From: sthen Date: Sun, 9 Sep 2018 21:30:24 +0000 (+0000) Subject: merge in some missed bits from 1.7.0 to simplify update prep. X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=dcaa9ce1bdffed001f4ad6002c91a3b930a6a38c;p=openbsd merge in some missed bits from 1.7.0 to simplify update prep. (I think we actually had slightly beyond 1.7.0, I've left code bits but there are some SSL->TLS changes which go away with this and will come back with the update). --- diff --git a/usr.sbin/unbound/doc/README b/usr.sbin/unbound/doc/README index d0c0bf34f3f..58cd56fa809 100644 --- a/usr.sbin/unbound/doc/README +++ b/usr.sbin/unbound/doc/README @@ -1,4 +1,4 @@ -README for Unbound 1.6.6 +README for Unbound 1.7.0 Copyright 2007 NLnet Labs http://unbound.net diff --git a/usr.sbin/unbound/doc/example.conf.in b/usr.sbin/unbound/doc/example.conf.in index 1511c1b21c0..a31ee6d3c4f 100644 --- a/usr.sbin/unbound/doc/example.conf.in +++ b/usr.sbin/unbound/doc/example.conf.in @@ -1,7 +1,7 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.6.6. +# See unbound.conf(5) man page, version 1.7.0. # # this is a comment. @@ -664,14 +664,14 @@ server: # add a netblock specific override to a localzone, with zone type # local-zone-override: "example.com" 192.0.2.0/24 refuse - # service clients over TLS (on the TCP sockets), with plain DNS inside - # the TLS stream. Give the certificate to use and private key. + # service clients over SSL (on the TCP sockets), with plain DNS inside + # the SSL stream. Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. # tls-service-key: "path/to/privatekeyfile.key" # tls-service-pem: "path/to/publiccertfile.pem" # tls-port: 853 - # request upstream over TLS (with plain DNS inside the TLS stream). + # request upstream over SSL (with plain DNS inside the SSL stream). # Default is no. Can be turned on and off with unbound-control. # tls-upstream: no 
diff --git a/usr.sbin/unbound/doc/libunbound.3.in b/usr.sbin/unbound/doc/libunbound.3.in
index 8245f70cd84..357e981fff4 100644
--- a/usr.sbin/unbound/doc/libunbound.3.in
+++ b/usr.sbin/unbound/doc/libunbound.3.in
@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
+.TH "libunbound" "3" "Mar 15, 2018" "NLnet Labs" "unbound 1.7.0"
 .\"
 .\" libunbound.3 -- unbound library functions manual
 .\"
@@ -43,7 +43,7 @@
 .B ub_ctx_zone_remove,
 .B ub_ctx_data_add,
 .B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.6.6 functions.
+\- Unbound DNS validating resolver 1.7.0 functions.
 .SH "SYNOPSIS"
 .B #include
 .LP
diff --git a/usr.sbin/unbound/doc/unbound-anchor.8.in b/usr.sbin/unbound/doc/unbound-anchor.8.in
index a008e0c0e26..f50bf28af3f 100644
--- a/usr.sbin/unbound/doc/unbound-anchor.8.in
+++ b/usr.sbin/unbound/doc/unbound-anchor.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
+.TH "unbound-anchor" "8" "Mar 15, 2018" "NLnet Labs" "unbound 1.7.0"
 .\"
 .\" unbound-anchor.8 -- unbound anchor maintenance utility manual
 .\"
diff --git a/usr.sbin/unbound/doc/unbound-checkconf.8.in b/usr.sbin/unbound/doc/unbound-checkconf.8.in
index 2e38e76b997..a07124e57a2 100644
--- a/usr.sbin/unbound/doc/unbound-checkconf.8.in
+++ b/usr.sbin/unbound/doc/unbound-checkconf.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
+.TH "unbound-checkconf" "8" "Mar 15, 2018" "NLnet Labs" "unbound 1.7.0"
 .\"
 .\" unbound-checkconf.8 -- unbound configuration checker manual
 .\"
diff --git a/usr.sbin/unbound/doc/unbound-control.8.in b/usr.sbin/unbound/doc/unbound-control.8.in
index 2f3fbf9e4f1..53af91514eb 100644
--- a/usr.sbin/unbound/doc/unbound-control.8.in
+++ b/usr.sbin/unbound/doc/unbound-control.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
+.TH "unbound-control" "8" "Mar 15, 2018" "NLnet Labs" "unbound 1.7.0"
 .\"
 .\" unbound-control.8 -- unbound remote control manual
 .\"
diff --git a/usr.sbin/unbound/doc/unbound-host.1.in b/usr.sbin/unbound/doc/unbound-host.1.in
index de8f0bdd052..6842514d287 100644
--- a/usr.sbin/unbound/doc/unbound-host.1.in
+++ b/usr.sbin/unbound/doc/unbound-host.1.in
@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
+.TH "unbound\-host" "1" "Mar 15, 2018" "NLnet Labs" "unbound 1.7.0"
 .\"
 .\" unbound-host.1 -- unbound DNS lookup utility
 .\"
diff --git a/usr.sbin/unbound/doc/unbound.8.in b/usr.sbin/unbound/doc/unbound.8.in
index 24959ba26ce..3c5786a7977 100644
--- a/usr.sbin/unbound/doc/unbound.8.in
+++ b/usr.sbin/unbound/doc/unbound.8.in
@@ -1,4 +1,4 @@
-.TH "unbound" "8" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
+.TH "unbound" "8" "Mar 15, 2018" "NLnet Labs" "unbound 1.7.0"
 .\"
 .\" unbound.8 -- unbound manual
 .\"
@@ -9,7 +9,7 @@
 .\"
 .SH "NAME"
 .B unbound
-\- Unbound DNS validating resolver 1.6.6.
+\- Unbound DNS validating resolver 1.7.0.
 .SH "SYNOPSIS"
 .B unbound
 .RB [ \-h ]
diff --git a/usr.sbin/unbound/doc/unbound.conf.5.in b/usr.sbin/unbound/doc/unbound.conf.5.in
index b83e8808dfe..ba30f4f89eb 100644
--- a/usr.sbin/unbound/doc/unbound.conf.5.in
+++ b/usr.sbin/unbound/doc/unbound.conf.5.in
@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
+.TH "unbound.conf" "5" "Mar 15, 2018" "NLnet Labs" "unbound 1.7.0"
 .\"
 .\" unbound.conf.5 -- unbound.conf manual
 .\"
@@ -252,7 +252,7 @@ silently (unless verbosity 3) without the option. .B ip\-transparent: \fI If yes, then use IP_TRANSPARENT socket option on sockets where unbound is listening for incoming traffic. Default no. Allows you to bind to -non\-local interfaces. For example for non\-existent IP addresses that +non\-local interfaces. For example for non\-existant IP addresses that are going to exist later on, with host failover configuration. This is a lot like interface\-automatic, but that one services all interfaces and with this option you can select which (future) interfaces unbound @@ -363,8 +363,8 @@ change anything. Useful for TLS service providers, that want no udp downstream but use udp to fetch data upstream. .TP .B tls\-upstream: \fI -Enabled or disable whether the upstream queries use TLS only for transport. -Default is no. Useful in tunneling scenarios. The TLS contains plain DNS in +Enabled or disable whether the upstream queries use SSL only for transport. +Default is no. Useful in tunneling scenarios. The SSL contains plain DNS in TCP wireformat. The other server must support this (see \fBtls\-service\-key\fR). .TP @@ -373,7 +373,7 @@ Alternate syntax for \fBtls\-upstream\fR. If both are present in the config file the last is used. .TP .B tls\-service\-key: \fI -If enabled, the server provider TLS service on its TCP sockets. The clients +If enabled, the server provider SSL service on its TCP sockets. The clients have to use tls\-upstream: yes. The file is the private key for the TLS session. The public certificate is in the tls\-service\-pem file. Default is "", turned off. Requires a restart (a reload is not enough) if changed, 
@@ -393,8 +393,8 @@ turned off. Alternate syntax for \fBtls\-service\-pem\fR. .TP .B tls\-port: \fI -The port number on which to provide TCP TLS service, default 853, only -interfaces configured with that port number as @number get the TLS service. +The port number on which to provide TCP SSL service, default 853, only +interfaces configured with that port number as @number get the SSL service. .TP .B ssl\-port: \fI Alternate syntax for \fBtls\-port\fR. @@ -683,8 +683,8 @@ This option only has effect when qname-minimisation is enabled. Default is off. .B aggressive\-nsec: \fI Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN and other denials, using information from previous NXDOMAINs answers. -Default is no. It helps to reduce the query rate towards targets that get -a very high nonexistent name lookup rate. +Default is off. It helps to reduce the query rate towards targets that get +a very high nonexistant name lookup rate. .TP .B private\-address: \fI Give IPv4 of IPv6 addresses or classless subnets. These are addresses @@ -1265,7 +1265,7 @@ In the clause are the declarations for the remote control facility. If this is enabled, the \fIunbound\-control\fR(8) utility can be used to send commands to the running unbound server. The server uses these clauses -to setup TLSv1 security for the connection. The +to setup SSLv3 / TLSv1 security for the connection. The \fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR section for options. To setup the correct self\-signed certificates use the \fIunbound\-control\-setup\fR(8) utility. @@ -1371,7 +1371,7 @@ the servers are unreachable, instead it is tried without this clause. The default is no. .TP .B stub\-tls\-upstream: \fI -Enabled or disable whether the queries to this stub use TLS for transport. +Enabled or disable whether the queries to this stub use SSL for transport. Default is no. .TP .B stub\-ssl\-upstream: \fI 
@@ -1411,7 +1411,7 @@ the servers are unreachable, instead it is tried without this clause.
 The default is no.
 .TP
 .B forward\-tls\-upstream: \fI
-Enabled or disable whether the queries to this forwarder use TLS for transport.
+Enabled or disable whether the queries to this forwarder use SSL for transport.
 Default is no.
 .TP
 .B forward\-ssl\-upstream: \fI
diff --git a/usr.sbin/unbound/util/iana_ports.inc b/usr.sbin/unbound/util/iana_ports.inc
index 5afec2f886f..e44a796dc4a 100644
--- a/usr.sbin/unbound/util/iana_ports.inc
+++ b/usr.sbin/unbound/util/iana_ports.inc
@@ -4635,6 +4635,7 @@
 7402,
 7410,
 7411,
+7420,
 7421,
 7426,
 7427,