- Accept tls-upstream in unbound.conf, the ssl-upstream keyword is
  also recognized and means the same.  Also for tls-port,
  tls-service-key, tls-service-pem, stub-tls-upstream and
  forward-tls-upstream.


git-svn-id: file:///svn/unbound/trunk@4444 be551aaa-1e26-0410-a405-d3ace91eadb9
wcawijngaards committed Jan 22, 2018
1 parent d759fdd commit 4b4b1eec8b0d693cfc8dd40708bd3ca19b483148
Showing with 2,239 additions and 2,136 deletions.
  1. +6 −0 doc/Changelog
  2. +6 −6 doc/example.conf.in
  3. +29 −10 doc/unbound.conf.5.in
  4. +2,192 −2,120 util/configlexer.c
  5. +6 −0 util/configlexer.lex
@@ -1,3 +1,9 @@
22 January 2018: Wouter
- Accept tls-upstream in unbound.conf, the ssl-upstream keyword is
also recognized and means the same. Also for tls-port,
tls-service-key, tls-service-pem, stub-tls-upstream and
forward-tls-upstream.

19 January 2018: Wouter
- tag 1.6.8 for release with CVE fix.
- trunk has 1.6.9 with fix and previous commits.
@@ -662,13 +662,13 @@ server:
# service clients over SSL (on the TCP sockets), with plain DNS inside
# the SSL stream. Give the certificate to use and private key.
# default is "" (disabled). requires restart to take effect.
# ssl-service-key: "path/to/privatekeyfile.key"
# ssl-service-pem: "path/to/publiccertfile.pem"
# ssl-port: 853
# tls-service-key: "path/to/privatekeyfile.key"
# tls-service-pem: "path/to/publiccertfile.pem"
# tls-port: 853

# request upstream over SSL (with plain DNS inside the SSL stream).
# Default is no. Can be turned on and off with unbound-control.
# ssl-upstream: no
# tls-upstream: no

# DNS64 prefix. Must be specified when DNS64 is use.
# Enable dns64 in module-config. Used to synthesize IPv6 from IPv4.
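Review bot: the comment lines above the renamed keys still describe the feature as "service clients over SSL" and "request upstream over SSL" while the keys themselves are now tls-service-key, tls-service-pem, tls-port and tls-upstream, so the example uses two names for one thing; suggest changing the prose to "over TLS" in the same hunk. Since the ssl- spellings no longer appear anywhere in the example, a one-line remark that ssl-upstream, ssl-service-key, ssl-service-pem and ssl-port are still accepted as aliases would help users who read example.conf before the man page.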
@@ -787,7 +787,7 @@ remote-control:
# stub-addr: 192.0.2.68
# stub-prime: no
# stub-first: no
# stub-ssl-upstream: no
# stub-tls-upstream: no
# stub-zone:
# name: "example.org"
# stub-host: ns.example.com.
@@ -803,7 +803,7 @@ remote-control:
# forward-addr: 192.0.2.68
# forward-addr: 192.0.2.73@5355 # forward to port 5355.
# forward-first: no
# forward-ssl-upstream: no
# forward-tls-upstream: no
# forward-zone:
# name: "example.org"
# forward-host: fwd.example.com
@@ -398,30 +398,43 @@ Enable udp upstream even if do-udp is no. Default is no, and this does not
change anything. Useful for TLS service providers, that want no udp downstream
but use udp to fetch data upstream.
.TP
.B ssl\-upstream: \fI<yes or no>
.B tls\-upstream: \fI<yes or no>
Enabled or disable whether the upstream queries use SSL only for transport.
Default is no. Useful in tunneling scenarios. The SSL contains plain DNS in
TCP wireformat. The other server must support this (see
\fBssl\-service\-key\fR).
\fBtls\-service\-key\fR).
.TP
.B ssl\-upstream: \fI<yes or no>
Alternate syntax for \fBtls\-upstream\fR. If both are present in the config
file the last is used.
.TP
.B ssl\-service-key: \fI<file>
.B tls\-service\-key: \fI<file>
If enabled, the server provider SSL service on its TCP sockets. The clients
have to use ssl\-upstream: yes. The file is the private key for the TLS
session. The public certificate is in the ssl\-service\-pem file. Default
have to use tls\-upstream: yes. The file is the private key for the TLS
session. The public certificate is in the tls\-service\-pem file. Default
is "", turned off. Requires a restart (a reload is not enough) if changed,
because the private key is read while root permissions are held and before
chroot (if any). Normal DNS TCP service is not provided and gives errors,
this service is best run with a different \fBport:\fR config or \fI@port\fR
suffixes in the \fBinterface\fR config.
.TP
.B ssl\-service\-pem: \fI<file>
The public key certificate pem file for the ssl service. Default is "",
.B ssl\-service\-key: \fI<file>
Alternate syntax for \fBtls\-service\-key\fR.
.TP
.B tls\-service\-pem: \fI<file>
The public key certificate pem file for the tls service. Default is "",
turned off.
.TP
.B ssl\-port: \fI<number>
.B ssl\-service\-pem: \fI<file>
Alternate syntax for \fBtls\-service\-pem\fR.
.TP
.B tls\-port: \fI<number>
The port number on which to provide TCP SSL service, default 853, only
interfaces configured with that port number as @number get the SSL service.
.TP
.B ssl\-port: \fI<number>
Alternate syntax for \fBtls\-port\fR.
.TP
.B use\-systemd: \fI<yes or no>
Enable or disable systemd socket activation.
Default is no.
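Review bot: the rewritten tls-upstream entry keeps the pre-existing "Enabled or disable whether the upstream queries use SSL only for transport." wording; since the line is being rewritten anyway, "Enable or disable whether ..." and "use TLS" would match the new keyword. The precedence rule "If both are present in the config file the last is used." is stated only under ssl-upstream, while ssl-service-key, ssl-service-pem and ssl-port are described just as "Alternate syntax for ..."; either repeat the rule under each alias or state it once for all of them, so a reader of tls-service-key knows what happens when an old ssl-service-key line is also present (that decides which private key file is loaded). Minor: the tls-service-key, tls-service-pem and tls-port descriptions still say "SSL service" and "TCP SSL service".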
@@ -1380,9 +1393,12 @@ The data could not be retrieved and would have caused SERVFAIL because
the servers are unreachable, instead it is tried without this clause.
The default is no.
.TP
.B stub\-ssl\-upstream: \fI<yes or no>
.B stub\-tls\-upstream: \fI<yes or no>
Enabled or disable whether the queries to this stub use SSL for transport.
Default is no.
.TP
.B stub\-ssl\-upstream: \fI<yes or no>
Alternate syntax for \fBstub\-tls\-upstream\fR.
.SS "Forward Zone Options"
.LP
There may be multiple
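Review bot: "Enabled or disable whether the queries to this stub use SSL for transport." under the new stub-tls-upstream heading carries the same grammar slip as the server section ("Enable or disable ..."), and "use TLS" would match the keyword; worth fixing while the line is touched.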
@@ -1417,9 +1433,12 @@ The data could not be retrieved and would have caused SERVFAIL because
the servers are unreachable, instead it is tried without this clause.
The default is no.
.TP
.B forward\-ssl\-upstream: \fI<yes or no>
.B forward\-tls\-upstream: \fI<yes or no>
Enabled or disable whether the queries to this forwarder use SSL for transport.
Default is no.
.TP
.B forward\-ssl\-upstream: \fI<yes or no>
Alternate syntax for \fBforward\-tls\-upstream\fR.
.SS "View Options"
.LP
There may be multiple
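Review bot: same "Enabled or disable" wording under forward-tls-upstream as in the stub entry; suggest "Enable or disable whether the queries to this forwarder use TLS for transport." Also, the stub-ssl-upstream and forward-ssl-upstream alias entries do not say which value wins when both spellings appear in one zone block, unlike the server-level ssl-upstream entry ("the last is used"); a matching sentence here would keep the alias descriptions consistent.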