UPDATING: Document unbound support of RFC8375
As of unbound 1.14.0rc1, as per RFC8375 unbound by default blocks 'home.arpa'. Document this new behaviour and how to unblock it.

Reported by: avg
Discussed with: glebius, avg
RFC: 8375, Section 6: Security Considerations
@@ -27,6 +27,21 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 14.x IS SLOW:
|
|||||||
world, or to merely disable the most expensive debugging functionality
|
world, or to merely disable the most expensive debugging functionality
|
||||||
at runtime, run "ln -s 'abort:false,junk:false' /etc/malloc.conf".)
|
at runtime, run "ln -s 'abort:false,junk:false' /etc/malloc.conf".)
|
||||||
|
|
||||||
|
20211202:
|
||||||
|
Unbound support for RFC8375: The special-use domain 'home.arpa' is
|
||||||
|
by default blocked. To unblock it use a local-zone nodefault
|
||||||
|
statement in unbound.conf:
|
||||||
|
local-zone: "home.arpa." nodefault
|
||||||
|
|
||||||
|
Or use another type of local-zone to override with your choice.
|
||||||
|
|
||||||
|
The reason for this is discussed in Section 6.1 of RFC8375:
|
||||||
|
Because 'home.arpa.' is not globally scoped and cannot be secured
|
||||||
|
using DNSSEC based on the root domain's trust anchor, there is no way
|
||||||
|
to tell, using a standard DNS query, in which homenet scope an answer
|
||||||
|
belongs. Consequently, users may experience surprising results with
|
||||||
|
such names when roaming to different homenets.
|
||||||
|
|
||||||
20211230:
|
20211230:
|
||||||
The macros provided for the manipulation of CPU sets (e.g. CPU_AND)
|
The macros provided for the manipulation of CPU sets (e.g. CPU_AND)
|
||||||
have been modified to take 2 source arguments instead of only 1.
|
have been modified to take 2 source arguments instead of only 1.
|
||||||
|
|||||||
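Review bot: The new 20211202 entry never says which unbound version introduces the default block, so a reader of UPDATING cannot tell whether their resolver is affected. The commit message names 1.14.0rc1; I suggest repeating that in the first sentence of the entry, for example "As of unbound 1.14.0rc1, the special-use domain 'home.arpa' is by default blocked." Two smaller points in the same entry: the example line `local-zone: "home.arpa." nodefault` is shown without saying where in unbound.conf it belongs, and the RFC8375 Section 6.1 passage is not set off as a quotation, so it reads as the committer's own words. Also please confirm the date: 20211202 is inserted directly above the existing 20211230 entry, so it should be checked against the ordering the rest of the file uses.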