upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-20 23:00:56 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

- auth-zone provides a way to configure RFC7706 from unbound.conf,

Browse source 
eg. with auth-zone: name: "." for-downstream: no for-upstream: yes
  fallback-enabled: yes and masters or a zonefile with data.


git-svn-id: file:///svn/unbound/trunk@4510 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
Wouter Wijngaards 2018-02-05 14:21:46 +00:00
parent ff6ab04ecd
commit a1b7abfb9f
3 changed files with 55 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
doc/Changelog
View file

@ -1,6 +1,9 @@
5 February 2018: Wouter 5 February 2018: Wouter
- Fix #3451: dnstap not building when you have a separate build dir. - Fix #3451: dnstap not building when you have a separate build dir.
And removed protoc warning, set dnstap.proto syntax to proto2. And removed protoc warning, set dnstap.proto syntax to proto2.
- auth-zone provides a way to configure RFC7706 from unbound.conf,
eg. with auth-zone: name: "." for-downstream: no for-upstream: yes
fallback-enabled: yes and masters or a zonefile with data.
2 February 2018: Wouter 2 February 2018: Wouter
- Fix unfreed locks in log and arc4random at exit of unbound. - Fix unfreed locks in log and arc4random at exit of unbound.

4
doc/example.conf.in
View file

@ -814,11 +814,12 @@ remote-control:
# upstream (which saves a lookup to the upstream). The first example # upstream (which saves a lookup to the upstream). The first example
# has a copy of the root for local usage. The second serves example.org # has a copy of the root for local usage. The second serves example.org
# authoritatively. zonefile: reads from file (and writes to it if you also # authoritatively. zonefile: reads from file (and writes to it if you also
# download it), master: fetches with AXFR, url: fetches zonefile over http. # download it), master: fetches with AXFR and IXFR
# auth-zone: # auth-zone:
# name: "." # name: "."
# for-downstream: no # for-downstream: no
# for-upstream: yes # for-upstream: yes
# fallback-enabled: yes
# master: b.root-servers.net # master: b.root-servers.net
# master: c.root-servers.net # master: c.root-servers.net
# master: e.root-servers.net # master: e.root-servers.net
@ -830,7 +831,6 @@ remote-control:
# for-downstream: yes # for-downstream: yes
# for-upstream: yes # for-upstream: yes
# zonefile: "example.org.zone" # zonefile: "example.org.zone"
# url: "http://www.example.com/example.org.zone"
# Views # Views
# Create named views. Name must be unique. Map views to requests using # Create named views. Name must be unique. Map views to requests using

50
doc/unbound.conf.5.in
View file

@ -1439,6 +1439,56 @@ Default is no.
.TP .TP
.B forward\-ssl\-upstream: \fI<yes or no> .B forward\-ssl\-upstream: \fI<yes or no>
Alternate syntax for \fBforward\-tls\-upstream\fR. Alternate syntax for \fBforward\-tls\-upstream\fR.
.SS "Authority Zone Options"
.LP
Authority zones are configured with \fBauth\-zone:\fR, and each one must
have a \fBname:\fR. There can be multiple ones, by listing multiple auth\-zone clauses, each with a different name, pertaining to that part of the namespace.
The authority zone with the name closest to the name looked up is used.
Authority zones are processed after \fBlocal\-zones\fR and before
cache (\fBfor\-downstream:\fR \fIyes\fR), and when used in this manner
make unbound respond like an authority server. Authority zones are also
processed after cache, just before going to the network to fetch
information for recursion (\fBfor\-upstream:\fR \fIyes\fR), and when used
in this manner provide a local copy of an authority server that speeds up
lookups of that data.
.LP
Authority zones can be read from zonefile. And can be kept updated via
AXFR and IXFR. After update the zonefile is rewritten. The update mechanism
uses the SOA timer values and performs SOA UDP queries to detect zone changes.
.TP
.B name: \fI<zone name>
Name of the authority zone.
.TP
.B master: \fI<IP address or host name>
Where to download a copy of the zone from, with AXFR and IXFR. Multiple
masters can be specified. They are all tried if one fails.
.TP
.B fallback\-enabled: \fI<yes or no>
Default no. If enabled, unbound falls back to querying the internet as
a resolver for this zone when lookups fail. For example for DNSSEC
validation failures.
.TP
.B for\-downstream: \fI<yes or no>
Default yes. If enabled, unbound serves authority responses to
downstream clients for this zone. This option makes unbound behave, for
the queries with names in this zone, like one of the authority servers for
that zone. Turn it off if you want unbound to provide recursion for the
zone but have a local copy of zone data. If for\-downstream is no and
for\-upstream is yes, then unbound will DNSSEC validate the contents of the
zone before serving the zone contents to clients and store validation
results in the cache.
.TP
.B for\-upstream: \fI<yes or no>
Default yes. If enabled, unbound fetches data from this data collection
for answering recursion queries. Instead of sending queries over the internet
to the authority servers for this zone, it'll fetch the data directly from
the zone data. Turn it on when you want unbound to provide recursion for
downstream clients, and use the zone data as a local copy to speed up lookups.
.TP
.B zonefile: \fI<filename>
The filename where the zone is stored. If not given then no zonefile is used.
If the file does not exist or is empty, unbound will attempt to fetch zone
data (eg. from the master servers).
.SS "View Options" .SS "View Options"
.LP .LP
There may be multiple There may be multiple