From: W.C.A. Wijngaards Date: Fri, 14 Feb 2020 09:01:37 +0000 (+0100) Subject: dnstap io, dnstap tls default is yes, and man page documentation. X-Git-Tag: 1.11.0rc1~120^2~30 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6d1b4e050d6d766707f1a18b69d684c86877b3cf;p=thirdparty%2Funbound.git dnstap io, dnstap tls default is yes, and man page documentation. --- diff --git a/doc/example.conf.in b/doc/example.conf.in index ec1b1ac70..277ea1977 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -1026,7 +1026,7 @@ remote-control: # # set it to "IPaddress[@port]" of the destination. # dnstap-ip: "" # # if set to yes if you want to use TLS to dnstap-ip, no for TCP. -# dnstap-tls: no +# dnstap-tls: yes # # name for authenticating the upstream server. or "" disabled. # dnstap-tls-server-name: "" # # if "", it uses the cert bundle from the main unbound config. diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index 38c2d2984..86a962430 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in 
@@ -2114,6 +2114,78 @@ If this timeout expires Unbound closes the connection, treats it as if the Redis server does not have the requested data, and will try to re-establish a new connection later. This option defaults to 100 milliseconds. +.SS DNSTAP Logging Options +DNSTAP support, when compiled in, is enabled in the \fBdnstap:\fR section. +.TP +.B dnstap-enable: \fI +If dnstap is enabled. Default no. If yes, it connects to the dnstap server +and if any of the dnstap-log-..-messages options is enabled it sends logs +for those messages to the server. +.TP +.B dnstap-socket-path: \fI +Sets the unix socket file name for connecting to the server that is +listening on that socket. Default is "@DNSTAP_SOCKET_PATH@". +.TP +.B dnstap-ip: \fI +If "", the unix socket is used, if set with an IP address (IPv4 or IPv6) +that address is used to connect to the server. +.TP +.B dnstap-tls: \fI +Set this to use TLS to connect to the server specified in \fBdnstap-ip\fR. +The default is yes. If set to no, TCP is used to connect to the server. +.TP +.B dnstap-tls-server-name: \fI +The TLS server name to authenticate the server with. Used when \fBdnstap-tls\fR is enabled. If "" it is ignored, default "". +.TP +.B dnstap-tls-cert-bundle: \fI +The pem file with certs to verify the TLS server certificate. If "" the +server default cert bundle is used, or the windows cert bundle on windows. +Default is "". +.TP +.B dnstap-tls-client-key-file: \fI +The client key file for TLS client authentication. If "" client +authentication is not used. Default is "". +.TP +.B dnstap-tls-client-cert-file: \fI +The client cert file for TLS client authentication. Default is "". +.TP +.B dnstap-send-identity: \fI +If enabled, the server identity is included in the log messages. +Default is no. +.TP +.B dnstap-send-version: \fI +If enabled, the server version if included in the log messages. +Default is no. +.TP +.B dnstap-identity: \fI +The identity to send with messages, if "" the hostname is used. 
+Default is "". +.TP +.B dnstap-version: \fI +The version to send with messages, if "" the package version is used. +Default is "". +.TP +.B dnstap-log-resolver-query-messages: \fI +Enable to log resolver query messages. Default is no. +These are messages from unbound to upstream servers. +.TP +.B dnstap-log-resolver-response-messages: \fI +Enable to log resolver response messages. Default is no. +These are replies from upstream servers to unbound. +.TP +.B dnstap-log-client-query-messages: \fI +Enable to log client query messages. Default is no. +These are client queries to unbound. +.TP +.B dnstap-log-client-response-messages: \fI +Enable to log client response messages. Default is no. +These are responses from unbound to clients. +.TP +.B dnstap-log-forwarder-query-messages: \fI +Enable to log forwarder query messages. Default is no. +.TP +.B dnstap-log-forwarder-response-messages: \fI +Enable to log forwarder response messages. Default is no. .SS Response Policy Zone Options .LP Response Policy Zones are configured with \fBrpz:\fR, and each one must have a diff --git a/util/config_file.c b/util/config_file.c index 19a5a0bcd..394cf17f3 100644 --- a/util/config_file.c +++ b/util/config_file.c @@ -295,6 +295,7 @@ config_create(void) if(!(cfg->dnstap_socket_path = strdup(DNSTAP_SOCKET_PATH))) goto error_exit; #endif + cfg->dnstap_tls = 1; cfg->disable_dnssec_lame_check = 0; cfg->ip_ratelimit = 0; cfg->ratelimit = 0;
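Review bot: In the doc/example.conf.in hunk, the changed line `# dnstap-tls: yes` now advertises a default of TLS, but the unchanged comment line directly above it ("# # if set to yes if you want to use TLS to dnstap-ip, no for TCP.") is garbled and still reads as if TCP were the normal case; suggest rewording it to something like `# # set to yes to use TLS to dnstap-ip, no for plain TCP (default yes).` so the example matches the new default and the man page text in the same commit.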
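Review bot: In the doc/unbound.conf.5.in hunk, the entry for dnstap-tls-server-name says the name is "ignored" when left at its default of "", which combined with the new dnstap-tls default of yes means a default install verifies the dnstap server's certificate chain but never checks which host the certificate was issued to; the man page should state that consequence explicitly (for example: "If "" no server name check is performed and only the certificate chain is verified.") so operators know to set it. Smaller fixes in the same hunk: "the server version if included in the log messages" should read "is included"; dnstap-tls-client-cert-file should say what "" means, mirroring the key-file entry; dnstap-enable uses "Default no." while every other entry uses "Default is no."; and the two forwarder options lack the "These are ..." sentence that the resolver and client options have.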
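Review bot: In the util/config_file.c hunk, `cfg->dnstap_tls = 1;` is added after the `#endif` that closes the dnstap-specific block, so the default is set regardless of whether dnstap support is compiled in; that is only correct if the dnstap_tls field is declared unconditionally in the config struct, and for readability it would be better placed next to the dnstap_socket_path default it belongs with. Since this flips the effective default from plain TCP to TLS for any existing deployment that sets dnstap-ip without an explicit dnstap-tls line, the commit message (or changelog) should say that such configurations must now add `dnstap-tls: no` or run a TLS-capable dnstap collector, otherwise the connection will fail after upgrade.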