- Fix #714: Document config to block private-address for IPv4

mapped IPv6 addresses.


git-svn-id: file:///svn/unbound/trunk@3513 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog

@@ -1,3 +1,7 @@
+23 October 2015: Wouter
+	- Fix #714: Document config to block private-address for IPv4
+	  mapped IPv6 addresses.
+
 22 October 2015: Wouter
 	- Fix #712: unbound-anchor appears to not fsync root.key.
 

doc/example.conf.in

@@ -315,6 +315,7 @@ server:
 	# private-address: 169.254.0.0/16
 	# private-address: fd00::/8
 	# private-address: fe80::/10
+	# private-address: ::ffff:0:0/96
 
 	# Allow the domain (and its subdomains) to contain private addresses.
 	# local-data statements are allowed to contain private addresses too.

doc/unbound.conf.5.in

@@ -587,21 +587,22 @@ Can be given multiple times, for different domains.
 .TP
 .B private\-address: \fI<IP address or subnet>
 Give IPv4 of IPv6 addresses or classless subnets. These are addresses
-on your private network, and are not allowed to be returned for public
+on your private network, and are not allowed to be returned for
-internet names.  Any occurence of such addresses are removed from
+public internet names.  Any occurence of such addresses are removed
-DNS answers. Additionally, the DNSSEC validator may mark the answers
+from DNS answers. Additionally, the DNSSEC validator may mark the
-bogus. This protects against so\-called DNS Rebinding, where a user browser
+answers bogus. This protects against so\-called DNS Rebinding, where
-is turned into a network proxy, allowing remote access through the browser
+a user browser is turned into a network proxy, allowing remote access
-to other parts of your private network.  Some names can be allowed to
+through the browser to other parts of your private network.  Some names
-contain your private addresses, by default all the \fBlocal\-data\fR
+can be allowed to contain your private addresses, by default all the
-that you configured is allowed to, and you can specify additional
+\fBlocal\-data\fR that you configured is allowed to, and you can specify
-names using \fBprivate\-domain\fR.  No private addresses are enabled
+additional names using \fBprivate\-domain\fR.  No private addresses are
-by default.  We consider to enable this for the RFC1918 private IP
+enabled by default.  We consider to enable this for the RFC1918 private
-address space by default in later releases. That would enable private 
+IP address space by default in later releases. That would enable private
-addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 
+addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
-fd00::/8 and fe80::/10, since the RFC standards say these addresses 
+fd00::/8 and fe80::/10, since the RFC standards say these addresses
-should not be visible on the public internet.  Turning on 127.0.0.0/8 
+should not be visible on the public internet.  Turning on 127.0.0.0/8
-would hinder many spamblocklists as they use that.
+would hinder many spamblocklists as they use that.  Adding ::ffff:0:0/96
+stops IPv4-mapped IPv6 addresses from bypassing the filter.
 .TP
 .B private\-domain: \fI<domain name>
 Allow this domain, and all its subdomains to contain private addresses.