1.. 2 WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE 3 4.. 5 IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE 6 7.. 8 IT HELPS PEOPLE DIFFING THE CHANGES 9 10.. 11 WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE 12 13.. 14 IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE 15 16.. 17 IT HELPS PEOPLE DIFFING THE CHANGES 18 19.. 20 WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE 21 22.. 23 IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE 24 25.. 26 IT HELPS PEOPLE DIFFING THE CHANGES 27 28.. 29 WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE 30 31.. 32 IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE 33 34.. 35 IT HELPS PEOPLE DIFFING THE CHANGES 36 37.. program:: unbound-control 38 39unbound-control(8) 40================== 41 42Synopsis 43-------- 44 45**unbound-control** [``-hq``] [``-c cfgfile``] [``-s server``] command 46 47Description 48----------- 49 50``unbound-control`` performs remote administration on the 51:doc:`unbound(8)</manpages/unbound>` DNS server. 52It reads the configuration file, contacts the Unbound server over TLS sends the 53command and displays the result. 54 55The available options are: 56 57.. option:: -h 58 59 Show the version and commandline option help. 60 61.. option:: -c <cfgfile> 62 63 The config file to read with settings. 64 If not given the default config file 65 :file:`@ub_conf_file@` is used. 66 67.. option:: -s <server[@port]> 68 69 IPv4 or IPv6 address of the server to contact. 70 If not given, the address is read from the config file. 71 72.. option:: -q 73 74 Quiet, if the option is given it does not print anything if it works ok. 75 76Commands 77-------- 78 79There are several commands that the server understands. 80 81 82@@UAHL@unbound-control.commands@start@@ 83 Start the server. 84 Simply execs :doc:`unbound(8)</manpages/unbound>`. 85 The ``unbound`` executable is searched for in the **PATH** set in the 86 environment. 87 It is started with the config file specified using :option:`-c` or the 88 default config file. 89 90 91@@UAHL@unbound-control.commands@stop@@ 92 Stop the server. 93 The server daemon exits. 94 95 96@@UAHL@unbound-control.commands@reload@@ 97 Reload the server. 98 This flushes the cache and reads the config file fresh. 99 100 101@@UAHL@unbound-control.commands@reload_keep_cache@@ 102 Reload the server but try to keep the RRset and message cache if 103 (re)configuration allows for it. 104 That means the caches sizes and the number of threads must not change 105 between reloads. 106 107 108@@UAHL@unbound-control.commands@fast_reload@@ [``+dpv``] 109 Reload the server, but keep downtime to a minimum, so that user queries 110 keep seeing service. 111 This needs the code compiled with threads. 112 The config is loaded in a thread, and prepared, then it briefly pauses the 113 existing server and updates config options. 114 The intent is that the pause does not impact the service of user queries. 115 The cache is kept. 116 Also user queries worked on are kept and continue, but with the new config 117 options. 118 119 .. note:: 120 This command is experimental at this time. 121 122 The amount of temporal memory needed during a fast_reload is twice the 123 amount needed for configuration. 124 This is because Unbound temporarily needs to store both current 125 configuration values and new ones while trying to fast_reload. 126 Zones loaded from disk (authority zones and RPZ zones) are included in such 127 memory needs. 128 129 Options that can be changed are for 130 :ref:`forwards<unbound.conf.forward>`, 131 :ref:`stubs<unbound.conf.stub>`, 132 :ref:`views<unbound.conf.view>`, 133 :ref:`authority zones<unbound.conf.auth>`, 134 :ref:`RPZ zones<unbound.conf.rpz>` and 135 :ref:`local zones<unbound.conf.local-zone>`. 136 137 Also 138 :ref:`access-control<unbound.conf.access-control>` and similar options, 139 :ref:`interface-action<unbound.conf.interface-action>` and similar 140 options and 141 :ref:`tcp-connection-limit<unbound.conf.tcp-connection-limit>`. 142 It can reload some 143 :ref:`define-tag<unbound.conf.define-tag>` 144 changes, more on that below. 145 Further options include 146 :ref:`insecure-lan-zones<unbound.conf.insecure-lan-zones>`, 147 :ref:`domain-insecure<unbound.conf.domain-insecure>`, 148 :ref:`trust-anchor-file<unbound.conf.trust-anchor-file>`, 149 :ref:`trust-anchor<unbound.conf.trust-anchor>`, 150 :ref:`trusted-keys-file<unbound.conf.trusted-keys-file>`, 151 :ref:`auto-trust-anchor-file<unbound.conf.auto-trust-anchor-file>`, 152 :ref:`edns-client-string<unbound.conf.edns-client-string>`, 153 ipset, 154 :ref:`log-identity<unbound.conf.log-identity>`, 155 :ref:`infra-cache-numhosts<unbound.conf.infra-cache-numhosts>`, 156 :ref:`msg-cache-size<unbound.conf.msg-cache-size>`, 157 :ref:`rrset-cache-size<unbound.conf.rrset-cache-size>`, 158 :ref:`key-cache-size<unbound.conf.key-cache-size>`, 159 :ref:`ratelimit-size<unbound.conf.ratelimit-size>`, 160 :ref:`neg-cache-size<unbound.conf.neg-cache-size>`, 161 :ref:`num-queries-per-thread<unbound.conf.num-queries-per-thread>`, 162 :ref:`jostle-timeout<unbound.conf.jostle-timeout>`, 163 :ref:`use-caps-for-id<unbound.conf.use-caps-for-id>`, 164 :ref:`unwanted-reply-threshold<unbound.conf.unwanted-reply-threshold>`, 165 :ref:`tls-use-sni<unbound.conf.tls-use-sni>`, 166 :ref:`outgoing-tcp-mss<unbound.conf.outgoing-tcp-mss>`, 167 :ref:`ip-dscp<unbound.conf.ip-dscp>`, 168 :ref:`max-reuse-tcp-queries<unbound.conf.max-reuse-tcp-queries>`, 169 :ref:`tcp-reuse-timeout<unbound.conf.tcp-reuse-timeout>`, 170 :ref:`tcp-auth-query-timeout<unbound.conf.tcp-auth-query-timeout>`, 171 :ref:`delay-close<unbound.conf.delay-close>`. 172 173 It does not work with 174 :ref:`interface<unbound.conf.interface>` and 175 :ref:`outgoing-interface<unbound.conf.outgoing-interface>` changes, 176 also not with 177 :ref:`remote control<unbound.conf.remote>`, 178 :ref:`outgoing-port-permit<unbound.conf.outgoing-port-permit>`, 179 :ref:`outgoing-port-avoid<unbound.conf.outgoing-port-avoid>`, 180 :ref:`msg-buffer-size<unbound.conf.msg-buffer-size>`, 181 any **\*-slabs** options and 182 :ref:`statistics-interval<unbound.conf.statistics-interval>` changes. 183 184 For :ref:`dnstap<unbound.conf.dnstap>` these options can be changed: 185 :ref:`dnstap-log-resolver-query-messages<unbound.conf.dnstap.dnstap-log-resolver-query-messages>`, 186 :ref:`dnstap-log-resolver-response-messages<unbound.conf.dnstap.dnstap-log-resolver-response-messages>`, 187 :ref:`dnstap-log-client-query-messages<unbound.conf.dnstap.dnstap-log-client-query-messages>`, 188 :ref:`dnstap-log-client-response-messages<unbound.conf.dnstap.dnstap-log-client-response-messages>`, 189 :ref:`dnstap-log-forwarder-query-messages<unbound.conf.dnstap.dnstap-log-forwarder-query-messages>` and 190 :ref:`dnstap-log-forwarder-response-messages<unbound.conf.dnstap.dnstap-log-forwarder-response-messages>`. 191 192 It does not work with these options: 193 :ref:`dnstap-enable<unbound.conf.dnstap.dnstap-enable>`, 194 :ref:`dnstap-bidirectional<unbound.conf.dnstap.dnstap-bidirectional>`, 195 :ref:`dnstap-socket-path<unbound.conf.dnstap.dnstap-socket-path>`, 196 :ref:`dnstap-ip<unbound.conf.dnstap.dnstap-ip>`, 197 :ref:`dnstap-tls<unbound.conf.dnstap.dnstap-tls>`, 198 :ref:`dnstap-tls-server-name<unbound.conf.dnstap.dnstap-tls-server-name>`, 199 :ref:`dnstap-tls-cert-bundle<unbound.conf.dnstap.dnstap-tls-cert-bundle>`, 200 :ref:`dnstap-tls-client-key-file<unbound.conf.dnstap.dnstap-tls-client-key-file>` and 201 :ref:`dnstap-tls-client-cert-file<unbound.conf.dnstap.dnstap-tls-client-cert-file>`. 202 203 The options 204 :ref:`dnstap-send-identity<unbound.conf.dnstap.dnstap-send-identity>`, 205 :ref:`dnstap-send-version<unbound.conf.dnstap.dnstap-send-version>`, 206 :ref:`dnstap-identity<unbound.conf.dnstap.dnstap-identity>`, and 207 :ref:`dnstap-version<unbound.conf.dnstap.dnstap-version>` can be loaded 208 when ``+p`` is not used. 209 210 The ``+v`` option makes the output verbose which includes the time it took 211 to do the reload. 212 With ``+vv`` it is more verbose which includes the amount of memory that 213 was allocated temporarily to perform the reload; this amount of memory can 214 be big if the config has large contents. 215 In the timing output the 'reload' time is the time during which the server 216 was paused. 217 218 The ``+p`` option makes the reload not pause threads, they keep running. 219 Locks are acquired, but items are updated in sequence, so it is possible 220 for threads to see an inconsistent state with some options from the old 221 and some options from the new config, such as cache TTL parameters from the 222 old config and forwards from the new config. 223 The stubs and forwards are updated at the same time, so that they are 224 viewed consistently, either old or new values together. 225 The option makes the reload time take eg. 3 microseconds instead of 0.3 226 milliseconds during which the worker threads are interrupted. 227 So, the interruption is much shorter, at the expense of some inconsistency. 228 After the reload itself, every worker thread is briefly contacted to make 229 them release resources, this makes the delete timing a little longer, and 230 takes up time from the remote control servicing worker thread. 231 232 With the nopause option (``+p``), the reload does not work to reload some 233 options, that fast reload works on without the nopause option: 234 :ref:`val-bogus-ttl<unbound.conf.val-bogus-ttl>`, 235 :ref:`val-override-date<unbound.conf.val-override-date>`, 236 :ref:`val-sig-skew-min<unbound.conf.val-sig-skew-min>`, 237 :ref:`val-sig-skew-max<unbound.conf.val-sig-skew-max>`, 238 :ref:`val-max-restart<unbound.conf.val-max-restart>`, 239 :ref:`val-nsec3-keysize-iterations<unbound.conf.val-nsec3-keysize-iterations>`, 240 :ref:`target-fetch-policy<unbound.conf.target-fetch-policy>`, 241 :ref:`outbound-msg-retry<unbound.conf.outbound-msg-retry>`, 242 :ref:`max-sent-count<unbound.conf.max-sent-count>`, 243 :ref:`max-query-restarts<unbound.conf.max-query-restarts>`, 244 :ref:`do-not-query-address<unbound.conf.do-not-query-address>`, 245 :ref:`do-not-query-localhost<unbound.conf.do-not-query-localhost>`, 246 :ref:`private-address<unbound.conf.private-address>`, 247 :ref:`private-domain<unbound.conf.private-domain>`, 248 :ref:`caps-exempt<unbound.conf.caps-exempt>`, 249 :ref:`nat64-prefix<unbound.conf.nat64.nat64-prefix>`, 250 :ref:`do-nat64<unbound.conf.nat64.do-nat64>`, 251 :ref:`infra-host-ttl<unbound.conf.infra-host-ttl>`, 252 :ref:`infra-keep-probing<unbound.conf.infra-keep-probing>`, 253 :ref:`ratelimit<unbound.conf.ratelimit>`, 254 :ref:`ip-ratelimit<unbound.conf.ip-ratelimit>`, 255 :ref:`ip-ratelimit-cookie<unbound.conf.ip-ratelimit-cookie>`, 256 :ref:`wait-limit-netblock<unbound.conf.wait-limit-netblock>`, 257 :ref:`wait-limit-cookie-netblock<unbound.conf.wait-limit-cookie-netblock>`, 258 :ref:`ratelimit-below-domain<unbound.conf.ratelimit-below-domain>`, 259 :ref:`ratelimit-for-domain<unbound.conf.ratelimit-for-domain>`. 260 261 The ``+d`` option makes the reload drop queries that the worker threads are 262 working on. 263 This is like 264 :ref:`flush_requestlist<unbound-control.commands.flush_requestlist>`. 265 Without it the queries are kept so that users keep getting answers for 266 those queries that are currently processed. 267 The drop makes it so that queries during the life time of the 268 query processing see only old, or only new config options. 269 270 When there are changes to the config tags, from the 271 :ref:`define-tag<unbound.conf.define-tag>` option, 272 then the ``+d`` option is implicitly turned on with a warning printout, and 273 queries are dropped. 274 This is to stop references to the old tag information, by the old 275 queries. 276 If the number of tags is increased in the newly loaded config, by 277 adding tags at the end, then the implicit ``+d`` option is not needed. 278 279 For response ip, that is actions associated with IP addresses, and perhaps 280 intersected with access control tag and action information, those settings 281 are stored with a query when it comes in based on its source IP address. 282 The old information is kept with the query until the queries are done. 283 This is gone when those queries are resolved and finished, or it is 284 possible to flush the requestlist with ``+d``. 285 286 287@@UAHL@unbound-control.commands@verbosity@@ *number* 288 Change verbosity value for logging. 289 Same values as the **verbosity:** keyword in 290 :doc:`unbound.conf(5)</manpages/unbound.conf>`. 291 This new setting lasts until the server is issued a reload (taken from 292 config file again), or the next verbosity control command. 293 294 295@@UAHL@unbound-control.commands@log_reopen@@ 296 Reopen the logfile, close and open it. 297 Useful for logrotation to make the daemon release the file it is logging 298 to. 299 If you are using syslog it will attempt to close and open the syslog (which 300 may not work if chrooted). 301 302 303@@UAHL@unbound-control.commands@stats@@ 304 Print statistics. 305 Resets the internal counters to zero, this can be controlled using the 306 **statistics-cumulative:** config statement. 307 Statistics are printed with one ``[name]: [value]`` per line. 308 309 310@@UAHL@unbound-control.commands@stats_noreset@@ 311 Peek at statistics. 312 Prints them like the stats command does, but does not reset the internal 313 counters to zero. 314 315 316@@UAHL@unbound-control.commands@status@@ 317 Display server status. 318 Exit code 3 if not running (the connection to the port is refused), 1 on 319 error, 0 if running. 320 321 322@@UAHL@unbound-control.commands@local_zone@@ *name type* 323 Add new local zone with name and type. 324 Like local-zone config statement. 325 If the zone already exists, the type is changed to the given argument. 326 327 328@@UAHL@unbound-control.commands@local_zone_remove@@ *name* 329 Remove the local zone with the given name. 330 Removes all local data inside it. 331 If the zone does not exist, the command succeeds. 332 333 334@@UAHL@unbound-control.commands@local_data@@ *RR data...* 335 Add new local data, the given resource record. 336 Like **local-data:** keyword, except for when no covering zone exists. 337 In that case this remote control command creates a transparent zone with 338 the same name as this record. 339 340 341@@UAHL@unbound-control.commands@local_data_remove@@ *name* 342 Remove all RR data from local name. 343 If the name already has no items, nothing happens. 344 Often results in NXDOMAIN for the name (in a static zone), but if the name 345 has become an empty nonterminal (there is still data in domain names below 346 the removed name), NOERROR nodata answers are the result for that name. 347 348 349@@UAHL@unbound-control.commands@local_zones@@ 350 Add local zones read from stdin of unbound-control. 351 Input is read per line, with name space type on a line. 352 For bulk additions. 353 354 355@@UAHL@unbound-control.commands@local_zones_remove@@ 356 Remove local zones read from stdin of unbound-control. 357 Input is one name per line. 358 For bulk removals. 359 360 361@@UAHL@unbound-control.commands@local_datas@@ 362 Add local data RRs read from stdin of unbound-control. 363 Input is one RR per line. 364 For bulk additions. 365 366 367@@UAHL@unbound-control.commands@local_datas_remove@@ 368 Remove local data RRs read from stdin of unbound-control. 369 Input is one name per line. 370 For bulk removals. 371 372 373@@UAHL@unbound-control.commands@dump_cache@@ 374 The contents of the cache is printed in a text format to stdout. 375 You can redirect it to a file to store the cache in a file. 376 Not supported in remote Unbounds in multi-process operation. 377 378 379@@UAHL@unbound-control.commands@load_cache@@ 380 The contents of the cache is loaded from stdin. 381 Uses the same format as dump_cache uses. 382 Loading the cache with old, or wrong data can result in old or wrong data 383 returned to clients. 384 Loading data into the cache in this way is supported in order to aid with 385 debugging. 386 Not supported in remote Unbounds in multi-process operation. 387 388 389@@UAHL@unbound-control.commands@cache_lookup@@ [``+t``] *names* 390 Print to stdout the RRsets and messages that are in the cache. 391 For every name listed the content at or under the name is printed. 392 Several names separated by spaces can be given, each is printed. 393 When subnetcache is enabled, also matching entries from the subnet 394 cache are printed. 395 396 The ``+t`` option allows tld and root names. 397 With it names like 'com' and '.' can be used, but it takes a lot of 398 effort to look up in the cache. 399 400 401@@UAHL@unbound-control.commands@lookup@@ *name* 402 Print to stdout the name servers that would be used to look up the name 403 specified. 404 405 406@@UAHL@unbound-control.commands@flush@@ [``+c``] *name* 407 Remove the name from the cache. 408 Removes the types A, AAAA, NS, SOA, CNAME, DNAME, MX, PTR, SRV, NAPTR, 409 SVCB and HTTPS. 410 Because that is fast to do. 411 Other record types can be removed using **flush_type** or **flush_zone**. 412 413 The ``+c`` option removes the items also from the cachedb cache. 414 If cachedb is in use. 415 416 417@@UAHL@unbound-control.commands@flush_type@@ [``+c``] *name type* 418 Remove the name, type information from the cache. 419 420 The ``+c`` option removes the items also from the cachedb cache. 421 If cachedb is in use. 422 423 424@@UAHL@unbound-control.commands@flush_zone@@ [``+c``] name 425 Remove all information at or below the name from the cache. 426 The rrsets and key entries are removed so that new lookups will be 427 performed. 428 This needs to walk and inspect the entire cache, and is a slow operation. 429 The entries are set to expired in the implementation of this command (so, 430 with serve-expired enabled, it'll serve that information but schedule a 431 prefetch for new information). 432 433 The ``+c`` option removes the items also from the cachedb cache. 434 If cachedb is in use. 435 436 437@@UAHL@unbound-control.commands@flush_bogus@@ [``+c``] 438 Remove all bogus data from the cache. 439 440 The ``+c`` option removes the items also from the cachedb cache. 441 If cachedb is in use. 442 443 444@@UAHL@unbound-control.commands@flush_negative@@ [``+c``] 445 Remove all negative data from the cache. 446 This is nxdomain answers, nodata answers and servfail answers. 447 Also removes bad key entries (which could be due to failed lookups) from 448 the dnssec key cache, and iterator last-resort lookup failures from the 449 rrset cache. 450 451 The ``+c`` option removes the items also from the cachedb cache. 452 If cachedb is in use. 453 454 455@@UAHL@unbound-control.commands@flush_stats@@ 456 Reset statistics to zero. 457 458 459@@UAHL@unbound-control.commands@flush_requestlist@@ 460 Drop the queries that are worked on. 461 Stops working on the queries that the server is working on now. 462 The cache is unaffected. 463 No reply is sent for those queries, probably making those users request 464 again later. 465 Useful to make the server restart working on queries with new settings, 466 such as a higher verbosity level. 467 468 469@@UAHL@unbound-control.commands@dump_requestlist@@ 470 Show what is worked on. 471 Prints all queries that the server is currently working on. 472 Prints the time that users have been waiting. 473 For internal requests, no time is printed. 474 And then prints out the module status. 475 This prints the queries from the first thread, and not queries that are 476 being serviced from other threads. 477 478 479@@UAHL@unbound-control.commands@flush_infra@@ *all|IP* 480 If all then entire infra cache is emptied. 481 If a specific IP address, the entry for that address is removed from the 482 cache. 483 It contains EDNS, ping and lameness data. 484 485 486@@UAHL@unbound-control.commands@dump_infra@@ 487 Show the contents of the infra cache. 488 489 490@@UAHL@unbound-control.commands@set_option@@ *opt: val* 491 Set the option to the given value without a reload. 492 The cache is therefore not flushed. 493 The option must end with a ``':'`` and whitespace must be between the 494 option and the value. 495 Some values may not have an effect if set this way, the new values are not 496 written to the config file, not all options are supported. 497 This is different from the set_option call in libunbound, where all values 498 work because Unbound has not been initialized. 499 500 The values that work are: statistics-interval, statistics-cumulative, 501 do-not-query-localhost, harden-short-bufsize, harden-large-queries, 502 harden-glue, harden-dnssec-stripped, harden-below-nxdomain, 503 harden-referral-path, prefetch, prefetch-key, log-queries, hide-identity, 504 hide-version, identity, version, val-log-level, val-log-squelch, 505 ignore-cd-flag, add-holddown, del-holddown, keep-missing, tcp-upstream, 506 ssl-upstream, max-udp-size, ratelimit, ip-ratelimit, cache-max-ttl, 507 cache-min-ttl, cache-max-negative-ttl. 508 509 510@@UAHL@unbound-control.commands@get_option@@ *opt* 511 Get the value of the option. 512 Give the option name without a trailing ``':'``. 513 The value is printed. 514 If the value is ``""``, nothing is printed and the connection closes. 515 On error ``'error ...'`` is printed (it gives a syntax error on unknown 516 option). 517 For some options a list of values, one on each line, is printed. 518 The options are shown from the config file as modified with set_option. 519 For some options an override may have been taken that does not show up with 520 this command, not results from e.g. the verbosity and forward control 521 commands. 522 Not all options work, see list_stubs, list_forwards, list_local_zones and 523 list_local_data for those. 524 525 526@@UAHL@unbound-control.commands@list_stubs@@ 527 List the stub zones in use. 528 These are printed one by one to the output. 529 This includes the root hints in use. 530 531 532@@UAHL@unbound-control.commands@list_forwards@@ 533 List the forward zones in use. 534 These are printed zone by zone to the output. 535 536 537@@UAHL@unbound-control.commands@list_insecure@@ 538 List the zones with domain-insecure. 539 540 541@@UAHL@unbound-control.commands@list_local_zones@@ 542 List the local zones in use. 543 These are printed one per line with zone type. 544 545 546@@UAHL@unbound-control.commands@list_local_data@@ 547 List the local data RRs in use. 548 The resource records are printed. 549 550 551@@UAHL@unbound-control.commands@insecure_add@@ *zone* 552 Add a domain-insecure for the given zone, like the statement in 553 unbound.conf. 554 Adds to the running Unbound without affecting the cache 555 contents (which may still be bogus, use flush_zone to remove it), does not 556 affect the config file. 557 558 559@@UAHL@unbound-control.commands@insecure_remove@@ *zone* 560 Removes domain-insecure for the given zone. 561 562 563@@UAHL@unbound-control.commands@forward_add@@ [``+it``] *zone addr ...* 564 Add a new forward zone to running Unbound. 565 With ``+i`` option also adds a domain-insecure for the zone (so it can 566 resolve insecurely if you have a DNSSEC root trust anchor configured for 567 other names). 568 The addr can be IP4, IP6 or nameserver names, like forward-zone config in 569 unbound.conf. 570 The ``+t`` option sets it to use TLS upstream, like 571 :ref:`forward-tls-upstream: yes<unbound.conf.forward.forward-tls-upstream>`. 572 573 574@@UAHL@unbound-control.commands@forward_remove@@ [``+i``] *zone* 575 Remove a forward zone from running Unbound. 576 The ``+i`` also removes a domain-insecure for the zone. 577 578 579@@UAHL@unbound-control.commands@stub_add@@ [``+ipt``] *zone addr ...* 580 Add a new stub zone to running Unbound. 581 With ``+i`` option also adds a domain-insecure for the zone. 582 With ``+p`` the stub zone is set to prime, without it it is set to 583 notprime. 584 The addr can be IP4, IP6 or nameserver names, like the **stub-zone:** 585 config in unbound.conf. 586 The ``+t`` option sets it to use TLS upstream, like 587 :ref:`stub-tls-upstream: yes<unbound.conf.stub.stub-tls-upstream>`. 588 589 590@@UAHL@unbound-control.commands@stub_remove@@ [``+i``] *zone* 591 Remove a stub zone from running Unbound. 592 The ``+i`` also removes a domain-insecure for the zone. 593 594 595@@UAHL@unbound-control.commands@forward@@ [*off* | *addr ...* ] 596 Setup forwarding mode. 597 Configures if the server should ask other upstream nameservers, should go 598 to the internet root nameservers itself, or show the current config. 599 You could pass the nameservers after a DHCP update. 600 601 Without arguments the current list of addresses used to forward all queries 602 to is printed. 603 On startup this is from the forward-zone ``"."`` configuration. 604 Afterwards it shows the status. 605 It prints off when no forwarding is used. 606 607 If off is passed, forwarding is disabled and the root nameservers are 608 used. 609 This can be used to avoid to avoid buggy or non-DNSSEC supporting 610 nameservers returned from DHCP. 611 But may not work in hotels or hotspots. 612 613 If one or more IPv4 or IPv6 addresses are given, those are then used to 614 forward queries to. 615 The addresses must be separated with spaces. 616 With ``'@port'`` the port number can be set explicitly (default port is 53 617 (DNS)). 618 619 By default the forwarder information from the config file for the root 620 ``"."`` is used. 621 The config file is not changed, so after a reload these changes are gone. 622 Other forward zones from the config file are not affected by this command. 623 624 625@@UAHL@unbound-control.commands@ratelimit_list@@ [``+a``] 626 List the domains that are ratelimited. 627 Printed one per line with current estimated qps and qps limit from config. 628 With ``+a`` it prints all domains, not just the ratelimited domains, with 629 their estimated qps. 630 The ratelimited domains return an error for uncached (new) queries, but 631 cached queries work as normal. 632 633 634@@UAHL@unbound-control.commands@ip_ratelimit_list@@ [``+a``] 635 List the ip addresses that are ratelimited. 636 Printed one per line with current estimated qps and qps limit from config. 637 With ``+a`` it prints all ips, not just the ratelimited ips, with their 638 estimated qps. 639 The ratelimited ips are dropped before checking the cache. 640 641 642@@UAHL@unbound-control.commands@list_auth_zones@@ 643 List the auth zones that are configured. 644 Printed one per line with a status, indicating if the zone is expired and 645 current serial number. 646 Configured RPZ zones are included. 647 648 649@@UAHL@unbound-control.commands@auth_zone_reload@@ *zone* 650 Reload the auth zone (or RPZ zone) from zonefile. 651 The zonefile is read in overwriting the current contents of the zone in 652 memory. 653 This changes the auth zone contents itself, not the cache contents. 654 Such cache contents exists if you set Unbound to validate with 655 **for-upstream: yes** and that can be cleared with **flush_zone** *zone*. 656 657 658@@UAHL@unbound-control.commands@auth_zone_transfer@@ *zone* 659 Transfer the auth zone (or RPZ zone) from master. 660 The auth zone probe sequence is started, where the masters are probed to 661 see if they have an updated zone (with the SOA serial check). 662 And then the zone is transferred for a newer zone version. 663 664 665@@UAHL@unbound-control.commands@rpz_enable@@ *zone* 666 Enable the RPZ zone if it had previously been disabled. 667 668 669@@UAHL@unbound-control.commands@rpz_disable@@ *zone* 670 Disable the RPZ zone. 671 672 673@@UAHL@unbound-control.commands@view_list_local_zones@@ *view* 674 *list_local_zones* for given view. 675 676 677@@UAHL@unbound-control.commands@view_local_zone@@ *view name type* 678 *local_zone* for given view. 679 680 681@@UAHL@unbound-control.commands@view_local_zone_remove@@ *view name* 682 *local_zone_remove* for given view. 683 684 685@@UAHL@unbound-control.commands@view_list_local_data@@ *view* 686 *list_local_data* for given view. 687 688 689@@UAHL@unbound-control.commands@view_local_data@@ *view RR data...* 690 *local_data* for given view. 691 692 693@@UAHL@unbound-control.commands@view_local_data_remove@@ *view name* 694 *local_data_remove* for given view. 695 696 697@@UAHL@unbound-control.commands@view_local_datas_remove@@ *view* 698 Remove a list of *local_data* for given view from stdin. 699 Like *local_datas_remove*. 700 701 702@@UAHL@unbound-control.commands@view_local_datas@@ *view* 703 Add a list of *local_data* for given view from stdin. 704 Like *local_datas*. 705 706 707@@UAHL@unbound-control.commands@add_cookie_secret@@ *secret* 708 Add or replace a cookie secret persistently. 709 *secret* needs to be an 128 bit hex string. 710 711 Cookie secrets can be either **active** or **staging**. 712 **Active** cookie secrets are used to create DNS Cookies, but verification 713 of a DNS Cookie succeeds with any of the **active** or **staging** cookie 714 secrets. 715 The state of the current cookie secrets can be printed with the 716 :ref:`print_cookie_secrets<unbound-control.commands.print_cookie_secrets>` 717 command. 718 719 When there are no cookie secrets configured yet, the *secret* is added as 720 **active**. 721 If there is already an **active** cookie secret, the *secret* is added as 722 **staging** or replacing an existing **staging** secret. 723 724 To "roll" a cookie secret used in an anycast set. 725 The new secret has to be added as **staging** secret to **all** nodes in 726 the anycast set. 727 When **all** nodes can verify DNS Cookies with the new secret, the new 728 secret can be activated with the 729 :ref:`activate_cookie_secret<unbound-control.commands.activate_cookie_secret>` 730 command. 731 After **all** nodes have the new secret **active** for at least one hour, 732 the previous secret can be dropped with the 733 :ref:`drop_cookie_secret<unbound-control.commands.drop_cookie_secret>` 734 command. 735 736 Persistence is accomplished by writing to a file which is configured with 737 the 738 :ref:`cookie-secret-file<unbound.conf.cookie-secret-file>` 739 option in the server section of the config file. 740 This is disabled by default, "". 741 742 743@@UAHL@unbound-control.commands@drop_cookie_secret@@ 744 Drop the **staging** cookie secret. 745 746 747@@UAHL@unbound-control.commands@activate_cookie_secret@@ 748 Make the current **staging** cookie secret **active**, and the current 749 **active** cookie secret **staging**. 750 751 752@@UAHL@unbound-control.commands@print_cookie_secrets@@ 753 Show the current configured cookie secrets with their status. 754 755Exit Code 756--------- 757 758The ``unbound-control`` program exits with status code 1 on error, 0 on 759success. 760 761Set Up 762------ 763 764The setup requires a self-signed certificate and private keys for both the 765server and client. 766The script ``unbound-control-setup`` generates these in the default run 767directory, or with ``-d`` in another directory. 768If you change the access control permissions on the key files you can decide 769who can use ``unbound-control``, by default owner and group but not all users. 770Run the script under the same username as you have configured in 771:file:`unbound.conf` or as root, so that the daemon is permitted to read the 772files, for example with: 773 774.. code-block:: bash 775 776 sudo -u unbound unbound-control-setup 777 778If you have not configured a username in :file:`unbound.conf`, the keys need 779read permission for the user credentials under which the daemon is started. 780The script preserves private keys present in the directory. 781After running the script as root, turn on 782:ref:`control-enable<unbound.conf.remote.control-enable>` in 783:file:`unbound.conf`. 784 785Statistic Counters 786------------------ 787 788The :ref:`stats<unbound-control.commands.stats>` and 789:ref:`stats_noreset<unbound-control.commands.stats_noreset>` commands show a 790number of statistic counters: 791 792 793@@UAHL@unbound-control.stats@threadX.num.queries@@ 794 number of queries received by thread 795 796 797@@UAHL@unbound-control.stats@threadX.num.queries_ip_ratelimited@@ 798 number of queries rate limited by thread 799 800 801@@UAHL@unbound-control.stats@threadX.num.queries_cookie_valid@@ 802 number of queries with a valid DNS Cookie by thread 803 804 805@@UAHL@unbound-control.stats@threadX.num.queries_cookie_client@@ 806 number of queries with a client part only DNS Cookie by thread 807 808 809@@UAHL@unbound-control.stats@threadX.num.queries_cookie_invalid@@ 810 number of queries with an invalid DNS Cookie by thread 811 812 813@@UAHL@unbound-control.stats@threadX.num.queries_discard_timeout@@ 814 number of queries removed due to discard-timeout by thread 815 816 817@@UAHL@unbound-control.stats@threadX.num.queries_wait_limit@@ 818 number of queries removed due to wait-limit by thread 819 820 821@@UAHL@unbound-control.stats@threadX.num.cachehits@@ 822 number of queries that were successfully answered using a cache lookup 823 824 825@@UAHL@unbound-control.stats@threadX.num.cachemiss@@ 826 number of queries that needed recursive processing 827 828 829@@UAHL@unbound-control.stats@threadX.num.dnscrypt.crypted@@ 830 number of queries that were encrypted and successfully decapsulated by 831 dnscrypt. 832 833 834@@UAHL@unbound-control.stats@threadX.num.dnscrypt.cert@@ 835 number of queries that were requesting dnscrypt certificates. 836 837 838@@UAHL@unbound-control.stats@threadX.num.dnscrypt.cleartext@@ 839 number of queries received on dnscrypt port that were cleartext and not a 840 request for certificates. 841 842 843@@UAHL@unbound-control.stats@threadX.num.dnscrypt.malformed@@ 844 number of request that were neither cleartext, not valid dnscrypt messages. 845 846 847@@UAHL@unbound-control.stats@threadX.num.dns_error_reports@@ 848 number of DNS Error Reports generated by thread 849 850 851@@UAHL@unbound-control.stats@threadX.num.prefetch@@ 852 number of cache prefetches performed. 853 This number is included in cachehits, as the original query had the 854 unprefetched answer from cache, and resulted in recursive processing, 855 taking a slot in the requestlist. 856 Not part of the recursivereplies (or the histogram thereof) or cachemiss, 857 as a cache response was sent. 858 859 860@@UAHL@unbound-control.stats@threadX.num.expired@@ 861 number of replies that served an expired cache entry. 862 863 864@@UAHL@unbound-control.stats@threadX.num.queries_timed_out@@ 865 number of queries that are dropped because they waited in the UDP socket 866 buffer for too long. 867 868 869@@UAHL@unbound-control.stats@threadX.query.queue_time_us.max@@ 870 The maximum wait time for packets in the socket buffer, in microseconds. 871 This is only reported when 872 :ref:`sock-queue-timeout<unbound.conf.sock-queue-timeout>` is enabled. 873 874 875@@UAHL@unbound-control.stats@threadX.num.recursivereplies@@ 876 The number of replies sent to queries that needed recursive processing. 877 Could be smaller than threadX.num.cachemiss if due to timeouts no replies 878 were sent for some queries. 879 880 881@@UAHL@unbound-control.stats@threadX.requestlist.avg@@ 882 The average number of requests in the internal recursive processing request 883 list on insert of a new incoming recursive processing query. 884 885 886@@UAHL@unbound-control.stats@threadX.requestlist.max@@ 887 Maximum size attained by the internal recursive processing request list. 888 889 890@@UAHL@unbound-control.stats@threadX.requestlist.overwritten@@ 891 Number of requests in the request list that were overwritten by newer 892 entries. 893 This happens if there is a flood of queries that recursive processing and 894 the server has a hard time. 895 896 897@@UAHL@unbound-control.stats@threadX.requestlist.exceeded@@ 898 Queries that were dropped because the request list was full. 899 This happens if a flood of queries need recursive processing, and the 900 server can not keep up. 901 902 903@@UAHL@unbound-control.stats@threadX.requestlist.current.all@@ 904 Current size of the request list, includes internally generated queries 905 (such as priming queries and glue lookups). 906 907 908@@UAHL@unbound-control.stats@threadX.requestlist.current.user@@ 909 Current size of the request list, only the requests from client queries. 910 911 912@@UAHL@unbound-control.stats@threadX.recursion.time.avg@@ 913 Average time it took to answer queries that needed recursive processing. 914 Note that queries that were answered from the cache are not in this average. 915 916 917@@UAHL@unbound-control.stats@threadX.recursion.time.median@@ 918 The median of the time it took to answer queries that needed recursive 919 processing. 920 The median means that 50% of the user queries were answered in less than 921 this time. 922 Because of big outliers (usually queries to non responsive servers), the 923 average can be bigger than the median. 924 This median has been calculated by interpolation from a histogram. 925 926 927@@UAHL@unbound-control.stats@threadX.tcpusage@@ 928 The currently held tcp buffers for incoming connections. 929 A spot value on the time of the request. 930 This helps you spot if the incoming-num-tcp buffers are full. 931 932 933@@UAHL@unbound-control.stats@total.num.queries@@ 934 summed over threads. 935 936 937@@UAHL@unbound-control.stats@total.num.queries_ip_ratelimited@@ 938 summed over threads. 939 940 941@@UAHL@unbound-control.stats@total.num.queries_cookie_valid@@ 942 summed over threads. 943 944 945@@UAHL@unbound-control.stats@total.num.queries_cookie_client@@ 946 summed over threads. 947 948 949@@UAHL@unbound-control.stats@total.num.queries_cookie_invalid@@ 950 summed over threads. 951 952 953@@UAHL@unbound-control.stats@total.num.queries_discard_timeout@@ 954 summed over threads. 955 956 957@@UAHL@unbound-control.stats@total.num.queries_wait_limit@@ 958 summed over threads. 959 960 961@@UAHL@unbound-control.stats@total.num.cachehits@@ 962 summed over threads. 963 964 965@@UAHL@unbound-control.stats@total.num.cachemiss@@ 966 summed over threads. 967 968 969@@UAHL@unbound-control.stats@total.num.dnscrypt.crypted@@ 970 summed over threads. 971 972 973@@UAHL@unbound-control.stats@total.num.dnscrypt.cert@@ 974 summed over threads. 975 976 977@@UAHL@unbound-control.stats@total.num.dnscrypt.cleartext@@ 978 summed over threads. 979 980 981@@UAHL@unbound-control.stats@total.num.dnscrypt.malformed@@ 982 summed over threads. 983 984 985@@UAHL@unbound-control.stats@total.num.dns_error_reports@@ 986 summed over threads. 987 988 989@@UAHL@unbound-control.stats@total.num.prefetch@@ 990 summed over threads. 991 992 993@@UAHL@unbound-control.stats@total.num.expired@@ 994 summed over threads. 995 996 997@@UAHL@unbound-control.stats@total.num.queries_timed_out@@ 998 summed over threads. 999 1000 1001@@UAHL@unbound-control.stats@total.query.queue_time_us.max@@ 1002 the maximum of the thread values. 1003 1004 1005@@UAHL@unbound-control.stats@total.num.recursivereplies@@ 1006 summed over threads. 1007 1008 1009@@UAHL@unbound-control.stats@total.requestlist.avg@@ 1010 averaged over threads. 1011 1012 1013@@UAHL@unbound-control.stats@total.requestlist.max@@ 1014 the maximum of the thread requestlist.max values. 1015 1016 1017@@UAHL@unbound-control.stats@total.requestlist.overwritten@@ 1018 summed over threads. 1019 1020 1021@@UAHL@unbound-control.stats@total.requestlist.exceeded@@ 1022 summed over threads. 1023 1024 1025@@UAHL@unbound-control.stats@total.requestlist.current.all@@ 1026 summed over threads. 1027 1028 1029@@UAHL@unbound-control.stats@total.recursion.time.median@@ 1030 averaged over threads. 1031 1032 1033@@UAHL@unbound-control.stats@total.tcpusage@@ 1034 summed over threads. 1035 1036 1037@@UAHL@unbound-control.stats@time.now@@ 1038 current time in seconds since 1970. 1039 1040 1041@@UAHL@unbound-control.stats@time.up@@ 1042 uptime since server boot in seconds. 1043 1044 1045@@UAHL@unbound-control.stats@time.elapsed@@ 1046 time since last statistics printout, in seconds. 1047 1048Extended Statistics 1049------------------- 1050 1051 1052@@UAHL@unbound-control.stats@mem.cache.rrset@@ 1053 Memory in bytes in use by the RRset cache. 1054 1055 1056@@UAHL@unbound-control.stats@mem.cache.message@@ 1057 Memory in bytes in use by the message cache. 1058 1059 1060@@UAHL@unbound-control.stats@mem.cache.dnscrypt_shared_secret@@ 1061 Memory in bytes in use by the dnscrypt shared secrets cache. 1062 1063 1064@@UAHL@unbound-control.stats@mem.cache.dnscrypt_nonce@@ 1065 Memory in bytes in use by the dnscrypt nonce cache. 1066 1067 1068@@UAHL@unbound-control.stats@mem.mod.iterator@@ 1069 Memory in bytes in use by the iterator module. 1070 1071 1072@@UAHL@unbound-control.stats@mem.mod.validator@@ 1073 Memory in bytes in use by the validator module. 1074 Includes the key cache and negative cache. 1075 1076 1077@@UAHL@unbound-control.stats@mem.streamwait@@ 1078 Memory in bytes in used by the TCP and TLS stream wait buffers. 1079 These are answers waiting to be written back to the clients. 1080 1081 1082@@UAHL@unbound-control.stats@mem.http.query_buffer@@ 1083 Memory in bytes used by the HTTP/2 query buffers. 1084 Containing (partial) DNS queries waiting for request stream completion. 1085 1086 1087@@UAHL@unbound-control.stats@mem.http.response_buffer@@ 1088 Memory in bytes used by the HTTP/2 response buffers. 1089 Containing DNS responses waiting to be written back to the clients. 1090 1091 1092@@UAHL@unbound-control.stats@mem.quic@@ 1093 Memory in bytes used by QUIC. 1094 Containing connection information, stream information, queries read and 1095 responses written back to the clients. 1096 1097@@UAHL@unbound-control.stats@histogram@@.<sec>.<usec>.to.<sec>.<usec> 1098 Shows a histogram, summed over all threads. 1099 Every element counts the recursive queries whose reply time fit between the 1100 lower and upper bound. 1101 Times larger or equal to the lowerbound, and smaller than the upper bound. 1102 There are 40 buckets, with bucket sizes doubling. 1103 1104 1105@@UAHL@unbound-control.stats@num.query.type.A@@ 1106 The total number of queries over all threads with query type A. 1107 Printed for the other query types as well, but only for the types for which 1108 queries were received, thus =0 entries are omitted for brevity. 1109 1110 1111@@UAHL@unbound-control.stats@num.query.type.other@@ 1112 Number of queries with query types 256-65535. 1113 1114 1115@@UAHL@unbound-control.stats@num.query.class.IN@@ 1116 The total number of queries over all threads with query class IN 1117 (internet). 1118 Also printed for other classes (such as CH (CHAOS) sometimes used for 1119 debugging), or NONE, ANY, used by dynamic update. 1120 num.query.class.other is printed for classes 256-65535. 1121 1122 1123@@UAHL@unbound-control.stats@num.query.opcode.QUERY@@ 1124 The total number of queries over all threads with query opcode QUERY. 1125 Also printed for other opcodes, UPDATE, ... 1126 1127 1128@@UAHL@unbound-control.stats@num.query.tcp@@ 1129 Number of queries that were made using TCP towards the Unbound server. 1130 1131 1132@@UAHL@unbound-control.stats@num.query.tcpout@@ 1133 Number of queries that the Unbound server made using TCP outgoing towards 1134 other servers. 1135 1136 1137@@UAHL@unbound-control.stats@num.query.udpout@@ 1138 Number of queries that the Unbound server made using UDP outgoing towards 1139 other servers. 1140 1141 1142@@UAHL@unbound-control.stats@num.query.tls@@ 1143 Number of queries that were made using TLS towards the Unbound server. 1144 These are also counted in num.query.tcp, because TLS uses TCP. 1145 1146 1147@@UAHL@unbound-control.stats@num.query.tls.resume@@ 1148 Number of TLS session resumptions, these are queries over TLS towards the 1149 Unbound server where the client negotiated a TLS session resumption key. 1150 1151 1152@@UAHL@unbound-control.stats@num.query.https@@ 1153 Number of queries that were made using HTTPS towards the Unbound server. 1154 These are also counted in num.query.tcp and num.query.tls, because HTTPS 1155 uses TLS and TCP. 1156 1157 1158@@UAHL@unbound-control.stats@num.query.quic@@ 1159 Number of queries that were made using QUIC towards the Unbound server. 1160 These are also counted in num.query.tls, because TLS is used for these 1161 queries. 1162 1163 1164@@UAHL@unbound-control.stats@num.query.ipv6@@ 1165 Number of queries that were made using IPv6 towards the Unbound server. 1166 1167 1168@@UAHL@unbound-control.stats@num.query.flags.RD@@ 1169 The number of queries that had the RD flag set in the header. 1170 Also printed for flags QR, AA, TC, RA, Z, AD, CD. 1171 Note that queries with flags QR, AA or TC may have been rejected because of 1172 that. 1173 1174 1175@@UAHL@unbound-control.stats@num.query.edns.present@@ 1176 number of queries that had an EDNS OPT record present. 1177 1178 1179@@UAHL@unbound-control.stats@num.query.edns.DO@@ 1180 number of queries that had an EDNS OPT record with the DO (DNSSEC OK) bit 1181 set. 1182 These queries are also included in the num.query.edns.present number. 1183 1184 1185@@UAHL@unbound-control.stats@num.query.ratelimited@@ 1186 The number of queries that are turned away from being send to nameserver 1187 due to ratelimiting. 1188 1189 1190@@UAHL@unbound-control.stats@num.query.dnscrypt.shared_secret.cachemiss@@ 1191 The number of dnscrypt queries that did not find a shared secret in the 1192 cache. 1193 This can be use to compute the shared secret hitrate. 1194 1195 1196@@UAHL@unbound-control.stats@num.query.dnscrypt.replay@@ 1197 The number of dnscrypt queries that found a nonce hit in the nonce cache 1198 and hence are considered a query replay. 1199 1200 1201@@UAHL@unbound-control.stats@num.answer.rcode.NXDOMAIN@@ 1202 The number of answers to queries, from cache or from recursion, that had 1203 the return code NXDOMAIN. 1204 Also printed for the other return codes. 1205 1206 1207@@UAHL@unbound-control.stats@num.answer.rcode.nodata@@ 1208 The number of answers to queries that had the pseudo return code nodata. 1209 This means the actual return code was NOERROR, but additionally, no data 1210 was carried in the answer (making what is called a NOERROR/NODATA answer). 1211 These queries are also included in the num.answer.rcode.NOERROR number. 1212 Common for AAAA lookups when an A record exists, and no AAAA. 1213 1214 1215@@UAHL@unbound-control.stats@num.answer.secure@@ 1216 Number of answers that were secure. 1217 The answer validated correctly. 1218 The AD bit might have been set in some of these answers, where the client 1219 signalled (with DO or AD bit in the query) that they were ready to accept 1220 the AD bit in the answer. 1221 1222 1223@@UAHL@unbound-control.stats@num.answer.bogus@@ 1224 Number of answers that were bogus. 1225 These answers resulted in SERVFAIL to the client because the answer failed 1226 validation. 1227 1228 1229@@UAHL@unbound-control.stats@num.rrset.bogus@@ 1230 The number of rrsets marked bogus by the validator. 1231 Increased for every RRset inspection that fails. 1232 1233 1234@@UAHL@unbound-control.stats@num.valops@@ 1235 The number of validation operations performed by the validator. 1236 Increased for every RRSIG verification operation regardless of the 1237 validation result. 1238 The RRSIG and key combination needs to first pass some sanity checks before 1239 Unbound even performs the verification, e.g., length/protocol checks. 1240 1241 1242@@UAHL@unbound-control.stats@unwanted.queries@@ 1243 Number of queries that were refused or dropped because they failed the 1244 access control settings. 1245 1246 1247@@UAHL@unbound-control.stats@unwanted.replies@@ 1248 Replies that were unwanted or unsolicited. 1249 Could have been random traffic, delayed duplicates, very late answers, or 1250 could be spoofing attempts. 1251 Some low level of late answers and delayed duplicates are to be expected 1252 with the UDP protocol. 1253 Very high values could indicate a threat (spoofing). 1254 1255 1256@@UAHL@unbound-control.stats@msg.cache.count@@ 1257 The number of items (DNS replies) in the message cache. 1258 1259 1260@@UAHL@unbound-control.stats@rrset.cache.count@@ 1261 The number of RRsets in the rrset cache. 1262 This includes rrsets used by the messages in the message cache, but also 1263 delegation information. 1264 1265 1266@@UAHL@unbound-control.stats@infra.cache.count@@ 1267 The number of items in the infra cache. 1268 These are IP addresses with their timing and protocol support information. 1269 1270 1271@@UAHL@unbound-control.stats@key.cache.count@@ 1272 The number of items in the key cache. 1273 These are DNSSEC keys, one item per delegation point, and their validation 1274 status. 1275 1276 1277@@UAHL@unbound-control.stats@msg.cache.max_collisions@@ 1278 The maximum number of hash table collisions in the msg cache. 1279 This is the number of hashes that are identical when a new element is 1280 inserted in the hash table. 1281 If the value is very large, like hundreds, something is wrong with the 1282 performance of the hash table, hash values are incorrect or malicious. 1283 1284 1285@@UAHL@unbound-control.stats@rrset.cache.max_collisions@@ 1286 The maximum number of hash table collisions in the rrset cache. 1287 This is the number of hashes that are identical when a new element is 1288 inserted in the hash table. 1289 If the value is very large, like hundreds, something is wrong with the 1290 performance of the hash table, hash values are incorrect or malicious. 1291 1292 1293@@UAHL@unbound-control.stats@dnscrypt_shared_secret.cache.count@@ 1294 The number of items in the shared secret cache. 1295 These are precomputed shared secrets for a given client public key/server 1296 secret key pair. 1297 Shared secrets are CPU intensive and this cache allows Unbound to avoid 1298 recomputing the shared secret when multiple dnscrypt queries are sent from 1299 the same client. 1300 1301 1302@@UAHL@unbound-control.stats@dnscrypt_nonce.cache.count@@ 1303 The number of items in the client nonce cache. 1304 This cache is used to prevent dnscrypt queries replay. 1305 The client nonce must be unique for each client public key/server secret 1306 key pair. 1307 This cache should be able to host QPS * `replay window` interval keys to 1308 prevent replay of a query during `replay window` seconds. 1309 1310 1311@@UAHL@unbound-control.stats@num.query.authzone.up@@ 1312 The number of queries answered from auth-zone data, upstream queries. 1313 These queries would otherwise have been sent (with fallback enabled) to the 1314 internet, but are now answered from the auth zone. 1315 1316 1317@@UAHL@unbound-control.stats@num.query.authzone.down@@ 1318 The number of queries for downstream answered from auth-zone data. 1319 These queries are from downstream clients, and have had an answer from the 1320 data in the auth zone. 1321 1322 1323@@UAHL@unbound-control.stats@num.query.aggressive.NOERROR@@ 1324 The number of queries answered using cached NSEC records with NODATA RCODE. 1325 These queries would otherwise have been sent to the internet, but are now 1326 answered using cached data. 1327 1328 1329@@UAHL@unbound-control.stats@num.query.aggressive.NXDOMAIN@@ 1330 The number of queries answered using cached NSEC records with NXDOMAIN 1331 RCODE. 1332 These queries would otherwise have been sent to the internet, but are now 1333 answered using cached data. 1334 1335 1336@@UAHL@unbound-control.stats@num.query.subnet@@ 1337 Number of queries that got an answer that contained EDNS client subnet 1338 data. 1339 1340 1341@@UAHL@unbound-control.stats@num.query.subnet_cache@@ 1342 Number of queries answered from the edns client subnet cache. 1343 These are counted as cachemiss by the main counters, but hit the client 1344 subnet specific cache after getting processed by the edns client subnet 1345 module. 1346 1347 1348@@UAHL@unbound-control.stats@num.query.cachedb@@ 1349 Number of queries answered from the external cache of cachedb. 1350 These are counted as cachemiss by the main counters, but hit the cachedb 1351 external cache after getting processed by the cachedb module. 1352 1353@@UAHL@unbound-control.stats@num.rpz.action@@.<rpz_action> 1354 Number of queries answered using configured RPZ policy, per RPZ action 1355 type. 1356 Possible actions are: nxdomain, nodata, passthru, drop, tcp-only, 1357 local-data, disabled, and cname-override. 1358 1359Files 1360----- 1361 1362@ub_conf_file@ 1363 Unbound configuration file. 1364 1365@UNBOUND_RUN_DIR@ 1366 directory with private keys (:file:`unbound_server.key` and 1367 :file:`unbound_control.key`) and self-signed certificates 1368 (:file:`unbound_server.pem` and :file:`unbound_control.pem`). 1369 1370See Also 1371-------- 1372 1373:doc:`unbound.conf(5)</manpages/unbound.conf>`, 1374:doc:`unbound(8)</manpages/unbound>`. 1375