From 658dde3b9fda1b3eb04bd6b8265a1ceca6b38cce Mon Sep 17 00:00:00 2001 From: Ralph Dolmans Date: Wed, 24 Aug 2016 13:43:14 +0000 Subject: [PATCH] unbound.conf.5 entries for define-tag, access-control-tag, access-control-tag-action, access-control-tag-data, local-zone-tag, and local-zone-override. git-svn-id: file:///svn/unbound/trunk@3833 be551aaa-1e26-0410-a405-d3ace91eadb9 --- doc/Changelog | 3 +++ doc/unbound.conf.5.in | 32 ++++++++++++++++++++++++++++++++ 2 files changed, 35 insertions(+) diff --git a/doc/Changelog b/doc/Changelog index 02310848e..cd0d1ea0d 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,6 +1,9 @@ 24 August 2016: Ralph - Fix #820: set sldns_str2wire_rr_buf() dual meaning len parameter in each iteration in find_tag_datas(). + - unbound.conf.5 entries for define-tag, access-control-tag, + access-control-tag-action, access-control-tag-data, local-zone-tag, + and local-zone-override. 23 August 2016: Wouter - Fix #804: unbound stops responding after outage. Fixes queries diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index 6109855f0..7e9a85bdb 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -346,6 +346,10 @@ Lower limit for dynamic retransmit timeout calculation in infrastructure cache. Default is 50 milliseconds. Increase this value if using forwarders needing more time to do recursive name resolution. .TP +.B define\-tag: \fI<"list of tags"> +Define the tags that can be used with local\-zone and access\-control. +Enclose the list between quotes ("") and put spaces between tags. +.TP .B do\-ip4: \fI Enable or disable whether ip4 queries are answered or issued. Default is yes. .TP 
@@ -453,6 +457,23 @@ allowed full recursion but only the static data. With deny_non_local, messages that are disallowed are dropped, with refuse_non_local they receive error code REFUSED. .TP +.B access\-control\-tag: \fI <"list of tags"> +Assign tags to access-control elements. Clients using this access control +element use localzones that are tagged with one of these tags. Tags must be +defined in \fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put +spaces between tags. If access\-control\-tag is configured for a netblock that +does not have an access\-control, an access\-control element with action +\fIallow\fR is configured for this netblock. +.TP +.B access\-control\-tag\-action: \fI +Set action for particular tag for given access control element. If you have +multiple tag values, the tag used to lookup the action is the first tag match +between access\-control\-tag and local\-zone\-tag where "first" comes from the +order of the define-tag values. +.TP +.B access\-control\-tag\-data: \fI <"resource record string"> +Set redirect data for particular tag for given access control element. +.TP .B chroot: \fI If chroot is enabled, you should pass the configfile (from the commandline) as a full path from the original root. After the 
@@ -1093,6 +1114,17 @@ Configure local data shorthand for a PTR record with the reversed IPv4 or IPv6 address and the host name. For example "192.0.2.4 www.example.com". TTL can be inserted like this: "2001:DB8::4 7200 www.example.com" .TP 5 +.B local\-zone\-tag: \fI <"list of tags"> +Assign tags to localzones. Tagged localzones will only be applied when the +used access-control element has a matching tag. Tags must be defined in +\fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put spaces between +tags. +.TP 5 +.B local\-zone\-override: \fI +Override the localzone type for queries from addresses matching netblock. +Overrides types configured in both tagged and untagged localzones, and +access\-control\-tag\-action. +.TP 5 .B ratelimit: \fI Enable ratelimiting of queries sent to nameserver for performing recursion. If 0, the default, it is disabled. This option is experimental at this time. -- 2.47.3
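Review bot: in the define-tag entry (hunk @@ -346,6 +346,10 @@ of doc/unbound.conf.5.in), nothing says that the order of the tags in the list is significant, yet the access-control-tag-action entry added later in this patch resolves multiple matches by "the order of the define-tag values". Suggest stating this where the list is defined, for example with one more sentence saying that the order of the tags decides which tag is used when several match.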
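Review bot: in the access-control-tag entry (hunk @@ -453,6 +457,23 @@), the cross-reference reads "Tags must be defined in \fIdefine\-tags\fR", but the option this patch documents is "define\-tag:", so the text points at a name the page does not define; use define\-tag. In the same hunk, "access-control elements" and "define-tag values" use an unescaped hyphen where the rest of the added text writes "\-". The access-control-tag-data entry is a single sentence and does not say which tag action uses the redirect data or how it relates to the data of the tagged local zone; since these options decide which answers a client netblock receives, a sentence on that would help operators verify the policy they meant to configure.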
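Review bot: in the local-zone-tag entry (hunk @@ -1093,6 +1114,17 @@), the same cross-reference "\fIdefine\-tags\fR" appears and should be define\-tag to match the option name added in the first hunk; "access-control element" also has an unescaped hyphen. The local-zone-override entry says it overrides the types in tagged and untagged localzones and access\-control\-tag\-action, which makes it the last word for a netblock; consider pointing to it from the access-control-tag-action entry so the precedence is visible from both places. The added text also alternates between "localzones" and "local\-zone"; pick one spelling.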