From: W.C.A. Wijngaards Date: Fri, 17 Apr 2026 14:32:02 +0000 (+0200) Subject: - Update generated man pages. X-Git-Tag: release-1.25.0rc1~16 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=c996671a1f07d907bfe2427c956b28bd924e461a;p=thirdparty%2Funbound.git - Update generated man pages. --- diff --git a/doc/Changelog b/doc/Changelog index 8a6089c61..53595e53c 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -15,6 +15,7 @@ function. - Fix ttl comparisons in rdata_copy for 32bit signed or unsigned. - Fix subnet store of servfail to not leak memory. + - Update generated man pages. 17 April 2026: Yorgos - Merge #1400: Support pthread_setname_np. Adds support for diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in index 5fcf055d0..e07684019 100644 --- a/doc/unbound-control.8.in +++ b/doc/unbound-control.8.in @@ -168,6 +168,8 @@ ipset, \fI\%tcp\-auth\-query\-timeout\fP, \fI\%delay\-close\fP\&. \fI\%iter\-scrub\-promiscuous\fP\&. +\fI\%tls\-service\-key\fP\&. +\fI\%tls\-service\-pem\fP\&. .sp It does not work with \fI\%interface\fP and diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index f4bc93800..25fcca373 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in 
@@ -1139,9 +1139,13 @@ The file must contain the private key for the TLS session, the public certificate is in the \fI\%tls\-service\-pem\fP file and it must also be specified if \fI\%tls\-service\-key\fP is specified. -Enabling or disabling this service requires a restart (a reload is not -enough), because the key is read while root permissions are held and before -chroot (if any). +If the key is stored with root permissions or outside of chroot, then +a change or enabling or disabling requires a restart (a reload is not +enough). +But if the key file (and tls\-service\-pem file) are accessible, then they +are read in on reload, and fast_reload. +The server checks the modification time of the file (and the filename) +to see if the file has changed for reload. The ports enabled implicitly or explicitly via \fI\%tls\-port\fP and \fI\%https\-port\fP do not provide normal DNS TCP @@ -3765,6 +3769,10 @@ Default: 32 Hard limit on the number of times Unbound is allowed to restart a query upon encountering a CNAME record. Results in SERVFAIL when reached. +This applies to chained CNAME records but not sporadic CNAME records that +could be encountered in the lifetime of the query\(aqs resolution effort. +When a CNAME chain concludes, the counter keeping track of this limit is +reset. Changing this value needs caution as it can allow long CNAME chains to be accepted, where Unbound needs to verify (resolve) each link individually. .sp @@ -3792,6 +3800,16 @@ Default: 11 .UNINDENT .INDENT 0.0 .TP +.B iter\-scrub\-rrsig: \fI\fP +Limit on the number of RRSIGs allowed for an RRset, from the iterator +scrubber. +This protects against an overly large number of RRSIGs. +Clips off the remainder of the RRSIG list at that point. +.sp +Default: 8 +.UNINDENT +.INDENT 0.0 +.TP .B max\-global\-quota: \fI\fP Limit on the number of upstream queries sent out for an incoming query and its subqueries from recursion. 
@@ -3973,7 +3991,7 @@ Default: no .UNINDENT .INDENT 0.0 .TP -.B control\-interface: \fI\fP +.B control\-interface: \fI\fP Give IPv4 or IPv6 addresses or local socket path to listen on for control commands. If an interface name is used instead of an IP address, the list of IP
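Review bot: In doc/unbound-control.8.in at @@ -168, the two added entries `\fI\%tls\-service\-key\fP\&.` and `\fI\%tls\-service\-pem\fP\&.` each end in a period, as does the `iter\-scrub\-promiscuous` entry before them, while the earlier entries in the same list are comma-separated. The rendered page therefore shows a run of one-word sentences instead of one list. Since the commit subject says these pages are generated, the separator is best fixed in the source they are generated from: commas between entries and a single period after the last one.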
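Review bot: In doc/unbound.conf.5.in at @@ -1139, the word "accessible" in "if the key file (and tls\-service\-pem file) are accessible" is not defined, and it is the condition that decides whether a reload is enough. The preceding sentence contrasts it with "stored with root permissions or outside of chroot", so it would be clearer to say so directly, for example "readable after privileges are dropped and from inside the chroot". It is also worth stating the consequence of the last added sentence: because the check uses the modification time and the filename, a key replaced under the same name with an unchanged modification time is treated as unchanged on reload. As a style point, `fast_reload` is written bare, unlike the option names around it, which use `\fI\%...\fP`.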
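Review bot: In doc/unbound.conf.5.in at @@ -3765, the added text separates "chained CNAME records" from "sporadic CNAME records" without defining either, and does not say what event counts as a chain having "concluded". A reader cannot tell when the counter resets, and so cannot tell what the limit actually bounds over the lifetime of a query. Given that the unchanged context already warns that "Changing this value needs caution", a sentence defining a chain (consecutive restarts of the same query) and the reset condition would make the limit easier to reason about.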
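Review bot: In doc/unbound.conf.5.in at @@ -3792, the new iter\-scrub\-rrsig entry says the scrubber "Clips off the remainder of the RRSIG list at that point" but not what the operator should expect when that happens. The text should state whether the RRset is still passed on with the remaining RRSIGs, what the outcome is if the only signature that would validate is among those clipped, and whether a value of 0 disables the limit. Without that, an operator lowering or raising the default of 8 cannot judge the effect on validation.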