upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-20 23:00:56 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

- Set default for harden-unknown-additional to no. So that it does

Browse source 
not hamper future protocol developments.
This commit is contained in:
W.C.A. Wijngaards 2023-01-19 15:45:10 +01:00
parent 8df1e58209
commit c9233f8429
4 changed files with 8 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
doc/Changelog
View file

@ -5,9 +5,11 @@
resolvers. The new choice, down from 4096 means it is harder to get resolvers. The new choice, down from 4096 means it is harder to get
large responses from Unbound. Thanks to Xiang Li, from NISL Lab, large responses from Unbound. Thanks to Xiang Li, from NISL Lab,
Tsinghua University. Tsinghua University.
- Add harden-unknown-additional option. Default on and it removes - Add harden-unknown-additional option. It removes
unknown records from the authority section and additional section. unknown records from the authority section and additional section.
Thanks to Xiang Li, from NISL Lab, Tsinghua University. Thanks to Xiang Li, from NISL Lab, Tsinghua University.
- Set default for harden-unknown-additional to no. So that it does
not hamper future protocol developments.
18 January 2023: Wouter 18 January 2023: Wouter
- Fix not following cleared RD flags potentially enables amplification - Fix not following cleared RD flags potentially enables amplification

2
doc/example.conf.in
View file

@ -505,7 +505,7 @@ server:
# Harden against unknown records in the authority section and the # Harden against unknown records in the authority section and the
# additional section. # additional section.
# harden-unknown-additional: yes # harden-unknown-additional: no
# Sent minimum amount of information to upstream servers to enhance # Sent minimum amount of information to upstream servers to enhance
# privacy. Only sent minimum required labels of the QNAME and set QTYPE # privacy. Only sent minimum required labels of the QNAME and set QTYPE

5
doc/unbound.conf.5.in
View file

@ -1022,8 +1022,9 @@ this option off avoids that validation failure.
.TP .TP
.B harden\-unknown\-additional: \fI<yes or no> .B harden\-unknown\-additional: \fI<yes or no>
Harden against unknown records in the authority section and additional Harden against unknown records in the authority section and additional
section. Default is yes. If no, such records are copied from the upstream section. Default is no. If no, such records are copied from the upstream
and presented to the client together with the answer. and presented to the client together with the answer. If yes, it could
hamper future protocol developments that want to add records.
.TP .TP
.B use\-caps\-for\-id: \fI<yes or no> .B use\-caps\-for\-id: \fI<yes or no>
Use 0x20\-encoded random bits in the query to foil spoof attempts. Use 0x20\-encoded random bits in the query to foil spoof attempts.

2
util/config_file.c
View file

@ -233,7 +233,7 @@ config_create(void)
cfg->harden_below_nxdomain = 1; cfg->harden_below_nxdomain = 1;
cfg->harden_referral_path = 0; cfg->harden_referral_path = 0;
cfg->harden_algo_downgrade = 0; cfg->harden_algo_downgrade = 0;
cfg->harden_unknown_additional = 1; cfg->harden_unknown_additional = 0;
cfg->use_caps_bits_for_id = 0; cfg->use_caps_bits_for_id = 0;
cfg->caps_whitelist = NULL; cfg->caps_whitelist = NULL;
cfg->private_address = NULL; cfg->private_address = NULL;