1.. 2 WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE 3 4.. 5 IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE 6 7.. 8 IT HELPS PEOPLE DIFFING THE CHANGES 9 10.. 11 WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE 12 13.. 14 IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE 15 16.. 17 IT HELPS PEOPLE DIFFING THE CHANGES 18 19.. 20 WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE 21 22.. 23 IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE 24 25.. 26 IT HELPS PEOPLE DIFFING THE CHANGES 27 28.. 29 WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE 30 31.. 32 IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE 33 34.. 35 IT HELPS PEOPLE DIFFING THE CHANGES 36 37.. program:: unbound-control 38 39unbound-control(8) 40================== 41 42Synopsis 43-------- 44 45**unbound-control** [``-hq``] [``-c cfgfile``] [``-s server``] command 46 47Description 48----------- 49 50``unbound-control`` performs remote administration on the 51:doc:`unbound(8)</manpages/unbound>` DNS server. 52It reads the configuration file, contacts the Unbound server over TLS sends the 53command and displays the result. 54 55The available options are: 56 57.. option:: -h 58 59 Show the version and commandline option help. 60 61.. option:: -c <cfgfile> 62 63 The config file to read with settings. 64 If not given the default config file 65 :file:`@ub_conf_file@` is used. 66 67.. option:: -s <server[@port]> 68 69 IPv4 or IPv6 address of the server to contact. 70 If not given, the address is read from the config file. 71 72.. option:: -q 73 74 Quiet, if the option is given it does not print anything if it works ok. 75 76Commands 77-------- 78 79There are several commands that the server understands. 80 81 82@@UAHL@unbound-control.commands@start@@ 83 Start the server. 84 Simply execs :doc:`unbound(8)</manpages/unbound>`. 85 The ``unbound`` executable is searched for in the **PATH** set in the 86 environment. 87 It is started with the config file specified using :option:`-c` or the 88 default config file. 89 90 91@@UAHL@unbound-control.commands@stop@@ 92 Stop the server. 93 The server daemon exits. 94 95 96@@UAHL@unbound-control.commands@reload@@ 97 Reload the server. 98 This flushes the cache and reads the config file fresh. 99 100 101@@UAHL@unbound-control.commands@reload_keep_cache@@ 102 Reload the server but try to keep the RRset and message cache if 103 (re)configuration allows for it. 104 That means the caches sizes and the number of threads must not change 105 between reloads. 106 107 108@@UAHL@unbound-control.commands@fast_reload@@ [``+dpv``] 109 Reload the server, but keep downtime to a minimum, so that user queries 110 keep seeing service. 111 This needs the code compiled with threads. 112 The config is loaded in a thread, and prepared, then it briefly pauses the 113 existing server and updates config options. 114 The intent is that the pause does not impact the service of user queries. 115 The cache is kept. 116 Also user queries worked on are kept and continue, but with the new config 117 options. 118 119 .. note:: 120 This command is experimental at this time. 121 122 The amount of temporal memory needed during a fast_reload is twice the 123 amount needed for configuration. 124 This is because Unbound temporarily needs to store both current 125 configuration values and new ones while trying to fast_reload. 126 Zones loaded from disk (authority zones and RPZ zones) are included in such 127 memory needs. 128 129 Options that can be changed are for 130 :ref:`forwards<unbound.conf.forward>`, 131 :ref:`stubs<unbound.conf.stub>`, 132 :ref:`views<unbound.conf.view>`, 133 :ref:`authority zones<unbound.conf.auth>`, 134 :ref:`RPZ zones<unbound.conf.rpz>` and 135 :ref:`local zones<unbound.conf.local-zone>`. 136 137 Also 138 :ref:`access-control<unbound.conf.access-control>` and similar options, 139 :ref:`interface-action<unbound.conf.interface-action>` and similar 140 options and 141 :ref:`tcp-connection-limit<unbound.conf.tcp-connection-limit>`. 142 It can reload some 143 :ref:`define-tag<unbound.conf.define-tag>` 144 changes, more on that below. 145 Further options include 146 :ref:`insecure-lan-zones<unbound.conf.insecure-lan-zones>`, 147 :ref:`domain-insecure<unbound.conf.domain-insecure>`, 148 :ref:`trust-anchor-file<unbound.conf.trust-anchor-file>`, 149 :ref:`trust-anchor<unbound.conf.trust-anchor>`, 150 :ref:`trusted-keys-file<unbound.conf.trusted-keys-file>`, 151 :ref:`auto-trust-anchor-file<unbound.conf.auto-trust-anchor-file>`, 152 :ref:`edns-client-string<unbound.conf.edns-client-string>`, 153 ipset, 154 :ref:`log-identity<unbound.conf.log-identity>`, 155 :ref:`infra-cache-numhosts<unbound.conf.infra-cache-numhosts>`, 156 :ref:`msg-cache-size<unbound.conf.msg-cache-size>`, 157 :ref:`rrset-cache-size<unbound.conf.rrset-cache-size>`, 158 :ref:`key-cache-size<unbound.conf.key-cache-size>`, 159 :ref:`ratelimit-size<unbound.conf.ratelimit-size>`, 160 :ref:`neg-cache-size<unbound.conf.neg-cache-size>`, 161 :ref:`num-queries-per-thread<unbound.conf.num-queries-per-thread>`, 162 :ref:`jostle-timeout<unbound.conf.jostle-timeout>`, 163 :ref:`use-caps-for-id<unbound.conf.use-caps-for-id>`, 164 :ref:`unwanted-reply-threshold<unbound.conf.unwanted-reply-threshold>`, 165 :ref:`tls-use-sni<unbound.conf.tls-use-sni>`, 166 :ref:`outgoing-tcp-mss<unbound.conf.outgoing-tcp-mss>`, 167 :ref:`ip-dscp<unbound.conf.ip-dscp>`, 168 :ref:`max-reuse-tcp-queries<unbound.conf.max-reuse-tcp-queries>`, 169 :ref:`tcp-reuse-timeout<unbound.conf.tcp-reuse-timeout>`, 170 :ref:`tcp-auth-query-timeout<unbound.conf.tcp-auth-query-timeout>`, 171 :ref:`delay-close<unbound.conf.delay-close>`. 172 :ref:`iter-scrub-promiscuous<unbound.conf.iter-scrub-promiscuous>`. 173 174 It does not work with 175 :ref:`interface<unbound.conf.interface>` and 176 :ref:`outgoing-interface<unbound.conf.outgoing-interface>` changes, 177 also not with 178 :ref:`remote control<unbound.conf.remote>`, 179 :ref:`outgoing-port-permit<unbound.conf.outgoing-port-permit>`, 180 :ref:`outgoing-port-avoid<unbound.conf.outgoing-port-avoid>`, 181 :ref:`msg-buffer-size<unbound.conf.msg-buffer-size>`, 182 any **\*-slabs** options and 183 :ref:`statistics-interval<unbound.conf.statistics-interval>` changes. 184 185 For :ref:`dnstap<unbound.conf.dnstap>` these options can be changed: 186 :ref:`dnstap-log-resolver-query-messages<unbound.conf.dnstap.dnstap-log-resolver-query-messages>`, 187 :ref:`dnstap-log-resolver-response-messages<unbound.conf.dnstap.dnstap-log-resolver-response-messages>`, 188 :ref:`dnstap-log-client-query-messages<unbound.conf.dnstap.dnstap-log-client-query-messages>`, 189 :ref:`dnstap-log-client-response-messages<unbound.conf.dnstap.dnstap-log-client-response-messages>`, 190 :ref:`dnstap-log-forwarder-query-messages<unbound.conf.dnstap.dnstap-log-forwarder-query-messages>` and 191 :ref:`dnstap-log-forwarder-response-messages<unbound.conf.dnstap.dnstap-log-forwarder-response-messages>`. 192 193 It does not work with these options: 194 :ref:`dnstap-enable<unbound.conf.dnstap.dnstap-enable>`, 195 :ref:`dnstap-bidirectional<unbound.conf.dnstap.dnstap-bidirectional>`, 196 :ref:`dnstap-socket-path<unbound.conf.dnstap.dnstap-socket-path>`, 197 :ref:`dnstap-ip<unbound.conf.dnstap.dnstap-ip>`, 198 :ref:`dnstap-tls<unbound.conf.dnstap.dnstap-tls>`, 199 :ref:`dnstap-tls-server-name<unbound.conf.dnstap.dnstap-tls-server-name>`, 200 :ref:`dnstap-tls-cert-bundle<unbound.conf.dnstap.dnstap-tls-cert-bundle>`, 201 :ref:`dnstap-tls-client-key-file<unbound.conf.dnstap.dnstap-tls-client-key-file>` and 202 :ref:`dnstap-tls-client-cert-file<unbound.conf.dnstap.dnstap-tls-client-cert-file>`. 203 204 The options 205 :ref:`dnstap-send-identity<unbound.conf.dnstap.dnstap-send-identity>`, 206 :ref:`dnstap-send-version<unbound.conf.dnstap.dnstap-send-version>`, 207 :ref:`dnstap-identity<unbound.conf.dnstap.dnstap-identity>`, and 208 :ref:`dnstap-version<unbound.conf.dnstap.dnstap-version>` can be loaded 209 when ``+p`` is not used. 210 211 The ``+v`` option makes the output verbose which includes the time it took 212 to do the reload. 213 With ``+vv`` it is more verbose which includes the amount of memory that 214 was allocated temporarily to perform the reload; this amount of memory can 215 be big if the config has large contents. 216 In the timing output the 'reload' time is the time during which the server 217 was paused. 218 219 The ``+p`` option makes the reload not pause threads, they keep running. 220 Locks are acquired, but items are updated in sequence, so it is possible 221 for threads to see an inconsistent state with some options from the old 222 and some options from the new config, such as cache TTL parameters from the 223 old config and forwards from the new config. 224 The stubs and forwards are updated at the same time, so that they are 225 viewed consistently, either old or new values together. 226 The option makes the reload time take eg. 3 microseconds instead of 0.3 227 milliseconds during which the worker threads are interrupted. 228 So, the interruption is much shorter, at the expense of some inconsistency. 229 After the reload itself, every worker thread is briefly contacted to make 230 them release resources, this makes the delete timing a little longer, and 231 takes up time from the remote control servicing worker thread. 232 233 With the nopause option (``+p``), the reload does not work to reload some 234 options, that fast reload works on without the nopause option: 235 :ref:`val-bogus-ttl<unbound.conf.val-bogus-ttl>`, 236 :ref:`val-override-date<unbound.conf.val-override-date>`, 237 :ref:`val-sig-skew-min<unbound.conf.val-sig-skew-min>`, 238 :ref:`val-sig-skew-max<unbound.conf.val-sig-skew-max>`, 239 :ref:`val-max-restart<unbound.conf.val-max-restart>`, 240 :ref:`val-nsec3-keysize-iterations<unbound.conf.val-nsec3-keysize-iterations>`, 241 :ref:`target-fetch-policy<unbound.conf.target-fetch-policy>`, 242 :ref:`outbound-msg-retry<unbound.conf.outbound-msg-retry>`, 243 :ref:`max-sent-count<unbound.conf.max-sent-count>`, 244 :ref:`max-query-restarts<unbound.conf.max-query-restarts>`, 245 :ref:`do-not-query-address<unbound.conf.do-not-query-address>`, 246 :ref:`do-not-query-localhost<unbound.conf.do-not-query-localhost>`, 247 :ref:`private-address<unbound.conf.private-address>`, 248 :ref:`private-domain<unbound.conf.private-domain>`, 249 :ref:`caps-exempt<unbound.conf.caps-exempt>`, 250 :ref:`nat64-prefix<unbound.conf.nat64.nat64-prefix>`, 251 :ref:`do-nat64<unbound.conf.nat64.do-nat64>`, 252 :ref:`infra-host-ttl<unbound.conf.infra-host-ttl>`, 253 :ref:`infra-keep-probing<unbound.conf.infra-keep-probing>`, 254 :ref:`ratelimit<unbound.conf.ratelimit>`, 255 :ref:`ip-ratelimit<unbound.conf.ip-ratelimit>`, 256 :ref:`ip-ratelimit-cookie<unbound.conf.ip-ratelimit-cookie>`, 257 :ref:`wait-limit-netblock<unbound.conf.wait-limit-netblock>`, 258 :ref:`wait-limit-cookie-netblock<unbound.conf.wait-limit-cookie-netblock>`, 259 :ref:`ratelimit-below-domain<unbound.conf.ratelimit-below-domain>`, 260 :ref:`ratelimit-for-domain<unbound.conf.ratelimit-for-domain>`. 261 262 The ``+d`` option makes the reload drop queries that the worker threads are 263 working on. 264 This is like 265 :ref:`flush_requestlist<unbound-control.commands.flush_requestlist>`. 266 Without it the queries are kept so that users keep getting answers for 267 those queries that are currently processed. 268 The drop makes it so that queries during the life time of the 269 query processing see only old, or only new config options. 270 271 When there are changes to the config tags, from the 272 :ref:`define-tag<unbound.conf.define-tag>` option, 273 then the ``+d`` option is implicitly turned on with a warning printout, and 274 queries are dropped. 275 This is to stop references to the old tag information, by the old 276 queries. 277 If the number of tags is increased in the newly loaded config, by 278 adding tags at the end, then the implicit ``+d`` option is not needed. 279 280 For response ip, that is actions associated with IP addresses, and perhaps 281 intersected with access control tag and action information, those settings 282 are stored with a query when it comes in based on its source IP address. 283 The old information is kept with the query until the queries are done. 284 This is gone when those queries are resolved and finished, or it is 285 possible to flush the requestlist with ``+d``. 286 287 288@@UAHL@unbound-control.commands@verbosity@@ *number* 289 Change verbosity value for logging. 290 Same values as the **verbosity:** keyword in 291 :doc:`unbound.conf(5)</manpages/unbound.conf>`. 292 This new setting lasts until the server is issued a reload (taken from 293 config file again), or the next verbosity control command. 294 295 296@@UAHL@unbound-control.commands@log_reopen@@ 297 Reopen the logfile, close and open it. 298 Useful for logrotation to make the daemon release the file it is logging 299 to. 300 If you are using syslog it will attempt to close and open the syslog (which 301 may not work if chrooted). 302 303 304@@UAHL@unbound-control.commands@stats@@ 305 Print statistics. 306 Resets the internal counters to zero, this can be controlled using the 307 **statistics-cumulative:** config statement. 308 Statistics are printed with one ``[name]: [value]`` per line. 309 310 311@@UAHL@unbound-control.commands@stats_noreset@@ 312 Peek at statistics. 313 Prints them like the stats command does, but does not reset the internal 314 counters to zero. 315 316 317@@UAHL@unbound-control.commands@status@@ 318 Display server status. 319 Exit code 3 if not running (the connection to the port is refused), 1 on 320 error, 0 if running. 321 322 323@@UAHL@unbound-control.commands@local_zone@@ *name type* 324 Add new local zone with name and type. 325 Like local-zone config statement. 326 If the zone already exists, the type is changed to the given argument. 327 328 329@@UAHL@unbound-control.commands@local_zone_remove@@ *name* 330 Remove the local zone with the given name. 331 Removes all local data inside it. 332 If the zone does not exist, the command succeeds. 333 334 335@@UAHL@unbound-control.commands@local_data@@ *RR data...* 336 Add new local data, the given resource record. 337 Like **local-data:** keyword, except for when no covering zone exists. 338 In that case this remote control command creates a transparent zone with 339 the same name as this record. 340 341 342@@UAHL@unbound-control.commands@local_data_remove@@ *name* 343 Remove all RR data from local name. 344 If the name already has no items, nothing happens. 345 Often results in NXDOMAIN for the name (in a static zone), but if the name 346 has become an empty nonterminal (there is still data in domain names below 347 the removed name), NOERROR nodata answers are the result for that name. 348 349 350@@UAHL@unbound-control.commands@local_zones@@ 351 Add local zones read from stdin of unbound-control. 352 Input is read per line, with name space type on a line. 353 For bulk additions. 354 355 356@@UAHL@unbound-control.commands@local_zones_remove@@ 357 Remove local zones read from stdin of unbound-control. 358 Input is one name per line. 359 For bulk removals. 360 361 362@@UAHL@unbound-control.commands@local_datas@@ 363 Add local data RRs read from stdin of unbound-control. 364 Input is one RR per line. 365 For bulk additions. 366 367 368@@UAHL@unbound-control.commands@local_datas_remove@@ 369 Remove local data RRs read from stdin of unbound-control. 370 Input is one name per line. 371 For bulk removals. 372 373 374@@UAHL@unbound-control.commands@dump_cache@@ 375 The contents of the cache is printed in a text format to stdout. 376 You can redirect it to a file to store the cache in a file. 377 Not supported in remote Unbounds in multi-process operation. 378 379 380@@UAHL@unbound-control.commands@load_cache@@ 381 The contents of the cache is loaded from stdin. 382 Uses the same format as dump_cache uses. 383 Loading the cache with old, or wrong data can result in old or wrong data 384 returned to clients. 385 Loading data into the cache in this way is supported in order to aid with 386 debugging. 387 Not supported in remote Unbounds in multi-process operation. 388 389 390@@UAHL@unbound-control.commands@cache_lookup@@ [``+t``] *names* 391 Print to stdout the RRsets and messages that are in the cache. 392 For every name listed the content at or under the name is printed. 393 Several names separated by spaces can be given, each is printed. 394 When subnetcache is enabled, also matching entries from the subnet 395 cache are printed. 396 397 The ``+t`` option allows tld and root names. 398 With it names like 'com' and '.' can be used, but it takes a lot of 399 effort to look up in the cache. 400 401 402@@UAHL@unbound-control.commands@lookup@@ *name* 403 Print to stdout the name servers that would be used to look up the name 404 specified. 405 406 407@@UAHL@unbound-control.commands@flush@@ [``+c``] *name* 408 Remove the name from the cache. 409 Removes the types A, AAAA, NS, SOA, CNAME, DNAME, MX, PTR, SRV, NAPTR, 410 SVCB and HTTPS. 411 Because that is fast to do. 412 Other record types can be removed using **flush_type** or **flush_zone**. 413 414 The ``+c`` option removes the items also from the cachedb cache. 415 If cachedb is in use. 416 417 418@@UAHL@unbound-control.commands@flush_type@@ [``+c``] *name type* 419 Remove the name, type information from the cache. 420 421 The ``+c`` option removes the items also from the cachedb cache. 422 If cachedb is in use. 423 424 425@@UAHL@unbound-control.commands@flush_zone@@ [``+c``] name 426 Remove all information at or below the name from the cache. 427 The rrsets and key entries are removed so that new lookups will be 428 performed. 429 This needs to walk and inspect the entire cache, and is a slow operation. 430 The entries are set to expired in the implementation of this command (so, 431 with serve-expired enabled, it'll serve that information but schedule a 432 prefetch for new information). 433 434 The ``+c`` option removes the items also from the cachedb cache. 435 If cachedb is in use. 436 437 438@@UAHL@unbound-control.commands@flush_bogus@@ [``+c``] 439 Remove all bogus data from the cache. 440 441 The ``+c`` option removes the items also from the cachedb cache. 442 If cachedb is in use. 443 444 445@@UAHL@unbound-control.commands@flush_negative@@ [``+c``] 446 Remove all negative data from the cache. 447 This is nxdomain answers, nodata answers and servfail answers. 448 Also removes bad key entries (which could be due to failed lookups) from 449 the dnssec key cache, and iterator last-resort lookup failures from the 450 rrset cache. 451 452 The ``+c`` option removes the items also from the cachedb cache. 453 If cachedb is in use. 454 455 456@@UAHL@unbound-control.commands@flush_stats@@ 457 Reset statistics to zero. 458 459 460@@UAHL@unbound-control.commands@flush_requestlist@@ 461 Drop the queries that are worked on. 462 Stops working on the queries that the server is working on now. 463 The cache is unaffected. 464 No reply is sent for those queries, probably making those users request 465 again later. 466 Useful to make the server restart working on queries with new settings, 467 such as a higher verbosity level. 468 469 470@@UAHL@unbound-control.commands@dump_requestlist@@ 471 Show what is worked on. 472 Prints all queries that the server is currently working on. 473 Prints the time that users have been waiting. 474 For internal requests, no time is printed. 475 And then prints out the module status. 476 This prints the queries from the first thread, and not queries that are 477 being serviced from other threads. 478 479 480@@UAHL@unbound-control.commands@flush_infra@@ *all|IP* 481 If all then entire infra cache is emptied. 482 If a specific IP address, the entry for that address is removed from the 483 cache. 484 It contains EDNS, ping and lameness data. 485 486 487@@UAHL@unbound-control.commands@dump_infra@@ 488 Show the contents of the infra cache. 489 490 491@@UAHL@unbound-control.commands@set_option@@ *opt: val* 492 Set the option to the given value without a reload. 493 The cache is therefore not flushed. 494 The option must end with a ``':'`` and whitespace must be between the 495 option and the value. 496 Some values may not have an effect if set this way, the new values are not 497 written to the config file, not all options are supported. 498 This is different from the set_option call in libunbound, where all values 499 work because Unbound has not been initialized. 500 501 The values that work are: statistics-interval, statistics-cumulative, 502 do-not-query-localhost, harden-short-bufsize, harden-large-queries, 503 harden-glue, harden-dnssec-stripped, harden-below-nxdomain, 504 harden-referral-path, prefetch, prefetch-key, log-queries, hide-identity, 505 hide-version, identity, version, val-log-level, val-log-squelch, 506 ignore-cd-flag, add-holddown, del-holddown, keep-missing, tcp-upstream, 507 ssl-upstream, max-udp-size, ratelimit, ip-ratelimit, cache-max-ttl, 508 cache-min-ttl, cache-max-negative-ttl. 509 510 511@@UAHL@unbound-control.commands@get_option@@ *opt* 512 Get the value of the option. 513 Give the option name without a trailing ``':'``. 514 The value is printed. 515 If the value is ``""``, nothing is printed and the connection closes. 516 On error ``'error ...'`` is printed (it gives a syntax error on unknown 517 option). 518 For some options a list of values, one on each line, is printed. 519 The options are shown from the config file as modified with set_option. 520 For some options an override may have been taken that does not show up with 521 this command, not results from e.g. the verbosity and forward control 522 commands. 523 Not all options work, see list_stubs, list_forwards, list_local_zones and 524 list_local_data for those. 525 526 527@@UAHL@unbound-control.commands@list_stubs@@ 528 List the stub zones in use. 529 These are printed one by one to the output. 530 This includes the root hints in use. 531 532 533@@UAHL@unbound-control.commands@list_forwards@@ 534 List the forward zones in use. 535 These are printed zone by zone to the output. 536 537 538@@UAHL@unbound-control.commands@list_insecure@@ 539 List the zones with domain-insecure. 540 541 542@@UAHL@unbound-control.commands@list_local_zones@@ 543 List the local zones in use. 544 These are printed one per line with zone type. 545 546 547@@UAHL@unbound-control.commands@list_local_data@@ 548 List the local data RRs in use. 549 The resource records are printed. 550 551 552@@UAHL@unbound-control.commands@insecure_add@@ *zone* 553 Add a domain-insecure for the given zone, like the statement in 554 unbound.conf. 555 Adds to the running Unbound without affecting the cache 556 contents (which may still be bogus, use flush_zone to remove it), does not 557 affect the config file. 558 559 560@@UAHL@unbound-control.commands@insecure_remove@@ *zone* 561 Removes domain-insecure for the given zone. 562 563 564@@UAHL@unbound-control.commands@forward_add@@ [``+it``] *zone addr ...* 565 Add a new forward zone to running Unbound. 566 With ``+i`` option also adds a domain-insecure for the zone (so it can 567 resolve insecurely if you have a DNSSEC root trust anchor configured for 568 other names). 569 The addr can be IP4, IP6 or nameserver names, like forward-zone config in 570 unbound.conf. 571 The ``+t`` option sets it to use TLS upstream, like 572 :ref:`forward-tls-upstream: yes<unbound.conf.forward.forward-tls-upstream>`. 573 574 575@@UAHL@unbound-control.commands@forward_remove@@ [``+i``] *zone* 576 Remove a forward zone from running Unbound. 577 The ``+i`` also removes a domain-insecure for the zone. 578 579 580@@UAHL@unbound-control.commands@stub_add@@ [``+ipt``] *zone addr ...* 581 Add a new stub zone to running Unbound. 582 With ``+i`` option also adds a domain-insecure for the zone. 583 With ``+p`` the stub zone is set to prime, without it it is set to 584 notprime. 585 The addr can be IP4, IP6 or nameserver names, like the **stub-zone:** 586 config in unbound.conf. 587 The ``+t`` option sets it to use TLS upstream, like 588 :ref:`stub-tls-upstream: yes<unbound.conf.stub.stub-tls-upstream>`. 589 590 591@@UAHL@unbound-control.commands@stub_remove@@ [``+i``] *zone* 592 Remove a stub zone from running Unbound. 593 The ``+i`` also removes a domain-insecure for the zone. 594 595 596@@UAHL@unbound-control.commands@forward@@ [*off* | *addr ...* ] 597 Setup forwarding mode. 598 Configures if the server should ask other upstream nameservers, should go 599 to the internet root nameservers itself, or show the current config. 600 You could pass the nameservers after a DHCP update. 601 602 Without arguments the current list of addresses used to forward all queries 603 to is printed. 604 On startup this is from the forward-zone ``"."`` configuration. 605 Afterwards it shows the status. 606 It prints off when no forwarding is used. 607 608 If off is passed, forwarding is disabled and the root nameservers are 609 used. 610 This can be used to avoid to avoid buggy or non-DNSSEC supporting 611 nameservers returned from DHCP. 612 But may not work in hotels or hotspots. 613 614 If one or more IPv4 or IPv6 addresses are given, those are then used to 615 forward queries to. 616 The addresses must be separated with spaces. 617 With ``'@port'`` the port number can be set explicitly (default port is 53 618 (DNS)). 619 620 By default the forwarder information from the config file for the root 621 ``"."`` is used. 622 The config file is not changed, so after a reload these changes are gone. 623 Other forward zones from the config file are not affected by this command. 624 625 626@@UAHL@unbound-control.commands@ratelimit_list@@ [``+a``] 627 List the domains that are ratelimited. 628 Printed one per line with current estimated qps and qps limit from config. 629 With ``+a`` it prints all domains, not just the ratelimited domains, with 630 their estimated qps. 631 The ratelimited domains return an error for uncached (new) queries, but 632 cached queries work as normal. 633 634 635@@UAHL@unbound-control.commands@ip_ratelimit_list@@ [``+a``] 636 List the ip addresses that are ratelimited. 637 Printed one per line with current estimated qps and qps limit from config. 638 With ``+a`` it prints all ips, not just the ratelimited ips, with their 639 estimated qps. 640 The ratelimited ips are dropped before checking the cache. 641 642 643@@UAHL@unbound-control.commands@list_auth_zones@@ 644 List the auth zones that are configured. 645 Printed one per line with a status, indicating if the zone is expired and 646 current serial number. 647 Configured RPZ zones are included. 648 649 650@@UAHL@unbound-control.commands@auth_zone_reload@@ *zone* 651 Reload the auth zone (or RPZ zone) from zonefile. 652 The zonefile is read in overwriting the current contents of the zone in 653 memory. 654 This changes the auth zone contents itself, not the cache contents. 655 Such cache contents exists if you set Unbound to validate with 656 **for-upstream: yes** and that can be cleared with **flush_zone** *zone*. 657 658 659@@UAHL@unbound-control.commands@auth_zone_transfer@@ *zone* 660 Transfer the auth zone (or RPZ zone) from master. 661 The auth zone probe sequence is started, where the masters are probed to 662 see if they have an updated zone (with the SOA serial check). 663 And then the zone is transferred for a newer zone version. 664 665 666@@UAHL@unbound-control.commands@rpz_enable@@ *zone* 667 Enable the RPZ zone if it had previously been disabled. 668 669 670@@UAHL@unbound-control.commands@rpz_disable@@ *zone* 671 Disable the RPZ zone. 672 673 674@@UAHL@unbound-control.commands@view_list_local_zones@@ *view* 675 *list_local_zones* for given view. 676 677 678@@UAHL@unbound-control.commands@view_local_zone@@ *view name type* 679 *local_zone* for given view. 680 681 682@@UAHL@unbound-control.commands@view_local_zone_remove@@ *view name* 683 *local_zone_remove* for given view. 684 685 686@@UAHL@unbound-control.commands@view_list_local_data@@ *view* 687 *list_local_data* for given view. 688 689 690@@UAHL@unbound-control.commands@view_local_data@@ *view RR data...* 691 *local_data* for given view. 692 693 694@@UAHL@unbound-control.commands@view_local_data_remove@@ *view name* 695 *local_data_remove* for given view. 696 697 698@@UAHL@unbound-control.commands@view_local_datas_remove@@ *view* 699 Remove a list of *local_data* for given view from stdin. 700 Like *local_datas_remove*. 701 702 703@@UAHL@unbound-control.commands@view_local_datas@@ *view* 704 Add a list of *local_data* for given view from stdin. 705 Like *local_datas*. 706 707 708@@UAHL@unbound-control.commands@add_cookie_secret@@ *secret* 709 Add or replace a cookie secret persistently. 710 *secret* needs to be an 128 bit hex string. 711 712 Cookie secrets can be either **active** or **staging**. 713 **Active** cookie secrets are used to create DNS Cookies, but verification 714 of a DNS Cookie succeeds with any of the **active** or **staging** cookie 715 secrets. 716 The state of the current cookie secrets can be printed with the 717 :ref:`print_cookie_secrets<unbound-control.commands.print_cookie_secrets>` 718 command. 719 720 When there are no cookie secrets configured yet, the *secret* is added as 721 **active**. 722 If there is already an **active** cookie secret, the *secret* is added as 723 **staging** or replacing an existing **staging** secret. 724 725 To "roll" a cookie secret used in an anycast set. 726 The new secret has to be added as **staging** secret to **all** nodes in 727 the anycast set. 728 When **all** nodes can verify DNS Cookies with the new secret, the new 729 secret can be activated with the 730 :ref:`activate_cookie_secret<unbound-control.commands.activate_cookie_secret>` 731 command. 732 After **all** nodes have the new secret **active** for at least one hour, 733 the previous secret can be dropped with the 734 :ref:`drop_cookie_secret<unbound-control.commands.drop_cookie_secret>` 735 command. 736 737 Persistence is accomplished by writing to a file which is configured with 738 the 739 :ref:`cookie-secret-file<unbound.conf.cookie-secret-file>` 740 option in the server section of the config file. 741 This is disabled by default, "". 742 743 744@@UAHL@unbound-control.commands@drop_cookie_secret@@ 745 Drop the **staging** cookie secret. 746 747 748@@UAHL@unbound-control.commands@activate_cookie_secret@@ 749 Make the current **staging** cookie secret **active**, and the current 750 **active** cookie secret **staging**. 751 752 753@@UAHL@unbound-control.commands@print_cookie_secrets@@ 754 Show the current configured cookie secrets with their status. 755 756Exit Code 757--------- 758 759The ``unbound-control`` program exits with status code 1 on error, 0 on 760success. 761 762Set Up 763------ 764 765The setup requires a self-signed certificate and private keys for both the 766server and client. 767The script ``unbound-control-setup`` generates these in the default run 768directory, or with ``-d`` in another directory. 769If you change the access control permissions on the key files you can decide 770who can use ``unbound-control``, by default owner and group but not all users. 771Run the script under the same username as you have configured in 772:file:`unbound.conf` or as root, so that the daemon is permitted to read the 773files, for example with: 774 775.. code-block:: bash 776 777 sudo -u unbound unbound-control-setup 778 779If you have not configured a username in :file:`unbound.conf`, the keys need 780read permission for the user credentials under which the daemon is started. 781The script preserves private keys present in the directory. 782After running the script as root, turn on 783:ref:`control-enable<unbound.conf.remote.control-enable>` in 784:file:`unbound.conf`. 785 786Statistic Counters 787------------------ 788 789The :ref:`stats<unbound-control.commands.stats>` and 790:ref:`stats_noreset<unbound-control.commands.stats_noreset>` commands show a 791number of statistic counters: 792 793 794@@UAHL@unbound-control.stats@threadX.num.queries@@ 795 number of queries received by thread 796 797 798@@UAHL@unbound-control.stats@threadX.num.queries_ip_ratelimited@@ 799 number of queries rate limited by thread 800 801 802@@UAHL@unbound-control.stats@threadX.num.queries_cookie_valid@@ 803 number of queries with a valid DNS Cookie by thread 804 805 806@@UAHL@unbound-control.stats@threadX.num.queries_cookie_client@@ 807 number of queries with a client part only DNS Cookie by thread 808 809 810@@UAHL@unbound-control.stats@threadX.num.queries_cookie_invalid@@ 811 number of queries with an invalid DNS Cookie by thread 812 813 814@@UAHL@unbound-control.stats@threadX.num.queries_discard_timeout@@ 815 number of queries removed due to discard-timeout by thread 816 817 818@@UAHL@unbound-control.stats@threadX.num.queries_wait_limit@@ 819 number of queries removed due to wait-limit by thread 820 821 822@@UAHL@unbound-control.stats@threadX.num.cachehits@@ 823 number of queries that were successfully answered using a cache lookup 824 825 826@@UAHL@unbound-control.stats@threadX.num.cachemiss@@ 827 number of queries that needed recursive processing 828 829 830@@UAHL@unbound-control.stats@threadX.num.dnscrypt.crypted@@ 831 number of queries that were encrypted and successfully decapsulated by 832 dnscrypt. 833 834 835@@UAHL@unbound-control.stats@threadX.num.dnscrypt.cert@@ 836 number of queries that were requesting dnscrypt certificates. 837 838 839@@UAHL@unbound-control.stats@threadX.num.dnscrypt.cleartext@@ 840 number of queries received on dnscrypt port that were cleartext and not a 841 request for certificates. 842 843 844@@UAHL@unbound-control.stats@threadX.num.dnscrypt.malformed@@ 845 number of request that were neither cleartext, not valid dnscrypt messages. 846 847 848@@UAHL@unbound-control.stats@threadX.num.dns_error_reports@@ 849 number of DNS Error Reports generated by thread 850 851 852@@UAHL@unbound-control.stats@threadX.num.prefetch@@ 853 number of cache prefetches performed. 854 This number is included in cachehits, as the original query had the 855 unprefetched answer from cache, and resulted in recursive processing, 856 taking a slot in the requestlist. 857 Not part of the recursivereplies (or the histogram thereof) or cachemiss, 858 as a cache response was sent. 859 860 861@@UAHL@unbound-control.stats@threadX.num.expired@@ 862 number of replies that served an expired cache entry. 863 864 865@@UAHL@unbound-control.stats@threadX.num.queries_timed_out@@ 866 number of queries that are dropped because they waited in the UDP socket 867 buffer for too long. 868 869 870@@UAHL@unbound-control.stats@threadX.query.queue_time_us.max@@ 871 The maximum wait time for packets in the socket buffer, in microseconds. 872 This is only reported when 873 :ref:`sock-queue-timeout<unbound.conf.sock-queue-timeout>` is enabled. 874 875 876@@UAHL@unbound-control.stats@threadX.num.recursivereplies@@ 877 The number of replies sent to queries that needed recursive processing. 878 Could be smaller than threadX.num.cachemiss if due to timeouts no replies 879 were sent for some queries. 880 881 882@@UAHL@unbound-control.stats@threadX.requestlist.avg@@ 883 The average number of requests in the internal recursive processing request 884 list on insert of a new incoming recursive processing query. 885 886 887@@UAHL@unbound-control.stats@threadX.requestlist.max@@ 888 Maximum size attained by the internal recursive processing request list. 889 890 891@@UAHL@unbound-control.stats@threadX.requestlist.overwritten@@ 892 Number of requests in the request list that were overwritten by newer 893 entries. 894 This happens if there is a flood of queries that recursive processing and 895 the server has a hard time. 896 897 898@@UAHL@unbound-control.stats@threadX.requestlist.exceeded@@ 899 Queries that were dropped because the request list was full. 900 This happens if a flood of queries need recursive processing, and the 901 server can not keep up. 902 903 904@@UAHL@unbound-control.stats@threadX.requestlist.current.all@@ 905 Current size of the request list, includes internally generated queries 906 (such as priming queries and glue lookups). 907 908 909@@UAHL@unbound-control.stats@threadX.requestlist.current.user@@ 910 Current size of the request list, only the requests from client queries. 911 912 913@@UAHL@unbound-control.stats@threadX.recursion.time.avg@@ 914 Average time it took to answer queries that needed recursive processing. 915 Note that queries that were answered from the cache are not in this average. 916 917 918@@UAHL@unbound-control.stats@threadX.recursion.time.median@@ 919 The median of the time it took to answer queries that needed recursive 920 processing. 921 The median means that 50% of the user queries were answered in less than 922 this time. 923 Because of big outliers (usually queries to non responsive servers), the 924 average can be bigger than the median. 925 This median has been calculated by interpolation from a histogram. 926 927 928@@UAHL@unbound-control.stats@threadX.tcpusage@@ 929 The currently held tcp buffers for incoming connections. 930 A spot value on the time of the request. 931 This helps you spot if the incoming-num-tcp buffers are full. 932 933 934@@UAHL@unbound-control.stats@total.num.queries@@ 935 summed over threads. 936 937 938@@UAHL@unbound-control.stats@total.num.queries_ip_ratelimited@@ 939 summed over threads. 940 941 942@@UAHL@unbound-control.stats@total.num.queries_cookie_valid@@ 943 summed over threads. 944 945 946@@UAHL@unbound-control.stats@total.num.queries_cookie_client@@ 947 summed over threads. 948 949 950@@UAHL@unbound-control.stats@total.num.queries_cookie_invalid@@ 951 summed over threads. 952 953 954@@UAHL@unbound-control.stats@total.num.queries_discard_timeout@@ 955 summed over threads. 956 957 958@@UAHL@unbound-control.stats@total.num.queries_wait_limit@@ 959 summed over threads. 960 961 962@@UAHL@unbound-control.stats@total.num.cachehits@@ 963 summed over threads. 964 965 966@@UAHL@unbound-control.stats@total.num.cachemiss@@ 967 summed over threads. 968 969 970@@UAHL@unbound-control.stats@total.num.dnscrypt.crypted@@ 971 summed over threads. 972 973 974@@UAHL@unbound-control.stats@total.num.dnscrypt.cert@@ 975 summed over threads. 976 977 978@@UAHL@unbound-control.stats@total.num.dnscrypt.cleartext@@ 979 summed over threads. 980 981 982@@UAHL@unbound-control.stats@total.num.dnscrypt.malformed@@ 983 summed over threads. 984 985 986@@UAHL@unbound-control.stats@total.num.dns_error_reports@@ 987 summed over threads. 988 989 990@@UAHL@unbound-control.stats@total.num.prefetch@@ 991 summed over threads. 992 993 994@@UAHL@unbound-control.stats@total.num.expired@@ 995 summed over threads. 996 997 998@@UAHL@unbound-control.stats@total.num.queries_timed_out@@ 999 summed over threads. 1000 1001 1002@@UAHL@unbound-control.stats@total.query.queue_time_us.max@@ 1003 the maximum of the thread values. 1004 1005 1006@@UAHL@unbound-control.stats@total.num.recursivereplies@@ 1007 summed over threads. 1008 1009 1010@@UAHL@unbound-control.stats@total.requestlist.avg@@ 1011 averaged over threads. 1012 1013 1014@@UAHL@unbound-control.stats@total.requestlist.max@@ 1015 the maximum of the thread requestlist.max values. 1016 1017 1018@@UAHL@unbound-control.stats@total.requestlist.overwritten@@ 1019 summed over threads. 1020 1021 1022@@UAHL@unbound-control.stats@total.requestlist.exceeded@@ 1023 summed over threads. 1024 1025 1026@@UAHL@unbound-control.stats@total.requestlist.current.all@@ 1027 summed over threads. 1028 1029 1030@@UAHL@unbound-control.stats@total.recursion.time.median@@ 1031 averaged over threads. 1032 1033 1034@@UAHL@unbound-control.stats@total.tcpusage@@ 1035 summed over threads. 1036 1037 1038@@UAHL@unbound-control.stats@time.now@@ 1039 current time in seconds since 1970. 1040 1041 1042@@UAHL@unbound-control.stats@time.up@@ 1043 uptime since server boot in seconds. 1044 1045 1046@@UAHL@unbound-control.stats@time.elapsed@@ 1047 time since last statistics printout, in seconds. 1048 1049Extended Statistics 1050------------------- 1051 1052 1053@@UAHL@unbound-control.stats@mem.cache.rrset@@ 1054 Memory in bytes in use by the RRset cache. 1055 1056 1057@@UAHL@unbound-control.stats@mem.cache.message@@ 1058 Memory in bytes in use by the message cache. 1059 1060 1061@@UAHL@unbound-control.stats@mem.cache.dnscrypt_shared_secret@@ 1062 Memory in bytes in use by the dnscrypt shared secrets cache. 1063 1064 1065@@UAHL@unbound-control.stats@mem.cache.dnscrypt_nonce@@ 1066 Memory in bytes in use by the dnscrypt nonce cache. 1067 1068 1069@@UAHL@unbound-control.stats@mem.mod.iterator@@ 1070 Memory in bytes in use by the iterator module. 1071 1072 1073@@UAHL@unbound-control.stats@mem.mod.validator@@ 1074 Memory in bytes in use by the validator module. 1075 Includes the key cache and negative cache. 1076 1077 1078@@UAHL@unbound-control.stats@mem.streamwait@@ 1079 Memory in bytes in used by the TCP and TLS stream wait buffers. 1080 These are answers waiting to be written back to the clients. 1081 1082 1083@@UAHL@unbound-control.stats@mem.http.query_buffer@@ 1084 Memory in bytes used by the HTTP/2 query buffers. 1085 Containing (partial) DNS queries waiting for request stream completion. 1086 1087 1088@@UAHL@unbound-control.stats@mem.http.response_buffer@@ 1089 Memory in bytes used by the HTTP/2 response buffers. 1090 Containing DNS responses waiting to be written back to the clients. 1091 1092 1093@@UAHL@unbound-control.stats@mem.quic@@ 1094 Memory in bytes used by QUIC. 1095 Containing connection information, stream information, queries read and 1096 responses written back to the clients. 1097 1098@@UAHL@unbound-control.stats@histogram@@.<sec>.<usec>.to.<sec>.<usec> 1099 Shows a histogram, summed over all threads. 1100 Every element counts the recursive queries whose reply time fit between the 1101 lower and upper bound. 1102 Times larger or equal to the lowerbound, and smaller than the upper bound. 1103 There are 40 buckets, with bucket sizes doubling. 1104 1105 1106@@UAHL@unbound-control.stats@num.query.type.A@@ 1107 The total number of queries over all threads with query type A. 1108 Printed for the other query types as well, but only for the types for which 1109 queries were received, thus =0 entries are omitted for brevity. 1110 1111 1112@@UAHL@unbound-control.stats@num.query.type.other@@ 1113 Number of queries with query types 256-65535. 1114 1115 1116@@UAHL@unbound-control.stats@num.query.class.IN@@ 1117 The total number of queries over all threads with query class IN 1118 (internet). 1119 Also printed for other classes (such as CH (CHAOS) sometimes used for 1120 debugging), or NONE, ANY, used by dynamic update. 1121 num.query.class.other is printed for classes 256-65535. 1122 1123 1124@@UAHL@unbound-control.stats@num.query.opcode.QUERY@@ 1125 The total number of queries over all threads with query opcode QUERY. 1126 Also printed for other opcodes, UPDATE, ... 1127 1128 1129@@UAHL@unbound-control.stats@num.query.tcp@@ 1130 Number of queries that were made using TCP towards the Unbound server. 1131 1132 1133@@UAHL@unbound-control.stats@num.query.tcpout@@ 1134 Number of queries that the Unbound server made using TCP outgoing towards 1135 other servers. 1136 1137 1138@@UAHL@unbound-control.stats@num.query.udpout@@ 1139 Number of queries that the Unbound server made using UDP outgoing towards 1140 other servers. 1141 1142 1143@@UAHL@unbound-control.stats@num.query.tls@@ 1144 Number of queries that were made using TLS towards the Unbound server. 1145 These are also counted in num.query.tcp, because TLS uses TCP. 1146 1147 1148@@UAHL@unbound-control.stats@num.query.tls.resume@@ 1149 Number of TLS session resumptions, these are queries over TLS towards the 1150 Unbound server where the client negotiated a TLS session resumption key. 1151 1152 1153@@UAHL@unbound-control.stats@num.query.https@@ 1154 Number of queries that were made using HTTPS towards the Unbound server. 1155 These are also counted in num.query.tcp and num.query.tls, because HTTPS 1156 uses TLS and TCP. 1157 1158 1159@@UAHL@unbound-control.stats@num.query.quic@@ 1160 Number of queries that were made using QUIC towards the Unbound server. 1161 These are also counted in num.query.tls, because TLS is used for these 1162 queries. 1163 1164 1165@@UAHL@unbound-control.stats@num.query.ipv6@@ 1166 Number of queries that were made using IPv6 towards the Unbound server. 1167 1168 1169@@UAHL@unbound-control.stats@num.query.flags.RD@@ 1170 The number of queries that had the RD flag set in the header. 1171 Also printed for flags QR, AA, TC, RA, Z, AD, CD. 1172 Note that queries with flags QR, AA or TC may have been rejected because of 1173 that. 1174 1175 1176@@UAHL@unbound-control.stats@num.query.edns.present@@ 1177 number of queries that had an EDNS OPT record present. 1178 1179 1180@@UAHL@unbound-control.stats@num.query.edns.DO@@ 1181 number of queries that had an EDNS OPT record with the DO (DNSSEC OK) bit 1182 set. 1183 These queries are also included in the num.query.edns.present number. 1184 1185 1186@@UAHL@unbound-control.stats@num.query.ratelimited@@ 1187 The number of queries that are turned away from being send to nameserver 1188 due to ratelimiting. 1189 1190 1191@@UAHL@unbound-control.stats@num.query.dnscrypt.shared_secret.cachemiss@@ 1192 The number of dnscrypt queries that did not find a shared secret in the 1193 cache. 1194 This can be use to compute the shared secret hitrate. 1195 1196 1197@@UAHL@unbound-control.stats@num.query.dnscrypt.replay@@ 1198 The number of dnscrypt queries that found a nonce hit in the nonce cache 1199 and hence are considered a query replay. 1200 1201 1202@@UAHL@unbound-control.stats@num.answer.rcode.NXDOMAIN@@ 1203 The number of answers to queries, from cache or from recursion, that had 1204 the return code NXDOMAIN. 1205 Also printed for the other return codes. 1206 1207 1208@@UAHL@unbound-control.stats@num.answer.rcode.nodata@@ 1209 The number of answers to queries that had the pseudo return code nodata. 1210 This means the actual return code was NOERROR, but additionally, no data 1211 was carried in the answer (making what is called a NOERROR/NODATA answer). 1212 These queries are also included in the num.answer.rcode.NOERROR number. 1213 Common for AAAA lookups when an A record exists, and no AAAA. 1214 1215 1216@@UAHL@unbound-control.stats@num.answer.secure@@ 1217 Number of answers that were secure. 1218 The answer validated correctly. 1219 The AD bit might have been set in some of these answers, where the client 1220 signalled (with DO or AD bit in the query) that they were ready to accept 1221 the AD bit in the answer. 1222 1223 1224@@UAHL@unbound-control.stats@num.answer.bogus@@ 1225 Number of answers that were bogus. 1226 These answers resulted in SERVFAIL to the client because the answer failed 1227 validation. 1228 1229 1230@@UAHL@unbound-control.stats@num.rrset.bogus@@ 1231 The number of rrsets marked bogus by the validator. 1232 Increased for every RRset inspection that fails. 1233 1234 1235@@UAHL@unbound-control.stats@num.valops@@ 1236 The number of validation operations performed by the validator. 1237 Increased for every RRSIG verification operation regardless of the 1238 validation result. 1239 The RRSIG and key combination needs to first pass some sanity checks before 1240 Unbound even performs the verification, e.g., length/protocol checks. 1241 1242 1243@@UAHL@unbound-control.stats@unwanted.queries@@ 1244 Number of queries that were refused or dropped because they failed the 1245 access control settings. 1246 1247 1248@@UAHL@unbound-control.stats@unwanted.replies@@ 1249 Replies that were unwanted or unsolicited. 1250 Could have been random traffic, delayed duplicates, very late answers, or 1251 could be spoofing attempts. 1252 Some low level of late answers and delayed duplicates are to be expected 1253 with the UDP protocol. 1254 Very high values could indicate a threat (spoofing). 1255 1256 1257@@UAHL@unbound-control.stats@msg.cache.count@@ 1258 The number of items (DNS replies) in the message cache. 1259 1260 1261@@UAHL@unbound-control.stats@rrset.cache.count@@ 1262 The number of RRsets in the rrset cache. 1263 This includes rrsets used by the messages in the message cache, but also 1264 delegation information. 1265 1266 1267@@UAHL@unbound-control.stats@infra.cache.count@@ 1268 The number of items in the infra cache. 1269 These are IP addresses with their timing and protocol support information. 1270 1271 1272@@UAHL@unbound-control.stats@key.cache.count@@ 1273 The number of items in the key cache. 1274 These are DNSSEC keys, one item per delegation point, and their validation 1275 status. 1276 1277 1278@@UAHL@unbound-control.stats@msg.cache.max_collisions@@ 1279 The maximum number of hash table collisions in the msg cache. 1280 This is the number of hashes that are identical when a new element is 1281 inserted in the hash table. 1282 If the value is very large, like hundreds, something is wrong with the 1283 performance of the hash table, hash values are incorrect or malicious. 1284 1285 1286@@UAHL@unbound-control.stats@rrset.cache.max_collisions@@ 1287 The maximum number of hash table collisions in the rrset cache. 1288 This is the number of hashes that are identical when a new element is 1289 inserted in the hash table. 1290 If the value is very large, like hundreds, something is wrong with the 1291 performance of the hash table, hash values are incorrect or malicious. 1292 1293 1294@@UAHL@unbound-control.stats@dnscrypt_shared_secret.cache.count@@ 1295 The number of items in the shared secret cache. 1296 These are precomputed shared secrets for a given client public key/server 1297 secret key pair. 1298 Shared secrets are CPU intensive and this cache allows Unbound to avoid 1299 recomputing the shared secret when multiple dnscrypt queries are sent from 1300 the same client. 1301 1302 1303@@UAHL@unbound-control.stats@dnscrypt_nonce.cache.count@@ 1304 The number of items in the client nonce cache. 1305 This cache is used to prevent dnscrypt queries replay. 1306 The client nonce must be unique for each client public key/server secret 1307 key pair. 1308 This cache should be able to host QPS * `replay window` interval keys to 1309 prevent replay of a query during `replay window` seconds. 1310 1311 1312@@UAHL@unbound-control.stats@num.query.authzone.up@@ 1313 The number of queries answered from auth-zone data, upstream queries. 1314 These queries would otherwise have been sent (with fallback enabled) to the 1315 internet, but are now answered from the auth zone. 1316 1317 1318@@UAHL@unbound-control.stats@num.query.authzone.down@@ 1319 The number of queries for downstream answered from auth-zone data. 1320 These queries are from downstream clients, and have had an answer from the 1321 data in the auth zone. 1322 1323 1324@@UAHL@unbound-control.stats@num.query.aggressive.NOERROR@@ 1325 The number of queries answered using cached NSEC records with NODATA RCODE. 1326 These queries would otherwise have been sent to the internet, but are now 1327 answered using cached data. 1328 1329 1330@@UAHL@unbound-control.stats@num.query.aggressive.NXDOMAIN@@ 1331 The number of queries answered using cached NSEC records with NXDOMAIN 1332 RCODE. 1333 These queries would otherwise have been sent to the internet, but are now 1334 answered using cached data. 1335 1336 1337@@UAHL@unbound-control.stats@num.query.subnet@@ 1338 Number of queries that got an answer that contained EDNS client subnet 1339 data. 1340 1341 1342@@UAHL@unbound-control.stats@num.query.subnet_cache@@ 1343 Number of queries answered from the edns client subnet cache. 1344 These are counted as cachemiss by the main counters, but hit the client 1345 subnet specific cache after getting processed by the edns client subnet 1346 module. 1347 1348 1349@@UAHL@unbound-control.stats@num.query.cachedb@@ 1350 Number of queries answered from the external cache of cachedb. 1351 These are counted as cachemiss by the main counters, but hit the cachedb 1352 external cache after getting processed by the cachedb module. 1353 1354@@UAHL@unbound-control.stats@num.rpz.action@@.<rpz_action> 1355 Number of queries answered using configured RPZ policy, per RPZ action 1356 type. 1357 Possible actions are: nxdomain, nodata, passthru, drop, tcp-only, 1358 local-data, disabled, and cname-override. 1359 1360Files 1361----- 1362 1363@ub_conf_file@ 1364 Unbound configuration file. 1365 1366@UNBOUND_RUN_DIR@ 1367 directory with private keys (:file:`unbound_server.key` and 1368 :file:`unbound_control.key`) and self-signed certificates 1369 (:file:`unbound_server.pem` and :file:`unbound_control.pem`). 1370 1371See Also 1372-------- 1373 1374:doc:`unbound.conf(5)</manpages/unbound.conf>`, 1375:doc:`unbound(8)</manpages/unbound>`. 1376