W.C.A. Wijngaards
5e9b6296b7
- Add redis-command-timeout: 20 and redis-connect-timeout: 200,
...
that can set the timeout separately for commands and the
connection set up to the redis server. If they are not
specified, the redis-timeout value is used.
2024-09-17 13:10:34 +02:00
W.C.A. Wijngaards
1e0cf1e86b
- Merge patch to fix for glue that is outside of zone, with
...
`harden-unverified-glue`, from Karthik Umashankar (Microsoft).
Enabling this option protects the Unbound resolver against bad
glue, that is unverified out of zone glue, by resolving them.
It uses the records as last resort if there is no other working
glue.
2024-08-23 08:56:48 +02:00
W.C.A. Wijngaards
3d350fa73d
- Add iter-scrub-ns, iter-scrub-cname and max-global-quota
...
configuration options.
2024-08-20 14:08:52 +02:00
Wouter Wijngaards
ad21dbd1c2
Cookie secret file ( #1090 )
...
* - cookie-secret-file, define struct.
* - cookie-secret-file, add config option, create, read and delete struct.
* - cookie-secret-file, check cookie secrets for cookie validation.
* - cookie-secret-file, unbound-control add_cookie_secret, drop_cookie_secret,
activate_cookie_secret and print_cookie_secrets.
* - cookie-secret-file, test and fix locks, renew writes a fresh cookie,
staging cookies get a fresh cookie and spelling in error message.
* - cookie-secret-file, remove unused variable from cookie file unit test.
* Remove unshare and faketime dependencies for cookie_file test; documentation nits.
---------
Co-authored-by: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
2024-08-02 13:32:08 +02:00
Yorgos Thessalonikefs
c717debace
- For #935 and #1104 , clarify RPZ order and semantics.
2024-07-24 01:54:02 +02:00
W.C.A. Wijngaards
c3dd6a2dbd
- Add dnstap-sample-rate that logs only 1/N messages, for high volume
...
server environments. Thanks Dan Luther.
2024-07-19 10:04:40 +02:00
Yorgos Thessalonikefs
7083d58c6b
- For #1102 : clearer text for using interface-* options for the
...
loopback interface.
2024-07-12 16:29:44 +02:00
W.C.A. Wijngaards
0c0c36f015
- Fix spelling of tcp-idle-timeout docs, from Michael Tokarev.
2024-05-27 14:36:35 +02:00
W.C.A. Wijngaards
c3206f4568
- Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to Xiang Li
...
from the Network and Information Security Lab of Tsinghua University
for reporting it.
2024-05-01 10:10:58 +02:00
W.C.A. Wijngaards
08fb9a9209
- Fix cachedb for serve-expired with serve-expired-client-timeout.
2024-04-12 11:26:53 +02:00
W.C.A. Wijngaards
d47849a26e
- Fix cachedb for serve-expired with serve-expired-reply-ttl.
2024-04-10 17:01:57 +02:00
W.C.A. Wijngaards
d98c7b9ae3
- Implement cachedb-check-when-serve-expired: yes option, default
...
is enabled. When serve expired is enabled with cachedb, it first
checks cachedb before serving the expired response.
2024-04-10 11:21:28 +02:00
Yorgos Thessalonikefs
708d5229ae
- Merge #1027 : Introduce 'cache-min-negative-ttl' option.
2024-04-05 11:44:37 +02:00
Yorgos Thessalonikefs
e36b5a099c
Clearer documentation for tcp-idle-timeout and edns-tcp-keepalive-timeout ( #1028 )
...
* - Clearer documentation for tcp-idle-timeout and
edns-tcp-keepalive-timeout.
* - Address review comment.
2024-03-12 14:52:00 +01:00
Yorgos Thessalonikefs
025881d0e9
- Introduce 'cache-min-negative-ttl' option to bound the minimum TTL for
...
negative answers overriding 'cache-min-ttl'.
2024-03-12 11:24:59 +01:00
Willem Toorop
e1229e375f
Mention REFUSED has the TC bit set with unmatched allow_cookie acl in the manpage ( #1010 )
...
* Mention REFUSED with TC with unmatched allow_cookie acl in manpage
Also moved the part about bypassing ip-ratelimit to the ip-ratelimit
description as it will be bypassed with a valid DNS-Cookie regardless of the
allow_cookie acl.
* Apply suggestions from code review
* Update doc/unbound.conf.5.in
* DNS-Cookies should bypass ip-ratelimit setting
2024-02-20 15:29:34 +01:00
W.C.A. Wijngaards
54d86dd73b
- Fix documentation for access-control in the unbound.conf man page.
2024-02-08 14:36:18 +01:00
W.C.A. Wijngaards
3d1bc143af
- Fix #969 : [FR] distinguish Do53, DoT and DoH in the logs.
2023-12-05 10:05:51 +01:00
W.C.A. Wijngaards
4a211a9117
- cachedb-no-store, example conf and man page documentation.
2023-10-13 11:37:18 +02:00
Wouter Wijngaards
5c6c57ed89
Merge pull request #944 from NLnetLabs/disable-edns-do
...
Disable EDNS DO
2023-10-12 14:04:29 +02:00
George Thessalonikefs
e98b89651e
- Fix #850 : [FR] Ability to use specific database in Redis, with new
...
redis-logical-db configuration option.
2023-10-11 11:44:55 +02:00
Wouter Wijngaards
b05154218c
Update doc/unbound.conf.5.in
...
Co-authored-by: Yorgos Thessalonikefs <george@nlnetlabs.nl>
2023-10-06 16:40:34 +02:00
W.C.A. Wijngaards
39df4f0923
- disable-edns-do, queriers receive no EDNS in response if the
...
disable-edns-do option is enabled and they set the DO flag. And unit test
for that.
2023-10-04 13:54:05 +02:00
W.C.A. Wijngaards
d1977c679b
- disable-edns-do, doc and add option disable-edns-do: no.
2023-09-13 13:11:53 +02:00
George Thessalonikefs
49e4258102
- For #762 : Interaction between DNS Cookies and source IP ratelimiting
...
by allowing Cookies to bypass the ratelimit, but still allowing
ratelimit to valid DNS Cookie clients via the new
ip-ratelimit-cookie option.
2023-08-08 10:14:03 +02:00
George Thessalonikefs
4ccb613396
Merge branch 'master' into features/downstream-cookies
2023-08-05 20:37:48 +02:00
George Thessalonikefs
fbc0256825
- For #762 : Cleaner manpage text and uniform use of the term DNS
...
Cookies.
2023-08-05 20:00:37 +02:00
George Thessalonikefs
299f55b0d1
- More clear description of the different auth-zone behaviors on the
...
man page.
2023-07-14 15:28:42 +02:00
George Thessalonikefs
adb4aeb609
- For #722 : Minor fixes, formatting and refactoring.
2023-05-01 18:23:13 +02:00
George Thessalonikefs
e1ec3cf893
Merge branch 'nat64' of https://github.com/eqvinox/unbound into eqvinox-nat64
2023-04-26 15:14:39 +02:00
W.C.A. Wijngaards
144f29638c
- Fix for #882 : small changes, date updated in Copyright for
...
util/timeval_func.c and util/timeval_func.h. Man page entries and
example entry.
2023-04-26 13:49:33 +02:00
George Thessalonikefs
6bf677e7de
Fix #833 : [FR] Ability to set the Redis password.
2023-01-23 11:45:07 +01:00
W.C.A. Wijngaards
77f15428c9
- Add #835 : [FR] Ability to use Redis unix sockets.
2023-01-23 10:09:28 +01:00
Wouter Wijngaards
6a4a9435d1
Merge pull request #819 from pavel-odintsov/pavel/suppress_a
...
Added new static zone type block_a to suppress all A queries for specific zones
2023-01-20 16:18:05 +01:00
W.C.A. Wijngaards
c9233f8429
- Set default for harden-unknown-additional to no. So that it does
...
not hamper future protocol developments.
2023-01-19 15:45:10 +01:00
W.C.A. Wijngaards
8df1e58209
- Add harden-unknown-additional option. Default on and it removes
...
unknown records from the authority section and additional section.
Thanks to Xiang Li, from NISL Lab, Tsinghua University.
2023-01-19 14:59:18 +01:00
W.C.A. Wijngaards
d69f875261
- Set max-udp-size default to 1232. This is the same default value as
...
the default value for edns-buffer-size. It restricts client edns
buffer size choices, and makes unbound behave similar to other DNS
resolvers. The new choice, down from 4096 means it is harder to get
large responses from Unbound. Thanks to Xiang Li, from NISL Lab,
Tsinghua University.
2023-01-19 14:16:17 +01:00
Pavel Odintsov
d5b9a790fe
Added new static zone type block_a to suppress all A queries for specific zones
2023-01-03 19:17:51 +00:00
George Thessalonikefs
df411b3f28
- Updates for #461 (Add max-query-restarts option).
2022-12-13 15:29:22 +01:00
George Thessalonikefs
71db243b0d
Merge branch 'restart_conf' of https://github.com/cgallred/unbound into cgallred-restart_conf
2022-12-13 14:35:01 +01:00
George Thessalonikefs
c61b2121b5
- Expose 'max-sent-count' as a configuration option; the
...
default value retains Unbound's behavior.
2022-12-13 13:57:07 +01:00
George Thessalonikefs
859d0f2dfe
- Expose 'statistics-inhibit-zero' as a configuration option; the
...
default value retains Unbound's behavior.
2022-12-13 10:47:37 +01:00
George Thessalonikefs
d7a9def160
- Clear documentation for interactivity between the subnet module and
...
the serve-expired and prefetch configuration options.
2022-11-30 14:45:36 +01:00
Willem Toorop
8df26b132b
Merge branch 'master' into devel/merge-master-into-downstream-cookies
2022-11-07 17:09:20 +00:00
David Lamparter
64fb06f892
NAT64 support
...
This implements #721 . Includes documentation and some very basic tests.
Please refer to doc for further detail.
2022-11-07 11:37:50 +00:00
Jonathan Gray
4f27799456
consistently use IPv4/IPv6
2022-10-10 19:14:58 +11:00
Yorgos Thessalonikefs
c4e51a4cfe
PROXYv2 downstream support ( #760 )
2022-10-03 15:29:47 +02:00
Willem Toorop
75f3fbdd65
Downstream DNS Cookies a la RFC7873 and RFC9018
...
Create server cookies for clients that send client cookies.
Needs to be turned on in the config file with:
answer-cookie: yes
A cookie-secret can be configured for anycast setups.
Also adds an access control list that will allow queries with
either a valid cookie or over a stateful transport.
2022-09-28 10:28:19 +02:00
George Thessalonikefs
aec33b3d63
Documentation for interface-* options.
2022-09-11 20:21:32 +02:00
George Thessalonikefs
c30bdff939
Initial commit for interface based ACL.
2022-09-11 20:21:32 +02:00