- Fix #1128: Cannot override tcp-upstream and tls-upstream with

  forward-tcp-upstream and forward-tls-upstream.

diff --git a/doc/Changelog b/doc/Changelog
index c28f8b41c7d498aa80d059a778ad24617fb3d598..62f25224d4406165ec39abae6c5772f3af799fe0 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,6 +1,8 @@
 8 October 2024: Wouter
        - Fix #1149: unbound-control-setup hangs sometimes depending on
          the openssl version.
+       - Fix #1128: Cannot override tcp-upstream and tls-upstream with
+         forward-tcp-upstream and forward-tls-upstream.
 
 3 October 2024: Yorgos
        - Fix CVE-2024-8508, unbounded name compression could lead to denial

diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index bc48db4787692b23c0570392badd21580c429561..2a5f6792a71dc883eb9ec8b6c84dffcf440ccb8a 100644 (file)
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -566,6 +566,9 @@ tls\-system\-cert to load CA certs, otherwise the connections cannot be
 authenticated. This option enables TLS for all of them, but if you do not set
 this you can configure TLS specifically for some forward zones with
 forward\-tls\-upstream.  And also with stub\-tls\-upstream.
+If the tls\-upstream option is enabled, it is for all the forwards and stubs,
+where the forward\-tls\-upstream and stub\-tls\-upstream options are ignored,
+as if they had been set to yes.
 .TP
 .B ssl\-upstream: \fI<yes or no>
 Alternate syntax for \fBtls\-upstream\fR.  If both are present in the config