diff --git a/contrib/unbound/Makefile.in b/contrib/unbound/Makefile.in index e7c76c2588aa..bc021aa1eb00 100644 --- a/contrib/unbound/Makefile.in +++ b/contrib/unbound/Makefile.in @@ -616,7 +616,7 @@ install-all: all $(PYTHONMOD_INSTALL) $(PYUNBOUND_INSTALL) $(UNBOUND_EVENT_INSTA $(INSTALL) -c -m 644 doc/unbound.conf.5 $(DESTDIR)$(mandir)/man5 $(INSTALL) -c -m 644 doc/unbound-host.1 $(DESTDIR)$(mandir)/man1 $(INSTALL) -c -m 755 unbound-control-setup $(DESTDIR)$(sbindir)/unbound-control-setup - if test ! -e $(DESTDIR)$(configfile); then $(INSTALL) -d `dirname $(DESTDIR)$(configfile)`; $(INSTALL) -c -m 644 doc/example.conf $(DESTDIR)$(configfile); fi + if test ! -e "$(DESTDIR)$(configfile)"; then $(INSTALL) -d `dirname "$(DESTDIR)$(configfile)"`; $(INSTALL) -c -m 644 doc/example.conf "$(DESTDIR)$(configfile)"; fi pythonmod-uninstall: rm -f -- $(DESTDIR)$(PYTHON_SITE_PKG)/unboundmodule.py @@ -645,7 +645,7 @@ uninstall: $(PYTHONMOD_UNINSTALL) $(PYUNBOUND_UNINSTALL) $(UNBOUND_EVENT_UNINSTA rm -f -- $(DESTDIR)$(includedir)/unbound.h $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/libunbound.la @echo - @echo "You still need to remove "`dirname $(DESTDIR)$(configfile)`" , $(DESTDIR)$(configfile) by hand" + @echo "You still need to remove "`dirname "$(DESTDIR)$(configfile)"`" , $(DESTDIR)$(configfile) by hand" iana_update: curl -o port-numbers.tmp https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml --compressed diff --git a/contrib/unbound/README.md b/contrib/unbound/README.md index d1bbcf2b7797..c3d9bc2492ef 100644 --- a/contrib/unbound/README.md +++ b/contrib/unbound/README.md @@ -4,6 +4,7 @@ [![Packaging status](https://repology.org/badge/tiny-repos/unbound.svg)](https://repology.org/project/unbound/versions) [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/unbound.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:unbound) [![Documentation Status](https://readthedocs.org/projects/unbound/badge/?version=latest)](https://unbound.readthedocs.io/en/latest/?badge=latest) +[![Mastodon Follow](https://img.shields.io/mastodon/follow/109262826617293067?domain=https%3A%2F%2Ffosstodon.org&style=social)](https://fosstodon.org/@nlnetlabs) Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards. If you diff --git a/contrib/unbound/cachedb/cachedb.c b/contrib/unbound/cachedb/cachedb.c index b07743d85259..245daa986967 100644 --- a/contrib/unbound/cachedb/cachedb.c +++ b/contrib/unbound/cachedb/cachedb.c @@ -390,6 +390,15 @@ prep_data(struct module_qstate* qstate, struct sldns_buffer* buf) if(!qstate->return_msg || !qstate->return_msg->rep) return 0; + /* do not store failures like SERVFAIL in the cachedb, this avoids + * overwriting expired, valid, content with broken content. */ + if(FLAGS_GET_RCODE(qstate->return_msg->rep->flags) != + LDNS_RCODE_NOERROR && + FLAGS_GET_RCODE(qstate->return_msg->rep->flags) != + LDNS_RCODE_NXDOMAIN && + FLAGS_GET_RCODE(qstate->return_msg->rep->flags) != + LDNS_RCODE_YXDOMAIN) + return 0; /* We don't store the reply if its TTL is 0 unless serve-expired is * enabled. Such a reply won't be reusable and simply be a waste for * the backend. It's also compatible with the default behavior of @@ -542,10 +551,16 @@ parse_data(struct module_qstate* qstate, struct sldns_buffer* buf) verbose(VERB_ALGO, "cachedb msg expired"); /* If serve-expired is enabled, we still use an expired message * setting the TTL to 0. */ - if(qstate->env->cfg->serve_expired) - adjust = -1; - else + if(!qstate->env->cfg->serve_expired || + (FLAGS_GET_RCODE(qstate->return_msg->rep->flags) + != LDNS_RCODE_NOERROR && + FLAGS_GET_RCODE(qstate->return_msg->rep->flags) + != LDNS_RCODE_NXDOMAIN && + FLAGS_GET_RCODE(qstate->return_msg->rep->flags) + != LDNS_RCODE_YXDOMAIN)) return 0; /* message expired */ + else + adjust = -1; } verbose(VERB_ALGO, "cachedb msg adjusted down by %d", (int)adjust); adjust_msg_ttl(qstate->return_msg, adjust); diff --git a/contrib/unbound/configure b/contrib/unbound/configure index a2837d18553b..5823e49f2f80 100755 --- a/contrib/unbound/configure +++ b/contrib/unbound/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for unbound 1.17.0. +# Generated by GNU Autoconf 2.69 for unbound 1.17.1. # # Report bugs to . # @@ -591,8 +591,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='unbound' PACKAGE_TARNAME='unbound' -PACKAGE_VERSION='1.17.0' -PACKAGE_STRING='unbound 1.17.0' +PACKAGE_VERSION='1.17.1' +PACKAGE_STRING='unbound 1.17.1' PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues' PACKAGE_URL='' @@ -1477,7 +1477,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures unbound 1.17.0 to adapt to many kinds of systems. +\`configure' configures unbound 1.17.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1543,7 +1543,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of unbound 1.17.0:";; + short | recursive ) echo "Configuration of unbound 1.17.1:";; esac cat <<\_ACEOF @@ -1785,7 +1785,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -unbound configure 1.17.0 +unbound configure 1.17.1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2494,7 +2494,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by unbound $as_me 1.17.0, which was +It was created by unbound $as_me 1.17.1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2846,11 +2846,11 @@ UNBOUND_VERSION_MAJOR=1 UNBOUND_VERSION_MINOR=17 -UNBOUND_VERSION_MICRO=0 +UNBOUND_VERSION_MICRO=1 LIBUNBOUND_CURRENT=9 -LIBUNBOUND_REVISION=20 +LIBUNBOUND_REVISION=21 LIBUNBOUND_AGE=1 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -2938,6 +2938,7 @@ LIBUNBOUND_AGE=1 # 1.16.2 had 9:18:1 # 1.16.3 had 9:19:1 # 1.17.0 had 9:20:1 +# 1.17.1 had 9:21:1 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -22085,7 +22086,7 @@ _ACEOF -version=1.17.0 +version=1.17.1 date=`date +'%b %e, %Y'` @@ -22604,7 +22605,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by unbound $as_me 1.17.0, which was +This file was extended by unbound $as_me 1.17.1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -22670,7 +22671,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -unbound config.status 1.17.0 +unbound config.status 1.17.1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/contrib/unbound/configure.ac b/contrib/unbound/configure.ac index 57cc7e604b1e..2c7583310f20 100644 --- a/contrib/unbound/configure.ac +++ b/contrib/unbound/configure.ac @@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4) # must be numbers. ac_defun because of later processing m4_define([VERSION_MAJOR],[1]) m4_define([VERSION_MINOR],[17]) -m4_define([VERSION_MICRO],[0]) +m4_define([VERSION_MICRO],[1]) AC_INIT([unbound],m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),[unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues],[unbound]) AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR]) AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR]) AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO]) LIBUNBOUND_CURRENT=9 -LIBUNBOUND_REVISION=20 +LIBUNBOUND_REVISION=21 LIBUNBOUND_AGE=1 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -106,6 +106,7 @@ LIBUNBOUND_AGE=1 # 1.16.2 had 9:18:1 # 1.16.3 had 9:19:1 # 1.17.0 had 9:20:1 +# 1.17.1 had 9:21:1 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary diff --git a/contrib/unbound/contrib/unbound.service.in b/contrib/unbound/contrib/unbound.service.in index ada5fac9c224..5a05c525170f 100644 --- a/contrib/unbound/contrib/unbound.service.in +++ b/contrib/unbound/contrib/unbound.service.in @@ -42,9 +42,8 @@ [Unit] Description=Validating, recursive, and caching DNS resolver Documentation=man:unbound(8) -After=network-online.target -Before=nss-lookup.target -Wants=network-online.target nss-lookup.target +After=network.target +Before=network-online.target nss-lookup.target [Install] WantedBy=multi-user.target diff --git a/contrib/unbound/daemon/cachedump.c b/contrib/unbound/daemon/cachedump.c index baf8008ea80f..943eb63f326c 100644 --- a/contrib/unbound/daemon/cachedump.c +++ b/contrib/unbound/daemon/cachedump.c @@ -387,7 +387,7 @@ move_into_cache(struct ub_packed_rrset_key* k, struct rrset_ref ref; uint8_t* p; - ak = alloc_special_obtain(&worker->alloc); + ak = alloc_special_obtain(worker->alloc); if(!ak) { log_warn("error out of memory"); return 0; @@ -398,7 +398,7 @@ move_into_cache(struct ub_packed_rrset_key* k, ak->rk.dname = (uint8_t*)memdup(k->rk.dname, k->rk.dname_len); if(!ak->rk.dname) { log_warn("error out of memory"); - ub_packed_rrset_parsedelete(ak, &worker->alloc); + ub_packed_rrset_parsedelete(ak, worker->alloc); return 0; } s = sizeof(*ad) + (sizeof(size_t) + sizeof(uint8_t*) + @@ -408,7 +408,7 @@ move_into_cache(struct ub_packed_rrset_key* k, ad = (struct packed_rrset_data*)malloc(s); if(!ad) { log_warn("error out of memory"); - ub_packed_rrset_parsedelete(ak, &worker->alloc); + ub_packed_rrset_parsedelete(ak, worker->alloc); return 0; } p = (uint8_t*)ad; @@ -431,7 +431,8 @@ move_into_cache(struct ub_packed_rrset_key* k, ref.key = ak; ref.id = ak->id; (void)rrset_cache_update(worker->env.rrset_cache, &ref, - &worker->alloc, *worker->env.now); + worker->alloc, *worker->env.now); + return 1; } diff --git a/contrib/unbound/daemon/daemon.c b/contrib/unbound/daemon/daemon.c index 71091133a487..193608d40e05 100644 --- a/contrib/unbound/daemon/daemon.c +++ b/contrib/unbound/daemon/daemon.c @@ -488,6 +488,27 @@ static int daemon_get_shufport(struct daemon* daemon, int* shufport) return avail; } +/** + * Clear and delete per-worker alloc caches, and free memory maintained in + * superalloc. + * The rrset and message caches must be empty at the time of call. + * @param daemon: the daemon that maintains the alloc caches to be cleared. + */ +static void +daemon_clear_allocs(struct daemon* daemon) +{ + int i; + + for(i=0; inum; i++) { + alloc_clear(daemon->worker_allocs[i]); + free(daemon->worker_allocs[i]); + } + free(daemon->worker_allocs); + daemon->worker_allocs = NULL; + + alloc_clear_special(&daemon->superalloc); +} + /** * Allocate empty worker structures. With backptr and thread-number, * from 0..numthread initialised. Used as user arguments to new threads. @@ -540,6 +561,21 @@ daemon_create_workers(struct daemon* daemon) /* the above is not ports/numthr, due to rounding */ fatal_exit("could not create worker"); } + /* create per-worker alloc caches if not reusing existing ones. */ + if(!daemon->worker_allocs) { + daemon->worker_allocs = (struct alloc_cache**)calloc( + (size_t)daemon->num, sizeof(struct alloc_cache*)); + if(!daemon->worker_allocs) + fatal_exit("could not allocate worker allocs"); + for(i=0; inum; i++) { + struct alloc_cache* alloc = calloc(1, + sizeof(struct alloc_cache)); + if (!alloc) + fatal_exit("could not allocate worker alloc"); + alloc_init(alloc, &daemon->superalloc, i); + daemon->worker_allocs[i] = alloc; + } + } free(shufport); } @@ -771,6 +807,7 @@ daemon_fork(struct daemon* daemon) /* Shutdown SHM */ shm_main_shutdown(daemon); + daemon->reuse_cache = daemon->workers[0]->reuse_cache; daemon->need_to_exit = daemon->workers[0]->need_to_exit; } @@ -785,9 +822,16 @@ daemon_cleanup(struct daemon* daemon) log_thread_set(NULL); /* clean up caches because * a) RRset IDs will be recycled after a reload, causing collisions - * b) validation config can change, thus rrset, msg, keycache clear */ - slabhash_clear(&daemon->env->rrset_cache->table); - slabhash_clear(daemon->env->msg_cache); + * b) validation config can change, thus rrset, msg, keycache clear + * + * If we are trying to keep the cache as long as possible, we should + * defer the cleanup until we know whether the new configuration allows + * the reuse. (If we're exiting, cleanup should be done here). */ + if(!daemon->reuse_cache || daemon->need_to_exit) { + slabhash_clear(&daemon->env->rrset_cache->table); + slabhash_clear(daemon->env->msg_cache); + } + daemon->old_num = daemon->num; /* save the current num */ local_zones_delete(daemon->local_zones); daemon->local_zones = NULL; respip_set_delete(daemon->respip_set); @@ -802,8 +846,13 @@ daemon_cleanup(struct daemon* daemon) worker_delete(daemon->workers[i]); free(daemon->workers); daemon->workers = NULL; + /* Unless we're trying to keep the cache, worker alloc_caches should be + * cleared and freed here. We do this after deleting workers to + * guarantee that the alloc caches are valid throughout the lifetime + * of workers. */ + if(!daemon->reuse_cache || daemon->need_to_exit) + daemon_clear_allocs(daemon); daemon->num = 0; - alloc_clear_special(&daemon->superalloc); #ifdef USE_DNSTAP dt_delete(daemon->dtenv); daemon->dtenv = NULL; @@ -900,8 +949,42 @@ daemon_delete(struct daemon* daemon) void daemon_apply_cfg(struct daemon* daemon, struct config_file* cfg) { + int new_num = cfg->num_threads?cfg->num_threads:1; + daemon->cfg = cfg; config_apply(cfg); + + /* If this is a reload and we deferred the decision on whether to + * reuse the alloc, RRset, and message caches, then check to see if + * it's safe to keep the caches: + * - changing the number of threads is obviously incompatible with + * keeping the per-thread alloc caches. It also means we have to + * clear RRset and message caches. (note that 'new_num' may be + * adjusted in daemon_create_workers, but for our purpose we can + * simply compare it with 'old_num'; if they are equal here, + * 'new_num' won't be adjusted to a different value than 'old_num'). + * - changing RRset cache size effectively clears any remaining cache + * entries. We could keep their keys in alloc caches, but it would + * be more consistent with the sense of the change to clear allocs + * and free memory. To do so we also have to clear message cache. + * - only changing message cache size does not necessarily affect + * RRset or alloc cache. But almost all new subsequent queries will + * require recursive resolution anyway, so it doesn't help much to + * just keep RRset and alloc caches. For simplicity we clear/free + * the other two, too. */ + if(daemon->worker_allocs && + (new_num != daemon->old_num || + !slabhash_is_size(daemon->env->msg_cache, cfg->msg_cache_size, + cfg->msg_cache_slabs) || + !slabhash_is_size(&daemon->env->rrset_cache->table, + cfg->rrset_cache_size, cfg->rrset_cache_slabs))) + { + log_warn("cannot reuse caches due to critical config change"); + slabhash_clear(&daemon->env->rrset_cache->table); + slabhash_clear(daemon->env->msg_cache); + daemon_clear_allocs(daemon); + } + if(!slabhash_is_size(daemon->env->msg_cache, cfg->msg_cache_size, cfg->msg_cache_slabs)) { slabhash_delete(daemon->env->msg_cache); diff --git a/contrib/unbound/daemon/daemon.h b/contrib/unbound/daemon/daemon.h index 58713e9ce466..57665446d41b 100644 --- a/contrib/unbound/daemon/daemon.h +++ b/contrib/unbound/daemon/daemon.h @@ -99,8 +99,12 @@ struct daemon { void* listen_sslctx, *connect_sslctx; /** num threads allocated */ int num; + /** num threads allocated in the previous config or 0 at first */ + int old_num; /** the worker entries */ struct worker** workers; + /** per-worker allocation cache */ + struct alloc_cache **worker_allocs; /** do we need to exit unbound (or is it only a reload?) */ int need_to_exit; /** master random table ; used for port div between threads on reload*/ @@ -140,6 +144,8 @@ struct daemon { /** the dnscrypt environment */ struct dnsc_env* dnscenv; #endif + /** reuse existing cache on reload if other conditions allow it. */ + int reuse_cache; }; /** diff --git a/contrib/unbound/daemon/remote.c b/contrib/unbound/daemon/remote.c index 7d4a414002ac..7c5a036f343d 100644 --- a/contrib/unbound/daemon/remote.c +++ b/contrib/unbound/daemon/remote.c @@ -105,8 +105,6 @@ /** what to put on statistics lines between var and value, ": " or "=" */ #define SQ "=" -/** if true, inhibits a lot of =0 lines from the stats output */ -static const int inhibit_zero = 1; /** subtract timers and the values do not overflow or become negative */ static void @@ -684,8 +682,9 @@ do_stop(RES* ssl, struct worker* worker) /** do the reload command */ static void -do_reload(RES* ssl, struct worker* worker) +do_reload(RES* ssl, struct worker* worker, int reuse_cache) { + worker->reuse_cache = reuse_cache; worker->need_to_exit = 0; comm_base_exit(worker->base); send_ok(ssl); @@ -920,7 +919,7 @@ print_hist(RES* ssl, struct ub_stats_info* s) /** print extended stats */ static int -print_ext(RES* ssl, struct ub_stats_info* s) +print_ext(RES* ssl, struct ub_stats_info* s, int inhibit_zero) { int i; char nm[32]; @@ -1129,7 +1128,7 @@ do_stats(RES* ssl, struct worker* worker, int reset) return; if(!print_hist(ssl, &total)) return; - if(!print_ext(ssl, &total)) + if(!print_ext(ssl, &total, daemon->cfg->stat_inhibit_zero)) return; } } @@ -1963,6 +1962,8 @@ do_flush_name(RES* ssl, struct worker* w, char* arg) do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_PTR, LDNS_RR_CLASS_IN); do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_SRV, LDNS_RR_CLASS_IN); do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_NAPTR, LDNS_RR_CLASS_IN); + do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_SVCB, LDNS_RR_CLASS_IN); + do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_HTTPS, LDNS_RR_CLASS_IN); free(nm); send_ok(ssl); @@ -3029,8 +3030,11 @@ execute_cmd(struct daemon_remote* rc, RES* ssl, char* cmd, if(cmdcmp(p, "stop", 4)) { do_stop(ssl, worker); return; + } else if(cmdcmp(p, "reload_keep_cache", 17)) { + do_reload(ssl, worker, 1); + return; } else if(cmdcmp(p, "reload", 6)) { - do_reload(ssl, worker); + do_reload(ssl, worker, 0); return; } else if(cmdcmp(p, "stats_noreset", 13)) { do_stats(ssl, worker, 0); diff --git a/contrib/unbound/daemon/worker.c b/contrib/unbound/daemon/worker.c index caefad621409..99dcf9940004 100644 --- a/contrib/unbound/daemon/worker.c +++ b/contrib/unbound/daemon/worker.c @@ -133,7 +133,7 @@ worker_mem_report(struct worker* ATTR_UNUSED(worker), rrset = slabhash_get_mem(&worker->env.rrset_cache->table); infra = infra_get_mem(worker->env.infra_cache); mesh = mesh_get_mem(worker->env.mesh); - ac = alloc_get_mem(&worker->alloc); + ac = alloc_get_mem(worker->alloc); superac = alloc_get_mem(&worker->daemon->superalloc); anch = anchors_get_mem(worker->env.anchors); iter = 0; @@ -623,6 +623,14 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo, if(worker->env.cfg->serve_expired_ttl && rep->serve_expired_ttl < timenow) return 0; + /* Ignore expired failure answers */ + if(FLAGS_GET_RCODE(rep->flags) != + LDNS_RCODE_NOERROR && + FLAGS_GET_RCODE(rep->flags) != + LDNS_RCODE_NXDOMAIN && + FLAGS_GET_RCODE(rep->flags) != + LDNS_RCODE_YXDOMAIN) + return 0; if(!rrset_array_lock(rep->ref, rep->rrset_count, 0)) return 0; *is_expired_answer = 1; @@ -730,8 +738,6 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo, goto bail_out; } } else { - /* We don't check the global ede as this is a warning, not - * an error */ if (*is_expired_answer == 1 && worker->env.cfg->ede_serve_expired && worker->env.cfg->ede) { EDNS_OPT_LIST_APPEND_EDE(&edns->opt_list_out, @@ -2059,15 +2065,14 @@ worker_init(struct worker* worker, struct config_file *cfg, } server_stats_init(&worker->stats, cfg); - alloc_init(&worker->alloc, &worker->daemon->superalloc, - worker->thread_num); - alloc_set_id_cleanup(&worker->alloc, &worker_alloc_cleanup, worker); + worker->alloc = worker->daemon->worker_allocs[worker->thread_num]; + alloc_set_id_cleanup(worker->alloc, &worker_alloc_cleanup, worker); worker->env = *worker->daemon->env; comm_base_timept(worker->base, &worker->env.now, &worker->env.now_tv); worker->env.worker = worker; worker->env.worker_base = worker->base; worker->env.send_query = &worker_send_query; - worker->env.alloc = &worker->alloc; + worker->env.alloc = worker->alloc; worker->env.outnet = worker->back; worker->env.rnd = worker->rndstate; /* If case prefetch is triggered, the corresponding mesh will clear @@ -2211,7 +2216,7 @@ worker_delete(struct worker* worker) #endif /* USE_DNSTAP */ comm_base_delete(worker->base); ub_randfree(worker->rndstate); - alloc_clear(&worker->alloc); + /* don't touch worker->alloc, as it's maintained in daemon */ regional_destroy(worker->env.scratch); regional_destroy(worker->scratchpad); free(worker); diff --git a/contrib/unbound/daemon/worker.h b/contrib/unbound/daemon/worker.h index 3fb52abd9d87..ab2fc728d274 100644 --- a/contrib/unbound/daemon/worker.h +++ b/contrib/unbound/daemon/worker.h @@ -118,7 +118,7 @@ struct worker { /** do we need to restart or quit (on signal) */ int need_to_exit; /** allocation cache for this thread */ - struct alloc_cache alloc; + struct alloc_cache *alloc; /** per thread statistics */ struct ub_server_stats stats; /** thread scratch regional */ @@ -131,6 +131,8 @@ struct worker { /** dnstap environment, changed for this thread */ struct dt_env dtenv; #endif + /** reuse existing cache on reload if other conditions allow it. */ + int reuse_cache; }; /** diff --git a/contrib/unbound/doc/Changelog b/contrib/unbound/doc/Changelog index 727d1543ea4e..899026352434 100644 --- a/contrib/unbound/doc/Changelog +++ b/contrib/unbound/doc/Changelog @@ -1,7 +1,93 @@ +5 January 2023: Wouter + - Tag for 1.17.1 release. + +2 January 2023: Wouter + - Fix windows compile for libunbound subprocess reap comm point closes. + - Update github workflows to use checkout v3. + +14 December 2022: George + - Merge #569 from JINMEI Tatuya: add keep-cache option to + 'unbound-control reload' to keep caches. + +13 December 2022: George + - Expose 'statistics-inhibit-zero' as a configuration option; the + default value retains Unbound's behavior. + - Expose 'max-sent-count' as a configuration option; the + default value retains Unbound's behavior. + - Merge #461 from Christian Allred: Add max-query-restarts option. + Exposes an internal configuration but the default value retains + Unbound's behavior. + +13 December 2022: Wouter + - Merge #808: Wrap Makefile script's directory variables in quotes. + - Fix to wrap Makefile scripts directory in quotes for uninstall. + +1 December 2022: Wouter + - Fix #773: When used with systemd-networkd, unbound does not start + until systemd-networkd-wait-online.service times out. + +30 November 2022: George + - Add SVCB and HTTPS to the types removed by 'unbound-control flush'. + - Clear documentation for interactivity between the subnet module and + the serve-expired and prefetch configuration options. + +30 November 2022: Wouter + - Fix #782: Segmentation fault in stats.c:404. + +28 November 2022: Wouter + - Fix for the ignore of tcp events for closed comm points, preserve + the use after free protection features. + +23 November 2022: Philip + - Merge #720 from jonathangray: fix use after free when + WSACreateEvent() fails. + +22 November 2022: George + - Ignore expired error responses. + +11 November 2022: Wouter + - Fix #779: [doc] Missing documention in ub_resolve_event() for + callback parameter was_ratelimited. + +9 November 2022: George + - Complementary fix for distutils.sysconfig deprecation in Python 3.10 + to commit 62c5039ab9da42713e006e840b7578e01d66e7f2. + +8 November 2022: Wouter + - Fix to ignore tcp events for closed comm points. + - Fix to make sure to not read again after a tcp comm point is closed. + - Fix #775: libunbound: subprocess reap causes parent process reap + to hang. + - iana portlist update. + +21 October 2022: George + - Merge #767 from jonathangray: consistently use IPv4/IPv6 in + unbound.conf.5. + +21 October 2022: Wouter + - Fix that cachedb does not store failures in the external cache. + +18 October 2022: George + - Clarify the use of MAX_SENT_COUNT in the iterator code. + +17 October 2022: Wouter + - testcode/dohclient sets log identity to its name. + +14 October 2022: Wouter + - Merge #768 from fobser: Arithmetic on a pointer to void is a GNU + extension. + - In unit test, print python script name list correctly. + +13 October 2022: Wouter + - Tag for 1.17.0 release. The code repository continues with 1.17.1. + 11 October 2022: George - Fix PROXYv2 header read for TCP connections when no proxied addresses are provided. +7 October 2022: Wouter + - Tag for 1.17.0rc1 release. + 7 October 2022: George - Fix to stop possible loops in the tcp reuse code (write_wait list and tcp_wait list). Based on analysis and patch from Prad Seniappan diff --git a/contrib/unbound/doc/README b/contrib/unbound/doc/README index 88444a5e3c99..faab92bcb077 100644 --- a/contrib/unbound/doc/README +++ b/contrib/unbound/doc/README @@ -1,4 +1,4 @@ -README for Unbound 1.17.0 +README for Unbound 1.17.1 Copyright 2007 NLnet Labs http://unbound.net diff --git a/contrib/unbound/doc/example.conf.in b/contrib/unbound/doc/example.conf.in index df0b2a1fb2c0..8cf3d868285e 100644 --- a/contrib/unbound/doc/example.conf.in +++ b/contrib/unbound/doc/example.conf.in @@ -1,7 +1,7 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.17.0. +# See unbound.conf(5) man page, version 1.17.1. # # this is a comment. @@ -35,9 +35,14 @@ server: # statistics-cumulative: no # enable extended statistics (query types, answer codes, status) - # printed from unbound-control. default off, because of speed. + # printed from unbound-control. Default off, because of speed. # extended-statistics: no + # Inhibits selected extended statistics (qtype, qclass, qopcode, rcode, + # rpz-actions) from printing if their value is 0. + # Default on. + # statistics-inhibit-zero: yes + # number of threads to create. 1 disables threading. # num-threads: 1 @@ -173,6 +178,15 @@ server: # a throwaway response (also timeouts) is received. # outbound-msg-retry: 5 + # Hard limit on the number of outgoing queries Unbound will make while + # resolving a name, making sure large NS sets do not loop. + # It resets on query restarts (e.g., CNAME) and referrals. + # max-sent-count: 32 + + # Hard limit on the number of times Unbound is allowed to restart a + # query upon encountering a CNAME record. + # max-query-restarts: 11 + # msec for waiting for an unknown server to reply. Increase if you # are behind a slow satellite link, to eg. 1128. # unknown-server-time-limit: 376 diff --git a/contrib/unbound/doc/libunbound.3.in b/contrib/unbound/doc/libunbound.3.in index b87289e0d764..19a213e1aa6f 100644 --- a/contrib/unbound/doc/libunbound.3.in +++ b/contrib/unbound/doc/libunbound.3.in @@ -1,4 +1,4 @@ -.TH "libunbound" "3" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0" +.TH "libunbound" "3" "Jan 12, 2023" "NLnet Labs" "unbound 1.17.1" .\" .\" libunbound.3 -- unbound library functions manual .\" @@ -44,7 +44,7 @@ .B ub_ctx_zone_remove, .B ub_ctx_data_add, .B ub_ctx_data_remove -\- Unbound DNS validating resolver 1.17.0 functions. +\- Unbound DNS validating resolver 1.17.1 functions. .SH "SYNOPSIS" .B #include .LP diff --git a/contrib/unbound/doc/unbound-anchor.8.in b/contrib/unbound/doc/unbound-anchor.8.in index dc61b72dadb4..9bba2522a19c 100644 --- a/contrib/unbound/doc/unbound-anchor.8.in +++ b/contrib/unbound/doc/unbound-anchor.8.in @@ -1,4 +1,4 @@ -.TH "unbound-anchor" "8" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0" +.TH "unbound-anchor" "8" "Jan 12, 2023" "NLnet Labs" "unbound 1.17.1" .\" .\" unbound-anchor.8 -- unbound anchor maintenance utility manual .\" diff --git a/contrib/unbound/doc/unbound-checkconf.8.in b/contrib/unbound/doc/unbound-checkconf.8.in index ba6c334c7c78..128f1cebd94b 100644 --- a/contrib/unbound/doc/unbound-checkconf.8.in +++ b/contrib/unbound/doc/unbound-checkconf.8.in @@ -1,4 +1,4 @@ -.TH "unbound-checkconf" "8" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0" +.TH "unbound-checkconf" "8" "Jan 12, 2023" "NLnet Labs" "unbound 1.17.1" .\" .\" unbound-checkconf.8 -- unbound configuration checker manual .\" diff --git a/contrib/unbound/doc/unbound-control.8.in b/contrib/unbound/doc/unbound-control.8.in index 3841b9737f4e..10be612fe20e 100644 --- a/contrib/unbound/doc/unbound-control.8.in +++ b/contrib/unbound/doc/unbound-control.8.in @@ -1,4 +1,4 @@ -.TH "unbound-control" "8" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0" +.TH "unbound-control" "8" "Jan 12, 2023" "NLnet Labs" "unbound 1.17.1" .\" .\" unbound-control.8 -- unbound remote control manual .\" @@ -54,6 +54,12 @@ Stop the server. The server daemon exits. .B reload Reload the server. This flushes the cache and reads the config file fresh. .TP +.B reload_keep_cache +Reload the server but try to keep the RRset and message cache if +(re)configuration allows for it. +That means the caches sizes and the number of threads must not change between +reloads. +.TP .B verbosity \fInumber Change verbosity value for logging. Same values as \fBverbosity\fR keyword in \fIunbound.conf\fR(5). This new setting lasts until the server is issued @@ -130,7 +136,7 @@ name specified. .TP .B flush \fIname Remove the name from the cache. Removes the types -A, AAAA, NS, SOA, CNAME, DNAME, MX, PTR, SRV and NAPTR. +A, AAAA, NS, SOA, CNAME, DNAME, MX, PTR, SRV, NAPTR, SVCB and HTTPS. Because that is fast to do. Other record types can be removed using .B flush_type or diff --git a/contrib/unbound/doc/unbound-host.1.in b/contrib/unbound/doc/unbound-host.1.in index 8371084c575b..0af5777f0492 100644 --- a/contrib/unbound/doc/unbound-host.1.in +++ b/contrib/unbound/doc/unbound-host.1.in @@ -1,4 +1,4 @@ -.TH "unbound\-host" "1" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0" +.TH "unbound\-host" "1" "Jan 12, 2023" "NLnet Labs" "unbound 1.17.1" .\" .\" unbound-host.1 -- unbound DNS lookup utility .\" diff --git a/contrib/unbound/doc/unbound.8.in b/contrib/unbound/doc/unbound.8.in index ac61b0f7a10c..498690805c85 100644 --- a/contrib/unbound/doc/unbound.8.in +++ b/contrib/unbound/doc/unbound.8.in @@ -1,4 +1,4 @@ -.TH "unbound" "8" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0" +.TH "unbound" "8" "Jan 12, 2023" "NLnet Labs" "unbound 1.17.1" .\" .\" unbound.8 -- unbound manual .\" @@ -9,7 +9,7 @@ .\" .SH "NAME" .B unbound -\- Unbound DNS validating resolver 1.17.0. +\- Unbound DNS validating resolver 1.17.1. .SH "SYNOPSIS" .B unbound .RB [ \-h ] diff --git a/contrib/unbound/doc/unbound.conf.5.in b/contrib/unbound/doc/unbound.conf.5.in index 6c021b900d89..3844d52551c6 100644 --- a/contrib/unbound/doc/unbound.conf.5.in +++ b/contrib/unbound/doc/unbound.conf.5.in @@ -1,4 +1,4 @@ -.TH "unbound.conf" "5" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0" +.TH "unbound.conf" "5" "Jan 12, 2023" "NLnet Labs" "unbound 1.17.1" .\" .\" unbound.conf.5 -- unbound.conf manual .\" @@ -112,6 +112,14 @@ If enabled, extended statistics are printed from \fIunbound\-control\fR(8). Default is off, because keeping track of more statistics takes time. The counters are listed in \fIunbound\-control\fR(8). .TP +.B statistics\-inhibit\-zero: \fI +If enabled, selected extended statistics with a value of 0 are inhibited from +printing with \fIunbound\-control\fR(8). +These are query types, query classes, query opcodes, answer rcodes +(except NOERROR, FORMERR, SERVFAIL, NXDOMAIN, NOTIMPL, REFUSED) and +RPZ actions. +Default is on. +.TP .B num\-threads: \fI The number of threads to create to serve clients. Use 1 for no threading. .TP @@ -349,7 +357,7 @@ ip\-transparent option is also available. The value of the Differentiated Services Codepoint (DSCP) in the differentiated services field (DS) of the outgoing IP packet headers. The field replaces the outdated IPv4 Type-Of-Service field and the -IPV6 traffic class field. +IPv6 traffic class field. .TP .B rrset\-cache\-size: \fI Number of bytes size of the RRset cache. Default is 4 megabytes. @@ -416,7 +424,7 @@ Enable or disable whether ip4 queries are answered or issued. Default is yes. Enable or disable whether ip6 queries are answered or issued. Default is yes. If disabled, queries are not answered on IPv6, and queries are not sent on IPv6 to the internet nameservers. With this option you can disable the -ipv6 transport for sending DNS traffic, it does not impact the contents of +IPv6 transport for sending DNS traffic, it does not impact the contents of the DNS traffic, which may have ip4 and ip6 addresses in it. .TP .B prefer\-ip4: \fI @@ -1671,7 +1679,7 @@ This specifies the action data for \fIresponse-ip\fR with action being to redirect as specified by "\fIresource record string\fR". "Resource record string" is similar to that of \fIaccess-control-tag-action\fR, but it must be of either AAAA, A or CNAME types. -If the IP-netblock is an IPv6/IPV4 prefix, the record +If the IP-netblock is an IPv6/IPv4 prefix, the record must be AAAA/A respectively, unless it is a CNAME (which can be used for both versions of IP netblocks). If it is CNAME there must not be more than one \fIresponse-ip-data\fR for the same IP-netblock. @@ -1820,6 +1828,21 @@ If a forward/stub zone is used, this is the number of retries per nameserver in the zone. Default is 5. .TP 5 +.B max\-sent\-count: \fI +Hard limit on the number of outgoing queries Unbound will make while resolving +a name, making sure large NS sets do not loop. +Results in SERVFAIL when reached. +It resets on query restarts (e.g., CNAME) and referrals. +Default is 32. +.TP 5 +.B max\-query\-restarts: \fI +Hard limit on the number of times Unbound is allowed to restart a query upon +encountering a CNAME record. +Results in SERVFAIL when reached. +Changing this value needs caution as it can allow long CNAME chains to be +accepted, where Unbound needs to verify (resolve) each link individually. +Default is 11. +.TP 5 .B fast\-server\-permil: \fI Specify how many times out of 1000 to pick from the set of fastest servers. 0 turns the feature off. A value of 900 would pick from the fastest @@ -1853,7 +1876,7 @@ errors. Default is "no". When the \fBval-log-level\fR option is also set to \fB2\fR, responses with Extended DNS Errors concerning DNSSEC failures that are not served from cache, will also contain a descriptive text message about the reason for the failure. -.TP +.TP 5 .B ede\-serve\-expired: \fI If enabled, Unbound will attach an Extended DNS Error (RFC8914) Code 3 - Stale Answer as EDNS0 option to the expired response. Note that this will not attach @@ -2358,6 +2381,9 @@ The maximum size of the ECS cache is controlled by 'msg-cache-size' in the configuration file. On top of that, for each query only 100 different subnets are allowed to be stored for each address family. Exceeding that number, older entries will be purged from cache. +.LP +This module does not interact with the \fBserve\-expired*\fR and +\fBprefetch:\fR options. .TP .B send\-client\-subnet: \fI\fR Send client source address to this authority. Append /num to indicate a diff --git a/contrib/unbound/edns-subnet/subnetmod.c b/contrib/unbound/edns-subnet/subnetmod.c index 0f1df417f6b5..458a89702269 100644 --- a/contrib/unbound/edns-subnet/subnetmod.c +++ b/contrib/unbound/edns-subnet/subnetmod.c @@ -204,6 +204,17 @@ subnetmod_init(struct module_env *env, int id) } alloc_init(&sn_env->alloc, NULL, 0); env->modinfo[id] = (void*)sn_env; + + /* Warn that serve-expired and prefetch do not work with the subnet + * module cache. */ + if(env->cfg->serve_expired) + log_warn( + "subnetcache: serve-expired is set but not working " + "for data originating from the subnet module cache."); + if(env->cfg->prefetch) + log_warn( + "subnetcache: prefetch is set but not working " + "for data originating from the subnet module cache."); /* Copy msg_cache settings */ sn_env->subnet_msg_cache = slabhash_create(env->cfg->msg_cache_slabs, HASH_DEFAULT_STARTARRAY, env->cfg->msg_cache_size, diff --git a/contrib/unbound/iterator/iter_utils.c b/contrib/unbound/iterator/iter_utils.c index 56b184a02fb8..b2a2309ab4b1 100644 --- a/contrib/unbound/iterator/iter_utils.c +++ b/contrib/unbound/iterator/iter_utils.c @@ -175,6 +175,8 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg) iter_env->supports_ipv6 = cfg->do_ip6; iter_env->supports_ipv4 = cfg->do_ip4; iter_env->outbound_msg_retry = cfg->outbound_msg_retry; + iter_env->max_sent_count = cfg->max_sent_count; + iter_env->max_query_restarts = cfg->max_query_restarts; return 1; } diff --git a/contrib/unbound/iterator/iterator.c b/contrib/unbound/iterator/iterator.c index 2f3ad06fe6ea..33095b2b5c45 100644 --- a/contrib/unbound/iterator/iterator.c +++ b/contrib/unbound/iterator/iterator.c @@ -1314,7 +1314,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq, /* We enforce a maximum number of query restarts. This is primarily a * cheap way to prevent CNAME loops. */ - if(iq->query_restart_count > MAX_RESTART_COUNT) { + if(iq->query_restart_count > ie->max_query_restarts) { verbose(VERB_QUERY, "request has exceeded the maximum number" " of query restarts with %d", iq->query_restart_count); errinf(qstate, "request has exceeded the maximum number " @@ -2276,14 +2276,13 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, iq->num_current_queries, iq->sent_count); /* Make sure that we haven't run away */ - /* FIXME: is this check even necessary? */ if(iq->referral_count > MAX_REFERRAL_COUNT) { verbose(VERB_QUERY, "request has exceeded the maximum " "number of referrrals with %d", iq->referral_count); errinf(qstate, "exceeded the maximum of referrals"); return error_response(qstate, id, LDNS_RCODE_SERVFAIL); } - if(iq->sent_count > MAX_SENT_COUNT) { + if(iq->sent_count > ie->max_sent_count) { verbose(VERB_QUERY, "request has exceeded the maximum " "number of sends with %d", iq->sent_count); errinf(qstate, "exceeded the maximum number of sends"); @@ -2630,7 +2629,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, * the original query is one that matched too, so we have * caps_server+1 number of matching queries now */ if(iq->caps_server+1 >= naddr*3 || - iq->caps_server*2+2 >= MAX_SENT_COUNT) { + iq->caps_server*2+2 >= (size_t)ie->max_sent_count) { /* *2 on sentcount check because ipv6 may fail */ /* we're done, process the response */ verbose(VERB_ALGO, "0x20 fallback had %d responses " diff --git a/contrib/unbound/iterator/iterator.h b/contrib/unbound/iterator/iterator.h index e35718cf33bd..89038dc8a7e6 100644 --- a/contrib/unbound/iterator/iterator.h +++ b/contrib/unbound/iterator/iterator.h @@ -63,12 +63,8 @@ struct rbtree_type; /** max number of nxdomains allowed for target lookups for a query and * its subqueries when fallback has kicked in */ #define MAX_TARGET_NX_FALLBACK (MAX_TARGET_NX*2) -/** max number of query restarts. Determines max number of CNAME chain. */ -#define MAX_RESTART_COUNT 11 /** max number of referrals. Makes sure resolver does not run away */ #define MAX_REFERRAL_COUNT 130 -/** max number of queries-sent-out. Make sure large NS set does not loop */ -#define MAX_SENT_COUNT 32 /** max number of queries for which to perform dnsseclameness detection, * (rrsigs missing detection) after that, just pick up that response */ #define DNSSEC_LAME_DETECT_COUNT 4 @@ -145,6 +141,12 @@ struct iter_env { /** number of retries on outgoing queries */ int outbound_msg_retry; + + /** number of queries_sent */ + int max_sent_count; + + /** max number of query restarts to limit length of CNAME chain */ + int max_query_restarts; }; /** diff --git a/contrib/unbound/libunbound/context.c b/contrib/unbound/libunbound/context.c index c8d911f13c7f..f7c0a2cd5fae 100644 --- a/contrib/unbound/libunbound/context.c +++ b/contrib/unbound/libunbound/context.c @@ -70,6 +70,7 @@ context_finalize(struct ub_ctx* ctx) } else { log_init(cfg->logfile, cfg->use_syslog, NULL); } + ctx->pipe_pid = getpid(); cfg_apply_local_port_policy(cfg, 65536); config_apply(cfg); if(!modstack_setup(&ctx->mods, cfg->module_conf, ctx->env)) diff --git a/contrib/unbound/libunbound/context.h b/contrib/unbound/libunbound/context.h index c0c86fb52697..c0fc80e57be4 100644 --- a/contrib/unbound/libunbound/context.h +++ b/contrib/unbound/libunbound/context.h @@ -89,6 +89,12 @@ struct ub_ctx { pid_t bg_pid; /** tid of bg worker thread */ ub_thread_type bg_tid; + /** pid when pipes are created. This was the process when the + * setup was called. Helps with clean up, so we can tell after a fork + * which side of the fork the delete is on. */ + pid_t pipe_pid; + /** when threaded, the worker that exists in the created thread. */ + struct libworker* thread_worker; /** do threading (instead of forking) for async resolution */ int dothread; diff --git a/contrib/unbound/libunbound/libunbound.c b/contrib/unbound/libunbound/libunbound.c index ea5ef24bb01c..80a82bb47ddf 100644 --- a/contrib/unbound/libunbound/libunbound.c +++ b/contrib/unbound/libunbound/libunbound.c @@ -305,11 +305,31 @@ ub_ctx_delete(struct ub_ctx* ctx) int do_stop = 1; if(!ctx) return; + /* if the delete is called but it has forked, and before the fork + * the context was finalized, then the bg worker is not stopped + * from here. There is one worker, but two contexts that refer to + * it and only one should clean up, the one with getpid == pipe_pid.*/ + if(ctx->created_bg && ctx->pipe_pid != getpid()) { + do_stop = 0; +#ifndef USE_WINSOCK + /* Stop events from getting deregistered, if the backend is + * epoll, the epoll fd is the same as the other process. + * That process should deregister them. */ + if(ctx->qq_pipe->listen_com) + ctx->qq_pipe->listen_com->event_added = 0; + if(ctx->qq_pipe->res_com) + ctx->qq_pipe->res_com->event_added = 0; + if(ctx->rr_pipe->listen_com) + ctx->rr_pipe->listen_com->event_added = 0; + if(ctx->rr_pipe->res_com) + ctx->rr_pipe->res_com->event_added = 0; +#endif + } /* see if bg thread is created and if threads have been killed */ /* no locks, because those may be held by terminated threads */ /* for processes the read pipe is closed and we see that on read */ #ifdef HAVE_PTHREAD - if(ctx->created_bg && ctx->dothread) { + if(ctx->created_bg && ctx->dothread && do_stop) { if(pthread_kill(ctx->bg_tid, 0) == ESRCH) { /* thread has been killed */ do_stop = 0; @@ -318,6 +338,23 @@ ub_ctx_delete(struct ub_ctx* ctx) #endif /* HAVE_PTHREAD */ if(do_stop) ub_stop_bg(ctx); + if(ctx->created_bg && ctx->pipe_pid != getpid() && ctx->thread_worker) { + /* This delete is happening from a different process. Delete + * the thread worker from this process memory space. The + * thread is not there to do so, so it is freed here. */ + struct ub_event_base* evbase = comm_base_internal( + ctx->thread_worker->base); + libworker_delete_event(ctx->thread_worker); + ctx->thread_worker = NULL; +#ifdef USE_MINI_EVENT + ub_event_base_free(evbase); +#else + /* cannot event_base_free, because the epoll_fd cleanup + * in libevent could stop the original event_base in the + * other process from working. */ + free(evbase); +#endif + } libworker_delete_event(ctx->event_worker); modstack_desetup(&ctx->mods, ctx->env); diff --git a/contrib/unbound/libunbound/libworker.c b/contrib/unbound/libunbound/libworker.c index 11bf5f9db555..b9ef02217a2f 100644 --- a/contrib/unbound/libunbound/libworker.c +++ b/contrib/unbound/libunbound/libworker.c @@ -395,6 +395,7 @@ int libworker_bg(struct ub_ctx* ctx) w = libworker_setup(ctx, 1, NULL); if(!w) return UB_NOMEM; w->is_bg_thread = 1; + ctx->thread_worker = w; #ifdef ENABLE_LOCK_CHECKS w->thread_num = 1; /* for nicer DEBUG checklocks */ #endif diff --git a/contrib/unbound/libunbound/unbound-event.h b/contrib/unbound/libunbound/unbound-event.h index a5d5c038b68f..5fa74df78186 100644 --- a/contrib/unbound/libunbound/unbound-event.h +++ b/contrib/unbound/libunbound/unbound-event.h @@ -230,7 +230,7 @@ int ub_ctx_set_event(struct ub_ctx* ctx, struct event_base* base); * @param callback: this is called on completion of the resolution. * It is called as: * void callback(void* mydata, int rcode, void* packet, int packet_len, - * int sec, char* why_bogus) + * int sec, char* why_bogus, int was_ratelimited) * with mydata: the same as passed here, you may pass NULL, * with rcode: 0 on no error, nonzero for mostly SERVFAIL situations, * this is a DNS rcode. @@ -241,6 +241,7 @@ int ub_ctx_set_event(struct ub_ctx* ctx, struct event_base* base); * with packet_len: length in bytes of the packet buffer. * with sec: 0 if insecure, 1 if bogus, 2 if DNSSEC secure. * with why_bogus: text string explaining why it is bogus (or NULL). + * with was_ratelimited: if the query was ratelimited. * These point to buffers inside unbound; do not deallocate the packet or * error string. * diff --git a/contrib/unbound/services/authzone.c b/contrib/unbound/services/authzone.c index ec502f11dd29..0cc73416ed6f 100644 --- a/contrib/unbound/services/authzone.c +++ b/contrib/unbound/services/authzone.c @@ -2756,6 +2756,7 @@ az_change_dnames(struct dns_msg* msg, uint8_t* oldname, uint8_t* newname, == 0) { msg->rep->rrsets[i]->rk.dname = newname; msg->rep->rrsets[i]->rk.dname_len = newlen; + msg->rep->rrsets[i]->entry.hash = rrset_key_hash(&msg->rep->rrsets[i]->rk); } } } diff --git a/contrib/unbound/services/cache/dns.c b/contrib/unbound/services/cache/dns.c index b6e5697349c2..6fc9919ef4c0 100644 --- a/contrib/unbound/services/cache/dns.c +++ b/contrib/unbound/services/cache/dns.c @@ -636,6 +636,14 @@ tomsg(struct module_env* env, struct query_info* q, struct reply_info* r, r->serve_expired_ttl < now) { return NULL; } + /* Ignore expired failure answers */ + if(FLAGS_GET_RCODE(r->flags) != + LDNS_RCODE_NOERROR && + FLAGS_GET_RCODE(r->flags) != + LDNS_RCODE_NXDOMAIN && + FLAGS_GET_RCODE(r->flags) != + LDNS_RCODE_YXDOMAIN) + return 0; } else { return NULL; } diff --git a/contrib/unbound/sldns/rrdef.h b/contrib/unbound/sldns/rrdef.h index 999c223074e1..98fb257dc8cd 100644 --- a/contrib/unbound/sldns/rrdef.h +++ b/contrib/unbound/sldns/rrdef.h @@ -196,8 +196,8 @@ enum sldns_enum_rr_type LDNS_RR_TYPE_OPENPGPKEY = 61, /* RFC 7929 */ LDNS_RR_TYPE_CSYNC = 62, /* RFC 7477 */ LDNS_RR_TYPE_ZONEMD = 63, /* draft-ietf-dnsop-dns-zone-digest-12 */ - LDNS_RR_TYPE_SVCB = 64, /* draft-ietf-dnsop-svcb-https-04 */ - LDNS_RR_TYPE_HTTPS = 65, /* draft-ietf-dnsop-svcb-https-04 */ + LDNS_RR_TYPE_SVCB = 64, /* draft-ietf-dnsop-svcb-https-04 */ + LDNS_RR_TYPE_HTTPS = 65, /* draft-ietf-dnsop-svcb-https-04 */ LDNS_RR_TYPE_SPF = 99, /* RFC 4408 */ diff --git a/contrib/unbound/smallapp/unbound-control.c b/contrib/unbound/smallapp/unbound-control.c index d01ef284be89..60455bf43b8b 100644 --- a/contrib/unbound/smallapp/unbound-control.c +++ b/contrib/unbound/smallapp/unbound-control.c @@ -102,6 +102,12 @@ usage(void) printf(" stop stops the server\n"); printf(" reload reloads the server\n"); printf(" (this flushes data, stats, requestlist)\n"); + printf(" reload_keep_cache reloads the server but tries to\n"); + printf(" keep the RRset and message cache\n"); + printf(" if (re)configuration allows for it.\n"); + printf(" That means the caches sizes and\n"); + printf(" the number of threads must not\n"); + printf(" change between reloads.\n"); printf(" stats print statistics\n"); printf(" stats_noreset peek at statistics\n"); #ifdef HAVE_SHMGET @@ -180,8 +186,6 @@ usage(void) #ifdef HAVE_SHMGET /** what to put on statistics lines between var and value, ": " or "=" */ #define SQ "=" -/** if true, inhibits a lot of =0 lines from the stats output */ -static const int inhibit_zero = 1; /** divide sum of timers to get average */ static void timeval_divide(struct timeval* avg, const struct timeval* sum, long long d) @@ -316,7 +320,7 @@ static void print_hist(struct ub_stats_info* s) } /** print extended */ -static void print_extended(struct ub_stats_info* s) +static void print_extended(struct ub_stats_info* s, int inhibit_zero) { int i; char nm[16]; @@ -439,7 +443,7 @@ static void do_stats_shm(struct config_file* cfg, struct ub_stats_info* stats, if(cfg->stat_extended) { print_mem(shm_stat, &stats[0]); print_hist(stats); - print_extended(stats); + print_extended(stats, cfg->stat_inhibit_zero); } } #endif /* HAVE_SHMGET */ diff --git a/contrib/unbound/testdata/09-unbound-control.tdir/conf.bad_credentials b/contrib/unbound/testdata/09-unbound-control.tdir/conf.bad_credentials new file mode 100644 index 000000000000..11a131130000 --- /dev/null +++ b/contrib/unbound/testdata/09-unbound-control.tdir/conf.bad_credentials @@ -0,0 +1,5 @@ +remote-control: + server-key-file: bad_server.key + server-cert-file: bad_server.pem + control-key-file: bad_control.key + control-cert-file: bad_control.pem diff --git a/contrib/unbound/testdata/09-unbound-control.tdir/conf.spoofed_credentials b/contrib/unbound/testdata/09-unbound-control.tdir/conf.spoofed_credentials new file mode 100644 index 000000000000..25cb830dca4e --- /dev/null +++ b/contrib/unbound/testdata/09-unbound-control.tdir/conf.spoofed_credentials @@ -0,0 +1,5 @@ +remote-control: + server-key-file: unbound_server.key + server-cert-file: unbound_server.pem + control-key-file: bad_control.key + control-cert-file: bad_control.pem diff --git a/contrib/unbound/testdata/cachedb_servfail_cname.crpl b/contrib/unbound/testdata/cachedb_servfail_cname.crpl new file mode 100644 index 000000000000..221f00d4df54 --- /dev/null +++ b/contrib/unbound/testdata/cachedb_servfail_cname.crpl @@ -0,0 +1,181 @@ +; config options +server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: no + minimal-responses: no + ;serve-expired: yes + module-config: "cachedb iterator" + +cachedb: + backend: "testframe" + secret-seed: "testvalue" + +stub-zone: + name: "." + stub-addr: 193.0.14.129 +CONFIG_END + +SCENARIO_BEGIN Test cachedb store and servfail reply from cname. +; the servfail reply should not overwrite the cache contents. + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION AUTHORITY +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION AUTHORITY +example.com. IN NS ns2.example.com. +SECTION ADDITIONAL +ns2.example.com. IN A 1.2.3.5 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +foo.com. IN NS +SECTION AUTHORITY +foo.com. IN NS ns.example.com. +ENTRY_END +RANGE_END + +; ns2.example.com. +RANGE_BEGIN 0 20 + ADDRESS 1.2.3.5 +ENTRY_BEGIN +MATCH opcode qname qtype +REPLY QR AA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. 10 IN A 1.2.3.4 +ENTRY_END +RANGE_END + +; ns2.example.com., now failing +RANGE_BEGIN 20 100 + ADDRESS 1.2.3.5 +ENTRY_BEGIN +MATCH opcode qname qtype +REPLY QR AA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. 10 IN CNAME foo.example.com. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +REPLY QR AA SERVFAIL +SECTION QUESTION +foo.example.com. IN A +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +REPLY QR AA SERVFAIL +SECTION QUESTION +ns2.example.com. IN A +SECTION ANSWER +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +REPLY QR AA SERVFAIL +SECTION QUESTION +ns2.example.com. IN AAAA +SECTION ANSWER +ENTRY_END +RANGE_END + +; get and entry in cache, to make it expired. +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; get the answer for it +STEP 10 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. 10 IN A 1.2.3.4 +ENTRY_END + +; it is now expired +STEP 20 TIME_PASSES ELAPSE 20 + +; get a servfail in cache for the destination +STEP 30 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +foo.example.com. IN A +ENTRY_END + +STEP 40 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA SERVFAIL +SECTION QUESTION +foo.example.com. IN A +ENTRY_END + +; the query is now a CNAME to servfail. +; there is a valid, but expired, entry in cache. +STEP 50 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +STEP 60 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA SERVFAIL +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. 10 IN CNAME foo.example.com. +ENTRY_END + +SCENARIO_END diff --git a/contrib/unbound/testdata/serve_expired_cached_servfail.rpl b/contrib/unbound/testdata/serve_expired_cached_servfail.rpl new file mode 100644 index 000000000000..286de708b9c5 --- /dev/null +++ b/contrib/unbound/testdata/serve_expired_cached_servfail.rpl @@ -0,0 +1,130 @@ +; config options +server: + module-config: "validator iterator" + qname-minimisation: "no" + minimal-responses: no + serve-expired: yes + serve-expired-reply-ttl: 123 + log-servfail: yes + ede: yes + ede-serve-expired: yes + + +stub-zone: + name: "example.com" + stub-addr: 1.2.3.4 +CONFIG_END + +SCENARIO_BEGIN Test serve-expired with client-timeout and a SERVFAIL upstream reply +; Scenario overview: +; - query for example.com. IN A +; - answer from upstream is SERVFAIL; will be cached for NORR_TTL(5) +; - check that the client gets the SERVFAIL; also cached +; - query again right after the TTL expired +; - cached SERVFAIL should be ignored and upstream queried +; - check that we get the correct answer + +; ns.example.com. +RANGE_BEGIN 0 20 + ADDRESS 1.2.3.4 + ; response to A query + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR AA SERVFAIL + SECTION QUESTION + example.com. IN A + ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 30 100 + ADDRESS 1.2.3.4 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. 10 IN NS + SECTION ANSWER + example.com. 10 IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. 10 IN A 1.2.3.4 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 10 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. 10 IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. 10 IN A 1.2.3.4 + ENTRY_END +RANGE_END + +; Query with RD flag +STEP 0 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + example.com. IN A +ENTRY_END + +; Check that we get the SERVFAIL (will be cached) +STEP 10 CHECK_ANSWER +ENTRY_BEGIN + MATCH all + REPLY QR RD RA SERVFAIL + SECTION QUESTION + example.com. IN A +ENTRY_END + +; Query again +STEP 20 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + example.com. IN A +ENTRY_END + +; Check that we get the cached SERVFAIL +STEP 30 CHECK_ANSWER +ENTRY_BEGIN + MATCH all + REPLY QR RD RA SERVFAIL + SECTION QUESTION + example.com. IN A +ENTRY_END + +; Wait for the SERVFAIL to expire +STEP 31 TIME_PASSES ELAPSE 6 + +; Query again +STEP 40 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + example.com. IN A +ENTRY_END + +; Check that we got the correct answer +STEP 50 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl + REPLY QR RD RA NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 10 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. 10 IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. 10 IN A 1.2.3.4 +ENTRY_END + +SCENARIO_END diff --git a/contrib/unbound/testdata/subnet_cached_servfail.crpl b/contrib/unbound/testdata/subnet_cached_servfail.crpl new file mode 100644 index 000000000000..9c746d579124 --- /dev/null +++ b/contrib/unbound/testdata/subnet_cached_servfail.crpl @@ -0,0 +1,167 @@ +; Check if an expired SERVFAIL answer stored in the global cache does not block +; ECS queries to reach the ECS cache. + +server: + trust-anchor-signaling: no + target-fetch-policy: "0 0 0 0 0" + send-client-subnet: 1.2.3.4 + max-client-subnet-ipv4: 21 + module-config: "subnetcache iterator" + verbosity: 3 + access-control: 127.0.0.1 allow_snoop + qname-minimisation: no + minimal-responses: no + serve-expired: yes + prefetch: yes + +stub-zone: + name: "example.com." + stub-addr: 1.2.3.4 +CONFIG_END + +SCENARIO_BEGIN Test that expired SERVFAIL in global cache does not block clients to reach the ECS cache + +; ns.example.com. +RANGE_BEGIN 0 10 + ADDRESS 1.2.3.4 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN NS + SECTION ANSWER + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END + + ; response to query of interest + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR SERVFAIL + SECTION QUESTION + www.example.com. IN A + ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 11 100 + ADDRESS 1.2.3.4 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN NS + SECTION ANSWER + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END + + ; response to query of interest + ENTRY_BEGIN + MATCH opcode qtype qname ednsdata + ADJUST copy_id copy_ednsdata_assume_clientsubnet + REPLY QR NOERROR + SECTION QUESTION + www.example.com. IN A + SECTION ANSWER + www.example.com. 10 IN A 10.20.30.40 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + HEX_EDNSDATA_BEGIN + ; client is 127.0.0.1 + 00 08 ; OPC + 00 05 ; option length + 00 01 ; Family + 08 00 ; source mask, scopemask + 7f ; address + HEX_EDNSDATA_END + ns.example.com. IN A 1.2.3.4 + ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; This answer should be in the global cache +STEP 2 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA SERVFAIL +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; Bring the cached SERVFAIL to prefetch time +STEP 10 TIME_PASSES ELAPSE 5 + +STEP 11 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +www.example.com. IN A +SECTION ADDITIONAL +HEX_EDNSDATA_BEGIN + 00 08 00 05 ; OPC, optlen + 00 01 08 00 ; ip4, source 8, scope 0 + 7f ; 127.0.0.0/8 +HEX_EDNSDATA_END +ENTRY_END + +; This answer was cached but a prefetch was triggerred +STEP 12 CHECK_ANSWER +ENTRY_BEGIN +MATCH opcode qtype qname +REPLY QR RD RA SERVFAIL +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; Wait for the SERVFAIL to expire +STEP 13 TIME_PASSES ELAPSE 2 + +; Query again to verify that the record was prefetched and stored in the ECS +; cache (because the server replied with ECS this time) +STEP 14 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +www.example.com. IN A +SECTION ADDITIONAL +HEX_EDNSDATA_BEGIN + 00 08 00 05 ; OPC, optlen + 00 01 08 00 ; ip4, source 8, scope 0 + 7f ; 127.0.0.0/8 +HEX_EDNSDATA_END +ENTRY_END + +; This record came from the ECS cache +STEP 15 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ttl +REPLY QR RD RA DO NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. 8 IN A 10.20.30.40 +SECTION AUTHORITY +example.com. 3598 IN NS ns.example.com. +SECTION ADDITIONAL +HEX_EDNSDATA_BEGIN + 00 08 00 05 ; OPC, optlen + 00 01 08 08 ; ip4, source 8, scope 0 + 7f ; 127.0.0.0/8 +HEX_EDNSDATA_END +ns.example.com. 3598 IN A 1.2.3.4 +ENTRY_END + +SCENARIO_END diff --git a/contrib/unbound/util/config_file.c b/contrib/unbound/util/config_file.c index 00422617dad7..d0b9904e133d 100644 --- a/contrib/unbound/util/config_file.c +++ b/contrib/unbound/util/config_file.c @@ -99,6 +99,7 @@ config_create(void) cfg->stat_interval = 0; cfg->stat_cumulative = 0; cfg->stat_extended = 0; + cfg->stat_inhibit_zero = 1; cfg->num_threads = 1; cfg->port = UNBOUND_DNS_PORT; cfg->do_ip4 = 1; @@ -336,6 +337,8 @@ config_create(void) cfg->ip_ratelimit_backoff = 0; cfg->ratelimit_backoff = 0; cfg->outbound_msg_retry = 5; + cfg->max_sent_count = 32; + cfg->max_query_restarts = 11; cfg->qname_minimisation = 1; cfg->qname_minimisation_strict = 0; cfg->shm_enable = 0; @@ -516,6 +519,7 @@ int config_set_option(struct config_file* cfg, const char* opt, else S_YNO("use-syslog:", use_syslog) else S_STR("log-identity:", log_identity) else S_YNO("extended-statistics:", stat_extended) + else S_YNO("statistics-inhibit-zero:", stat_inhibit_zero) else S_YNO("statistics-cumulative:", stat_cumulative) else S_YNO("shm-enable:", shm_enable) else S_NUMBER_OR_ZERO("shm-key:", shm_key) @@ -778,6 +782,8 @@ int config_set_option(struct config_file* cfg, const char* opt, else S_YNO("ip-ratelimit-backoff:", ip_ratelimit_backoff) else S_YNO("ratelimit-backoff:", ratelimit_backoff) else S_NUMBER_NONZERO("outbound-msg-retry:", outbound_msg_retry) + else S_NUMBER_NONZERO("max-sent-count:", max_sent_count) + else S_NUMBER_NONZERO("max-query-restarts:", max_query_restarts) else S_SIZET_NONZERO("fast-server-num:", fast_server_num) else S_NUMBER_OR_ZERO("fast-server-permil:", fast_server_permil) else S_YNO("qname-minimisation:", qname_minimisation) @@ -996,6 +1002,7 @@ config_get_option(struct config_file* cfg, const char* opt, else O_DEC(opt, "statistics-interval", stat_interval) else O_YNO(opt, "statistics-cumulative", stat_cumulative) else O_YNO(opt, "extended-statistics", stat_extended) + else O_YNO(opt, "statistics-inhibit-zero", stat_inhibit_zero) else O_YNO(opt, "shm-enable", shm_enable) else O_DEC(opt, "shm-key", shm_key) else O_YNO(opt, "use-syslog", use_syslog) @@ -1238,6 +1245,8 @@ config_get_option(struct config_file* cfg, const char* opt, else O_YNO(opt, "ip-ratelimit-backoff", ip_ratelimit_backoff) else O_YNO(opt, "ratelimit-backoff", ratelimit_backoff) else O_UNS(opt, "outbound-msg-retry", outbound_msg_retry) + else O_UNS(opt, "max-sent-count", max_sent_count) + else O_UNS(opt, "max-query-restarts", max_query_restarts) else O_DEC(opt, "fast-server-num", fast_server_num) else O_DEC(opt, "fast-server-permil", fast_server_permil) else O_DEC(opt, "val-sig-skew-min", val_sig_skew_min) diff --git a/contrib/unbound/util/config_file.h b/contrib/unbound/util/config_file.h index b1406913a8c1..87cb92cf0e03 100644 --- a/contrib/unbound/util/config_file.h +++ b/contrib/unbound/util/config_file.h @@ -76,6 +76,8 @@ struct config_file { int stat_cumulative; /** if true, the statistics are kept in greater detail */ int stat_extended; + /** if true, inhibits a lot of =0 lines from the extended stats output */ + int stat_inhibit_zero; /** number of threads to create */ int num_threads; @@ -608,6 +610,11 @@ struct config_file { /** number of retries on outgoing queries */ int outbound_msg_retry; + /** max sent queries per qstate; resets on query restarts (e.g., + * CNAMES) and referrals */ + int max_sent_count; + /** max number of query restarts; determines max length of CNAME chain */ + int max_query_restarts; /** minimise outgoing QNAME and hide original QTYPE if possible */ int qname_minimisation; /** minimise QNAME in strict mode, minimise according to RFC. diff --git a/contrib/unbound/util/configlexer.lex b/contrib/unbound/util/configlexer.lex index f614040b8605..4fcb622e453e 100644 --- a/contrib/unbound/util/configlexer.lex +++ b/contrib/unbound/util/configlexer.lex @@ -439,6 +439,7 @@ insecure-lan-zones{COLON} { YDVAR(1, VAR_INSECURE_LAN_ZONES) } statistics-interval{COLON} { YDVAR(1, VAR_STATISTICS_INTERVAL) } statistics-cumulative{COLON} { YDVAR(1, VAR_STATISTICS_CUMULATIVE) } extended-statistics{COLON} { YDVAR(1, VAR_EXTENDED_STATISTICS) } +statistics-inhibit-zero{COLON} { YDVAR(1, VAR_STATISTICS_INHIBIT_ZERO) } shm-enable{COLON} { YDVAR(1, VAR_SHM_ENABLE) } shm-key{COLON} { YDVAR(1, VAR_SHM_KEY) } remote-control{COLON} { YDVAR(0, VAR_REMOTE_CONTROL) } @@ -515,6 +516,8 @@ ratelimit-factor{COLON} { YDVAR(1, VAR_RATELIMIT_FACTOR) } ip-ratelimit-backoff{COLON} { YDVAR(1, VAR_IP_RATELIMIT_BACKOFF) } ratelimit-backoff{COLON} { YDVAR(1, VAR_RATELIMIT_BACKOFF) } outbound-msg-retry{COLON} { YDVAR(1, VAR_OUTBOUND_MSG_RETRY) } +max-sent-count{COLON} { YDVAR(1, VAR_MAX_SENT_COUNT) } +max-query-restarts{COLON} { YDVAR(1, VAR_MAX_QUERY_RESTARTS) } low-rtt{COLON} { YDVAR(1, VAR_LOW_RTT) } fast-server-num{COLON} { YDVAR(1, VAR_FAST_SERVER_NUM) } low-rtt-pct{COLON} { YDVAR(1, VAR_FAST_SERVER_PERMIL) } diff --git a/contrib/unbound/util/configparser.y b/contrib/unbound/util/configparser.y index 3ecdad2ad254..f21c30815b3f 100644 --- a/contrib/unbound/util/configparser.y +++ b/contrib/unbound/util/configparser.y @@ -140,7 +140,7 @@ extern struct config_parser_state* cfg_parser; %token VAR_DISABLE_DNSSEC_LAME_CHECK %token VAR_IP_RATELIMIT VAR_IP_RATELIMIT_SLABS VAR_IP_RATELIMIT_SIZE %token VAR_RATELIMIT VAR_RATELIMIT_SLABS VAR_RATELIMIT_SIZE -%token VAR_OUTBOUND_MSG_RETRY +%token VAR_OUTBOUND_MSG_RETRY VAR_MAX_SENT_COUNT VAR_MAX_QUERY_RESTARTS %token VAR_RATELIMIT_FOR_DOMAIN VAR_RATELIMIT_BELOW_DOMAIN %token VAR_IP_RATELIMIT_FACTOR VAR_RATELIMIT_FACTOR %token VAR_IP_RATELIMIT_BACKOFF VAR_RATELIMIT_BACKOFF @@ -193,7 +193,7 @@ extern struct config_parser_state* cfg_parser; %token VAR_RPZ_SIGNAL_NXDOMAIN_RA VAR_INTERFACE_AUTOMATIC_PORTS VAR_EDE %token VAR_INTERFACE_ACTION VAR_INTERFACE_VIEW VAR_INTERFACE_TAG %token VAR_INTERFACE_TAG_ACTION VAR_INTERFACE_TAG_DATA -%token VAR_PROXY_PROTOCOL_PORT +%token VAR_PROXY_PROTOCOL_PORT VAR_STATISTICS_INHIBIT_ZERO %% toplevelvars: /* empty */ | toplevelvars toplevelvar ; @@ -282,6 +282,7 @@ content_server: server_num_threads | server_verbosity | server_port | server_ratelimit_below_domain | server_ratelimit_factor | server_ip_ratelimit_factor | server_ratelimit_backoff | server_ip_ratelimit_backoff | server_outbound_msg_retry | + server_max_sent_count | server_max_query_restarts | server_send_client_subnet | server_client_subnet_zone | server_client_subnet_always_forward | server_client_subnet_opcode | server_max_client_subnet_ipv4 | server_max_client_subnet_ipv6 | @@ -322,7 +323,7 @@ content_server: server_num_threads | server_verbosity | server_port | server_zonemd_permissive_mode | server_max_reuse_tcp_queries | server_tcp_reuse_timeout | server_tcp_auth_query_timeout | server_interface_automatic_ports | server_ede | - server_proxy_protocol_port + server_proxy_protocol_port | server_statistics_inhibit_zero ; stubstart: VAR_STUB_ZONE { @@ -554,6 +555,15 @@ server_extended_statistics: VAR_EXTENDED_STATISTICS STRING_ARG free($2); } ; +server_statistics_inhibit_zero: VAR_STATISTICS_INHIBIT_ZERO STRING_ARG + { + OUTYY(("P(server_statistics_inhibit_zero:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->stat_inhibit_zero = (strcmp($2, "yes")==0); + free($2); + } + ; server_shm_enable: VAR_SHM_ENABLE STRING_ARG { OUTYY(("P(server_shm_enable:%s)\n", $2)); @@ -2636,6 +2646,24 @@ server_outbound_msg_retry: VAR_OUTBOUND_MSG_RETRY STRING_ARG free($2); } ; +server_max_sent_count: VAR_MAX_SENT_COUNT STRING_ARG + { + OUTYY(("P(server_max_sent_count:%s)\n", $2)); + if(atoi($2) == 0 && strcmp($2, "0") != 0) + yyerror("number expected"); + else cfg_parser->cfg->max_sent_count = atoi($2); + free($2); + } + ; +server_max_query_restarts: VAR_MAX_QUERY_RESTARTS STRING_ARG + { + OUTYY(("P(server_max_query_restarts:%s)\n", $2)); + if(atoi($2) == 0 && strcmp($2, "0") != 0) + yyerror("number expected"); + else cfg_parser->cfg->max_query_restarts = atoi($2); + free($2); + } + ; server_low_rtt: VAR_LOW_RTT STRING_ARG { OUTYY(("P(low-rtt option is deprecated, use fast-server-num instead)\n")); diff --git a/contrib/unbound/util/iana_ports.inc b/contrib/unbound/util/iana_ports.inc index 80a8144d385b..b816f8a0464e 100644 --- a/contrib/unbound/util/iana_ports.inc +++ b/contrib/unbound/util/iana_ports.inc @@ -4840,6 +4840,7 @@ 8403, 8416, 8417, +8433, 8442, 8443, 8444, diff --git a/contrib/unbound/util/netevent.c b/contrib/unbound/util/netevent.c index da59a9d60bda..fe3d511643f8 100644 --- a/contrib/unbound/util/netevent.c +++ b/contrib/unbound/util/netevent.c @@ -810,7 +810,7 @@ static int consume_pp2_header(struct sldns_buffer* buf, struct comm_reply* rep, /* We are reading a whole packet; * Move the rest of the data to overwrite the PROXYv2 header */ /* XXX can we do better to avoid memmove? */ - memmove(header, ((void*)header)+size, + memmove(header, ((char*)header)+size, sldns_buffer_limit(buf)-size); sldns_buffer_set_limit(buf, sldns_buffer_limit(buf)-size); } @@ -2545,8 +2545,9 @@ comm_point_tcp_handle_write(int fd, struct comm_point* c) return 1; } -/** read again to drain buffers when there could be more to read */ -static void +/** read again to drain buffers when there could be more to read, returns 0 + * on failure which means the comm point is closed. */ +static int tcp_req_info_read_again(int fd, struct comm_point* c) { while(c->tcp_req_info->read_again) { @@ -2563,9 +2564,10 @@ tcp_req_info_read_again(int fd, struct comm_point* c) (void)(*c->callback)(c, c->cb_arg, NETEVENT_CLOSED, NULL); } - return; + return 0; } } + return 1; } /** read again to drain buffers when there could be more to read */ @@ -2623,6 +2625,9 @@ comm_point_tcp_handle_callback(int fd, short event, void* arg) log_assert(c->type == comm_tcp); ub_comm_base_now(c->ev->base); + if(c->fd == -1 || c->fd != fd) + return; /* duplicate event, but commpoint closed. */ + #ifdef USE_DNSCRYPT /* Initialize if this is a dnscrypt socket */ if(c->tcp_parent) { @@ -2671,8 +2676,10 @@ comm_point_tcp_handle_callback(int fd, short event, void* arg) } return; } - if(has_tcpq && c->tcp_req_info && c->tcp_req_info->read_again) - tcp_req_info_read_again(fd, c); + if(has_tcpq && c->tcp_req_info && c->tcp_req_info->read_again) { + if(!tcp_req_info_read_again(fd, c)) + return; + } if(moreread && *moreread) tcp_more_read_again(fd, c); return; @@ -2690,8 +2697,10 @@ comm_point_tcp_handle_callback(int fd, short event, void* arg) } return; } - if(has_tcpq && c->tcp_req_info && c->tcp_req_info->read_again) - tcp_req_info_read_again(fd, c); + if(has_tcpq && c->tcp_req_info && c->tcp_req_info->read_again) { + if(!tcp_req_info_read_again(fd, c)) + return; + } if(morewrite && *morewrite) tcp_more_write_again(fd, c); return; @@ -4488,6 +4497,11 @@ comm_point_close(struct comm_point* c) tcp_req_info_clear(c->tcp_req_info); if(c->h2_session) http2_session_server_delete(c->h2_session); + /* stop the comm point from reading or writing after it is closed. */ + if(c->tcp_more_read_again && *c->tcp_more_read_again) + *c->tcp_more_read_again = 0; + if(c->tcp_more_write_again && *c->tcp_more_write_again) + *c->tcp_more_write_again = 0; /* close fd after removing from event lists, or epoll.. is messed up */ if(c->fd != -1 && !c->do_not_close) { diff --git a/contrib/unbound/util/tube.c b/contrib/unbound/util/tube.c index 43455feefb7f..7d98b93c3751 100644 --- a/contrib/unbound/util/tube.c +++ b/contrib/unbound/util/tube.c @@ -45,6 +45,9 @@ #include "util/netevent.h" #include "util/fptr_wlist.h" #include "util/ub_event.h" +#ifdef HAVE_POLL_H +#include +#endif #ifndef USE_WINSOCK /* on unix */ @@ -396,20 +399,28 @@ int tube_read_msg(struct tube* tube, uint8_t** buf, uint32_t* len, return 1; } -/** perform a select() on the fd */ +/** perform poll() on the fd */ static int pollit(int fd, struct timeval* t) { - fd_set r; + struct pollfd fds; + int pret; + int msec = -1; + memset(&fds, 0, sizeof(fds)); + fds.fd = fd; + fds.events = POLLIN | POLLERR | POLLHUP; #ifndef S_SPLINT_S - FD_ZERO(&r); - FD_SET(FD_SET_T fd, &r); + if(t) + msec = t->tv_sec*1000 + t->tv_usec/1000; #endif - if(select(fd+1, &r, NULL, NULL, t) == -1) { + + pret = poll(&fds, 1, msec); + + if(pret == -1) return 0; - } - errno = 0; - return (int)(FD_ISSET(fd, &r)); + if(pret != 0) + return 1; + return 0; } int tube_poll(struct tube* tube) @@ -426,24 +437,27 @@ int tube_wait(struct tube* tube) int tube_wait_timeout(struct tube* tube, int msec) { - struct timeval t; - int fd = tube->sr; - fd_set r; - t.tv_sec = msec/1000; - t.tv_usec = (msec%1000)*1000; -#ifndef S_SPLINT_S - FD_ZERO(&r); - FD_SET(FD_SET_T fd, &r); -#endif + int ret = 0; + while(1) { - if(select(fd+1, &r, NULL, NULL, &t) == -1) { + struct pollfd fds; + memset(&fds, 0, sizeof(fds)); + + fds.fd = tube->sr; + fds.events = POLLIN | POLLERR | POLLHUP; + ret = poll(&fds, 1, msec); + + if(ret == -1) { if(errno == EAGAIN || errno == EINTR) continue; return -1; } break; } - return (int)(FD_ISSET(fd, &r)); + + if(ret != 0) + return 1; + return 0; } int tube_read_fd(struct tube* tube) @@ -529,6 +543,7 @@ struct tube* tube_create(void) if(tube->event == WSA_INVALID_EVENT) { free(tube); log_err("WSACreateEvent: %s", wsa_strerror(WSAGetLastError())); + return NULL; } if(!WSAResetEvent(tube->event)) { log_err("WSAResetEvent: %s", wsa_strerror(WSAGetLastError())); diff --git a/usr.sbin/unbound/config.h b/usr.sbin/unbound/config.h index 20822b930ab8..7ea0d3151ac5 100644 --- a/usr.sbin/unbound/config.h +++ b/usr.sbin/unbound/config.h @@ -21,7 +21,7 @@ #define CONFCMDLINE "--with-ssl=/usr --with-libexpat=/usr --disable-dnscrypt --disable-dnstap --enable-ecdsa --disable-event-api --enable-gost --with-libevent --disable-subnet --disable-tfo-client --disable-tfo-server --with-pthreads--prefix=/usr --localstatedir=/var/unbound --mandir=/usr/share/man --build=freebsd" /* Pathname to the Unbound configuration file */ -#define CONFIGFILE "/var/unbound/unbound.conf" +#define CONFIGFILE "/usr/local/etc/unbound/unbound.conf" /* Define this if on macOSX10.4-darwin8 and setreuid and setregid do not work */ @@ -30,6 +30,12 @@ /* Whether daemon is deprecated */ /* #undef DEPRECATED_DAEMON */ +/* Deprecate RSA 1024 bit length, makes that an unsupported key */ +/* #undef DEPRECATE_RSA_1024 */ + +/* Deprecate RSA 1024 bit length, makes that an unsupported key */ +/* #undef DEPRECATE_RSA_1024 */ + /* Define this to enable kernel based UDP source port randomization. */ /* #undef DISABLE_EXPLICIT_PORT_RANDOMISATION */ @@ -71,6 +77,12 @@ /* If we have be64toh */ /* #undef HAVE_BE64TOH */ +/* Define to 1 if you have the `BIO_set_callback_ex' function. */ +/* #undef HAVE_BIO_SET_CALLBACK_EX */ + +/* Define to 1 if you have the `BIO_set_callback_ex' function. */ +/* #undef HAVE_BIO_SET_CALLBACK_EX */ + /* Define to 1 if you have the header file. */ /* #undef HAVE_BSD_STDLIB_H */ @@ -105,7 +117,7 @@ /* Define to 1 if you have the declaration of `evsignal_assign', and to 0 if you don't. */ -/* #undef HAVE_DECL_EVSIGNAL_ASSIGN */ +#define HAVE_DECL_EVSIGNAL_ASSIGN 1 /* Define to 1 if you have the declaration of `inet_ntop', and to 0 if you don't. */ @@ -218,6 +230,15 @@ /* Define to 1 if you have the `EVP_cleanup' function. */ /* #undef HAVE_EVP_CLEANUP */ +/* Define to 1 if you have the `EVP_default_properties_is_fips_enabled' + function. */ +/* #undef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED */ + + +/* Define to 1 if you have the `EVP_default_properties_is_fips_enabled' + function. */ +/* #undef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED */ + /* Define to 1 if you have the `EVP_DigestVerify' function. */ #define HAVE_EVP_DIGESTVERIFY 1 @@ -290,6 +311,12 @@ /* Define to 1 if you have the `getrlimit' function. */ #define HAVE_GETRLIMIT 1 +/* Define to 1 if you have the `gettid' function. */ +/* #undef HAVE_GETTID */ + +/* Define to 1 if you have the `gettid' function. */ +/* #undef HAVE_GETTID */ + /* Define to 1 if you have the `glob' function. */ #define HAVE_GLOB 1 @@ -314,6 +341,12 @@ /* Define to 1 if you have the header file. */ #define HAVE_IFADDRS_H 1 +/* Define to 1 if you have the `if_nametoindex' function. */ +#define HAVE_IF_NAMETOINDEX 1 + +/* Define to 1 if you have the `if_nametoindex' function. */ +#define HAVE_IF_NAMETOINDEX 1 + /* Define to 1 if you have the `inet_aton' function. */ #define HAVE_INET_ATON 1 @@ -362,8 +395,8 @@ /* Define to 1 if you have the `memmove' function. */ #define HAVE_MEMMOVE 1 -/* Define to 1 if you have the header file. */ -#define HAVE_MEMORY_H 1 +/* Define to 1 if you have the header file. */ +/* #undef HAVE_MINIX_CONFIG_H */ /* Define to 1 if you have the header file. */ #define HAVE_NETDB_H 1 @@ -374,6 +407,9 @@ /* Define to 1 if you have the header file. */ #define HAVE_NETINET_TCP_H 1 +/* Define to 1 if you have the header file. */ +/* #undef HAVE_NETIOAPI_H */ + /* Use libnettle for crypto */ /* #undef HAVE_NETTLE */ @@ -428,6 +464,9 @@ /* Define to 1 if you have the `OPENSSL_init_ssl' function. */ #define HAVE_OPENSSL_INIT_SSL 1 +/* Define to 1 if you have the header file. */ +/* #undef HAVE_OPENSSL_PARAM_BUILD_H */ + /* Define to 1 if you have the header file. */ #define HAVE_OPENSSL_RAND_H 1 @@ -437,6 +476,15 @@ /* Define to 1 if you have the header file. */ #define HAVE_OPENSSL_SSL_H 1 +/* Define to 1 if you have the `OSSL_PARAM_BLD_new' function. */ +/* #undef HAVE_OSSL_PARAM_BLD_NEW */ + +/* Define to 1 if you have the `poll' function. */ +#define HAVE_POLL 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_POLL_H 1 + /* Define if you have POSIX threads libraries and header files. */ #define HAVE_PTHREAD 1 @@ -518,6 +566,9 @@ /* Define if you have the SSL libraries installed. */ #define HAVE_SSL /**/ +/* Define to 1 if you have the `SSL_CTX_set_alpn_protos' function. */ +#define HAVE_SSL_CTX_SET_ALPN_PROTOS 1 + /* Define to 1 if you have the `SSL_CTX_set_alpn_select_cb' function. */ #define HAVE_SSL_CTX_SET_ALPN_SELECT_CB 1 @@ -531,9 +582,15 @@ function. */ /* #undef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB */ +/* Define to 1 if you have the `SSL_get0_alpn_selected' function. */ +#define HAVE_SSL_GET0_ALPN_SELECTED 1 + /* Define to 1 if you have the `SSL_get0_peername' function. */ #define HAVE_SSL_GET0_PEERNAME 1 +/* Define to 1 if you have the `SSL_get1_peer_certificate' function. */ +/* #undef HAVE_SSL_GET1_PEER_CERTIFICATE */ + /* Define to 1 if you have the `SSL_set1_host' function. */ #define HAVE_SSL_SET1_HOST 1 @@ -546,6 +603,9 @@ /* Define to 1 if you have the header file. */ #define HAVE_STDINT_H 1 +/* Define to 1 if you have the header file. */ +#define HAVE_STDIO_H 1 + /* Define to 1 if you have the header file. */ #define HAVE_STDLIB_H 1 @@ -648,6 +708,9 @@ /* Define to 1 if you have the header file. */ /* #undef HAVE_VFORK_H */ +/* Define to 1 if you have the header file. */ +#define HAVE_WCHAR_H 1 + /* Define to 1 if you have the header file. */ /* #undef HAVE_WINDOWS_H */ @@ -731,7 +794,7 @@ #define PACKAGE_NAME "unbound" /* Define to the full name and version of this package. */ -#define PACKAGE_STRING "unbound 1.17.0" +#define PACKAGE_STRING "unbound 1.17.1" /* Define to the one symbol short name of this package. */ #define PACKAGE_TARNAME "unbound" @@ -740,7 +803,7 @@ #define PACKAGE_URL "" /* Define to the version of this package. */ -#define PACKAGE_VERSION "1.17.0" +#define PACKAGE_VERSION "1.17.1" /* default pidfile location */ #define PIDFILE "/var/unbound/unbound.pid" @@ -749,7 +812,8 @@ your system. */ /* #undef PTHREAD_CREATE_JOINABLE */ -/* Define as the return type of signal handlers (`int' or `void'). */ +/* Return type of signal handlers, but autoconf 2.70 says 'your code may + safely assume C89 semantics that RETSIGTYPE is void.' */ #define RETSIGTYPE void /* if REUSEPORT is enabled by default */ @@ -762,7 +826,7 @@ #define ROOT_CERT_FILE "/var/unbound/icannbundle.pem" /* version number for resource files */ -#define RSRC_PACKAGE_VERSION 1,17,0,0 +#define RSRC_PACKAGE_VERSION 1,17,1,0 /* Directory to chdir to */ #define RUN_DIR "/var/unbound" @@ -770,11 +834,17 @@ /* Shared data */ #define SHARE_DIR "/var/unbound" -/* The size of `size_t'. */ #ifdef __LP64__ +/* The size of `size_t', as computed by sizeof. */ #define SIZEOF_SIZE_T 8 +/* The size of `size_t'. */ +/* The size of `pthread_t', as computed by sizeof. */ +#define SIZEOF_PTHREAD_T 8 #else #define SIZEOF_SIZE_T 4 +/* The size of `size_t'. */ +/* The size of `pthread_t', as computed by sizeof. */ +#define SIZEOF_PTHREAD_T 4 #endif /* The size of `time_t', as computed by sizeof. */ @@ -784,13 +854,22 @@ #define SIZEOF_TIME_T 8 #endif +/* The size of `unsigned long', as computed by sizeof. */ +#ifdef __LP64__ +#define SIZEOF_UNSIGNED_LONG 8 +#else +#define SIZEOF_UNSIGNED_LONG 4 +#endif + /* define if (v)snprintf does not return length needed, (but length used) */ /* #undef SNPRINTF_RET_BROKEN */ /* Define to 1 if libsodium supports sodium_set_misuse_handler */ /* #undef SODIUM_MISUSE_HANDLER */ -/* Define to 1 if you have the ANSI C header files. */ +/* Define to 1 if all of the C90 standard headers exist (not just the ones + required in a freestanding environment). This macro is provided for + backward compatibility; new code need not use it. */ #define STDC_HEADERS 1 /* use default strptime. */ @@ -856,6 +935,14 @@ /* Define if you enable libevent */ #define USE_LIBEVENT 1 +/* Define this to enable use of /proc/sys/net/ipv4/ip_local_port_range as a + default outgoing port range. This is only for the libunbound on Linux and + does not affect unbound resolving daemon itself. This may severely limit + the number of available outgoing ports and thus decrease randomness. Define + this only when the target system restricts (e.g. some of SELinux enabled + distributions) the use of non-ephemeral ports. */ +/* #undef USE_LINUX_IP_LOCAL_PORT_RANGE */ + /* Define if you want to use internal select based events */ #define USE_MINI_EVENT 1 @@ -878,21 +965,87 @@ #ifndef _ALL_SOURCE # define _ALL_SOURCE 1 #endif +/* Enable general extensions on macOS. */ +#ifndef _DARWIN_C_SOURCE +# define _DARWIN_C_SOURCE 1 +#endif +/* Enable general extensions on Solaris. */ +#ifndef __EXTENSIONS__ +# define __EXTENSIONS__ 1 +#endif /* Enable GNU extensions on systems that have them. */ #ifndef _GNU_SOURCE # define _GNU_SOURCE 1 #endif -/* Enable threading extensions on Solaris. */ +/* Enable X/Open compliant socket functions that do not require linking + with -lxnet on HP-UX 11.11. */ +#ifndef _HPUX_ALT_XOPEN_SOCKET_API +# define _HPUX_ALT_XOPEN_SOCKET_API 1 +#endif +/* Identify the host operating system as Minix. + This macro does not affect the system headers' behavior. + A future release of Autoconf may stop defining this macro. */ +#ifndef _MINIX +/* # undef _MINIX */ +#endif +/* Enable general extensions on NetBSD. + Enable NetBSD compatibility extensions on Minix. */ +#ifndef _NETBSD_SOURCE +# define _NETBSD_SOURCE 1 +#endif +/* Enable OpenBSD compatibility extensions on NetBSD. + Oddly enough, this does nothing on OpenBSD. */ +#ifndef _OPENBSD_SOURCE +# define _OPENBSD_SOURCE 1 +#endif +/* Define to 1 if needed for POSIX-compatible behavior. */ +#ifndef _POSIX_SOURCE +/* # undef _POSIX_SOURCE */ +#endif +/* Define to 2 if needed for POSIX-compatible behavior. */ +#ifndef _POSIX_1_SOURCE +/* # undef _POSIX_1_SOURCE */ +#endif +/* Enable POSIX-compatible threading on Solaris. */ #ifndef _POSIX_PTHREAD_SEMANTICS # define _POSIX_PTHREAD_SEMANTICS 1 #endif +/* Enable extensions specified by ISO/IEC TS 18661-5:2014. */ +#ifndef __STDC_WANT_IEC_60559_ATTRIBS_EXT__ +# define __STDC_WANT_IEC_60559_ATTRIBS_EXT__ 1 +#endif +/* Enable extensions specified by ISO/IEC TS 18661-1:2014. */ +#ifndef __STDC_WANT_IEC_60559_BFP_EXT__ +# define __STDC_WANT_IEC_60559_BFP_EXT__ 1 +#endif +/* Enable extensions specified by ISO/IEC TS 18661-2:2015. */ +#ifndef __STDC_WANT_IEC_60559_DFP_EXT__ +# define __STDC_WANT_IEC_60559_DFP_EXT__ 1 +#endif +/* Enable extensions specified by ISO/IEC TS 18661-4:2015. */ +#ifndef __STDC_WANT_IEC_60559_FUNCS_EXT__ +# define __STDC_WANT_IEC_60559_FUNCS_EXT__ 1 +#endif +/* Enable extensions specified by ISO/IEC TS 18661-3:2015. */ +#ifndef __STDC_WANT_IEC_60559_TYPES_EXT__ +# define __STDC_WANT_IEC_60559_TYPES_EXT__ 1 +#endif +/* Enable extensions specified by ISO/IEC TR 24731-2:2010. */ +#ifndef __STDC_WANT_LIB_EXT2__ +# define __STDC_WANT_LIB_EXT2__ 1 +#endif +/* Enable extensions specified by ISO/IEC 24747:2009. */ +#ifndef __STDC_WANT_MATH_SPEC_FUNCS__ +# define __STDC_WANT_MATH_SPEC_FUNCS__ 1 +#endif /* Enable extensions on HP NonStop. */ #ifndef _TANDEM_SOURCE # define _TANDEM_SOURCE 1 #endif -/* Enable general extensions on Solaris. */ -#ifndef __EXTENSIONS__ -# define __EXTENSIONS__ 1 +/* Enable X/Open extensions. Define to 500 only if necessary + to make mbstate_t available. */ +#ifndef _XOPEN_SOURCE +/* # undef _XOPEN_SOURCE */ #endif @@ -918,11 +1071,6 @@ `char[]'. */ #define YYTEXT_POINTER 1 -/* Enable large inode numbers on Mac OS X 10.5. */ -#ifndef _DARWIN_USE_64_BIT_INODE -# define _DARWIN_USE_64_BIT_INODE 1 -#endif - /* Number of bits in a file offset, on hosts where this is settable. */ /* #undef _FILE_OFFSET_BITS */ @@ -932,18 +1080,12 @@ /* Define for large files, on AIX-style hosts. */ /* #undef _LARGE_FILES */ -/* Define to 1 if on MINIX. */ -/* #undef _MINIX */ - /* Enable for compile on Minix */ -/* #undef _NETBSD_SOURCE */ +#define _NETBSD_SOURCE 1 -/* Define to 2 if the system does not provide POSIX.1 features except with - this defined. */ -/* #undef _POSIX_1_SOURCE */ - -/* Define to 1 if you need to in order for `stat' and other things to work. */ -/* #undef _POSIX_SOURCE */ +/* defined to use gcc ansi snprintf and sscanf that understands %lld when + compiled for windows. */ +/* #undef __USE_MINGW_ANSI_STDIO */ /* Define to empty if `const' does not conform to ANSI C. */ /* #undef const */ @@ -981,7 +1123,7 @@ /* Define to `long int' if does not define. */ /* #undef off_t */ -/* Define to `int' if does not define. */ +/* Define as a signed integer type capable of holding a process identifier. */ /* #undef pid_t */ /* Define to 'int' if not defined */ @@ -1124,7 +1266,7 @@ #include #endif -#ifndef USE_WINSOCK +#if !defined(USE_WINSOCK) || !defined(HAVE_SNPRINTF) || defined(SNPRINTF_RET_BROKEN) || defined(__USE_MINGW_ANSI_STDIO) #define ARG_LL "%ll" #else #define ARG_LL "%I64"