- Update generated man pages.

diff --git a/doc/Changelog b/doc/Changelog
index 4aac9feab025f3e1091bd3bfe224af0634dbecd3..e75bad2b22c378e1fafae77b523fa2b947a9384e 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,5 +1,6 @@
 27 February 2026: Wouter
        - Merge #1409: Documentation CNAME in redirect-type local-zone.
+       - Update generated man pages.
 
 25 February 2026: Wouter
        - Fix validator to set unchecked when validation recursion

diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index d24872d8edc7ff515e1b5a7575817cc39a00ab8c..194a3c076f5b8a6e882c457178db20e923d1ce99 100644 (file)
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -3013,6 +3013,39 @@ local\-data: \(dqexample.com. A 127.0.0.1\(dq
 queries for \fBwww.example.com\fP and \fBwww.foo.example.com\fP are
 redirected, so that users with web browsers cannot access sites with
 suffix example.com.
+.sp
+A \fBCNAME\fP record can also be provided via local\-data:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+local\-zone: \(dqexample.com.\(dq redirect
+local\-data: \(dqexample.com. CNAME www.example.org.\(dq
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+In that case, the \fBCNAME\fP is resolved and the answer
+includes resolved target records as well.
+The \fBCNAME\fP record has to be with the zone name of the local\-zone,
+and there can be one CNAME, not more.
+The \fBCNAME\fP record has to be at the zone apex of the
+\fBredirect\fP zone, then it is used for redirection.
+The resolution proceeds with upstream DNS resolution, and
+that does not include the lookup in local zones.
+So the record is not able to point in local zones, but it
+can point to upstream DNS answers.
+.sp
+\fBCNAME\fP resolution is supported only in type \fBredirect\fP
+local\-zone, and in type \fBinform_redirect\fP local\-zone.
+.sp
+As different from \fBCNAME\fP records that are used elsewhere, in
+the \fBredirect\fP type local\-zone, it is supported that in the target
+of the record a wildcard label gets expanded to the query name, with
+for example: \fBexample.com. CNAME *.foo.net.\fP gets expanded
+to \fBwww.example.com. CNAME www.example.com.foo.net.\fP\&.
 .UNINDENT
 .INDENT 7.0
 .TP
@@ -3071,6 +3104,9 @@ use IPv6 protocol and avoid any queries to IPv4.
 .B always_refuse 
 Like \fI\%refuse\fP, but ignores
 local data and refuses the query.
+This type also blocks queries of type DS for the zone name.
+That can break the DNSSEC chain of trust, but it is refused anyway.
+The block for type DS assists in more completely blocking the zone.
 .UNINDENT
 .INDENT 7.0
 .TP
@@ -4759,6 +4795,17 @@ Default: no
 Use a specific NAT64 prefix to reach IPv4\-only servers.
 The prefix length must be one of /32, /40, /48, /56, /64 or /96.
 .sp
+The NAT64 prefix is allowed by the
+\fI\%do\-not\-query\-address\fP option,
+so that there is a clear outcome of addresses in both; the NAT64 prefix
+is allowed.
+The IPv4 address could be filtered by the
+\fI\%do\-not\-query\-address\fP option,
+if needed.
+Allowing the NAT64 prefix is useful when using do\-not\-query\-address
+for a cluster of machines that is IPv6\-only and uses NAT64, but does
+not have internet access.
+.sp
 Default: 64:ff9b::/96 (same as \fI\%dns64\-prefix\fP)
 .UNINDENT
 .SH DNSCRYPT OPTIONS