diff --git a/doc/Changelog b/doc/Changelog index b90fb75e9..e11546947 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -2,6 +2,7 @@ - iana port update. - TODO update. - fix bug 201: null ptr deref on cleanup while udp pkts wait for port. + - added explanatory text for outgoing-port-permit in manpage. 30 July 2008: Wouter - fixup bug qtype DS for unsigned zone and signed parent validation. diff --git a/doc/TODO b/doc/TODO index db4d23bce..b2ceecbd1 100644 --- a/doc/TODO +++ b/doc/TODO 
@@ -30,35 +30,29 @@ o On Windows use CryptGenRandom() to get random seed for arc4random. o library add convenience functions for A, AAAA, PTR, getaddrinfo, libresolve. o library add function to validate input from app that is signed. o add dynamic-update requests (making a dynupd request) to libunbound api. -o in an ipv6 connected only environment unbound cannot use outgoing IP6 - to send to ip4to6 mapped hosts, need ip4to6map of NS and disable - V6ONLY socket option. o SIG(0) and TSIG. o support OPT record placement on recv anywhere in the additional section. o add local-file: config with authority features. o (option) to make local-data answers be secure for libunbound (default=no) o (option) to make chroot: copy all needed files into jail (or make jail) perhaps also print reminder to link /dev/random and sysloghack. +o overhaul outside-network servicedquery to merge with udpwait and tcpwait, + to make timers in servicedquery independent of udpwait queues. +o 0x20 fallback so it can be enabled without trouble. +o check into rebinding ports for efficiency, configure time test. +o EVP hardware crypto support. + +Features soon after 1.0. +o zone name appending for local-data. Perhaps read zonefiles. Perhaps it is + too much authority feature creep. +o on windows version, implement that OS ancillary data capabilities for + interface-automatic. IPPKTINFO, IP6PKTINFO for WSARecvMsg, WSASendMsg. o (option) for extended statistics. If enabled (not by default) collect print rcode, uptime, spoofnearmisses, cache size, qtype, bits(RD, CD, DO, EDNS-present, AD)query, (Secure, Bogus)reply. perhaps also see which slow auth servers cause >1sec values. stats-file possible with key: value or key=value lines in it. stats on SIGUSR1. addup stats over threads. -o overhaul outside-network servicedquery to merge with udpwait and tcpwait, - to make timers in servicedquery independent of udpwait queues. -o 0x20 fallback so it can be enabled without trouble. 
-o check into rebinding ports for efficiency, configure time test. -o DLV is considered. -o EVP hardware crypto support. - -Features soon after 1.0. -o zone name appending for local-data. Perhaps read zonefiles. Perhaps it is - too much authority feature creep. -o on windows version, libunbound uses a NamedPipe, examine security status - make sure the OS makes it safe like on unix. -o on windows version, implement that OS ancillary data capabilities for - interface-automatic. IPPKTINFO, IP6PKTINFO for WSARecvMsg, WSASendMsg. For 1.x; features that have been requested during the beta test. o command channel for couple of tasks. Like rndc. unbound-control diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index 7ea02df63..0fed04ff8 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -137,6 +137,12 @@ A larger number of permitted outgoing ports increases resilience against spoofing attempts. Make sure these ports are not needed by other daemons. By default only ports above 1024 that have not been assigned by IANA are used. Give a port number or a range of the form "low-high", without spaces. +.IP +The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements +are processed in the line order of the config file, adding the permitted ports +and subtracting the avoided ports from the set of allowed ports. The +processing starts with the non IANA allocated ports above 1024 in the set +of allowed ports. .TP .B outgoing\-port\-avoid: \fI Do not permit unbound to open this port or range of ports for use to send
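Review bot: in the doc/Changelog hunk, the new entry "- added explanatory text for outgoing-port-permit in manpage." understates the change: the manpage text added in the same patch describes how both \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR are processed in line order, and the same patch also reworks doc/TODO. Suggest widening the entry to something like "- documented line-order processing of outgoing-port-permit and outgoing-port-avoid in manpage; TODO update." so the log points readers at the semantics that actually changed in the docs.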
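Review bot: the doc/TODO hunk silently drops three items without a replacement or a Changelog line saying why: "-o DLV is considered.", the ipv6-only environment item ("unbound cannot use outgoing IP6 to send to ip4to6 mapped hosts"), and in particular "-o on windows version, libunbound uses a NamedPipe, examine security status / make sure the OS makes it safe like on unix." That last one is a security review task, so removing it reads as either "done" or "decided not to do", and neither is visible here. Suggest either keeping those items (the hunk already moves the other pre-1.0 items under "Features soon after 1.0." without losing them) or adding a one-line note in the Changelog stating that the NamedPipe security check was completed or deliberately dropped.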
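Review bot: the doc/unbound.conf.5.in hunk adds the line-order explanation only under \fBoutgoing\-port\-permit\fR, while the text it documents concerns both statements; a reader who lands on the \fBoutgoing\-port\-avoid\fR entry (which begins right after the hunk, "Do not permit unbound to open this port or range of ports") gets no hint that a later permit line re-adds a port an earlier avoid line removed, which is the order-dependent case that matters when an administrator is trying to keep a port closed. Suggest a short cross-reference sentence under \fBoutgoing\-port\-avoid\fR ("See \fBoutgoing\-port\-permit\fR for how the two statements combine in line order.") and, in the added paragraph, stating the consequence explicitly, e.g. "A port removed by an earlier \fBoutgoing\-port\-avoid\fR can be re-added by a later \fBoutgoing\-port\-permit\fR." Minor: "non IANA allocated ports" should be hyphenated ("non-IANA-allocated ports") to match "above 1024 that have not been assigned by IANA" a few lines up.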