Merge branch 'master' into update-with-branches/poisonlicious
authorWillem Toorop <willem@nlnetlabs.nl>
Thu, 30 Oct 2025 08:48:57 +0000 (09:48 +0100)
committerWillem Toorop <willem@nlnetlabs.nl>
Thu, 30 Oct 2025 08:48:57 +0000 (09:48 +0100)
13 files changed:
1  2 
configure
configure.ac
daemon/remote.c
doc/example.conf.in
doc/unbound-control.rst
doc/unbound.conf.rst
services/mesh.c
sldns/rrdef.h
sldns/wire2str.c
util/config_file.c
util/config_file.h
util/configlexer.lex
util/configparser.y

diff --cc configure
Simple merge
diff --cc configure.ac
Simple merge
diff --cc daemon/remote.c
Simple merge
Simple merge
Simple merge
index 3c2b1781e8e472d88183ce4a0d0066768d9a9939,8f78fb31d60ce1bdc596e4144356d61587355799..ed9cdef008c631428e1bd59abed12d20b5ba8a09
@@@ -4978,45 -5110,9 +5134,45 @@@ answer queries with that content
      :ref:`interface-tag<unbound.conf.interface-tag>`.
      Enclose list of tags in quotes (``""``) and put spaces between tags.
  
-     If no tags are specified the policies from this clause will be applied for
+     If no tags are specified the policies from this section will be applied for
      all clients.
  
 +.. _unbound.conf.tsig-key:
 +
 +TSIG Key Options
 +^^^^^^^^^^^^^^^^^
 +
 +The **tsig-key:** clauses specify the TSIG keys that are used.
 +There can be multiple **tsig-key:** clauses, with each specifying a
 +different key.
 +Each key has a name, algorithm and secret key material.
 +
 +TSIG keys are shared secrets.
 +Both sides of the connection share the secret information.
 +Also they must both use the same name for the key, and same algorithm.
 +
 +With ``include: "key.conf"`` it is possible to put the declaration of the key
 +or some lines of it in an external file from the main configuration file.
 +It can also be used without such an include, with it the config statements
 +and key material can be put in separate files.
 +
 +
 +@@UAHL@unbound.conf.tsig-key@name@@: *"<key name>"*
 +    Name of the TSIG key.
 +    The key name is transferred in DNS wireformat in the TSIG record, and
 +    is used to reference the TSIG key from where it is configured to be used.
 +
 +
 +@@UAHL@unbound.conf.tsig-key@algorithm@@: *<algorithm name>*
 +    Name of the algorithm to use with this TSIG key.
 +    This can be md5, sha1, sha224, sha256, sha384 or sha512.
 +
 +
 +@@UAHL@unbound.conf.tsig-key@secret@@: *"<base64 blob>"*
 +    The secret contents is a base64 string.
 +    A way to get random base64 bytes is e.g.
 +    from ``dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64``
 +
  Memory Control Example
  ----------------------
  
diff --cc services/mesh.c
index a092915d54f81c48a83baf5eed4e3313daf34c37,af217210207e7c9e156ef7a736fe763ce2c4c7df..d3cac3204e58128ff86418134a4e942b6dfffbee
@@@ -1728,50 -1736,38 +1737,59 @@@ void mesh_query_done(struct mesh_state
        if(mstate->reply_list && mstate->s.env->cfg->dns_error_reporting)
                dns_error_reporting(&mstate->s, rep);
  
 +      if(mstate->reply_list && rep) {
 +              uint8_t data[8192];
 +              struct sldns_buffer dest;
 +              int i;
 +
 +              sldns_buffer_init_frm_data(&dest, data, sizeof(data));
 +              reply_info_answer_encode(&mstate->s.qinfo, rep, 0 /* id */,
 +                              0 /* qflags */, &dest, 0 /* current time */,
 +                              1 /* cached */, mstate->s.env->scratch,
 +                              sizeof(data) /* udpsize */, NULL /* edns */,
 +                              1 /* dnssec */, 0 /* secure */);
 +              log_err("Answer to be send to other unbounds, size: %d",
 +                              (int)sldns_buffer_limit(&dest));
 +              for(i = 0; i < mstate->s.env->outnet->num_dist; i++) {
 +                      if(mstate->s.env->outnet->dist[i] != -1)
 +                              send(mstate->s.env->outnet->dist[i],
 +                                      data, sldns_buffer_limit(&dest), 0);
 +              }
 +                      
 +      }
 +
        for(r = mstate->reply_list; r; r = r->next) {
-               struct timeval old;
-               timeval_subtract(&old, mstate->s.env->now_tv, &r->start_time);
-               if(mstate->s.env->cfg->discard_timeout != 0 &&
-                       ((int)old.tv_sec)*1000+((int)old.tv_usec)/1000 >
-                       mstate->s.env->cfg->discard_timeout) {
-                       /* Drop the reply, it is too old */
-                       /* briefly set the reply_list to NULL, so that the
-                        * tcp req info cleanup routine that calls the mesh
-                        * to deregister the meshstate for it is not done
-                        * because the list is NULL and also accounting is not
-                        * done there, but instead we do that here. */
-                       struct mesh_reply* reply_list = mstate->reply_list;
-                       verbose(VERB_ALGO, "drop reply, it is older than discard-timeout");
-                       infra_wait_limit_dec(mstate->s.env->infra_cache,
-                               &r->query_reply, mstate->s.env->cfg);
-                       mstate->reply_list = NULL;
-                       if(r->query_reply.c->use_h2)
-                               http2_stream_remove_mesh_state(r->h2_stream);
-                       comm_point_drop_reply(&r->query_reply);
-                       mstate->reply_list = reply_list;
-                       mstate->s.env->mesh->num_queries_discard_timeout++;
-                       continue;
+               if(mesh_is_udp(r)) {
+                       /* For UDP queries, the old replies are discarded.
+                        * This stops a large volume of old replies from
+                        * building up.
+                        * The stream replies, are not discarded. The
+                        * stream is open, the other side is waiting.
+                        * Some answer is needed, even if servfail, but the
+                        * real reply is ready to go, so that is given. */
+                       struct timeval old;
+                       timeval_subtract(&old, mstate->s.env->now_tv, &r->start_time);
+                       if(mstate->s.env->cfg->discard_timeout != 0 &&
+                               ((int)old.tv_sec)*1000+((int)old.tv_usec)/1000 >
+                               mstate->s.env->cfg->discard_timeout) {
+                               /* Drop the reply, it is too old */
+                               /* briefly set the reply_list to NULL, so that the
+                                * tcp req info cleanup routine that calls the mesh
+                                * to deregister the meshstate for it is not done
+                                * because the list is NULL and also accounting is not
+                                * done there, but instead we do that here. */
+                               struct mesh_reply* reply_list = mstate->reply_list;
+                               verbose(VERB_ALGO, "drop reply, it is older than discard-timeout");
+                               infra_wait_limit_dec(mstate->s.env->infra_cache,
+                                       &r->query_reply, mstate->s.env->cfg);
+                               mstate->reply_list = NULL;
+                               if(r->query_reply.c->use_h2)
+                                       http2_stream_remove_mesh_state(r->h2_stream);
+                               comm_point_drop_reply(&r->query_reply);
+                               mstate->reply_list = reply_list;
+                               mstate->s.env->mesh->num_queries_discard_timeout++;
+                               continue;
+                       }
                }
  
                i++;
diff --cc sldns/rrdef.h
Simple merge
Simple merge
Simple merge
Simple merge
index 2268e3e65940e88698c9a876c7cde7f431f2b8a4,22f98e46429eefb7384aeae1318569479381f65e..f01b4f59a4505262696937c4a5b1987bec7118f4
@@@ -612,9 -607,7 +612,10 @@@ proxy-protocol-port{COLON}        { YDVAR(1, V
  iter-scrub-ns{COLON}          { YDVAR(1, VAR_ITER_SCRUB_NS) }
  iter-scrub-cname{COLON}               { YDVAR(1, VAR_ITER_SCRUB_CNAME) }
  max-global-quota{COLON}               { YDVAR(1, VAR_MAX_GLOBAL_QUOTA) }
+ iter-scrub-promiscuous{COLON} { YDVAR(1, VAR_ITER_SCRUB_PROMISCUOUS) }
 +tsig-key{COLON}                       { YDVAR(0, VAR_TSIG_KEY) }
 +algorithm{COLON}              { YDVAR(1, VAR_ALGORITHM) }
 +secret{COLON}                 { YDVAR(1, VAR_SECRET) }
  <INITIAL,val>{NEWLINE}                { LEXOUT(("NL\n")); cfg_parser->line++; }
  
        /* Quoted strings. Strip leading and ending quotes */
index 732212a374f92973686fb161d0df1be6a4a5c317,bf9c196fcf2230f5e534ba03be3b05582bd57c89..cd01fbcbd882459375c6eeb5fedd2331fd41ceb7
@@@ -220,7 -216,7 +220,8 @@@ extern struct config_parser_state* cfg_
  %token VAR_LOG_DESTADDR VAR_CACHEDB_CHECK_WHEN_SERVE_EXPIRED
  %token VAR_COOKIE_SECRET_FILE VAR_ITER_SCRUB_NS VAR_ITER_SCRUB_CNAME
  %token VAR_MAX_GLOBAL_QUOTA VAR_HARDEN_UNVERIFIED_GLUE VAR_LOG_TIME_ISO
+ %token VAR_ITER_SCRUB_PROMISCUOUS
 +%token VAR_TSIG_KEY VAR_ALGORITHM VAR_SECRET
  
  %%
  toplevelvars: /* empty */ | toplevelvars toplevelvar ;