mirror of
https://github.com/NLnetLabs/unbound.git
synced 2025-12-20 23:00:56 -05:00
- Make the default value of module-config "validator iterator"
regardless of compilation options. --enable-subnet would implicitly change the value to enable the subnetcache module by default in the past.
parent
911509fd59
commit
35dbbcb2f5
3 changed files with 23 additions and 15 deletions
|
|
@ -1,3 +1,9 @@
|
||||||
|
29 January 2025: Yorgos
|
||||||
|
- Make the default value of module-config "validator iterator"
|
||||||
|
regardless of compilation options. --enable-subnet would implicitly
|
||||||
|
change the value to enable the subnetcache module by default in the
|
||||||
|
past.
|
||||||
|
|
||||||
24 January 2025: Yorgos
|
24 January 2025: Yorgos
|
||||||
- Merge #1220 from Petr Menšík, Add unbound members group access to
|
- Merge #1220 from Petr Menšík, Add unbound members group access to
|
||||||
control key.
|
control key.
|
||||||
|
|
|
||||||
|
|
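Review bot: The 29 January 2025 entry states the new default but gives operators of --enable-subnet builds no upgrade instruction. An installation that relied on the implicit default loses the subnetcache module after this change unless its configuration names it, so consider adding a sentence to the entry saying that such setups must now set module-config: "subnetcache validator iterator" explicitly.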
@ -1260,9 +1260,6 @@ Adding \fIrespip\fR to the front will cause RPZ processing to be done on
|
||||||
all queries.
|
all queries.
|
||||||
The default is "\fIvalidator iterator\fR".
|
The default is "\fIvalidator iterator\fR".
|
||||||
.IP
|
.IP
|
||||||
When the server is built with
|
|
||||||
EDNS client subnet support the default is "\fIsubnetcache validator
|
|
||||||
iterator\fR".
|
|
||||||
Most modules that need to be listed here have to be listed at the beginning
|
Most modules that need to be listed here have to be listed at the beginning
|
||||||
of the line. The subnetcachedb module has to be listed just before
|
of the line. The subnetcachedb module has to be listed just before
|
||||||
the iterator.
|
the iterator.
|
||||||
|
|
@ -2511,8 +2508,8 @@ The dynamic library file to load. Repeat this option for every dynlib module
|
||||||
instance added to the \fBmodule\-config:\fR option.
|
instance added to the \fBmodule\-config:\fR option.
|
||||||
.SS "DNS64 Module Options"
|
.SS "DNS64 Module Options"
|
||||||
.LP
|
.LP
|
||||||
The dns64 module must be configured in the \fBmodule\-config:\fR "dns64
|
The dns64 module must be configured in the \fBmodule\-config:\fR directive
|
||||||
validator iterator" directive and be compiled into the daemon to be
|
e.g., "dns64 validator iterator" and be compiled into the daemon to be
|
||||||
enabled. These settings go in the \fBserver:\fR section.
|
enabled. These settings go in the \fBserver:\fR section.
|
||||||
.TP
|
.TP
|
||||||
.B dns64\-prefix: \fI<IPv6 prefix>\fR
|
.B dns64\-prefix: \fI<IPv6 prefix>\fR
|
||||||
|
|
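Review bot: Style point on the reworded sentence: "directive e.g., "dns64 validator iterator" and be compiled into the daemon" reads as a run-on because the example is not set off from the rest of the sentence. Suggest "directive, e.g., "dns64 validator iterator", and be compiled into the daemon". The same wording is introduced in the ECS, IPsec and Cache DB sections of this patch, and the ECS one breaks the line after "e.g.," rather than before it, so it is worth making all four identical.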
@ -2612,8 +2609,8 @@ in the dnscrypt nonce cache. Close to the number of cpus is
|
||||||
a fairly good setting.
|
a fairly good setting.
|
||||||
.SS "EDNS Client Subnet Module Options"
|
.SS "EDNS Client Subnet Module Options"
|
||||||
.LP
|
.LP
|
||||||
The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache
|
The ECS module must be configured in the \fBmodule\-config:\fR directive e.g.,
|
||||||
validator iterator" directive and be compiled into the daemon to be
|
"subnetcache validator iterator" and be compiled into the daemon to be
|
||||||
enabled. These settings go in the \fBserver:\fR section.
|
enabled. These settings go in the \fBserver:\fR section.
|
||||||
.LP
|
.LP
|
||||||
If the destination address is allowed in the configuration Unbound will add the
|
If the destination address is allowed in the configuration Unbound will add the
|
||||||
|
|
@ -2634,6 +2631,15 @@ configuration file. On top of that, for each query only 100 different subnets
|
||||||
are allowed to be stored for each address family. Exceeding that number, older
|
are allowed to be stored for each address family. Exceeding that number, older
|
||||||
entries will be purged from cache.
|
entries will be purged from cache.
|
||||||
.LP
|
.LP
|
||||||
|
Note that due to the nature of how EDNS Client Subnet works, by segregating the
|
||||||
|
client IP space in order to try and have tailored responses for prefixes of
|
||||||
|
unknown sizes, resolution and cache response performance are impacted as a
|
||||||
|
result.
|
||||||
|
Usage of the subnetcache module should only be enabled in installations that
|
||||||
|
require such functionality where the resolver and the clients belong to
|
||||||
|
different networks.
|
||||||
|
An example of that is an open resolver installation.
|
||||||
|
.LP
|
||||||
This module does not interact with the \fBserve\-expired*\fR and
|
This module does not interact with the \fBserve\-expired*\fR and
|
||||||
\fBprefetch:\fR options.
|
\fBprefetch:\fR options.
|
||||||
.TP
|
.TP
|
||||||
|
|
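Review bot: In the added paragraph, "Usage of the subnetcache module should only be enabled in installations that require such functionality" is awkward, since it is the module that gets enabled, not its usage, and the opening sentence is hard to follow at four lines. Suggest something like "The subnetcache module should only be enabled where the resolver and its clients belong to different networks, for example an open resolver installation." Because this commit also removes the build-dependent default from the module-config description, it would help to state here that the module is not loaded unless module-config lists it.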
@ -2684,8 +2690,8 @@ Specifies the maximum number of subnets ECS answers kept in the ECS radix tree.
|
||||||
This number applies for each qname/qclass/qtype tuple. Defaults to 100.
|
This number applies for each qname/qclass/qtype tuple. Defaults to 100.
|
||||||
.SS "Opportunistic IPsec Support Module Options"
|
.SS "Opportunistic IPsec Support Module Options"
|
||||||
.LP
|
.LP
|
||||||
The IPsec module must be configured in the \fBmodule\-config:\fR "ipsecmod
|
The IPsec module must be configured in the \fBmodule\-config:\fR directive
|
||||||
validator iterator" directive and be compiled into Unbound by using
|
e.g., "ipsecmod validator iterator" and be compiled into Unbound by using
|
||||||
\fB\-\-enable\-ipsecmod\fR to be enabled.
|
\fB\-\-enable\-ipsecmod\fR to be enabled.
|
||||||
These settings go in the \fBserver:\fR section.
|
These settings go in the \fBserver:\fR section.
|
||||||
.LP
|
.LP
|
||||||
|
|
@ -2754,8 +2760,8 @@ not specified, all domains are treated as being allowed (default).
|
||||||
Alternate syntax for \fBipsecmod\-allow\fR.
|
Alternate syntax for \fBipsecmod\-allow\fR.
|
||||||
.SS "Cache DB Module Options"
|
.SS "Cache DB Module Options"
|
||||||
.LP
|
.LP
|
||||||
The Cache DB module must be configured in the \fBmodule\-config:\fR
|
The Cache DB module must be configured in the \fBmodule\-config:\fR directive
|
||||||
"validator cachedb iterator" directive and be compiled into the daemon
|
e.g., "validator cachedb iterator" and be compiled into the daemon
|
||||||
with \fB\-\-enable\-cachedb\fR.
|
with \fB\-\-enable\-cachedb\fR.
|
||||||
If this module is enabled and configured, the specified backend database
|
If this module is enabled and configured, the specified backend database
|
||||||
works as a second level cache:
|
works as a second level cache:
|
||||||
|
|
|
||||||
|
|
@ -329,11 +329,7 @@ config_create(void)
|
||||||
if(!(cfg->control_cert_file = strdup(RUN_DIR"/unbound_control.pem")))
|
if(!(cfg->control_cert_file = strdup(RUN_DIR"/unbound_control.pem")))
|
||||||
goto error_exit;
|
goto error_exit;
|
||||||
|
|
||||||
#ifdef CLIENT_SUBNET
|
|
||||||
if(!(cfg->module_conf = strdup("subnetcache validator iterator"))) goto error_exit;
|
|
||||||
#else
|
|
||||||
if(!(cfg->module_conf = strdup("validator iterator"))) goto error_exit;
|
if(!(cfg->module_conf = strdup("validator iterator"))) goto error_exit;
|
||||||
#endif
|
|
||||||
if(!(cfg->val_nsec3_key_iterations =
|
if(!(cfg->val_nsec3_key_iterations =
|
||||||
strdup("1024 150 2048 150 4096 150"))) goto error_exit;
|
strdup("1024 150 2048 150 4096 150"))) goto error_exit;
|
||||||
#if defined(DNSTAP_SOCKET_PATH)
|
#if defined(DNSTAP_SOCKET_PATH)
|
||||||
|
|
|
||||||
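Review bot: With the #ifdef CLIENT_SUBNET branch removed in config_create(), a build with ECS support and no explicit module-config line now starts with "validator iterator", and nothing in this hunk tells the operator that subnetcache is no longer loaded. Consider emitting a warning at configuration load when ECS options are set but module_conf does not contain subnetcache, so that the behaviour change is not silent for existing installations.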