- Update generated man pages.

diff --git a/doc/Changelog b/doc/Changelog
index 8a6089c61ae92da377e6d665667129be29a56a46..53595e53c252038ad6e092c4f790acff2b830038 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -15,6 +15,7 @@
          function.
        - Fix ttl comparisons in rdata_copy for 32bit signed or unsigned.
        - Fix subnet store of servfail to not leak memory.
+       - Update generated man pages.
 
 17 April 2026: Yorgos
        - Merge #1400: Support pthread_setname_np. Adds support for

diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in
index 5fcf055d0dbb63c3e20c66dbcce71b94a169d290..e07684019a5a41f31c3e96ac822f439f575518a1 100644 (file)
--- a/doc/unbound-control.8.in
+++ b/doc/unbound-control.8.in
@@ -168,6 +168,8 @@ ipset,
 \fI\%tcp\-auth\-query\-timeout\fP,
 \fI\%delay\-close\fP\&.
 \fI\%iter\-scrub\-promiscuous\fP\&.
+\fI\%tls\-service\-key\fP\&.
+\fI\%tls\-service\-pem\fP\&.
 .sp
 It does not work with
 \fI\%interface\fP and

diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index f4bc93800aeefe5b46ebbdd8bd8c554eecccbc63..25fcca373a9ea22f747112d2932b7abd0730528f 100644 (file)
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -1139,9 +1139,13 @@ The file must contain the private key for the TLS session, the public
 certificate is in the \fI\%tls\-service\-pem\fP
 file and it must also be specified if
 \fI\%tls\-service\-key\fP is specified.
-Enabling or disabling this service requires a restart (a reload is not
-enough), because the key is read while root permissions are held and before
-chroot (if any).
+If the key is stored with root permissions or outside of chroot, then
+a change or enabling or disabling requires a restart (a reload is not
+enough).
+But if the key file (and tls\-service\-pem file) are accessible, then they
+are read in on reload, and fast_reload.
+The server checks the modification time of the file (and the filename)
+to see if the file has changed for reload.
 The ports enabled implicitly or explicitly via
 \fI\%tls\-port\fP and
 \fI\%https\-port\fP do not provide normal DNS TCP
@@ -3765,6 +3769,10 @@ Default: 32
 Hard limit on the number of times Unbound is allowed to restart a query
 upon encountering a CNAME record.
 Results in SERVFAIL when reached.
+This applies to chained CNAME records but not sporadic CNAME records that
+could be encountered in the lifetime of the query\(aqs resolution effort.
+When a CNAME chain concludes, the counter keeping track of this limit is
+reset.
 Changing this value needs caution as it can allow long CNAME chains to be
 accepted, where Unbound needs to verify (resolve) each link individually.
 .sp
@@ -3792,6 +3800,16 @@ Default: 11
 .UNINDENT
 .INDENT 0.0
 .TP
+.B iter\-scrub\-rrsig: \fI<number>\fP 
+Limit on the number of RRSIGs allowed for an RRset, from the iterator
+scrubber.
+This protects against an overly large number of RRSIGs.
+Clips off the remainder of the RRSIG list at that point.
+.sp
+Default: 8
+.UNINDENT
+.INDENT 0.0
+.TP
 .B max\-global\-quota: \fI<number>\fP 
 Limit on the number of upstream queries sent out for an incoming query and
 its subqueries from recursion.
@@ -3973,7 +3991,7 @@ Default: no
 .UNINDENT
 .INDENT 0.0
 .TP
-.B control\-interface: \fI<IP address or interface name or path>\fP 
+.B control\-interface: \fI<IP address or interface name[@port] or path>\fP 
 Give IPv4 or IPv6 addresses or local socket path to listen on for control
 commands.
 If an interface name is used instead of an IP address, the list of IP