12 November 2009: Wouter
- iana portlist updated.
+ - fix manpage errors reported by debian lintian.
+ - review comments.
+ - fixup very long vallog2 level error strings.
11 November 2009: Wouter
- ldns tarball updated (to 1.6.2).
Add a trust anchor to the given context.
At this time it is only possible to add trusted keys before the
first resolve is done.
-The format is a string, similar to the zone-file format,
+The format is a string, similar to the zone\-file format,
[domainname] [type] [rdata contents]. Both DS and DNSKEY records are accepted.
.TP
.B ub_ctx_add_ta_file
.TP
.B ub_ctx_trustedkeys
Add trust anchors to the given context.
-Pass the name of a bind-style config file with trusted-keys{}.
+Pass the name of a bind\-style config file with trusted\-keys{}.
At this time it is only possible to add trusted keys before the
first resolve is done.
.TP
.B ub_ctx_debugout
Set debug and error log output to the given stream. Pass NULL to disable
-output. Default is stderr. File-names or using syslog can be enabled
+output. Default is stderr. File\-names or using syslog can be enabled
using config options, this routine is for using your own stream.
.TP
.B ub_ctx_debuglevel
.B ub_poll
returns true if some information may be available, false otherwise.
.B ub_fd
-returns a file descriptor or -1 on error.
+returns a file descriptor or \-1 on error.
.SH "SEE ALSO"
\fIunbound.conf\fR(5),
\fIunbound\fR(8).
.\"
.SH "NAME"
.LP
-unbound-checkconf
+unbound\-checkconf
\- Check unbound configuration file for errors.
.SH "SYNOPSIS"
-.B unbound-checkconf
+.B unbound\-checkconf
.RB [ \-h ]
.RB [ \-o
.IR option ]
.RI [ cfgfile ]
.SH "DESCRIPTION"
-.B Unbound-checkconf
+.B Unbound\-checkconf
checks the configuration file for the
\fIunbound\fR(8)
DNS resolver for syntax and other errors.
The config file to read with settings for unbound. It is checked.
If omitted, the config file at the default location is checked.
.SH "EXIT CODE"
-The unbound-checkconf program exits with status code 1 on error,
+The unbound\-checkconf program exits with status code 1 on error,
0 for a correct config file.
.SH "FILES"
.TP
.\"
.SH "NAME"
.LP
-unbound-control
+.B unbound\-control,
+.B unbound\-control\-setup
\- Unbound remote server control utility.
.SH "SYNOPSIS"
-.B unbound-control
+.B unbound\-control
.RB [ \-h ]
.RB [ \-c
.IR cfgfile ]
.IR server ]
.IR command
.SH "DESCRIPTION"
-.B Unbound-control
+.B Unbound\-control
performs remote administration on the \fIunbound\fR(8) DNS server.
It reads the configuration file, contacts the unbound server over SSL
sends the command and displays the result.
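Review bot: in the NAME hunk, `.B unbound\-control,` sets the trailing comma in bold together with the name; use `.BR unbound\-control ,` (the comma as the roman argument) or write both names on one plain line, `unbound\-control, unbound\-control\-setup \- Unbound remote server control utility.`, which is also the form whatis parsers expect. Since the page now names unbound\-control\-setup, the SYNOPSIS should get a line for it as well; at present it still lists only `.B unbound\-control`.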
the current config. You could pass the nameservers after a DHCP update.
.IP
Without arguments the current list of addresses used to forward all queries
-to is printed. On startup this is from the forward-zone "." configuration.
+to is printed. On startup this is from the forward\-zone "." configuration.
Afterwards it shows the status. It prints off when no forwarding is used.
.IP
If \fIoff\fR is passed, forwarding is disabled and the root nameservers
-are used. This can be used to avoid to avoid buggy or non-DNSSEC supporting
+are used. This can be used to avoid to avoid buggy or non\-DNSSEC supporting
nameservers returned from DHCP. But may not work in hotels or hotspots.
.IP
If one or more IPv4 or IPv6 addresses are given, those are then used to forward
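Review bot: the `+` line in this hunk keeps the doubled phrase "to avoid to avoid" from the original; since the line is being rewritten anyway for the hyphen escape, drop one copy: `are used. This can be used to avoid buggy or non\-DNSSEC supporting`.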
used. The config file is not changed, so after a reload these changes are
gone. Other forward zones from the config file are not affected by this command.
.SH "EXIT CODE"
-The unbound-control program exits with status code 1 on error, 0 on success.
+The unbound\-control program exits with status code 1 on error, 0 on success.
.SH "SET UP"
The setup requires a self\-signed certificate and private keys for both
the server and client. The script \fIunbound\-control\-setup\fR generates
a username in unbound.conf, the keys need read permission for the user
credentials under which the daemon is started.
The script preserves private keys present in the directory.
-After running the script as root, turn on \fBcontrol-enable\fR in
+After running the script as root, turn on \fBcontrol\-enable\fR in
\fIunbound.conf\fR.
.SH "STATISTIC COUNTERS"
The \fIstats\fR command shows a number of statistic counters.
queries were received, thus =0 entries are omitted for brevity.
.TP
.I num.query.type.other
-Number of queries with query types 256-65535.
+Number of queries with query types 256\-65535.
.TP
.I num.query.class.IN
The total number of queries over all threads with query class IN (internet).
Also printed for other classes (such as CH (CHAOS) sometimes used for
debugging), or NONE, ANY, used by dynamic update.
-num.query.class.other is printed for classes 256-65535.
+num.query.class.other is printed for classes 256\-65535.
.TP
.I num.query.opcode.QUERY
The total number of queries over all threads with query opcode QUERY.
.TP
.I @UNBOUND_RUN_DIR@
directory with private keys (unbound_server.key and unbound_control.key) and
-self-signed certificates (unbound_server.pem and unbound_control.pem).
+self\-signed certificates (unbound_server.pem and unbound_control.pem).
.SH "SEE ALSO"
\fIunbound.conf\fR(5),
\fIunbound\fR(8).
username: unbound
# make sure unbound can access entropy from inside the chroot.
# e.g. on linux the use these commands (on BSD, devfs(8) is used):
- # mount --bind -n /dev/random /etc/unbound/dev/random
- # and mount --bind -n /dev/log /etc/unbound/dev/log
+ # mount \-\-bind \-n /dev/random /etc/unbound/dev/random
+ # and mount \-\-bind \-n /dev/log /etc/unbound/dev/log
chroot: "/etc/unbound"
# logfile: "/etc/unbound/unbound.log" #uncomment to use logfile.
pidfile: "/etc/unbound/unbound.pid"
given the default is to listen to localhost.
The interfaces are not changed on a reload (kill \-HUP) but only on restart.
.TP
-.B interface-automatic: \fI<yes or no>
+.B interface\-automatic: \fI<yes or no>
Detect source interface on UDP queries and copy them to replies. This
feature is experimental, and needs support in your OS for IPv6
-(and its socket options) and IPv4 (and have source-interface socket options).
+(and its socket options) and IPv4 (and have source\-interface socket options).
Default value is no.
.TP
.B outgoing\-interface: \fI<ip address>
A larger number of permitted outgoing ports increases resilience against
spoofing attempts. Make sure these ports are not needed by other daemons.
By default only ports above 1024 that have not been assigned by IANA are used.
-Give a port number or a range of the form "low-high", without spaces.
+Give a port number or a range of the form "low\-high", without spaces.
.IP
The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements
are processed in the line order of the config file, adding the permitted ports
queries. Use this to make sure unbound does not grab a port that another
daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6.
By default only ports above 1024 that have not been assigned by IANA are used.
-Give a port number or a range of the form "low-high", without spaces.
+Give a port number or a range of the form "low\-high", without spaces.
.TP
.B outgoing\-num\-tcp: \fI<number>
Number of outgoing TCP buffers to allocate per thread. Default is 10. If set
extra query load that is generated. Experimental option.
.TP
.B use\-caps\-for\-id: \fI<yes or no>
-Use 0x20-encoded random bits in the query to foil spoof attempts.
+Use 0x20\-encoded random bits in the query to foil spoof attempts.
This perturbs the lowercase and uppercase of query names sent to
authority servers and checks if the reply still has the correct casing.
Disabled by default.
on your private network, and are not allowed to be returned for public
internet names. Any occurence of such addresses are removed from
DNS answers. Additionally, the DNSSEC validator may mark the answers
-bogus. This protects against so-called DNS Rebinding, where a user browser
+bogus. This protects against so\-called DNS Rebinding, where a user browser
is turned into a network proxy, allowing remote access through the browser
to other parts of your private network. Some names can be allowed to
contain your private addresses, by default all the \fBlocal\-data\fR
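Review bot: two lines above the change in this hunk, "Any occurence of such addresses are removed" has a spelling error ("occurrence") and a number-agreement error ("Any occurrence ... is removed"). It is unchanged context here, but since lintian-driven manpage cleanup is the point of this patch, fold that fix into the same hunk.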
Reverse data for zone 8.B.D.0.1.0.0.2.ip6.arpa. This zone is used for
tutorials and examples. You can remove the block on this zone with:
.nf
- local-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault
+ local\-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault
.fi
This also works with the other default zones.
.\" End of local-zone listing.
commands to the running unbound server. The server uses these clauses
to setup SSLv3 / TLSv1 security for the connection. The
\fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR
-section for options. To setup the correct self-signed certificates use the
+section for options. To setup the correct self\-signed certificates use the
\fIunbound\-control\-setup\fR(8) utility.
.TP 5
.B control\-enable: \fI<yes or no>
clauses. Each with a \fBname:\fR and zero or more hostnames or IP
addresses. For the forward zone this list of nameservers is used to
forward the queries to. The servers listed as \fBforward\-host:\fR and
-\fBforward-addr:\fR have to handle further recursion for the query. Thus,
+\fBforward\-addr:\fR have to handle further recursion for the query. Thus,
those servers are not authority servers, but are (just like unbound is)
recursive servers too; unbound does not perform recursion itself for the
forward zone, it lets the remote server do it. Class IN is assumed.
DNSSEC validation is enabled, just add trust anchors.
If you do not have to worry about programs using more than 3 Mb of memory,
the below example is not for you. Use the defaults to receive full service,
-which on BSD-32bit tops out at 30-40 Mb after heavy usage.
+which on BSD\-32bit tops out at 30\-40 Mb after heavy usage.
.P
.nf
# example settings that reduce memory usage
}
/* we have prepared the new keys so nothing can go wrong any more.
* And we are sure we cannot be left without trustanchor after
- * an errors. Put in the new keys and remove old ones. */
+ * any errors. Put in the new keys and remove old ones. */
/* free the old data */
autr_rrset_delete(tp->ds_rrset);
uint16_t dclass;
/* read the owner name */
char* next = strchr(line, ' ');
- if(!next) return NULL;
+ if(!next)
+ return NULL;
next[0] = 0;
rdf = ldns_dname_new_frm_str(line);
- if(!rdf) return NULL;
+ if(!rdf)
+ return NULL;
labs = dname_count_size_labels(ldns_rdf_data(rdf), &len);
log_assert(len == ldns_rdf_size(rdf));
(*linenr)++;
/* check what the new depth is after the line */
+ /* this routine cannot handle braces inside quotes,
+ say for TXT records, but this routine only has to read keys */
for(i=0; i<poslen; i++) {
if(pos[i] == '(') {
depth++;
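Review bot: the added comment says "braces", but the loop right below it counts '(' (parentheses, the zone-file continuation syntax), so say "parentheses" to match the code. The caveat itself is accurate and worth keeping: a '(' inside a quoted string would be counted as opening a group, so this reader must only ever be fed DS/DNSKEY lines, as the comment states.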
if(ldns_rr_get_type(rr) != LDNS_RR_TYPE_RRSIG)
continue;
t = ldns_rdf2native_int32(ldns_rr_rrsig_expiration(rr));
- if(t > *env->now) {
+ if(t - *env->now > 0) {
t -= *env->now;
if(t < r)
r = t;
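Review bot: the rewritten test `t - *env->now > 0` is only the intended wraparound-safe (serial-arithmetic) comparison if the subtraction is performed in signed 32-bit. `t` holds a 32-bit value from ldns_rdf2native_int32, while `*env->now` has whatever width and signedness time_t has on the platform, so under the usual arithmetic conversions the expression can either collapse back to plain `t > *env->now` (64-bit time_t, no wraparound protection gained) or become an unsigned subtraction that is non-zero for every `t != *env->now` (32-bit unsigned promotion), which would treat already expired RRSIGs as still valid and then wrap `t` on the following `t -= *env->now` line. Make the intent explicit and type-independent: `if((int32_t)t - (int32_t)*env->now > 0)` and `t -= (int32_t)*env->now;`.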
offset = 0;
while (offset < rr1_len && *ldns_buffer_at(rr1_buf, offset) != 0)
offset += *ldns_buffer_at(rr1_buf, offset) + 1;
- /* jump to rdata section (PAST the rdata length field */
- offset += 11;
+ /* jump to rdata section (PAST the rdata length field) */
+ offset += 11; /* 0-dname-end + type + class + ttl + rdatalen */
min_len = (rr1_len < rr2_len) ? rr1_len : rr2_len;
/* compare RRs RDATA byte for byte. */
for(i = offset; i < min_len; i++)
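Review bot: the corrected comment and the `0-dname-end + type + class + ttl + rdatalen` breakdown (1+2+2+4+2 = 11) are right, but `offset` is computed by walking the owner name in rr1_buf only and is then applied to both buffers in the byte-for-byte loop, which is valid only when both RRs have owner names of the same wire length. Either assert that (compare the name regions of both buffers, or walk rr2_buf as well and require equal offsets) or compute the offset per buffer. Also, the name-skipping `while` treats every length byte as a label length, so it must never be handed a compressed name; a one-line comment stating that the buffers hold uncompressed RRs would help the next reader.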