not hamper future protocol developments.
resolvers. The new choice, down from 4096 means it is harder to get
large responses from Unbound. Thanks to Xiang Li, from NISL Lab,
Tsinghua University.
- - Add harden-unknown-additional option. Default on and it removes
+ - Add harden-unknown-additional option. It removes
unknown records from the authority section and additional section.
Thanks to Xiang Li, from NISL Lab, Tsinghua University.
+ - Set default for harden-unknown-additional to no. So that it does
+ not hamper future protocol developments.
18 January 2023: Wouter
- Fix not following cleared RD flags potentially enables amplification
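Review bot: the earlier changelog entry for harden-unknown-additional is rewritten in place (the "Default on and" wording is dropped) while a new entry records the default change; editing a historical entry makes it harder to reconstruct what shipped with which release, so leave the original entry as written and let the new "Set default for harden-unknown-additional to no" entry carry the change. The new entry should also say that operators who want the stricter behaviour now have to set `harden-unknown-additional: yes` explicitly, since the hardening is silently lost on upgrade otherwise.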
# Harden against unknown records in the authority section and the
# additional section.
- # harden-unknown-additional: yes
+ # harden-unknown-additional: no
# Sent minimum amount of information to upstream servers to enhance
# privacy. Only sent minimum required labels of the QNAME and set QTYPE
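Review bot: the commented example keeps the description "Harden against unknown records in the authority section and the additional section" but the shown value is now `no`, so a reader skimming example.conf cannot tell that this is the default and that it intentionally lets such records through. Suggest adding a comment line alongside the other hardening options stating that the default is no because unknown records may belong to future protocol extensions, mirroring the wording in the man page, so the example and the manual agree on the rationale.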
.TP
.B harden\-unknown\-additional: \fI<yes or no>
Harden against unknown records in the authority section and additional
-section. Default is yes. If no, such records are copied from the upstream
-and presented to the client together with the answer.
+section. Default is no. If no, such records are copied from the upstream
+and presented to the client together with the answer. If yes, it could
+hamper future protocol developments that want to add records.
.TP
.B use\-caps\-for\-id: \fI<yes or no>
Use 0x20\-encoded random bits in the query to foil spoof attempts.
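Review bot: in the rewritten man page text, "Default is no. If no, such records are copied from the upstream and presented to the client together with the answer. If yes, it could hamper future protocol developments that want to add records." states the downside of `yes` but no longer explains what `yes` protects against, which the option name implies. Suggest keeping one sentence describing the hardening behaviour when enabled (unknown records in the authority and additional sections are removed) before the default and the trade-off, so an operator can decide whether to turn it on. The "Default is no" wording does match the new value in util/config_file.c.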
cfg->harden_below_nxdomain = 1;
cfg->harden_referral_path = 0;
cfg->harden_algo_downgrade = 0;
- cfg->harden_unknown_additional = 1;
+ cfg->harden_unknown_additional = 0;
cfg->use_caps_bits_for_id = 0;
cfg->caps_whitelist = NULL;
cfg->private_address = NULL;
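Review bot: `cfg->harden_unknown_additional = 0;` is consistent with the man page and example.conf, but this hunk only changes the compiled-in default; please confirm that the option parser still accepts and applies `yes`, and that any test configurations or expected-output files that relied on the previous default of 1 either set the option explicitly or have updated expectations, otherwise the behaviour change goes untested.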