- iana portlist updated.
- bug#291: DNS wireformat max is 255. dname_valid allowed 256 length.
- verbose output includes parent-side-address notion for lameness.
+ - documented val-log-level: 2 setting in example.conf and man page.
+ - change unbound-control-setup from 1024(sha1) to 1536(sha256).
1 January 2010: Wouter
- iana portlist updated.
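Review bot: the Changelog entry for the 1024(sha1) to 1536(sha256) change should say that existing installations keep their old keys, because unbound-control-setup does not recreate keys that already exist ("do not recreate if they already exist"); operators who want the new key size and digest have to remove the old unbound_server/unbound_control key and pem files and rerun the script. Suggest extending the second line to "existing keys are not regenerated; remove them and rerun unbound-control-setup to upgrade".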
# val-permissive-mode: no
# Have the validator log failed validations for your diagnosis.
- # 0: off. 1: A line per failed user query.
+ # 0: off. 1: A line per failed user query. 2: With reason and bad IP.
# val-log-level: 0
# It is possible to configure NSEC3 maximum iteration counts per
protentially bad data in the additional section.
.TP
.B val\-log\-level: \fI<number>
-Have the validator print validation failures to the log. Regardless of the
-verbosity setting. Default is 0, off. At 1, for every user query that fails
-a line is printed to the logs. This way you can monitor what happens with
-validation. Use a diagnosis tool, such as dig or drill, to find out why
-validation is failing for these queries.
+Have the validator print validation failures to the log. Regardless of
+the verbosity setting. Default is 0, off. At 1, for every user query
+that fails a line is printed to the logs. This way you can monitor what
+happens with validation. Use a diagnosis tool, such as dig or drill,
+to find out why validation is failing for these queries. At 2, not only
+the query that failed is printed but also the reason why unbound thought
+it was wrong and which server sent the faulty data.
.TP
.B val\-permissive\-mode: \fI<yes or no>
Instruct the validator to mark bogus messages as indeterminate. The security
DAYS=7200
# size of keys in bits
-BITS=1024
+BITS=1536
+
+# hash algorithm
+HASH=sha256
# base name for unbound server keys
SVR_BASE=unbound_server
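Review bot: the "# hash algorithm" comment should state that HASH must be a digest name OpenSSL understands, since the same value is used both as default_md in request.cfg and as a command-line option to openssl x509; an arbitrary string here fails in two places with unhelpful errors. The jump to BITS=1536 is also undocumented in the comment; either note why this size was chosen or use 2048, the common recommended RSA size, so readers do not wonder whether 1536 is a typo.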
# go!:
echo "setup in directory $DESTDIR"
-cd "$DESTDIR" || error "could not cd"
+cd "$DESTDIR" || error "could not cd to $DESTDIR"
# create certificate keys; do not recreate if they already exist.
if test -f $SVR_BASE.key; then
cat >request.cfg <<EOF
[req]
default_bits=$BITS
-default_md=sha1
+default_md=$HASH
prompt=no
distinguished_name=req_distinguished_name
cat >request.cfg <<EOF
[req]
default_bits=$BITS
-default_md=sha1
+default_md=$HASH
prompt=no
distinguished_name=req_distinguished_name
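Review bot: request.cfg is generated twice with identical [req] content (default_bits, default_md, prompt, distinguished_name), so the digest and key size now have to be kept in sync in two heredocs; factor the heredoc into a small shell function, or write request.cfg once before both openssl req invocations, so that a future change to BITS or HASH only touches one place.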
test -f request.cfg || error "could not create request.cfg"
echo "create $CTL_BASE.pem (signed client certificate)"
-openssl req -key $CTL_BASE.key -config request.cfg -new | openssl x509 -req -days $DAYS -CA $SVR_BASE"_trust.pem" -CAkey $SVR_BASE.key -CAcreateserial -out $CTL_BASE.pem
+openssl req -key $CTL_BASE.key -config request.cfg -new | openssl x509 -req -days $DAYS -CA $SVR_BASE"_trust.pem" -CAkey $SVR_BASE.key -CAcreateserial -$HASH -out $CTL_BASE.pem
test -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem"
# create trusted usage pem
# openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem"
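Review bot: a failure of openssl req on the left side of the pipe is masked because only the exit status of openssl x509 is seen, and the following "test -f $CTL_BASE.pem" cannot distinguish a certificate signed from a truncated or empty request; either split the pipeline into two steps with an error check on the request, or enable pipefail where the shell supports it. Please also confirm that the self-signed server certificate command, which is not part of this diff, picks up $HASH as well (via default_md in request.cfg or an explicit option), otherwise the server cert stays sha1 while the client cert moves to sha256.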