and use it as the default location for the DNSSEC root key. Update default
config for this location.
With this, the only step required to enable DNSSEC validation is to
uncomment these default config entries and restart:
#module-config: "validator iterator"
#auto-trust-anchor-file: "/var/unbound/db/root.key"
There is no longer a requirement to run unbound-anchor manually to
update the root key. The rc.d script will take care of updates at boot,
and Unbound will manage the file itself at runtime.
Test with "dig test.dnssec-or-not.net txt @127.0.0.1" or similar.
this hardware alive is becoming increasingly difficult, and I should heed the
message sent by the three disks which have died on me over the last few days.
No one sane will mourn these ports anyway. So long, and thanks for the fish.
to the port list in net.inet.tcp.baddynamic. Service name taken from IANA
service-names-port-numbers.txt.
If anyone's interested in adding AF_UNIX support for comms between unbound
and unbound-control, that would be very welcome.
OK brad@ deraadt@
has fun effects on some manpages under some circumstances, as found out
by sthen@: the gindent manpage looks like shit when seen with that new
default man.conf on a utf8 terminal, e.g., quotes combine with the
previous character to yield accented letters for no reason.
this should be handled calmly after release, not rushed in at the last
minute (okay deraadt@)
to refrain from trying to execute /etc/rc.d/ in that case.
Problem noticed by jasper@.
Opinions on this patch vary: "much nicer, ok" sthen@
"good god, what horrible shell voodoo, ok" ajacoutot@
suggested by naddy@. This solves the problem that occurs when a
server crashes or is hard booted and comes back up without tearing
down any connections to it, and packets from these connections don't
match any existing state or rule and are silently dropped.
ok phessler@ henning@ claudio@ dlg@
Our dhclient only uses the bpf tap for broadcast packets (which bypass
pf) but lease renewals will use a regular socket and are blocked without
this change. Rules are written so that accidental forwarding of packets
is not possible.
Diff from brad@, OK henning@, benno@, mikeb@