unbound.conf.5 entries for define-tag, access-control-tag,

access-control-tag-action, access-control-tag-data, local-zone-tag,
and local-zone-override.

git-svn-id: file:///svn/unbound/trunk@3833 be551aaa-1e26-0410-a405-d3ace91eadb9

diff --git a/doc/Changelog b/doc/Changelog
index 02310848e7141daeb9a2e06efbcd9a67d1866c95..cd0d1ea0d5e4bb5593980e4c8c35b0ce799e586b 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,6 +1,9 @@
 24 August 2016: Ralph
        - Fix #820: set sldns_str2wire_rr_buf() dual meaning len parameter
          in each iteration in find_tag_datas().
+       - unbound.conf.5 entries for define-tag, access-control-tag,
+         access-control-tag-action, access-control-tag-data, local-zone-tag,
+         and local-zone-override.
          
 23 August 2016: Wouter
        - Fix #804: unbound stops responding after outage.  Fixes queries

diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index 6109855f05502f01c4cbaba77fdd00a5163319fb..7e9a85bdb2b19618e8875fd88ebf80522f41b96b 100644 (file)
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -346,6 +346,10 @@ Lower limit for dynamic retransmit timeout calculation in infrastructure
 cache. Default is 50 milliseconds. Increase this value if using forwarders
 needing more time to do recursive name resolution.
 .TP
+.B define\-tag: \fI<"list of tags">
+Define the tags that can be used with local\-zone and access\-control.
+Enclose the list between quotes ("") and put spaces between tags.
+.TP
 .B do\-ip4: \fI<yes or no>
 Enable or disable whether ip4 queries are answered or issued. Default is yes.
 .TP
@@ -453,6 +457,23 @@ allowed full recursion but only the static data.  With deny_non_local,
 messages that are disallowed are dropped, with refuse_non_local they
 receive error code REFUSED.
 .TP
+.B access\-control\-tag: \fI<IP netblock> <"list of tags">
+Assign tags to access-control elements. Clients using this access control
+element use localzones that are tagged with one of these tags. Tags must be
+defined in \fIdefine\-tags\fR.  Enclose list of tags in quotes ("") and put
+spaces between tags. If access\-control\-tag is configured for a netblock that
+does not have an access\-control, an access\-control element with action
+\fIallow\fR is configured for this netblock.
+.TP
+.B access\-control\-tag\-action: \fI<IP netblock> <tag> <action>
+Set action for particular tag for given access control element. If you have
+multiple tag values, the tag used to lookup the action is the first tag match
+between access\-control\-tag and local\-zone\-tag where "first" comes from the
+order of the define-tag values.
+.TP
+.B access\-control\-tag\-data: \fI<IP netblock> <tag> <"resource record string">
+Set redirect data for particular tag for given access control element.
+.TP
 .B chroot: \fI<directory>
 If chroot is enabled, you should pass the configfile (from the
 commandline) as a full path from the original root. After the
@@ -1093,6 +1114,17 @@ Configure local data shorthand for a PTR record with the reversed IPv4 or
 IPv6 address and the host name.  For example "192.0.2.4 www.example.com".
 TTL can be inserted like this: "2001:DB8::4 7200 www.example.com"
 .TP 5
+.B local\-zone\-tag: \fI<zone> <"list of tags">
+Assign tags to localzones. Tagged localzones will only be applied when the
+used access-control element has a matching tag. Tags must be defined in
+\fIdefine\-tags\fR.  Enclose list of tags in quotes ("") and put spaces between
+tags.
+.TP 5
+.B local\-zone\-override: \fI<zone> <IP netblock> <type>
+Override the localzone type for queries from addresses matching netblock.
+Overrides types configured in both tagged and untagged localzones, and 
+access\-control\-tag\-action.
+.TP 5
 .B ratelimit: \fI<number or 0>
 Enable ratelimiting of queries sent to nameserver for performing recursion.
 If 0, the default, it is disabled.  This option is experimental at this time.