From: W.C.A. Wijngaards Date: Thu, 19 Jan 2023 14:45:10 +0000 (+0100) Subject: - Set default for harden-unknown-additional to no. So that it does X-Git-Tag: release-1.18.0rc1~24^2~84 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c9233f84290fc4aa55e7a144a038834e34085abd;p=thirdparty%2Funbound.git - Set default for harden-unknown-additional to no. So that it does not hamper future protocol developments. --- diff --git a/doc/Changelog b/doc/Changelog index 2de00f017..33450ab93 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -5,9 +5,11 @@ resolvers. The new choice, down from 4096 means it is harder to get large responses from Unbound. Thanks to Xiang Li, from NISL Lab, Tsinghua University. - - Add harden-unknown-additional option. Default on and it removes + - Add harden-unknown-additional option. It removes unknown records from the authority section and additional section. Thanks to Xiang Li, from NISL Lab, Tsinghua University. + - Set default for harden-unknown-additional to no. So that it does + not hamper future protocol developments. 18 January 2023: Wouter - Fix not following cleared RD flags potentially enables amplification diff --git a/doc/example.conf.in b/doc/example.conf.in index ca8f95a5e..8d8a057ad 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -505,7 +505,7 @@ server: # Harden against unknown records in the authority section and the # additional section. - # harden-unknown-additional: yes + # harden-unknown-additional: no # Sent minimum amount of information to upstream servers to enhance # privacy. Only sent minimum required labels of the QNAME and set QTYPE diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index 075f4b28e..93150aea3 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in 
@@ -1022,8 +1022,9 @@ this option off avoids that validation failure. .TP .B harden\-unknown\-additional: \fI Harden against unknown records in the authority section and additional -section. Default is yes. If no, such records are copied from the upstream -and presented to the client together with the answer. +section. Default is no. If no, such records are copied from the upstream +and presented to the client together with the answer. If yes, it could +hamper future protocol developments that want to add records. .TP .B use\-caps\-for\-id: \fI Use 0x20\-encoded random bits in the query to foil spoof attempts. diff --git a/util/config_file.c b/util/config_file.c index 5f605c5b1..b41e66468 100644 --- a/util/config_file.c +++ b/util/config_file.c @@ -233,7 +233,7 @@ config_create(void) cfg->harden_below_nxdomain = 1; cfg->harden_referral_path = 0; cfg->harden_algo_downgrade = 0; - cfg->harden_unknown_additional = 1; + cfg->harden_unknown_additional = 0; cfg->use_caps_bits_for_id = 0; cfg->caps_whitelist = NULL; cfg->private_address = NULL;
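Review bot: in the doc/Changelog hunk, the 19 January entry now carries two adjacent items for the same option (the edited "Add harden-unknown-additional option" line and the new "Set default ... to no" lines); since both land in the same day's block, folding them into one item, e.g. "Add harden-unknown-additional option, default no, that removes unknown records from the authority and additional sections", reads more clearly than an item that amends the item directly above it.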
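Review bot: in the doc/unbound.conf.5.in hunk, the added sentence "If yes, it could hamper future protocol developments that want to add records." states only the cost of turning the option on, while the sentence for `no` describes the pass-through behaviour; now that the default flips to `no`, the man page should also spell out what `yes` buys (unknown authority and additional records are removed rather than copied from upstream to the client, as the first lines of the paragraph and the Changelog hunk say) so an operator can weigh both sides. Suggested wording for the `yes` case: "If yes, such records are removed, which limits what an upstream can add to a response, but this could hamper future protocol developments that want to add records."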
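Review bot: in the util/config_file.c hunk, `cfg->harden_unknown_additional = 0;` changes the compiled-in default with no comment, and the same default is restated by hand in doc/example.conf.in (`# harden-unknown-additional: no`) and doc/unbound.conf.5.in ("Default is no."); a short comment beside the assignment giving the reason ("off by default so it does not hamper future protocol developments", per the Changelog hunk) would keep the rationale next to the value, and the three places should be checked together in any later change so the code default and the documented default do not drift apart again.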