 unitzonemd.c
--- testcode/unitzonemd.c 31 Aug 2025 21:36:34 -0000 1.1.1.5
+++ testcode/unitzonemd.c 22 Sep 2025 21:08:23 -0000
@@ -267,6 +267,7 @@ static void zonemd_verify_test(char* zna
env.cfg = config_create();
if(!env.cfg)
fatal_exit("out of memory");
+ config_auto_slab_values(env.cfg);
env.now = &now;
env.cfg->val_date_override = cfg_convert_timeval(date_override);
if(!env.cfg->val_date_override)
Index: util/config_file.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/config_file.c,v
diff -u -p -r1.38 config_file.c
--- util/config_file.c 31 Aug 2025 21:41:10 -0000 1.38
+++ util/config_file.c 22 Sep 2025 21:08:23 -0000
@@ -155,7 +155,7 @@ config_create(void)
# else
/* libevent can use many sockets */
cfg->outgoing_num_ports = 4096;
- cfg->num_queries_per_thread = 1024;
+ cfg->num_queries_per_thread = 2048;
# endif
cfg->outgoing_num_tcp = 10;
cfg->incoming_num_tcp = 10;
@@ -169,10 +169,10 @@ config_create(void)
cfg->edns_buffer_size = 1232; /* from DNS flagday recommendation */
cfg->msg_buffer_size = 65552; /* 64 k + a small margin */
cfg->msg_cache_size = 4 * 1024 * 1024;
- cfg->msg_cache_slabs = 4;
+ cfg->msg_cache_slabs = 0;
cfg->jostle_time = 200;
cfg->rrset_cache_size = 4 * 1024 * 1024;
- cfg->rrset_cache_slabs = 4;
+ cfg->rrset_cache_slabs = 0;
cfg->host_ttl = 900;
cfg->bogus_ttl = 60;
cfg->min_ttl = 0;
@@ -182,7 +182,7 @@ config_create(void)
cfg->prefetch = 0;
cfg->prefetch_key = 0;
cfg->deny_any = 0;
- cfg->infra_cache_slabs = 4;
+ cfg->infra_cache_slabs = 0;
cfg->infra_cache_numhosts = 10000;
cfg->infra_cache_min_rtt = 50;
cfg->infra_cache_max_rtt = 120000;
@@ -210,7 +210,7 @@ config_create(void)
cfg->if_automatic = 0;
cfg->if_automatic_ports = NULL;
cfg->so_rcvbuf = 0;
- cfg->so_sndbuf = 0;
+ cfg->so_sndbuf = 4*1024*1024;
cfg->so_reuseport = REUSEPORT_DEFAULT;
cfg->ip_transparent = 0;
cfg->ip_freebind = 0;
@@ -291,7 +291,7 @@ config_create(void)
cfg->keep_missing = 366*24*3600; /* one year plus a little leeway */
cfg->permit_small_holddown = 0;
cfg->key_cache_size = 4 * 1024 * 1024;
- cfg->key_cache_slabs = 4;
+ cfg->key_cache_slabs = 0;
cfg->neg_cache_size = 1 * 1024 * 1024;
cfg->local_zones = NULL;
cfg->local_zones_nodefault = NULL;
@@ -341,8 +341,8 @@ config_create(void)
cfg->ip_ratelimit_cookie = 0;
cfg->ip_ratelimit = 0;
cfg->ratelimit = 0;
- cfg->ip_ratelimit_slabs = 4;
- cfg->ratelimit_slabs = 4;
+ cfg->ip_ratelimit_slabs = 0;
+ cfg->ratelimit_slabs = 0;
cfg->ip_ratelimit_size = 4*1024*1024;
cfg->ratelimit_size = 4*1024*1024;
cfg->ratelimit_for_domain = NULL;
@@ -367,9 +367,9 @@ config_create(void)
cfg->dnscrypt_provider_cert_rotated = NULL;
cfg->dnscrypt_secret_key = NULL;
cfg->dnscrypt_shared_secret_cache_size = 4*1024*1024;
- cfg->dnscrypt_shared_secret_cache_slabs = 4;
+ cfg->dnscrypt_shared_secret_cache_slabs = 0;
cfg->dnscrypt_nonce_cache_size = 4*1024*1024;
- cfg->dnscrypt_nonce_cache_slabs = 4;
+ cfg->dnscrypt_nonce_cache_slabs = 0;
cfg->pad_responses = 1;
cfg->pad_responses_block_size = 468; /* from RFC8467 */
cfg->pad_queries = 1;
@@ -454,6 +454,11 @@ struct config_file* config_create_forlib
cfg->val_log_squelch = 1;
cfg->minimal_responses = 0;
cfg->harden_short_bufsize = 1;
+ /* Need to explicitly define the slabs from their 0 default value */
+ cfg->ip_ratelimit_slabs = 1;
+ cfg->ratelimit_slabs = 1;
+ cfg->dnscrypt_shared_secret_cache_slabs = 1;
+ cfg->dnscrypt_nonce_cache_slabs = 1;
return cfg;
}
@@ -1448,6 +1453,41 @@ create_cfg_parser(struct config_file* cf
init_cfg_parse();
}
+void
+config_auto_slab_values(struct config_file* cfg)
+{
+#define SET_AUTO_SLAB(var, name, val) \
+do { \
+ if(cfg->var == 0) { \
+ cfg->var = val; \
+ verbose(VERB_QUERY, "setting "name": %lu", (unsigned long)val); \
+ } \
+} while(0);
+#ifdef THREADS_DISABLED
+ size_t pow_2_threads = 1;
+#else
+ size_t pow_2_threads = 4; /* pow2 start */
+ while (pow_2_threads < (size_t)(cfg->num_threads?cfg->num_threads:1) &&
+ /* 1/3 of the distance to the next pow2 value stays with the
+ * lower value */
+ (size_t)cfg->num_threads > pow_2_threads + (pow_2_threads - 1)/3) {
+ pow_2_threads <<= 1;
+ }
+ log_assert((pow_2_threads & (pow_2_threads - 1)) == 0); /* powerof2? */
+#endif /* THREADS_DISABLED */
+
+ SET_AUTO_SLAB(msg_cache_slabs, "msg-cache-slabs", pow_2_threads);
+ SET_AUTO_SLAB(rrset_cache_slabs, "rrset-cache-slabs", pow_2_threads);
+ SET_AUTO_SLAB(infra_cache_slabs, "infra-cache-slabs", pow_2_threads);
+ SET_AUTO_SLAB(key_cache_slabs, "key-cache-slabs", pow_2_threads);
+ SET_AUTO_SLAB(ip_ratelimit_slabs, "ip-ratelimit-slabs", pow_2_threads);
+ SET_AUTO_SLAB(ratelimit_slabs, "ratelimit-slabs", pow_2_threads);
+ SET_AUTO_SLAB(dnscrypt_shared_secret_cache_slabs,
+ "dnscrypt-shared-secret-cache-slabs", pow_2_threads);
+ SET_AUTO_SLAB(dnscrypt_nonce_cache_slabs,
+ "dnscrypt-nonce-cache-slabs", pow_2_threads);
+}
+
int
config_read(struct config_file* cfg, const char* filename, const char* chroot)
{
@@ -1512,6 +1552,7 @@ config_read(struct config_file* cfg, con
}
}
globfree(&g);
+ config_auto_slab_values(cfg);
return 1;
}
#endif /* HAVE_GLOB */
@@ -1535,6 +1576,7 @@ config_read(struct config_file* cfg, con
return 0;
}
+ config_auto_slab_values(cfg);
return 1;
}
Index: util/config_file.h
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/config_file.h,v
diff -u -p -r1.36 config_file.h
--- util/config_file.h 31 Aug 2025 21:41:10 -0000 1.36
+++ util/config_file.h 22 Sep 2025 21:08:23 -0000
@@ -967,6 +967,17 @@ struct config_file* config_create(void);
struct config_file* config_create_forlib(void);
/**
+ * If _slabs values are not explicitly configured, 0 value, put them in a
+ * pow2 value close to the number of threads used.
+ * Starts at the current default 4.
+ * If num_threads is in between two pow2 values, 1/3 of the way stays with
+ * the lower pow2 value.
+ * Exported for unit testing.
+ * @param config: where the _slabs values reside.
+ */
+void config_auto_slab_values(struct config_file* config);
+
+/**
* Read the config file from the specified filename.
* @param config: where options are stored into, must be freshly created.
* @param filename: name of configfile. If NULL nothing is done.
Index: util/configparser.y
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/configparser.y,v
diff -u -p -r1.34 configparser.y
--- util/configparser.y 31 Aug 2025 21:41:10 -0000 1.34
+++ util/configparser.y 22 Sep 2025 21:08:23 -0000
@@ -954,7 +954,7 @@ server_tcp_mss: VAR_TCP_MSS STRING_ARG
{
OUTYY(("P(server_tcp_mss:%s)\n", $2));
if(atoi($2) == 0 && strcmp($2, "0") != 0)
- yyerror("number expected");
+ yyerror("number expected");
else cfg_parser->cfg->tcp_mss = atoi($2);
free($2);
}
@@ -1168,11 +1168,13 @@ server_http_endpoint: VAR_HTTP_ENDPOINT
free(cfg_parser->cfg->http_endpoint);
if($2 && $2[0] != '/') {
cfg_parser->cfg->http_endpoint = malloc(strlen($2)+2);
- if(!cfg_parser->cfg->http_endpoint)
+ if(cfg_parser->cfg->http_endpoint) {
+ cfg_parser->cfg->http_endpoint[0] = '/';
+ memmove(cfg_parser->cfg->http_endpoint+1, $2,
+ strlen($2)+1);
+ } else {
yyerror("out of memory");
- cfg_parser->cfg->http_endpoint[0] = '/';
- memmove(cfg_parser->cfg->http_endpoint+1, $2,
- strlen($2)+1);
+ }
free($2);
} else {
cfg_parser->cfg->http_endpoint = $2;
Index: util/iana_ports.inc
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/iana_ports.inc,v
diff -u -p -r1.29 iana_ports.inc
--- util/iana_ports.inc 31 Aug 2025 21:41:10 -0000 1.29
+++ util/iana_ports.inc 22 Sep 2025 21:08:23 -0000
@@ -3873,6 +3873,7 @@
4486,
4488,
4500,
+4503,
4534,
4535,
4536,
@@ -3979,6 +3980,7 @@
4790,
4791,
4792,
+4793,
4800,
4801,
4802,
Index: util/mini_event.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/mini_event.c,v
diff -u -p -r1.6 mini_event.c
--- util/mini_event.c 23 Feb 2022 12:04:06 -0000 1.6
+++ util/mini_event.c 22 Sep 2025 21:08:23 -0000
@@ -297,10 +297,10 @@ int event_add(struct event* ev, struct t
return -1;
if( (ev->ev_events&(EV_READ|EV_WRITE)) && ev->ev_fd != -1) {
ev->ev_base->fds[ev->ev_fd] = ev;
- if(ev->ev_events&EV_READ) {
+ if((ev->ev_events&EV_READ)) {
FD_SET(FD_SET_T ev->ev_fd, &ev->ev_base->reads);
}
- if(ev->ev_events&EV_WRITE) {
+ if((ev->ev_events&EV_WRITE)) {
FD_SET(FD_SET_T ev->ev_fd, &ev->ev_base->writes);
}
FD_SET(FD_SET_T ev->ev_fd, &ev->ev_base->content);
Index: util/net_help.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/net_help.c,v
diff -u -p -r1.34 net_help.c
--- util/net_help.c 31 Aug 2025 21:41:10 -0000 1.34
+++ util/net_help.c 22 Sep 2025 21:08:23 -0000
@@ -317,6 +317,11 @@ int netblockstrtoaddr(const char* str, i
log_err("cannot parse netblock: '%s'", str);
return 0;
}
+ if(*net < 0) {
+ log_err("netblock value %d is negative in: '%s'",
+ *net, str);
+ return 0;
+ }
strlcpy(buf, str, sizeof(buf));
s = strchr(buf, '/');
if(s) *s = 0;
@@ -430,6 +435,8 @@ int netblockdnametoaddr(uint8_t* dname,
*net = atoi(buff);
if(*net == 0 && strcmp(buff, "0") != 0)
return 0;
+ if(*net < 0)
+ return 0;
dname += nlablen;
dname++;
if(!ipdnametoaddr(dname, dnamelen-1-nlablen, addr, addrlen, af))
@@ -797,7 +804,7 @@ addr_mask(struct sockaddr_storage* addr,
s = (uint8_t*)&((struct sockaddr_in*)addr)->sin_addr;
max = 32;
}
- if(net >= max)
+ if(net >= max || net < 0)
return;
for(i=net/8+1; i<max/8; i++) {
s[i] = 0;
@@ -1028,7 +1035,7 @@ void log_crypto_err_code(const char* str
}
#ifdef HAVE_SSL
-/** Print crypt erro with SSL_get_error want code and err_get_error code */
+/** Print crypt error with SSL_get_error want code and err_get_error code */
static void log_crypto_err_io_code_arg(const char* str, int r,
unsigned long err, int err_present)
{
@@ -1252,6 +1259,14 @@ listen_sslctx_setup(void* ctxt)
return 0;
}
#endif
+#if defined(SSL_OP_NO_TLSv1_2) && defined(SSL_OP_NO_TLSv1_3)
+ /* if we have tls 1.3 disable 1.2 */
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2) & SSL_OP_NO_TLSv1_2)
+ != SSL_OP_NO_TLSv1_2){
+ log_crypto_err("could not set SSL_OP_NO_TLSv1_2");
+ return 0;
+ }
+#endif
#if defined(SSL_OP_NO_RENEGOTIATION)
/* disable client renegotiation */
if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
@@ -1305,7 +1320,7 @@ listen_sslctx_setup_2(void* ctxt)
if(!SSL_CTX_set_ecdh_auto(ctx,1)) {
log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE");
}
-#elif defined(USE_ECDSA) && defined(HAVE_SSL_CTX_SET_TMP_ECDH)
+#elif defined(USE_ECDSA) && HAVE_DECL_SSL_CTX_SET_TMP_ECDH
if(1) {
EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
if (!ecdh) {
Index: util/netevent.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/netevent.c,v
diff -u -p -r1.41 netevent.c
--- util/netevent.c 31 Aug 2025 21:41:10 -0000 1.41
+++ util/netevent.c 22 Sep 2025 21:08:23 -0000
@@ -1083,6 +1083,11 @@ comm_point_udp_ancil_callback(int fd, sh
} else if( cmsg->cmsg_level == SOL_SOCKET &&
cmsg->cmsg_type == SO_TIMESTAMP) {
memmove(&rep.c->recv_tv, CMSG_DATA(cmsg), sizeof(struct timeval));
+#elif defined(SO_TIMESTAMP) && defined(SCM_TIMESTAMP)
+ } else if( cmsg->cmsg_level == SOL_SOCKET &&
+ cmsg->cmsg_type == SCM_TIMESTAMP) {
+ /* FreeBSD and also Linux. */
+ memmove(&rep.c->recv_tv, CMSG_DATA(cmsg), sizeof(struct timeval));
#endif /* HAVE_LINUX_NET_TSTAMP_H */
}
}
@@ -3213,6 +3218,9 @@ comm_point_tcp_accept_callback(int fd, s
}
/* accept incoming connection. */
c_hdl = c->tcp_free;
+ /* Should not happen: inconsistent tcp_free state in
+ * accept_callback. */
+ log_assert(c_hdl->is_in_tcp_free);
/* clear leftover flags from previous use, and then set the
* correct event base for the event structure for libevent */
ub_event_free(c_hdl->ev->ev);
@@ -3287,10 +3295,15 @@ comm_point_tcp_accept_callback(int fd, s
#endif
}
+ /* Paranoia: Check that the state has not changed from above: */
+ /* Should not happen: tcp_free state changed within accept_callback. */
+ log_assert(c_hdl == c->tcp_free);
+ log_assert(c_hdl->is_in_tcp_free);
/* grab the tcp handler buffers */
c->cur_tcp_count++;
c->tcp_free = c_hdl->tcp_free;
c_hdl->tcp_free = NULL;
+ c_hdl->is_in_tcp_free = 0;
if(!c->tcp_free) {
/* stop accepting incoming queries for now. */
comm_point_stop_listening(c);
@@ -3311,12 +3324,14 @@ reclaim_tcp_handler(struct comm_point* c
#endif
}
comm_point_close(c);
- if(c->tcp_parent) {
- if(c != c->tcp_parent->tcp_free) {
- c->tcp_parent->cur_tcp_count--;
- c->tcp_free = c->tcp_parent->tcp_free;
- c->tcp_parent->tcp_free = c;
- }
+ if(c->tcp_parent && !c->is_in_tcp_free) {
+ /* Should not happen: bad tcp_free state in reclaim_tcp. */
+ log_assert(c->tcp_free == NULL);
+ log_assert(c->tcp_parent->cur_tcp_count > 0);
+ c->tcp_parent->cur_tcp_count--;
+ c->tcp_free = c->tcp_parent->tcp_free;
+ c->tcp_parent->tcp_free = c;
+ c->is_in_tcp_free = 1;
if(!c->tcp_free) {
/* re-enable listening on accept socket */
comm_point_start_listening(c->tcp_parent, -1, -1);
@@ -4630,7 +4645,7 @@ comm_point_tcp_handle_callback(int fd, s
}
#endif
- if(event&UB_EV_TIMEOUT) {
+ if((event&UB_EV_TIMEOUT)) {
verbose(VERB_QUERY, "tcp took too long, dropped");
reclaim_tcp_handler(c);
if(!c->tcp_do_close) {
@@ -4640,7 +4655,7 @@ comm_point_tcp_handle_callback(int fd, s
}
return;
}
- if(event&UB_EV_READ
+ if((event&UB_EV_READ)
#ifdef USE_MSG_FASTOPEN
&& !(c->tcp_do_fastopen && (event&UB_EV_WRITE))
#endif
@@ -4665,7 +4680,7 @@ comm_point_tcp_handle_callback(int fd, s
tcp_more_read_again(fd, c);
return;
}
- if(event&UB_EV_WRITE) {
+ if((event&UB_EV_WRITE)) {
int has_tcpq = (c->tcp_req_info != NULL);
int* morewrite = c->tcp_more_write_again;
if(!comm_point_tcp_handle_write(fd, c)) {
@@ -4702,12 +4717,14 @@ reclaim_http_handler(struct comm_point*
#endif
}
comm_point_close(c);
- if(c->tcp_parent) {
- if(c != c->tcp_parent->tcp_free) {
- c->tcp_parent->cur_tcp_count--;
- c->tcp_free = c->tcp_parent->tcp_free;
- c->tcp_parent->tcp_free = c;
- }
+ if(c->tcp_parent && !c->is_in_tcp_free) {
+ /* Should not happen: bad tcp_free state in reclaim_http. */
+ log_assert(c->tcp_free == NULL);
+ log_assert(c->tcp_parent->cur_tcp_count > 0);
+ c->tcp_parent->cur_tcp_count--;
+ c->tcp_free = c->tcp_parent->tcp_free;
+ c->tcp_parent->tcp_free = c;
+ c->is_in_tcp_free = 1;
if(!c->tcp_free) {
/* re-enable listening on accept socket */
comm_point_start_listening(c->tcp_parent, -1, -1);
@@ -5144,6 +5161,15 @@ ssize_t http2_recv_cb(nghttp2_session* A
log_assert(h2_session->c->type == comm_http);
log_assert(h2_session->c->h2_session);
+ if(++h2_session->reads_count > h2_session->c->http2_max_streams) {
+ /* We are somewhat arbitrarily capping the amount of
+ * consecutive reads on the HTTP2 session to the number of max
+ * allowed streams.
+ * When we reach the cap, error out with NGHTTP2_ERR_WOULDBLOCK
+ * to signal nghttp2_session_recv() to stop reading for now. */
+ h2_session->reads_count = 0;
+ return NGHTTP2_ERR_WOULDBLOCK;
+ }
#ifdef HAVE_SSL
if(h2_session->c->ssl) {
@@ -5177,7 +5203,7 @@ ssize_t http2_recv_cb(nghttp2_session* A
}
#endif /* HAVE_SSL */
- ret = recv(h2_session->c->fd, buf, len, MSG_DONTWAIT);
+ ret = recv(h2_session->c->fd, (void*)buf, len, MSG_DONTWAIT);
if(ret == 0) {
return NGHTTP2_ERR_EOF;
} else if(ret < 0) {
@@ -5505,7 +5531,7 @@ ssize_t http2_send_cb(nghttp2_session* A
}
#endif /* HAVE_SSL */
- ret = send(h2_session->c->fd, buf, len, 0);
+ ret = send(h2_session->c->fd, (void*)buf, len, 0);
if(ret == 0) {
return NGHTTP2_ERR_CALLBACK_FAILURE;
} else if(ret < 0) {
@@ -5648,7 +5674,7 @@ comm_point_http_handle_callback(int fd,
log_assert(c->type == comm_http);
ub_comm_base_now(c->ev->base);
- if(event&UB_EV_TIMEOUT) {
+ if((event&UB_EV_TIMEOUT)) {
verbose(VERB_QUERY, "http took too long, dropped");
reclaim_http_handler(c);
if(!c->tcp_do_close) {
@@ -5658,7 +5684,7 @@ comm_point_http_handle_callback(int fd,
}
return;
}
- if(event&UB_EV_READ) {
+ if((event&UB_EV_READ)) {
if(!comm_point_http_handle_read(fd, c)) {
reclaim_http_handler(c);
if(!c->tcp_do_close) {
@@ -5670,7 +5696,7 @@ comm_point_http_handle_callback(int fd,
}
return;
}
- if(event&UB_EV_WRITE) {
+ if((event&UB_EV_WRITE)) {
if(!comm_point_http_handle_write(fd, c)) {
reclaim_http_handler(c);
if(!c->tcp_do_close) {
@@ -5691,7 +5717,7 @@ void comm_point_local_handle_callback(in
log_assert(c->type == comm_local);
ub_comm_base_now(c->ev->base);
- if(event&UB_EV_READ) {
+ if((event&UB_EV_READ)) {
if(!comm_point_tcp_handle_read(fd, c, 1)) {
fptr_ok(fptr_whitelist_comm_point(c->callback));
(void)(*c->callback)(c, c->cb_arg, NETEVENT_CLOSED,
@@ -5710,7 +5736,7 @@ void comm_point_raw_handle_callback(int
log_assert(c->type == comm_raw);
ub_comm_base_now(c->ev->base);
- if(event&UB_EV_TIMEOUT)
+ if((event&UB_EV_TIMEOUT))
err = NETEVENT_TIMEOUT;
fptr_ok(fptr_whitelist_comm_point_raw(c->callback));
(void)(*c->callback)(c, c->cb_arg, err, NULL);
@@ -5743,6 +5769,7 @@ comm_point_create_udp(struct comm_base *
c->cur_tcp_count = 0;
c->tcp_handlers = NULL;
c->tcp_free = NULL;
+ c->is_in_tcp_free = 0;
c->type = comm_udp;
c->tcp_do_close = 0;
c->do_not_close = 0;
@@ -5807,6 +5834,7 @@ comm_point_create_udp_ancil(struct comm_
c->cur_tcp_count = 0;
c->tcp_handlers = NULL;
c->tcp_free = NULL;
+ c->is_in_tcp_free = 0;
c->type = comm_udp;
c->tcp_do_close = 0;
c->do_not_close = 0;
@@ -5874,6 +5902,7 @@ comm_point_create_doq(struct comm_base *
c->cur_tcp_count = 0;
c->tcp_handlers = NULL;
c->tcp_free = NULL;
+ c->is_in_tcp_free = 0;
c->type = comm_doq;
c->tcp_do_close = 0;
c->do_not_close = 0;
@@ -5974,6 +6003,7 @@ comm_point_create_tcp_handler(struct com
c->cur_tcp_count = 0;
c->tcp_handlers = NULL;
c->tcp_free = NULL;
+ c->is_in_tcp_free = 0;
c->type = comm_tcp;
c->tcp_do_close = 0;
c->do_not_close = 0;
@@ -6011,6 +6041,7 @@ comm_point_create_tcp_handler(struct com
/* add to parent free list */
c->tcp_free = parent->tcp_free;
parent->tcp_free = c;
+ c->is_in_tcp_free = 1;
/* ub_event stuff */
evbits = UB_EV_PERSIST | UB_EV_READ | UB_EV_TIMEOUT;
c->ev->ev = ub_event_new(base->eb->base, c->fd, evbits,
@@ -6073,6 +6104,7 @@ comm_point_create_http_handler(struct co
c->cur_tcp_count = 0;
c->tcp_handlers = NULL;
c->tcp_free = NULL;
+ c->is_in_tcp_free = 0;
c->type = comm_http;
c->tcp_do_close = 1;
c->do_not_close = 0;
@@ -6131,6 +6163,7 @@ comm_point_create_http_handler(struct co
/* add to parent free list */
c->tcp_free = parent->tcp_free;
parent->tcp_free = c;
+ c->is_in_tcp_free = 1;
/* ub_event stuff */
evbits = UB_EV_PERSIST | UB_EV_READ | UB_EV_TIMEOUT;
c->ev->ev = ub_event_new(base->eb->base, c->fd, evbits,
@@ -6192,6 +6225,7 @@ comm_point_create_tcp(struct comm_base *
return NULL;
}
c->tcp_free = NULL;
+ c->is_in_tcp_free = 0;
c->type = comm_tcp_accept;
c->tcp_do_close = 0;
c->do_not_close = 0;
@@ -6286,6 +6320,7 @@ comm_point_create_tcp_out(struct comm_ba
c->cur_tcp_count = 0;
c->tcp_handlers = NULL;
c->tcp_free = NULL;
+ c->is_in_tcp_free = 0;
c->type = comm_tcp;
c->tcp_do_close = 0;
c->do_not_close = 0;
@@ -6350,6 +6385,7 @@ comm_point_create_http_out(struct comm_b
c->cur_tcp_count = 0;
c->tcp_handlers = NULL;
c->tcp_free = NULL;
+ c->is_in_tcp_free = 0;
c->type = comm_http;
c->tcp_do_close = 0;
c->do_not_close = 0;
@@ -6420,6 +6456,7 @@ comm_point_create_local(struct comm_base
c->cur_tcp_count = 0;
c->tcp_handlers = NULL;
c->tcp_free = NULL;
+ c->is_in_tcp_free = 0;
c->type = comm_local;
c->tcp_do_close = 0;
c->do_not_close = 1;
@@ -6483,6 +6520,7 @@ comm_point_create_raw(struct comm_base*
c->cur_tcp_count = 0;
c->tcp_handlers = NULL;
c->tcp_free = NULL;
+ c->is_in_tcp_free = 0;
c->type = comm_raw;
c->tcp_do_close = 0;
c->do_not_close = 1;
Index: util/netevent.h
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/netevent.h,v
diff -u -p -r1.25 netevent.h
--- util/netevent.h 31 Aug 2025 21:41:10 -0000 1.25
+++ util/netevent.h 22 Sep 2025 21:08:23 -0000
@@ -238,6 +238,8 @@ struct comm_point {
/** linked list of free tcp_handlers to use for new queries.
For tcp_accept the first entry, for tcp_handlers the next one. */
struct comm_point* tcp_free;
+ /** Whether this struct is in its parent's tcp_free list */
+ int is_in_tcp_free;
/* -------- SSL TCP DNS ------- */
/** the SSL object with rw bio (owned) or for commaccept ctx ref */
@@ -937,6 +939,8 @@ struct http2_session {
/** comm point containing buffer used to build answer in worker or
* module */
struct comm_point* c;
+ /** count the number of consecutive reads on the session */
+ uint32_t reads_count;
/** session is instructed to get dropped (comm port will be closed) */
int is_drop;
/** postpone dropping the session, can be used to prevent dropping
Index: util/random.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/random.c,v
diff -u -p -r1.7 random.c
--- util/random.c 19 Mar 2020 17:48:08 -0000 1.7
+++ util/random.c 22 Sep 2025 21:08:23 -0000
@@ -78,6 +78,37 @@
*/
#define MAX_VALUE 0x7fffffff
+/* If the build mode is for fuzzing this removes randomness from the output.
+ * This helps fuzz engines from having state increase due to the randomness. */
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+struct ub_randstate {
+ unsigned int dummy;
+};
+
+struct ub_randstate* ub_initstate(struct ub_randstate* ATTR_UNUSED(from))
+{
+ struct ub_randstate* s = (struct ub_randstate*)calloc(1, sizeof(*s));
+ if(!s) {
+ log_err("malloc failure in random init");
+ return NULL;
+ }
+ return s;
+}
+
+long int ub_random(struct ub_randstate* state)
+{
+ state->dummy++;
+ return (long int)(state->dummy & MAX_VALUE);
+}
+
+long int
+ub_random_max(struct ub_randstate* state, long int x)
+{
+ state->dummy++;
+ return ((long int)state->dummy % x);
+}
+#else /* !FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION */
+
#if defined(HAVE_SSL) || defined(HAVE_LIBBSD)
struct ub_randstate*
ub_initstate(struct ub_randstate* ATTR_UNUSED(from))
@@ -199,6 +230,8 @@ ub_random_max(struct ub_randstate* state
return (v % x);
}
#endif /* HAVE_NSS or HAVE_NETTLE and !HAVE_LIBBSD */
+
+#endif /* FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION */
void
ub_randfree(struct ub_randstate* s)
Index: util/data/dname.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/data/dname.c,v
diff -u -p -r1.8 dname.c
--- util/data/dname.c 31 Aug 2025 21:41:10 -0000 1.8
+++ util/data/dname.c 22 Sep 2025 21:08:23 -0000
@@ -57,7 +57,7 @@ query_dname_len(sldns_buffer* query)
if(sldns_buffer_remaining(query) < 1)
return 0; /* parse error, need label len */
labellen = sldns_buffer_read_u8(query);
- if(labellen&0xc0)
+ if((labellen&0xc0))
return 0; /* no compression allowed in queries */
len += labellen + 1;
if(len > LDNS_MAX_DOMAINLEN)
@@ -79,7 +79,7 @@ dname_valid(uint8_t* dname, size_t maxle
return 0; /* too short, shortest is '0' root label */
labellen = *dname++;
while(labellen) {
- if(labellen&0xc0)
+ if((labellen&0xc0))
return 0; /* no compression ptrs allowed */
len += labellen + 1;
if(len >= LDNS_MAX_DOMAINLEN)
@@ -644,20 +644,22 @@ void dname_str(uint8_t* dname, char* str
if(!dname || !*dname) {
*s++ = '.';
*s = 0;
- goto out;
+ return;
}
lablen = *dname++;
while(lablen) {
- if(lablen > LDNS_MAX_LABELLEN) {
- *s++ = '#';
- *s = 0;
- goto out;
- }
len += lablen+1;
if(len >= LDNS_MAX_DOMAINLEN) {
+ if ((s-str) >= (LDNS_MAX_DOMAINLEN-1))
+ s = str + LDNS_MAX_DOMAINLEN - 2;
*s++ = '&';
*s = 0;
- goto out;
+ return;
+ }
+ if(lablen > LDNS_MAX_LABELLEN) {
+ *s++ = '#';
+ *s = 0;
+ return;
}
while(lablen--) {
if(isalnum((unsigned char)*dname)
@@ -673,10 +675,6 @@ void dname_str(uint8_t* dname, char* str
lablen = *dname++;
}
*s = 0;
-
-out:
- log_assert(s - str < LDNS_MAX_DOMAINLEN);
- return;
}
int
@@ -728,7 +726,7 @@ dname_is_root(uint8_t* dname)
return (len == 0);
}
-void
+void
dname_remove_label(uint8_t** dname, size_t* len)
{
size_t lablen;
@@ -742,7 +740,23 @@ dname_remove_label(uint8_t** dname, size
*dname += lablen+1;
}
-void
+int
+dname_remove_label_limit_len(uint8_t** dname, size_t* len, size_t lenlimit)
+{
+ size_t lablen;
+ log_assert(dname && *dname && len);
+ lablen = (*dname)[0];
+ log_assert(!LABEL_IS_PTR(lablen));
+ log_assert(*len > lablen);
+ if(lablen == 0)
+ return 0; /* do not modify root label */
+ if(*len - (lablen + 1) < lenlimit) return 0;
+ *len -= lablen+1;
+ *dname += lablen+1;
+ return 1;
+}
+
+void
dname_remove_labels(uint8_t** dname, size_t* len, int n)
{
int i;
Index: util/data/dname.h
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/data/dname.h,v
diff -u -p -r1.7 dname.h
--- util/data/dname.h 31 Aug 2025 21:41:10 -0000 1.7
+++ util/data/dname.h 22 Sep 2025 21:08:23 -0000
@@ -262,9 +262,22 @@ int dname_is_root(uint8_t* dname);
* Snip off first label from a dname, returning the parent zone.
* @param dname: from what to strip off. uncompressed wireformat.
* @param len: length, adjusted to become less.
- * return stripped off, or "." if input was ".".
+ * return dname stripped off, or "." if input was ".".
*/
void dname_remove_label(uint8_t** dname, size_t* len);
+
+/**
+ * Same as dname_remove_label but fails if removal would surpass lenlimit.
+ * If no failure,
+ * snip off first label from a dname, returning the parent zone.
+ * @param dname: from what to strip off. uncompressed wireformat.
+ * @param len: length, adjusted to become less.
+ * @param lenlimit: length limit that we can't surpass (usually the zone apex).
+ * @return
+ * o 1, and dname stripped off, or "." if input was ".", else
+ * o 0, if going up would surpass lenlimit.
+ */
+int dname_remove_label_limit_len(uint8_t** dname, size_t* len, size_t lenlimit);
/**
* Snip off first N labels from a dname, returning the parent zone.
Index: util/data/msgencode.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/data/msgencode.c,v
diff -u -p -r1.16 msgencode.c
--- util/data/msgencode.c 7 Oct 2024 15:35:11 -0000 1.16
+++ util/data/msgencode.c 22 Sep 2025 21:08:23 -0000
@@ -365,7 +365,7 @@ compress_any_dname(uint8_t* dname, sldns
/** return true if type needs domain name compression in rdata */
static const sldns_rr_descriptor*
-type_rdata_compressable(struct ub_packed_rrset_key* key)
+type_rdata_compressible(struct ub_packed_rrset_key* key)
{
uint16_t t = ntohs(key->rk.type);
if(sldns_rr_descript(t) &&
@@ -486,7 +486,7 @@ packed_rrset_encode(struct ub_packed_rrs
adjust = SERVE_ORIGINAL_TTL ? data->ttl_add : timenow;
if(do_data) {
- const sldns_rr_descriptor* c = type_rdata_compressable(key);
+ const sldns_rr_descriptor* c = type_rdata_compressible(key);
for(i=0; i<data->count; i++) {
/* rrset roundrobin */
j = (i + rr_offset) % data->count;
@@ -1021,7 +1021,7 @@ reply_info_answer_encode(struct query_in
flags |= BIT_AA;
flags &= ~BIT_AD;
}
- log_assert(flags & BIT_QR); /* QR bit must be on in our replies */
+ log_assert((flags & BIT_QR)); /* QR bit must be on in our replies */
if(udpsize < LDNS_HEADER_SIZE)
return 0;
/* currently edns does not change during calculations;
Index: util/data/msgencode.h
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/data/msgencode.h,v
diff -u -p -r1.1.1.5 msgencode.h
--- util/data/msgencode.h 5 Sep 2023 11:07:49 -0000 1.1.1.5
+++ util/data/msgencode.h 22 Sep 2025 21:08:23 -0000
@@ -117,7 +117,7 @@ uint16_t calc_edns_field_size(struct edn
uint16_t calc_edns_option_size(struct edns_data* edns, uint16_t code);
/**
- * Calculate the size of the EDE option(s) in packet. Also calculate seperately
+ * Calculate the size of the EDE option(s) in packet. Also calculate separately
* the size of the EXTRA-TEXT field(s) in case we can trim them to fit.
* In this case include any LDNS_EDE_OTHER options in their entirety since they
* are useless without extra text.
Index: util/data/msgparse.h
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/data/msgparse.h,v
diff -u -p -r1.13 msgparse.h
--- util/data/msgparse.h 21 Feb 2025 13:20:40 -0000 1.13
+++ util/data/msgparse.h 22 Sep 2025 21:08:23 -0000
@@ -308,16 +308,16 @@ int parse_extract_edns_from_response_msg
/**
* Skip RRs from packet
* @param pkt: the packet. position at start must be right after the query
- * section. At end, right after EDNS data or no movement if failed.
+ * section. At end, right after EDNS data or partial movement if failed.
* @param num: Limit of the number of records we want to parse.
- * @return: 0 on success, 1 on failure.
+ * @return: 1 on success, 0 on failure.
*/
int skip_pkt_rrs(struct sldns_buffer* pkt, int num);
/**
* If EDNS data follows a query section, extract it and initialize edns struct.
* @param pkt: the packet. position at start must be right after the query
- * section. At end, right after EDNS data or no movement if failed.
+ * section. At end, right after EDNS data or partial movement if failed.
* @param edns: the edns data allocated by the caller. Does not have to be
* initialised.
* @param cfg: the configuration (with nsid value etc.)
Index: util/data/msgreply.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/data/msgreply.c,v
diff -u -p -r1.27 msgreply.c
--- util/data/msgreply.c 31 Aug 2025 21:41:10 -0000 1.27
+++ util/data/msgreply.c 22 Sep 2025 21:08:23 -0000
@@ -251,7 +251,7 @@ rdata_copy(sldns_buffer* pkt, struct pac
*rr_ttl = sldns_read_uint32(rr->ttl_data);
/* RFC 2181 Section 8. if msb of ttl is set treat as if zero. */
- if(*rr_ttl & 0x80000000U)
+ if((*rr_ttl & 0x80000000U))
*rr_ttl = 0;
if(type == LDNS_RR_TYPE_SOA && section == LDNS_SECTION_AUTHORITY) {
/* negative response. see if TTL of SOA record larger than the
@@ -984,14 +984,14 @@ log_reply_info(enum verbosity_value v, s
if(daddr->ss_family == AF_INET6) {
struct sockaddr_in6 *d = (struct sockaddr_in6 *)daddr;
if(inet_ntop(d->sin6_family, &d->sin6_addr, da,
- sizeof(*d)) == 0)
+ sizeof(da)) == 0)
snprintf(dest_buf, sizeof(dest_buf),
"(inet_ntop_error)");
port = ntohs(d->sin6_port);
} else if(daddr->ss_family == AF_INET) {
struct sockaddr_in *d = (struct sockaddr_in *)daddr;
if(inet_ntop(d->sin_family, &d->sin_addr, da,
- sizeof(*d)) == 0)
+ sizeof(da)) == 0)
snprintf(dest_buf, sizeof(dest_buf),
"(inet_ntop_error)");
port = ntohs(d->sin_port);
@@ -1129,7 +1129,7 @@ int edns_opt_list_append_ede(struct edns
prevp = list;
while(*prevp != NULL)
prevp = &((*prevp)->next);
- verbose(VERB_ALGO, "attached EDE code: %d with message: %s", code, (txt?txt:"\"\""));
+ verbose(VERB_ALGO, "attached EDE code: %d with message: '%s'", code, (txt?txt:""));
*prevp = opt;
return 1;
}
@@ -1470,4 +1470,23 @@ struct edns_option* edns_opt_list_find(s
return p;
}
return NULL;
+}
+
+int local_alias_shallow_copy_qname(struct local_rrset* local_alias, uint8_t** qname,
+ size_t* qname_len)
+{
+ struct ub_packed_rrset_key* rrset = local_alias->rrset;
+ struct packed_rrset_data* d = rrset->entry.data;
+
+ /* Sanity check: our current implementation only supports
+ * a single CNAME RRset as a local alias. */
+ if(local_alias->next ||
+ rrset->rk.type != htons(LDNS_RR_TYPE_CNAME) ||
+ d->count != 1) {
+ log_err("assumption failure: unexpected local alias");
+ return 0;
+ }
+ *qname = d->rr_data[0] + 2;
+ *qname_len = d->rr_len[0] - 2;
+ return 1;
}
Index: util/data/msgreply.h
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/data/msgreply.h,v
diff -u -p -r1.17 msgreply.h
--- util/data/msgreply.h 31 Aug 2025 21:41:10 -0000 1.17
+++ util/data/msgreply.h 22 Sep 2025 21:08:23 -0000
@@ -597,7 +597,7 @@ int edns_opt_list_append(struct edns_opt
char text[sizeof(TXT) - 1]; \
} ede = { htons(CODE), TXT }; \
verbose(VERB_ALGO, "attached EDE code: %d with" \
- " message: %s", CODE, TXT); \
+ " message: '%s'", CODE, TXT); \
edns_opt_list_append((LIST), LDNS_EDNS_EDE, \
sizeof(uint16_t) + sizeof(TXT) - 1, \
(void *)&ede, (REGION)); \
@@ -800,5 +800,15 @@ int edns_opt_compare(struct edns_option*
* Compare edns option lists, also the order and contents of edns-options.
*/
int edns_opt_list_compare(struct edns_option* p, struct edns_option* q);
+
+/**
+ * Swallow copy the local_alias into the given qname and qname_len.
+ * @param local_alias: the local_alias.
+ * @param qname: the qname to copy to.
+ * @param qname_len: the qname_len to copy to.
+ * @return false on current local_alias assumptions, true otherwise.
+ */
+int local_alias_shallow_copy_qname(struct local_rrset* local_alias, uint8_t** qname,
+ size_t* qname_len);
#endif /* UTIL_DATA_MSGREPLY_H */
Index: validator/val_sigcrypt.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/validator/val_sigcrypt.c,v
diff -u -p -r1.15 val_sigcrypt.c
--- validator/val_sigcrypt.c 4 Sep 2024 09:36:41 -0000 1.15
+++ validator/val_sigcrypt.c 22 Sep 2025 21:08:23 -0000
@@ -57,6 +57,7 @@
#include "sldns/sbuffer.h"
#include "sldns/parseutil.h"
#include "sldns/wire2str.h"
+#include "services/mesh.h"
#include <ctype.h>
#if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE)
@@ -1677,6 +1678,10 @@ dnskey_verify_rrset_sig(struct regional*
/* verify */
sec = verify_canonrrset(buf, (int)sig[2+2],
sigblock, sigblock_len, key, keylen, reason);
+
+ /* count validation operation */
+ if(qstate && qstate->env && qstate->env->mesh)
+ qstate->env->mesh->val_ops++;
if(sec == sec_status_secure) {
/* check if TTL is too high - reduce if so */
Index: validator/validator.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/validator/validator.c,v
diff -u -p -r1.27 validator.c
--- validator/validator.c 31 Aug 2025 21:41:10 -0000 1.27
+++ validator/validator.c 22 Sep 2025 21:08:23 -0000
@@ -76,7 +76,7 @@ static void process_ds_response(struct m
struct module_qstate* sub_qstate);
-/* Updates the suplied EDE (RFC8914) code selectively so we don't lose
+/* Updates the supplied EDE (RFC8914) code selectively so we don't lose
* a more specific code */
static void
update_reason_bogus(struct reply_info* rep, sldns_ede_code reason_bogus)
@@ -399,7 +399,7 @@ needs_validation(struct module_qstate* q
* For DNS64 bit_cd signals no dns64 processing, but we want to
* provide validation there too */
/*
- if(qstate->query_flags & BIT_CD) {
+ if((qstate->query_flags & BIT_CD)) {
verbose(VERB_ALGO, "not validating response due to CD bit");
return 0;
}
@@ -2593,8 +2593,17 @@ processFinished(struct module_qstate* qs
/* Update rep->reason_bogus as it is the one being cached */
update_reason_bogus(vq->orig_msg->rep, errinf_to_reason_bogus(qstate));
+ if(vq->orig_msg->rep->security != sec_status_bogus &&
+ vq->orig_msg->rep->security != sec_status_secure_sentinel_fail
+ && vq->orig_msg->rep->reason_bogus == LDNS_EDE_DNSSEC_BOGUS) {
+ /* Not interested in any DNSSEC EDE here, validator by default
+ * uses LDNS_EDE_DNSSEC_BOGUS;
+ * TODO revisit default value for the module */
+ vq->orig_msg->rep->reason_bogus = LDNS_EDE_NONE;
+ }
+
/* store results in cache */
- if(qstate->query_flags&BIT_RD) {
+ if((qstate->query_flags&BIT_RD)) {
/* if secure, this will override cache anyway, no need
* to check if from parentNS */
if(!qstate->no_cache_store) {
@@ -2908,7 +2917,7 @@ ds_response_to_ke(struct module_qstate*
struct ub_packed_rrset_key* ds;
enum sec_status sec;
ds = reply_find_answer_rrset(qinfo, msg->rep);
- /* If there was no DS rrset, then we have mis-classified
+ /* If there was no DS rrset, then we have misclassified
* this message. */
if(!ds) {
log_warn("internal error: POSITIVE DS response was "
@@ -3460,7 +3469,7 @@ val_inform_super(struct module_qstate* q
if(suspend) {
/* deep copy the return_msg to vq->sub_ds_msg; it will
* be resumed later in the super state with the caveat
- * that the initial calculations will be re-caclulated
+ * that the initial calculations will be re-calculated
* and re-suspended there before continuing. */
vq->sub_ds_msg = dns_msg_deepcopy_region(
qstate->return_msg, super->region);
unbound 1.24.0