Documentation nicer.

Stronger crypto by default for unbound-control.


git-svn-id: file:///svn/unbound/trunk@1950 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog

@@ -2,6 +2,8 @@
 	- iana portlist updated.
 	- bug#291: DNS wireformat max is 255. dname_valid allowed 256 length.
 	- verbose output includes parent-side-address notion for lameness.
+	- documented val-log-level: 2 setting in example.conf and man page.
+	- change unbound-control-setup from 1024(sha1) to 1536(sha256).
 
 1 January 2010: Wouter
 	- iana portlist updated.

doc/example.conf.in

@@ -357,7 +357,7 @@ server:
 	# val-permissive-mode: no
 
 	# Have the validator log failed validations for your diagnosis.
-	# 0: off. 1: A line per failed user query.
+	# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
 	# val-log-level: 0
 
 	# It is possible to configure NSEC3 maximum iteration counts per

doc/unbound.conf.5.in

@@ -596,11 +596,13 @@ to protect the users that rely on this validator for authentication from
 protentially bad data in the additional section.
 .TP
 .B val\-log\-level: \fI<number>
-Have the validator print validation failures to the log.  Regardless of the
+Have the validator print validation failures to the log.  Regardless of
-verbosity setting.  Default is 0, off. At 1, for every user query that fails
+the verbosity setting.  Default is 0, off.  At 1, for every user query
-a line is printed to the logs.  This way you can monitor what happens with
+that fails a line is printed to the logs.  This way you can monitor what
-validation.  Use a diagnosis tool, such as dig or drill, to find out why 
+happens with validation.  Use a diagnosis tool, such as dig or drill,
-validation is failing for these queries.
+to find out why validation is failing for these queries.  At 2, not only
+the query that failed is printed but also the reason why unbound thought
+it was wrong and which server sent the faulty data.
 .TP
 .B val\-permissive\-mode: \fI<yes or no>
 Instruct the validator to mark bogus messages as indeterminate. The security

smallapp/unbound-control-setup.sh

@@ -46,7 +46,10 @@ CLIENTNAME=unbound-control
 DAYS=7200
 
 # size of keys in bits
-BITS=1024
+BITS=1536
+
+# hash algorithm
+HASH=sha256
 
 # base name for unbound server keys
 SVR_BASE=unbound_server
@@ -84,7 +87,7 @@ done
 
 # go!:
 echo "setup in directory $DESTDIR"
-cd "$DESTDIR" || error "could not cd"
+cd "$DESTDIR" || error "could not cd to $DESTDIR"
 
 # create certificate keys; do not recreate if they already exist.
 if test -f $SVR_BASE.key; then
@@ -104,7 +107,7 @@ fi
 cat >request.cfg <<EOF
 [req]
 default_bits=$BITS
-default_md=sha1
+default_md=$HASH
 prompt=no
 distinguished_name=req_distinguished_name
 
@@ -122,7 +125,7 @@ openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"
 cat >request.cfg <<EOF
 [req]
 default_bits=$BITS
-default_md=sha1
+default_md=$HASH
 prompt=no
 distinguished_name=req_distinguished_name
 
@@ -132,7 +135,7 @@ EOF
 test -f request.cfg || error "could not create request.cfg"
 
 echo "create $CTL_BASE.pem (signed client certificate)"
-openssl req -key $CTL_BASE.key -config request.cfg -new | openssl x509 -req -days $DAYS -CA $SVR_BASE"_trust.pem" -CAkey $SVR_BASE.key -CAcreateserial -out $CTL_BASE.pem
+openssl req -key $CTL_BASE.key -config request.cfg -new | openssl x509 -req -days $DAYS -CA $SVR_BASE"_trust.pem" -CAkey $SVR_BASE.key -CAcreateserial -$HASH -out $CTL_BASE.pem
 test -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem"
 # create trusted usage pem
 # openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem"