- Make the default value of module-config "validator iterator"

regardless of compilation options. --enable-subnet would implicitly
change the value to enable the subnetcache module by default in the
past.
Yorgos Thessalonikefs 2025-01-29 12:08:28 +01:00
parent 911509fd59
commit 35dbbcb2f5
3 changed files with 23 additions and 15 deletions

View file

@ -1,3 +1,9 @@
29 January 2025: Yorgos
- Make the default value of module-config "validator iterator"
regardless of compilation options. --enable-subnet would implicitly
change the value to enable the subnetcache module by default in the
past.
24 January 2025: Yorgos
- Merge #1220 from Petr Menšík, Add unbound members group access to
control key.
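Review bot: the new entry records the old implicit behaviour but not the operator-facing consequence of this change. Suggest a closing sentence such as: "Builds configured with --enable-subnet that relied on the implicit default must now list subnetcache explicitly in module-config."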

View file

@ -1260,9 +1260,6 @@ Adding \fIrespip\fR to the front will cause RPZ processing to be done on
all queries.
The default is "\fIvalidator iterator\fR".
.IP
When the server is built with
EDNS client subnet support the default is "\fIsubnetcache validator
iterator\fR".
Most modules that need to be listed here have to be listed at the beginning
of the line. The subnetcachedb module has to be listed just before
the iterator.
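Review bot: while this paragraph is being edited, the unchanged context line "The subnetcachedb module has to be listed just before the iterator." still names a module that does not match either of the module names used elsewhere in this page ("subnetcache" in the ECS section, "cachedb" in the Cache DB section); the intended one should be spelled out so readers are not left guessing which module must precede the iterator.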
@ -2511,8 +2508,8 @@ The dynamic library file to load. Repeat this option for every dynlib module
instance added to the \fBmodule\-config:\fR option.
.SS "DNS64 Module Options"
.LP
The dns64 module must be configured in the \fBmodule\-config:\fR "dns64
validator iterator" directive and be compiled into the daemon to be
The dns64 module must be configured in the \fBmodule\-config:\fR directive
e.g., "dns64 validator iterator" and be compiled into the daemon to be
enabled. These settings go in the \fBserver:\fR section.
.TP
.B dns64\-prefix: \fI<IPv6 prefix>\fR
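Review bot: the reworded sentence reads awkwardly because "e.g." is spliced into the middle of the clause ("directive e.g., \"dns64 validator iterator\" and be compiled"). Suggest "must be configured in the \fBmodule\-config:\fR directive (e.g., \"dns64 validator iterator\") and be compiled into the daemon to be enabled." The same pattern recurs in the ECS, IPsec and Cache DB hunks below.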
@ -2612,8 +2609,8 @@ in the dnscrypt nonce cache. Close to the number of cpus is
a fairly good setting.
.SS "EDNS Client Subnet Module Options"
.LP
The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache
validator iterator" directive and be compiled into the daemon to be
The ECS module must be configured in the \fBmodule\-config:\fR directive e.g.,
"subnetcache validator iterator" and be compiled into the daemon to be
enabled. These settings go in the \fBserver:\fR section.
.LP
If the destination address is allowed in the configuration Unbound will add the
@ -2634,6 +2631,15 @@ configuration file. On top of that, for each query only 100 different subnets
are allowed to be stored for each address family. Exceeding that number, older
entries will be purged from cache.
.LP
Note that due to the nature of how EDNS Client Subnet works, by segregating the
client IP space in order to try and have tailored responses for prefixes of
unknown sizes, resolution and cache response performance are impacted as a
result.
Usage of the subnetcache module should only be enabled in installations that
require such functionality where the resolver and the clients belong to
different networks.
An example of that is an open resolver installation.
.LP
This module does not interact with the \fBserve\-expired*\fR and
\fBprefetch:\fR options.
.TP
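Review bot: the added paragraph is the right place to tell operators that subnetcache is now opt-in, but it does not say so; the second sentence is also awkward ("Usage of the subnetcache module should only be enabled"). Suggest: "The subnetcache module is not enabled by default and should only be added to \fBmodule\-config:\fR in installations that require it, i.e. where the resolver and its clients are on different networks (an open resolver, for example)."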
@ -2684,8 +2690,8 @@ Specifies the maximum number of subnets ECS answers kept in the ECS radix tree.
This number applies for each qname/qclass/qtype tuple. Defaults to 100.
.SS "Opportunistic IPsec Support Module Options"
.LP
The IPsec module must be configured in the \fBmodule\-config:\fR "ipsecmod
validator iterator" directive and be compiled into Unbound by using
The IPsec module must be configured in the \fBmodule\-config:\fR directive
e.g., "ipsecmod validator iterator" and be compiled into Unbound by using
\fB\-\-enable\-ipsecmod\fR to be enabled.
These settings go in the \fBserver:\fR section.
.LP
@ -2754,8 +2760,8 @@ not specified, all domains are treated as being allowed (default).
Alternate syntax for \fBipsecmod\-allow\fR.
.SS "Cache DB Module Options"
.LP
The Cache DB module must be configured in the \fBmodule\-config:\fR
"validator cachedb iterator" directive and be compiled into the daemon
The Cache DB module must be configured in the \fBmodule\-config:\fR directive
e.g., "validator cachedb iterator" and be compiled into the daemon
with \fB\-\-enable\-cachedb\fR.
If this module is enabled and configured, the specified backend database
works as a second level cache:

View file

@ -329,11 +329,7 @@ config_create(void)
if(!(cfg->control_cert_file = strdup(RUN_DIR"/unbound_control.pem")))
goto error_exit;
#ifdef CLIENT_SUBNET
if(!(cfg->module_conf = strdup("subnetcache validator iterator"))) goto error_exit;
#else
if(!(cfg->module_conf = strdup("validator iterator"))) goto error_exit;
#endif
if(!(cfg->val_nsec3_key_iterations =
strdup("1024 150 2048 150 4096 150"))) goto error_exit;
#if defined(DNSTAP_SOCKET_PATH)
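Review bot: dropping the CLIENT_SUBNET branch is a runtime behaviour change for existing --enable-subnet deployments that never set module-config explicitly: after upgrading they keep resolving, but without subnetcache, and nothing in this hunk makes that visible. Consider emitting a startup log line when CLIENT_SUBNET is compiled in but the configured module list does not contain subnetcache, so the loss of ECS handling shows up in logs rather than silently.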