UPDATING: Document unbound support of RFC8375

As of unbound 1.14.0rc1, as per RFC8375 unbound by default blocks 'home.arpa'. Document this new behaviour and how to unblock it. Reported by: avg Discussed with: glebius, avg RFC: 8375, Section 6: Security Considerations

UPDATING: Document unbound support of RFC8375
As of unbound 1.14.0rc1, as per RFC8375 unbound by default blocks 'home.arpa'. Document this new behaviour and how to unblock it. Reported by: avg Discussed with: glebius, avg RFC: 8375, Section 6: Security Considerations
72d0d523 · Cy Schubert · 273016e8 · 72d0d523
Commit 72d0d523 authored Jan 23, 2022 by Cy Schubert
--- a/UPDATING
+++ b/UPDATING
@@ -27,6 +27,21 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 14.x IS SLOW:
 	world, or to merely disable the most expensive debugging functionality
 	at runtime, run "ln -s 'abort:false,junk:false' /etc/malloc.conf".)

+20211202:
+	Unbound support for RFC8375: The special-use domain 'home.arpa' is
+	by default blocked. To unblock it use a local-zone nodefault
+	statement in unbound.conf:
+		local-zone: "home.arpa." nodefault
+
+	Or use another type of local-zone to override with your choice.
+
+	The reason for this is discussed in Section 6.1 of RFC8375:
+	Because 'home.arpa.' is not globally scoped and cannot be secured
+	using DNSSEC based on the root domain's trust anchor, there is no way
+	to tell, using a standard DNS query, in which homenet scope an answer
+	belongs.  Consequently, users may experience surprising results with
+	such names when roaming to different homenets.
+
 20211230:
 	The macros provided for the manipulation of CPU sets (e.g. CPU_AND)
 	have been modified to take 2 source arguments instead of only 1.