Commit 72d0d523 authored by Cy Schubert

UPDATING: Document unbound support of RFC8375

As of unbound 1.14.0rc1, as per RFC8375 unbound by default blocks
''. Document this new behaviour and how to unblock it.

Reported by:	avg
Discussed with:	glebius, avg
RFC:		8375, Section 6: Security Considerations
parent 273016e8
......@@ -27,6 +27,21 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 14.x IS SLOW:
world, or to merely disable the most expensive debugging functionality
at runtime, run "ln -s 'abort:false,junk:false' /etc/malloc.conf".)
Unbound support for RFC8375: The special-use domain '' is
by default blocked. To unblock it use a local-zone nodefault
statement in unbound.conf:
local-zone: "" nodefault
Or use another type of local-zone to override with your choice.
The reason for this is discussed in Section 6.1 of RFC8375:
Because '' is not globally scoped and cannot be secured
using DNSSEC based on the root domain's trust anchor, there is no way
to tell, using a standard DNS query, in which homenet scope an answer
belongs. Consequently, users may experience surprising results with
such names when roaming to different homenets.
The macros provided for the manipulation of CPU sets (e.g. CPU_AND)
have been modified to take 2 source arguments instead of only 1.
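Review bot: The new UPDATING entry never states the unbound version in which the default changed. The commit message gives 1.14.0rc1, but a reader of UPDATING only sees "is by default blocked" and cannot tell which import introduced the behaviour, so consider naming the version in the entry's first sentence. The line "Or use another type of local-zone to override with your choice" is also vague for someone editing unbound.conf; a pointer to the local-zone description in unbound.conf(5) would tell them where the available types are listed. Since the quoted rationale is about answers that cannot be validated with DNSSEC, it would help to say that the nodefault override is meant for hosts that actually resolve this zone on their own homenet, so that readers do not unblock it by reflex.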