From 72d0d523e9ba740d21ae6b03902eacd6100dd594 Mon Sep 17 00:00:00 2001 From: Cy Schubert Date: Sun, 23 Jan 2022 22:21:49 -0800 Subject: [PATCH] UPDATING: Document unbound support of RFC8375 As of unbound 1.14.0rc1, as per RFC8375 unbound by default blocks 'home.arpa'. Document this new behaviour and how to unblock it. Reported by: avg Discussed with: glebius, avg RFC: 8375, Section 6: Security Considerations --- UPDATING | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/UPDATING b/UPDATING index 53a31d6217f..3c8b9aa8463 100644 --- a/UPDATING +++ b/UPDATING @@ -27,6 +27,21 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 14.x IS SLOW: world, or to merely disable the most expensive debugging functionality at runtime, run "ln -s 'abort:false,junk:false' /etc/malloc.conf".) +20211202: + Unbound support for RFC8375: The special-use domain 'home.arpa' is + by default blocked. To unblock it use a local-zone nodefault + statement in unbound.conf: + local-zone: "home.arpa." nodefault + + Or use another type of local-zone to override with your choice. + + The reason for this is discussed in Section 6.1 of RFC8375: + Because 'home.arpa.' is not globally scoped and cannot be secured + using DNSSEC based on the root domain's trust anchor, there is no way + to tell, using a standard DNS query, in which homenet scope an answer + belongs. Consequently, users may experience surprising results with + such names when roaming to different homenets. + 20211230: The macros provided for the manipulation of CPU sets (e.g. CPU_AND) have been modified to take 2 source arguments instead of only 1.
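Review bot: The new 20211202 entry is inserted above the existing 20211230 entry, so an older date now sits ahead of a newer one at the top of the entry list; if UPDATING is kept newest-first, this block belongs below the 20211230 entry. The entry also leaves out the version named in the commit message (unbound 1.14.0rc1), which a reader needs in order to tell whether the default block of 'home.arpa' applies to their system, so consider adding it to the first sentence. The commit message cites Section 6 of RFC8375 while the entry cites Section 6.1; the two should agree. Finally, the paragraph beginning "Because 'home.arpa.' is not globally scoped" reads as a quotation from the RFC and would be clearer if marked as one.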