git: 72d0d523e9ba - main - UPDATING: Document unbound support of RFC8375

From: Cy Schubert <cy_at_FreeBSD.org>
Date: Mon, 24 Jan 2022 06:33:03 UTC
The branch main has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=72d0d523e9ba740d21ae6b03902eacd6100dd594

commit 72d0d523e9ba740d21ae6b03902eacd6100dd594
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2022-01-24 06:21:49 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2022-01-24 06:30:55 +0000

    UPDATING: Document unbound support of RFC8375
    
    As of unbound 1.14.0rc1, as per RFC8375 unbound by default blocks
    'home.arpa'. Document this new behaviour and how to unblock it.
    
    Reported by:    avg
    Discussed with: glebius, avg
    RFC:            8375, Section 6: Security Considerations
---
 UPDATING | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/UPDATING b/UPDATING
index 53a31d6217fd..3c8b9aa84639 100644
--- a/UPDATING
+++ b/UPDATING
@@ -27,6 +27,21 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 14.x IS SLOW:
 	world, or to merely disable the most expensive debugging functionality
 	at runtime, run "ln -s 'abort:false,junk:false' /etc/malloc.conf".)
 
+20211202:
+	Unbound support for RFC8375: The special-use domain 'home.arpa' is
+	by default blocked. To unblock it use a local-zone nodefault
+	statement in unbound.conf:
+		local-zone: "home.arpa." nodefault
+
+	Or use another type of local-zone to override with your choice.
+
+	The reason for this is discussed in Section 6.1 of RFC8375:
+	Because 'home.arpa.' is not globally scoped and cannot be secured
+	using DNSSEC based on the root domain's trust anchor, there is no way
+	to tell, using a standard DNS query, in which homenet scope an answer
+	belongs.  Consequently, users may experience surprising results with
+	such names when roaming to different homenets.
+
 20211230:
 	The macros provided for the manipulation of CPU sets (e.g. CPU_AND)
 	have been modified to take 2 source arguments instead of only 1.
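Review bot: The new entry is dated 20211202 but is inserted above the 20211230 entry, which breaks the newest-first ordering of UPDATING; since the change lands on 2022-01-24, the date header should probably be the commit date rather than a December 2021 date, so the entry sorts correctly and readers upgrading from a late-December snapshot still see it. Two smaller points in the same hunk: the entry cites "Section 6.1 of RFC8375" while the commit message cites "Section 6: Security Considerations", so the two should agree; and it would help operators to say explicitly that the `local-zone: "home.arpa." nodefault` line only lifts the default block, and that names under home.arpa. must still be served by a local-zone/local-data definition or a stub/forward zone for them to resolve.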