1 November 2011: Wouter
- dns over ssl support as a client, ssl-upstream yes turns it on.
It performs an SSL transaction for every DNS query (250 msec).
+ - documentation for new options: ssl-upstream, ssl-service-key and
+ ssl-service.pem.
31 October 2011: Wouter
- dns over ssl support, ssl-service-pem and ssl-service-key files
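Review bot: the option name in the 1 November entry, "ssl-service.pem", does not match the option this same patch introduces elsewhere (ssl-service-pem in the example config, ssl\-service\-pem in the man page); spell it "ssl-service-pem" so a search of the Changelog for the option finds it. The 31 October entry below already uses the correct name.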
# you need to do the reverse notation yourself.
# local-data-ptr: "192.0.2.3 www.example.com"
+ # service clients over SSL (on the TCP sockets), with plain DNS inside
+ # the SSL stream. Give the certificate to use and private key.
+ # default is "" (disabled). requires restart to take effect.
+ # ssl-service-key: "path/to/privatekeyfile.key"
+ # ssl-service-pem: "path/to/publiccertfile.pem"
+
+ # request upstream over SSL (with plain DNS inside the SSL stream).
+ # Default is no. Can be turned on and off with unbound-control.
+ # ssl-upstream: no
+
# Python config section. To enable:
# o use --with-pythonmodule to configure before compiling.
# o list python in the module-config string (above) to enable.
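Review bot: the example comment for ssl-service-key leaves out two facts that the man page text in this same patch relies on: the private key is read while root permissions are held and before chroot, so the path in "# ssl-service-key: "path/to/privatekeyfile.key"" is relative to the real filesystem rather than the chroot directory, and the file holds a private key, so it should be owned by and readable only by root. A one-line hint here would stop users from dropping the key into the chroot world-readable. The comment also says nothing about plain DNS TCP clients; the man page warns that normal TCP service is no longer provided on those sockets and recommends a separate port: or @port interface, and since this is the file most users copy from, the same warning (or an @port interface example) belongs here too.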
harden\-referral\-path, prefetch, prefetch\-key, log\-queries,
hide\-identity, hide\-version, identity, version, val\-log\-level,
val\-log\-squelch, ignore\-cd\-flag, add\-holddown, del\-holddown,
-keep\-missing, tcp\-upstream.
+keep\-missing, tcp\-upstream, ssl\-upstream.
.TP
.B get_option \fIopt
Get the value of the option. Give the option name without a trailing ':'.
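Review bot: ssl\-upstream belongs in this runtime-settable list given the "Can be turned on and off with unbound-control" text elsewhere in the patch, and ssl\-service\-key and ssl\-service\-pem are rightly left out because they require a restart; what the entry does not convey is the failure mode, namely that setting it to yes against upstreams that do not serve DNS over SSL makes every upstream query fail until it is set back to no. If a short parenthetical is too much for this list, the ssl\-upstream description in unbound.conf(5) should carry it instead.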
Enable or disable whether the upstream queries use TCP only for transport.
Default is no. Useful in tunneling scenarios.
.TP
+.B ssl\-upstream: \fI<yes or no>
+Enabled or disable whether the upstream queries use SSL only for transport.
+Default is no. Useful in tunneling scenarios. The SSL contains plain DNS in
+TCP wireformat. The other server must support this (see \fBssl\-service\-key\fR).
+.TP
+.B ssl\-service-key: \fI<file>
+If enabled, the server provider SSL service on its TCP sockets. The clients
+have to use ssl\-upstream: yes. The file is the private key for the TLS
+session. The public certificate is in the ssl\-service\-pem file. Default
+is "", turned off. Requires a restart (a reload is not enough) if changed,
+because the private key is read while root permissions are held and before
+chroot (if any). Normal DNS TCP service is not provided and gives errors,
+this service is best run with a different \fBport:\fR config or \fI@port\fR
+suffixes in the \fBinterface\fR config.
+.TP
+.B ssl\-service\-pem: \fI<file>
+The public key certificate pem file for the ssl service. Default is "",
+turned off.
+.TP
.B do\-daemonize: \fI<yes or no>
Enable or disable whether the unbound server forks into the background as
a daemon. Default is yes.
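Review bot: the new ssl\-upstream text never says whether the certificate presented by the upstream server is verified, nor against which trust anchors; without verification the SSL stream protects only against passive observers, and "Useful in tunneling scenarios" suggests that is the intended threat model, so state explicitly what, if anything, is checked, especially since ssl\-service\-pem implies a self-managed certificate that clients have no anchor for. Smaller fixes in the same hunk: "Enabled or disable" should be "Enable or disable"; "the server provider SSL service" should be "the server provides SSL service"; the heading ".B ssl\-service-key:" is missing the escaped hyphen in "service-key" (compare ".B ssl\-service\-pem:" and the \fBssl\-service\-key\fR reference a few lines above it), so it renders differently from every other mention; and the restart requirement is worth repeating under ssl\-service\-pem, which currently says only "Default is "", turned off".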