- Make the default value of module-config "validator iterator"

  regardless of compilation options. --enable-subnet would implicitly
  change the value to enable the subnetcache module by default in the
  past.

diff --git a/doc/Changelog b/doc/Changelog
index 514f5c62b9a2842e8d43a09db6e41276360c4be2..47fcb66045b53db42ea4aa2b1b8ac8918eac8b9f 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,9 @@
+29 January 2025: Yorgos
+       - Make the default value of module-config "validator iterator"
+         regardless of compilation options. --enable-subnet would implicitly
+         change the value to enable the subnetcache module by default in the
+         past.
+
 24 January 2025: Yorgos
        - Merge #1220 from Petr Menšík, Add unbound members group access to
          control key.

diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index c5240d53a9448631c31af0c10f855ba77d613b23..cc109f0b5d500b0c4dc510db52414cc14391a738 100644 (file)
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -1260,9 +1260,6 @@ Adding \fIrespip\fR to the front will cause RPZ processing to be done on
 all queries.
 The default is "\fIvalidator iterator\fR".
 .IP
-When the server is built with
-EDNS client subnet support the default is "\fIsubnetcache validator
-iterator\fR".
 Most modules that need to be listed here have to be listed at the beginning
 of the line.  The subnetcachedb module has to be listed just before
 the iterator.
@@ -2511,8 +2508,8 @@ The dynamic library file to load. Repeat this option for every dynlib module
 instance added to the \fBmodule\-config:\fR option.
 .SS "DNS64 Module Options"
 .LP
-The dns64 module must be configured in the \fBmodule\-config:\fR "dns64
-validator iterator" directive and be compiled into the daemon to be
+The dns64 module must be configured in the \fBmodule\-config:\fR directive
+e.g., "dns64 validator iterator" and be compiled into the daemon to be
 enabled.  These settings go in the \fBserver:\fR section.
 .TP
 .B dns64\-prefix: \fI<IPv6 prefix>\fR
@@ -2612,8 +2609,8 @@ in the dnscrypt nonce cache.  Close to the number of cpus is
 a fairly good setting.
 .SS "EDNS Client Subnet Module Options"
 .LP
-The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache
-validator iterator" directive and be compiled into the daemon to be
+The ECS module must be configured in the \fBmodule\-config:\fR directive e.g.,
+"subnetcache validator iterator" and be compiled into the daemon to be
 enabled.  These settings go in the \fBserver:\fR section.
 .LP
 If the destination address is allowed in the configuration Unbound will add the
@@ -2634,6 +2631,15 @@ configuration file. On top of that, for each query only 100 different subnets
 are allowed to be stored for each address family. Exceeding that number, older
 entries will be purged from cache.
 .LP
+Note that due to the nature of how EDNS Client Subnet works, by segregating the
+client IP space in order to try and have tailored responses for prefixes of
+unknown sizes, resolution and cache response performance are impacted as a
+result.
+Usage of the subnetcache module should only be enabled in installations that
+require such functionality where the resolver and the clients belong to
+different networks.
+An example of that is an open resolver installation.
+.LP
 This module does not interact with the \fBserve\-expired*\fR and
 \fBprefetch:\fR options.
 .TP
@@ -2684,8 +2690,8 @@ Specifies the maximum number of subnets ECS answers kept in the ECS radix tree.
 This number applies for each qname/qclass/qtype tuple. Defaults to 100.
 .SS "Opportunistic IPsec Support Module Options"
 .LP
-The IPsec module must be configured in the \fBmodule\-config:\fR "ipsecmod
-validator iterator" directive and be compiled into Unbound by using
+The IPsec module must be configured in the \fBmodule\-config:\fR directive
+e.g., "ipsecmod validator iterator" and be compiled into Unbound by using
 \fB\-\-enable\-ipsecmod\fR to be enabled.
 These settings go in the \fBserver:\fR section.
 .LP
@@ -2754,8 +2760,8 @@ not specified, all domains are treated as being allowed (default).
 Alternate syntax for \fBipsecmod\-allow\fR.
 .SS "Cache DB Module Options"
 .LP
-The Cache DB module must be configured in the \fBmodule\-config:\fR
-"validator cachedb iterator" directive and be compiled into the daemon
+The Cache DB module must be configured in the \fBmodule\-config:\fR directive
+e.g., "validator cachedb iterator" and be compiled into the daemon
 with \fB\-\-enable\-cachedb\fR.
 If this module is enabled and configured, the specified backend database
 works as a second level cache:

diff --git a/util/config_file.c b/util/config_file.c
index 5fef48ed89659754bef271e865bc9583dda98147..595336e0945de38118753757c460b749c72ac3fa 100644 (file)
--- a/util/config_file.c
+++ b/util/config_file.c
@@ -329,11 +329,7 @@ config_create(void)
        if(!(cfg->control_cert_file = strdup(RUN_DIR"/unbound_control.pem")))
                goto error_exit;
 
-#ifdef CLIENT_SUBNET
-       if(!(cfg->module_conf = strdup("subnetcache validator iterator"))) goto error_exit;
-#else
        if(!(cfg->module_conf = strdup("validator iterator"))) goto error_exit;
-#endif
        if(!(cfg->val_nsec3_key_iterations =
                strdup("1024 150 2048 150 4096 150"))) goto error_exit;
 #if defined(DNSTAP_SOCKET_PATH)