- Update generated man pages.

diff --git a/doc/Changelog b/doc/Changelog
index 0230be80611aeb62075759465e59c617f50fe559..2581a3cdc3b0939dd94760cc01bbcc90bf74f747 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -5,6 +5,7 @@
          Network Sciences and Cyberspace, Tsinghua University for the
          report. The private-address option is fixed to also elide
          SVCB and HTTPS records that match the filter.
+       - Update generated man pages.
 
 4 March 2026: Yorgos
        - For #1411: Introduce a failing case in the rpl test so that it only

diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index 194a3c076f5b8a6e882c457178db20e923d1ce99..b8c601c79a0798391840435b79c3b4c9231fbf5f 100644 (file)
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -2275,6 +2275,11 @@ This protects against so\-called DNS Rebinding, where a user browser is
 turned into a network proxy, allowing remote access through the browser to
 other parts of your private network.
 .sp
+The option removes resource records of types A, AAAA, SVCB and HTTPS
+that match the filter.
+Inside the SVCB and HTTPS records, the svcparams of type ipv4hint
+and ipv6hint are checked for matches.
+.sp
 Some names can be allowed to contain your private addresses, by default all
 the \fI\%local\-data\fP that you configured is
 allowed to, and you can specify additional names using