-
Notifications
You must be signed in to change notification settings - Fork 4
/
netgate-unbound.yang
789 lines (679 loc) · 17 KB
/
netgate-unbound.yang
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
module netgate-unbound {
yang-version 1.1;
namespace "urn:netgate:xml:yang:netgate-unbound";
prefix "ngunb";
import ietf-inet-types {
prefix "inet";
}
import netgate-cli-extensions {
prefix "ngcliext";
}
import netgate-common {
prefix "ngcom";
}
organization "Netgate";
contact "Web: <http://www.netgate.com>";
description
"This YANG module provides a data-model for the Unbound service.
Copyright 2018-2020 Rubicon Communications, LLC.
";
revision 2022-06-15 {
description
"TNSR Release 22.06.";
}
revision 2022-02-15 {
description
"TNSR Release 22.02.";
}
revision 2021-06-15 {
description
"TNSR Release 21.07.";
}
revision 2021-02-15 {
description
"TNSR Release 21.02.";
}
revision 2020-06-15 {
description
"TNSR Release 20.06.";
}
revision 2020-02-15 {
description
"TNSR Release 20.02.";
}
revision 2019-08-30 {
description
"TNSR Release 19.08.";
}
revision 2019-05-30 {
description
"TNSR Release 19.05.";
}
revision 2019-02-15 {
description
"TNSR Release 19.02.";
}
revision 2018-06-26 {
description
"Initial Revision.";
}
typedef unbound-operation {
type enumeration {
enum start {
description
"Start daemon";
}
enum stop {
description
"Stop daemon";
}
enum restart {
description
"Restart daemon";
}
enum reload {
description
"Reload config file";
}
enum status {
description
"Daemon status";
}
}
}
typedef unbound-access-control {
type enumeration {
enum allow {
description
"Allow access for a client.";
}
enum allow_snoop {
description
"Allow both recursive and non recursive access.";
}
enum deny {
description
"Stop queries.";
}
enum deny_non_local {
description
"Allow queries for the authoritative local-data only.
Disallowed queries are dropped.";
}
enum refuse {
description
"Stop queries, sends a DNS rcode REFUSED error.";
}
enum refuse_non_local {
description
"Allow queries for the authoritative local-data only.
Disallowed queries garner the REFUSED error code.";
}
}
}
typedef unbound-zone-type {
type enumeration {
enum deny {
description
"Serve local data, else drop queries.";
}
enum refuse {
description
"Serve local data, else reply with error.";
}
enum static {
description
"Serve local data, else nxdomain or nodata answer.";
}
enum transparent {
description
"Gives local data, and resolves normally for other names.";
}
enum typetransparent {
description
"Resolves normally for other types and other names.";
}
enum redirect {
description
"Serves zone data for any subdomain in the zone.";
}
enum inform {
description
"Like transparent, but logs client IP address.";
}
enum inform_deny {
description
"Drops queries and logs client IP address.";
}
enum no_default {
description
"Normally resolve AS112 zones.";
}
}
}
container unbound-config {
description
"Configuration for the Unbound DNS name resolver daemon.";
container parameters {
description
"A collection of various Unbound parameters.";
leaf enable {
type boolean;
description
"If true, the Unbound daemon is enabled.";
ngcliext:node-op "bool";
ngcliext:node-fmt "unbound disable$n|unbound enable$n";
}
}
container daemon {
description
"The server attributes.";
ngcliext:node-fmt "unbound server$n";
ngcliext:pre-children-op "push";
container server {
description
"The server attributes.";
container interfaces {
description
"Interface binding specifications.";
list interface {
key "ip-address";
ngcliext:parent-fmt "^$%";
leaf ip-address {
type inet:ip-address-no-zone;
description
"IP address of an interface on which
queries should be answered.";
ngcliext:node-fmt "$< @@%{port}$n";
}
leaf port {
type uint16;
description
"An optional port number.";
ngcliext:sibling-fmt " port @@";
}
}
}
container access-control {
description
"Access control specifications.";
ngcliext:parent-fmt "^$%";
list access {
key "ip-prefix";
ngcliext:node-fmt "$< @{ip-prefix} @{action}$n";
leaf ip-prefix {
type inet:ip-prefix;
description
"An IP prefix being granted some access.";
}
leaf action {
type unbound-access-control;
description
"The access-control action allow to the
given IP prefix.";
}
}
}
container local-zones {
description
"The local-zone attributes.";
list zone {
key "zone-name";
description
"Each local-zone is identified by a domain name.";
ngcliext:node-fmt "^local-zone @{zone-name}$n";
ngcliext:pre-children-op "push";
leaf zone-name {
type inet:domain-name;
description
"The local-zone domain name.";
}
leaf type {
type unbound-zone-type;
default "transparent";
description
"The zone type. One of 'deny', 'refuse',
'static', 'transparent', 'type_transparent',
'redirect', 'inform', 'inform_deny', or
'no_default'.";
ngcliext:node-fmt "^$% @@$n";
}
leaf description {
type ngcom:description-63;
description
"Arbitrary description for zone.";
ngcliext:node-fmt "^$% @@$n";
}
container hosts {
description
"Local host names within the zone.";
list host {
key "host-name";
ngcliext:node-fmt "^hostname @{host-name}$n";
ngcliext:pre-children-op "push";
leaf host-name {
type inet:domain-name;
description
"The host name within the simple zone.";
}
leaf-list ip-address {
type inet:ip-address-no-zone;
min-elements 1;
description
"An IP address for the host.";
ngcliext:node-fmt "^address @@$n";
}
leaf description {
type ngcom:description-63;
description
"Arbitrary description for host.";
ngcliext:node-fmt "^$% @@$n";
}
}
}
}
}
container outgoing-interfaces {
description
"The IP addresses of interfaces that should be used
for outgoing queries. If more than one IP address
is configured, a random interface will be selected
from the list.";
leaf-list ip-address {
type inet:ip-address;
description
"An IP address to use for outbound queries.";
ngcliext:node-fmt "^outgoing-interface @@$n";
}
}
leaf cache-max-ttl {
type uint32;
description
"Maximum time to live for RRsets and messages
in the cache. Default is 86400 seconds.";
ngcliext:node-fmt "^rrset-message cache ttl max @@$n";
}
leaf cache-min-ttl {
type uint32;
description
"Maximum time to live for RRsets and messages
in the cache. Default is 0 seconds.";
ngcliext:node-fmt "^rrset-message cache ttl minimum @@$n";
}
leaf do-ip4 {
type boolean;
default true;
description
"If true, IPv4 queries are answered.";
ngcliext:node-op "bool";
ngcliext:node-fmt "^no $%$n|^$%$n";
}
leaf do-ip6 {
type boolean;
description
"If true, IPv6 queries are answered.";
ngcliext:node-op "bool";
ngcliext:node-fmt "^no $%$n|^$%$n";
}
leaf do-tcp {
type boolean;
default true;
description
"If true, TCP queries are answered.";
ngcliext:node-op "bool";
ngcliext:node-fmt "^no $%$n|^$%$n";
}
leaf do-udp {
type boolean;
default true;
description
"If true, UDP queries are answered.";
ngcliext:node-op "bool";
ngcliext:node-fmt "^no $%$n|^$%$n";
}
leaf edns-buffer-size {
type uint16;
description
"The EDNS reassembly buffer size in bytes
advertised to peers. Default is 4096 by
RFC recommendation.";
ngcliext:node-fmt "^edns reassembly size @@$n";
}
leaf harden-dnssec-stripped {
type boolean;
description
"If true, require DNSSEC data for trust-anchored
zones.";
ngcliext:node-op "bool";
ngcliext:node-fmt "^no harden dnssec-stripped$n|^harden dnssec-stripped$n";
}
leaf harden-glue {
type boolean;
default true;
description
"If true, and it is within the server's authority,
glue will be trusted.";
ngcliext:node-op "bool";
ngcliext:node-fmt "^no harden glue$n|^harden glue$n";
}
leaf hide-identity {
type boolean;
default true;
description
"If true, id.server and hostname.bind queries are
refused.";
ngcliext:node-op "bool";
ngcliext:node-fmt "^no hide identity$n|^hide identity$n";
}
leaf hide-version {
type boolean;
description
"If true, version.server and version.bind queries
are refused.";
ngcliext:node-op "bool";
ngcliext:node-fmt "^no hide version$n|^hide version$n";
}
leaf incoming-num-tcp {
type uint16;
description
"The number of incoming TCP buffers to allocate
per thread. Default is 10.";
ngcliext:node-fmt "^tcp buffers incoming @@$n";
}
leaf infra-cache-numhosts {
type uint32;
description
"The number of hosts for which information is
cached. Default is 10000.";
ngcliext:node-fmt "^host cache num-hosts @@$n";
}
leaf infra-cache-slabs {
type uint8;
description
"The power of 2 number of slabs in the
infrastructure cache.";
ngcliext:node-fmt "^host cache slabs @@$n";
}
leaf infra-host-ttl {
type uint32;
description
"Time to live, in seconds, for entries in the host
cache. The host cache contains roundtrip timing,
lameness, and EDNS support information. Default
is 900.";
ngcliext:node-fmt "^host cache ttl @@$n";
}
leaf jostle-timeout {
type uint32;
description
"Timeout, in msec, used when the server is very
busy. Set to a value that usually results in one
roundtrip to the authority servers. This value
helps mitigate denial of service and slow queries.
Default is 200 milliseconds.";
ngcliext:node-fmt "^jostle timeout @@$n";
}
leaf key-cache-slabs {
type uint8;
description
"The power of 2 number of slabs in the key cache.
A value (close) to the number of cpus is a
reasonable guess.";
ngcliext:node-fmt "^key cache slabs @@$n";
}
leaf msg-cache-size {
type uint32;
description
"The number of bytes in the message cache. The
default is 4 megabytes.";
ngcliext:node-fmt "^message cache size @@$n";
}
leaf msg-cache-slabs {
type uint8;
description
"The power of 2 number of slabs in the message
cache. A value (close) to the number of cpus is
a reasonable guess.";
ngcliext:node-fmt "^message cache slabs @@$n";
}
leaf num-queries-per-thread {
type uint16;
description
"The number of queries that every thread will
service simultaneously.";
ngcliext:node-fmt "^thread num-queries @@$n";
}
leaf num-threads {
type uint8;
description
"The number of threads used to serve clients. Use
1 for no threading.";
ngcliext:node-fmt "^thread num-threads @@$n";
}
leaf outgoing-num-tcp {
type uint16;
description
"The number of outgoing TCP buffers to allocate
per thread. Default is 10.";
ngcliext:node-fmt "^tcp buffers outgoing @@$n";
}
leaf outgoing-range {
type uint16 {
range "1..max";
}
default 4096;
description
"The number of ports, and file descriptors, to
open per thread. Must be at least 1.";
ngcliext:node-fmt "^port outgoing range @@$n";
}
leaf port {
type uint16;
description
"The port on which the server responds to queries.
Default is 53.";
ngcliext:node-fmt "^$< @@$n";
}
leaf prefetch-key {
type boolean;
description
"If true, DNSKEYs are fetched earlier in the
validation process when a DS record is
encountered.";
ngcliext:node-op "bool";
ngcliext:node-fmt "^no key prefetch$n|^key prefetch$n";
}
leaf prefetch {
type boolean;
description
"If true, message cache elements are prefetched
before they expire to keep the cache up to date.";
ngcliext:node-op "bool";
ngcliext:node-fmt "^no message prefetch$n|^message prefetch$n";
}
leaf rrset-cache-size {
type uint32;
description
"The number of bytes in the RRset cache. The
default is 4 MB.";
ngcliext:node-fmt "^rrset cache size @@$n";
}
leaf rrset-cache-slabs {
type uint8;
description
"The power of 2 number of slabs in the RRset
cache.";
ngcliext:node-fmt "^rrset cache slab @@$n";
}
leaf serve-expired {
type boolean;
description
"If true, the server attempts to serve old
responses from cache with a TTL of 0 in the
response without waiting for the actual
resolution to finish.";
ngcliext:node-op "bool";
ngcliext:node-fmt "^no $%$n|^$%$n";
}
leaf so-rcvbuf {
type uint32;
description
"If not 0, then set the SO_RCVBUF socket option to
get more buffer space on the UDP port's incoming
queries so that short spikes on busy servers do
not drop packets";
ngcliext:node-fmt "^socket receive-buffer size @@$n";
}
leaf unwanted-reply-threshold {
type uint32;
description
"If not 0, when a total number of unwanted replies
per thread reaches this threshold, warnings are
issued and defensive actions is taken. The RRset
and message caches are cleared. ";
ngcliext:node-fmt "^thread unwanted-reply-threshold @@$n";
}
leaf use-caps-for-id {
type boolean;
description
"If true, use 0x20-encoded random bits in the
query to foil spoof attempts.";
ngcliext:node-op "bool";
ngcliext:node-fmt "^$%no $n|^$%$n";
}
leaf verbosity {
type uint8 {
range "0..5";
}
description
"The verbosity level, 0-5.";
ngcliext:node-fmt "^$% @@$n";
}
}
container forward-zones {
description
"The forward-zone attributes.";
list zone {
key "zone-name";
description
"Each forward-zone is identified by a domain name.
Use '.' as the wildcard domain name. Each zone
has a list of nameservers specified as hostnames
or host addresses.";
ngcliext:node-fmt "^forward-zone @{zone-name}$n";
ngcliext:pre-children-op "push";
leaf zone-name {
type inet:domain-name;
description
"The forward-zone domain name. Use '.' as
a wildcard to forward all queries.";
}
container forward-hosts {
leaf-list host {
type inet:domain-name;
description
"Hostname of a nameserver to which queries
are forwarded.";
ngcliext:node-fmt "^nameserver hostname @@$n";
}
}
container forward-addresses {
description
"A collection of nameserver IPv4 or IPv6
addresses of nameservers to which queries are
forwarded.";
list address {
key "ip-address";
leaf ip-address {
type inet:ip-address-no-zone;
description
"IP address of a nameserver to which
queries are forwarded.";
ngcliext:node-fmt "^nameserver address @@%{port}%{auth-name}$n";
}
leaf port {
type uint16;
description
"An optional port number.";
ngcliext:sibling-fmt " $% @@";
}
leaf auth-name {
type string;
description
"An optional TLS auth name.";
ngcliext:sibling-fmt " $% @@";
}
}
}
leaf forward-first {
type boolean;
description
"If true and the query fails using this
forwarder first, lookups are then sent to
authoritative, root nameservers.";
ngcliext:node-op "bool";
ngcliext:node-fmt "^no $%$n|^$%$n";
}
leaf forward-tls-upstream {
type boolean;
description
"If true, queries to this forwarder use TLS
for transport.";
ngcliext:node-op "bool";
ngcliext:node-fmt "^no $%|^$%$n";
}
}
}
}
}
rpc unbound-control {
input {
leaf operation {
type unbound-operation;
mandatory true;
description
"One of the strings 'start', 'stop', 'restart',
'reload', or 'status'.";
}
}
output {
leaf stdout {
type string;
}
}
}
rpc unbound-coredump {
input {
leaf operation {
type ngcom:service-op-enable-disable;
mandatory true;
description
"One of the strings 'enable', or 'disable'.";
}
}
output {
leaf stdout {
type string;
}
}
}
rpc unbound-config-operation {
input {
leaf request {
type string;
description
"The operation, 'get-config-file'.";
}
leaf param {
type string;
description
"An optional parameter.";
}
}
output {
leaf stdout {
type string;
}
}
}
}