From: Ralph Dolmans Date: Tue, 4 Jun 2019 13:39:08 +0000 (+0200) Subject: Add RPZ config options to unbound.conf man page. X-Git-Tag: release-1.10.0rc1~28^2~28^2~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a77c35ef50833a8cc6f506190ba430f16e8cab6f;p=thirdparty%2Funbound.git Add RPZ config options to unbound.conf man page. --- diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index eff757e67..cee2393b4 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in 
@@ -2073,6 +2073,56 @@ If this timeout expires Unbound closes the connection, treats it as if the Redis server does not have the requested data, and will try to re-establish a new connection later. This option defaults to 100 milliseconds. +.SS Response Policy Zone Options +.LP +Response Policy Zones are configured with \fBrpz:\fR, and each one must have a +\fBname:\fR. There can be multiple ones, by listing multiple rpz clauses, each +with a different name. RPZ clauses are applied in order of configuration. +.P +Only the QNAME trigger is supported. The supported RPZ actions are: NXDOMAIN, +NODATA, PASSTHRU, DROP and Local Data. RPZ QNAME triggers are applied after +\fBlocal-zones\fR and before \fBauth-zones\fR. +.TP +.B name: \fI +Name of the authority zone. +.TP +.B master: \fI +Where to download a copy of the zone from, with AXFR and IXFR. Multiple +masters can be specified. They are all tried if one fails. +.TP +.B allow\-notify: \fI +With allow\-notify you can specify additional sources of notifies. +When notified, the server attempts to first probe and then zone transfer. +If the notify is from a master, it first attempts that master. Otherwise +other masters are attempted. If there are no masters, but only urls, the +file is downloaded when notified. The masters from master: statements are +allowed notify by default. +.TP +.B zonefile: \fI +The filename where the zone is stored. If not given then no zonefile is used. +If the file does not exist or is empty, unbound will attempt to fetch zone +data (eg. from the master servers). +.TP +.B rpz\-action\-override: \fI +Always use this RPZ action for matching triggers from this zone. Possible action +are: nxdomain, nodata, passthru, drop, disabled and cname. +.TP +.B rpz\-cname\-override: \fI +The CNAME target domain to use if the cname action is configured for +\fBrpz\-action\-override\fR. +.TP +.B rpz\-log: \fI +Log all applied RPZ actions. Default is no. 
+.TP +.B rpz\-log\-name: \fI +Specify a string to be part of the log line, for easy referencing. +.TP +.B tags: \fI +Limit the policies from this RPZ clause to clients with a matching tag. Tags +need to be defined in \fBdefine\-tag\fR and can be assiged to client addresses +using \fBaccess\-control\-tag\fR. Enclose list of tags in quotes ("") and put +spaces between tags. If no tags are specified the policies from this clause will +be applied for all clients. .SH "MEMORY CONTROL EXAMPLE" In the example config settings below memory usage is reduced. Some service levels are lower, notable very large data and a high TCP load are no longer
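Review bot: the `allow-notify:` text in this hunk refers to URL sources ("If there are no masters, but only urls, the file is downloaded when notified"), but the new RPZ section documents no `url:` option, so a reader is pointed at an option this man page does not define; either document `url:` among the rpz options or drop that sentence. Two typos in the same hunk: under `rpz-action-override:` "Possible action are" should read "Possible actions are", and under `tags:` "assiged" should read "assigned" (and "eg." under `zonefile:` would normally be "e.g."). Finally, every option heading is written as `.B name: \fI` with the italic font switch left open and no value placeholder after it; a form such as `.B name: \fI<zone name>\fR` shows the reader what kind of value the option takes and closes the font change.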