- Fix NLnetLabs#1128: Cannot override tcp-upstream and tls-upstream with

forward-tcp-upstream and forward-tls-upstream.
gthess · Oct 8, 2024 · dcf7afd · dcf7afd
1 parent e671716
commit dcf7afd
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 0 deletions.
diff --git a/doc/Changelog b/doc/Changelog
@@ -1,6 +1,8 @@
 8 October 2024: Wouter
 	- Fix #1149: unbound-control-setup hangs sometimes depending on
 	  the openssl version.
+	- Fix #1128: Cannot override tcp-upstream and tls-upstream with
+	  forward-tcp-upstream and forward-tls-upstream.
 
 3 October 2024: Yorgos
 	- Fix CVE-2024-8508, unbounded name compression could lead to denial

diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
@@ -566,6 +566,9 @@ tls\-system\-cert to load CA certs, otherwise the connections cannot be
 authenticated. This option enables TLS for all of them, but if you do not set
 this you can configure TLS specifically for some forward zones with
 forward\-tls\-upstream.  And also with stub\-tls\-upstream.
+If the tls\-upstream option is enabled, it is for all the forwards and stubs,
+where the forward\-tls\-upstream and stub\-tls\-upstream options are ignored,
+as if they had been set to yes.
 .TP
 .B ssl\-upstream: \fI<yes or no>
 Alternate syntax for \fBtls\-upstream\fR.  If both are present in the config