- Fix #714: Document config to block private-address for IPv4

  mapped IPv6 addresses.

git-svn-id: file:///svn/unbound/trunk@3513 be551aaa-1e26-0410-a405-d3ace91eadb9

diff --git a/doc/Changelog b/doc/Changelog
index 99a5d70c2b53ff8531c8648fa5cce94d3b0d58bb..b6b8c3c4c883441013b442960efddaa7c4a1999c 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+23 October 2015: Wouter
+       - Fix #714: Document config to block private-address for IPv4
+         mapped IPv6 addresses.
+
 22 October 2015: Wouter
        - Fix #712: unbound-anchor appears to not fsync root.key.
 

diff --git a/doc/example.conf.in b/doc/example.conf.in
index a89b228dbffc95752791e4dbd7382973de16abea..29a2da75dc7c6e0cbdfa3d62ba92c0523f34ed06 100644 (file)
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -315,6 +315,7 @@ server:
        # private-address: 169.254.0.0/16
        # private-address: fd00::/8
        # private-address: fe80::/10
+       # private-address: ::ffff:0:0/96
 
        # Allow the domain (and its subdomains) to contain private addresses.
        # local-data statements are allowed to contain private addresses too.

diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index 6b265db3e756128078ecd3a3e9fa26179196830f..d75e2b2a7814b7ca810117ce6e33a7495641178c 100644 (file)
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -587,21 +587,22 @@ Can be given multiple times, for different domains.
 .TP
 .B private\-address: \fI<IP address or subnet>
 Give IPv4 of IPv6 addresses or classless subnets. These are addresses
-on your private network, and are not allowed to be returned for public
-internet names.  Any occurence of such addresses are removed from
-DNS answers. Additionally, the DNSSEC validator may mark the answers
-bogus. This protects against so\-called DNS Rebinding, where a user browser
-is turned into a network proxy, allowing remote access through the browser
-to other parts of your private network.  Some names can be allowed to
-contain your private addresses, by default all the \fBlocal\-data\fR
-that you configured is allowed to, and you can specify additional
-names using \fBprivate\-domain\fR.  No private addresses are enabled
-by default.  We consider to enable this for the RFC1918 private IP
-address space by default in later releases. That would enable private 
-addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 
-fd00::/8 and fe80::/10, since the RFC standards say these addresses 
-should not be visible on the public internet.  Turning on 127.0.0.0/8 
-would hinder many spamblocklists as they use that.
+on your private network, and are not allowed to be returned for
+public internet names.  Any occurence of such addresses are removed
+from DNS answers. Additionally, the DNSSEC validator may mark the
+answers bogus. This protects against so\-called DNS Rebinding, where
+a user browser is turned into a network proxy, allowing remote access
+through the browser to other parts of your private network.  Some names
+can be allowed to contain your private addresses, by default all the
+\fBlocal\-data\fR that you configured is allowed to, and you can specify
+additional names using \fBprivate\-domain\fR.  No private addresses are
+enabled by default.  We consider to enable this for the RFC1918 private
+IP address space by default in later releases. That would enable private
+addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
+fd00::/8 and fe80::/10, since the RFC standards say these addresses
+should not be visible on the public internet.  Turning on 127.0.0.0/8
+would hinder many spamblocklists as they use that.  Adding ::ffff:0:0/96
+stops IPv4-mapped IPv6 addresses from bypassing the filter.
 .TP
 .B private\-domain: \fI<domain name>
 Allow this domain, and all its subdomains to contain private addresses.