d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Vendor import of Unbound 1.9.1.

Browse Source
This commit is contained in:
Dag-Erling Smørgrav 2019-06-30 14:56:56 +00:00
parent 9c9d011eed
commit 4713c21a1a
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/vendor/unbound/dist/; revision=349557
svn path=/vendor/unbound/1.9.1/; revision=349558; tag=vendor/unbound/1.9.1
43 changed files with 849 additions and 498 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Makefile.in
View File

@ -1075,8 +1075,7 @@ unitlruhash.lo unitlruhash.o: $(srcdir)/testcode/unitlruhash.c config.h $(srcdir
$(srcdir)/util/log.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/storage/slabhash.h
unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
$(srcdir)/util/log.h \
$(srcdir)/testcode/unitmain.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
$(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
$(srcdir)/util/config_file.h $(srcdir)/util/rtt.h $(srcdir)/util/timehist.h $(srcdir)/iterator/iterator.h \
$(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \

3
config.h.in
View File

@ -69,6 +69,9 @@
/* Define to 1 if you have the `CRYPTO_cleanup_all_ex_data' function. */
#undef HAVE_CRYPTO_CLEANUP_ALL_EX_DATA
/* Define to 1 if you have the `CRYPTO_THREADID_set_callback' function. */
#undef HAVE_CRYPTO_THREADID_SET_CALLBACK
/* Define to 1 if you have the `ctime_r' function. */
#undef HAVE_CTIME_R

286
configure vendored
View File

@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for unbound 1.9.0.
# Generated by GNU Autoconf 2.69 for unbound 1.9.1.
#
# Report bugs to <unbound-bugs@nlnetlabs.nl>.
#
@ -590,8 +590,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='unbound'
PACKAGE_TARNAME='unbound'
PACKAGE_VERSION='1.9.0'
PACKAGE_STRING='unbound 1.9.0'
PACKAGE_VERSION='1.9.1'
PACKAGE_STRING='unbound 1.9.1'
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
PACKAGE_URL=''
@ -694,9 +694,6 @@ swig
SWIG_LIB
SWIG
PC_PY_DEPENDENCY
PKG_CONFIG_LIBDIR
PKG_CONFIG_PATH
PKG_CONFIG
PY_MAJOR_VERSION
PYTHON_SITE_PKG
PYTHON_LDFLAGS
@ -710,6 +707,9 @@ PTHREAD_CC
ax_pthread_config
RUNTIME_PATH
LIBOBJS
PKG_CONFIG_LIBDIR
PKG_CONFIG_PATH
PKG_CONFIG
LT_SYS_LIBRARY_PATH
OTOOL64
OTOOL
@ -892,10 +892,10 @@ CPP
YACC
YFLAGS
LT_SYS_LIBRARY_PATH
PYTHON_VERSION
PKG_CONFIG
PKG_CONFIG_PATH
PKG_CONFIG_LIBDIR
PYTHON_VERSION
SYSTEMD_CFLAGS
SYSTEMD_LIBS
SYSTEMD_DAEMON_CFLAGS
@ -1440,7 +1440,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures unbound 1.9.0 to adapt to many kinds of systems.
\`configure' configures unbound 1.9.1 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1505,7 +1505,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of unbound 1.9.0:";;
short | recursive ) echo "Configuration of unbound 1.9.1:";;
esac
cat <<\_ACEOF
@ -1638,15 +1638,15 @@ Some influential environment variables:
default value of `-d' given by some make applications.
LT_SYS_LIBRARY_PATH
User-defined run-time library search path.
PYTHON_VERSION
The installed Python version to use, for example '2.3'. This
string will be appended to the Python interpreter canonical
name.
PKG_CONFIG path to pkg-config utility
PKG_CONFIG_PATH
directories to add to pkg-config's search path
PKG_CONFIG_LIBDIR
path overriding pkg-config's built-in search path
PYTHON_VERSION
The installed Python version to use, for example '2.3'. This
string will be appended to the Python interpreter canonical
name.
SYSTEMD_CFLAGS
C compiler flags for SYSTEMD, overriding pkg-config
SYSTEMD_LIBS
@ -1722,7 +1722,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
unbound configure 1.9.0
unbound configure 1.9.1
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@ -2431,7 +2431,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by unbound $as_me 1.9.0, which was
It was created by unbound $as_me 1.9.1, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@ -2783,11 +2783,11 @@ UNBOUND_VERSION_MAJOR=1
UNBOUND_VERSION_MINOR=9
UNBOUND_VERSION_MICRO=0
UNBOUND_VERSION_MICRO=1
LIBUNBOUND_CURRENT=9
LIBUNBOUND_REVISION=0
LIBUNBOUND_REVISION=1
LIBUNBOUND_AGE=1
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@ -2854,7 +2854,8 @@ LIBUNBOUND_AGE=1
# 1.8.1 had 8:1:0
# 1.8.2 had 8:2:0
# 1.8.3 had 8:3:0
# 1.8.4 had 9:0:1 # add ub_ctx_set_tls
# 1.9.0 had 9:0:1 # add ub_ctx_set_tls
# 1.9.1 had 9:1:1
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@ -14558,6 +14559,127 @@ CC=$lt_save_CC
if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
if test -n "$ac_tool_prefix"; then
# Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_path_PKG_CONFIG+:} false; then :
$as_echo_n "(cached) " >&6
else
case $PKG_CONFIG in
[\\/]* | ?:[\\/]*)
ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path.
;;
*)
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
fi
done
done
IFS=$as_save_IFS
;;
esac
fi
PKG_CONFIG=$ac_cv_path_PKG_CONFIG
if test -n "$PKG_CONFIG"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5
$as_echo "$PKG_CONFIG" >&6; }
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi
fi
if test -z "$ac_cv_path_PKG_CONFIG"; then
ac_pt_PKG_CONFIG=$PKG_CONFIG
# Extract the first word of "pkg-config", so it can be a program name with args.
set dummy pkg-config; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_path_ac_pt_PKG_CONFIG+:} false; then :
$as_echo_n "(cached) " >&6
else
case $ac_pt_PKG_CONFIG in
[\\/]* | ?:[\\/]*)
ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path.
;;
*)
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
fi
done
done
IFS=$as_save_IFS
;;
esac
fi
ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG
if test -n "$ac_pt_PKG_CONFIG"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKG_CONFIG" >&5
$as_echo "$ac_pt_PKG_CONFIG" >&6; }
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi
if test "x$ac_pt_PKG_CONFIG" = x; then
PKG_CONFIG=""
else
case $cross_compiling:$ac_tool_warned in
yes:)
{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
ac_tool_warned=yes ;;
esac
PKG_CONFIG=$ac_pt_PKG_CONFIG
fi
else
PKG_CONFIG="$ac_cv_path_PKG_CONFIG"
fi
fi
if test -n "$PKG_CONFIG"; then
_pkg_min_version=0.9.0
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking pkg-config is at least version $_pkg_min_version" >&5
$as_echo_n "checking pkg-config is at least version $_pkg_min_version... " >&6; }
if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
PKG_CONFIG=""
fi
fi
# Checks for header files.
for ac_header in stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h
do :
@ -17015,126 +17137,6 @@ $as_echo "#define HAVE_PYTHON 1" >>confdefs.h
CPPFLAGS="$PYTHON_CPPFLAGS"
fi
ub_have_python=yes
if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
if test -n "$ac_tool_prefix"; then
# Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_path_PKG_CONFIG+:} false; then :
$as_echo_n "(cached) " >&6
else
case $PKG_CONFIG in
[\\/]* | ?:[\\/]*)
ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path.
;;
*)
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
fi
done
done
IFS=$as_save_IFS
;;
esac
fi
PKG_CONFIG=$ac_cv_path_PKG_CONFIG
if test -n "$PKG_CONFIG"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5
$as_echo "$PKG_CONFIG" >&6; }
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi
fi
if test -z "$ac_cv_path_PKG_CONFIG"; then
ac_pt_PKG_CONFIG=$PKG_CONFIG
# Extract the first word of "pkg-config", so it can be a program name with args.
set dummy pkg-config; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_path_ac_pt_PKG_CONFIG+:} false; then :
$as_echo_n "(cached) " >&6
else
case $ac_pt_PKG_CONFIG in
[\\/]* | ?:[\\/]*)
ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path.
;;
*)
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
fi
done
done
IFS=$as_save_IFS
;;
esac
fi
ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG
if test -n "$ac_pt_PKG_CONFIG"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKG_CONFIG" >&5
$as_echo "$ac_pt_PKG_CONFIG" >&6; }
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi
if test "x$ac_pt_PKG_CONFIG" = x; then
PKG_CONFIG=""
else
case $cross_compiling:$ac_tool_warned in
yes:)
{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
ac_tool_warned=yes ;;
esac
PKG_CONFIG=$ac_pt_PKG_CONFIG
fi
else
PKG_CONFIG="$ac_cv_path_PKG_CONFIG"
fi
fi
if test -n "$PKG_CONFIG"; then
_pkg_min_version=0.9.0
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking pkg-config is at least version $_pkg_min_version" >&5
$as_echo_n "checking pkg-config is at least version $_pkg_min_version... " >&6; }
if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
PKG_CONFIG=""
fi
fi
if test -n "$PKG_CONFIG" && \
{ { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"\"python\${PY_MAJOR_VERSION}\"\""; } >&5
($PKG_CONFIG --exists --print-errors ""python${PY_MAJOR_VERSION}"") 2>&5
@ -17993,7 +17995,7 @@ fi
done
for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_tlsext_ticket_key_cb EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex
for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_tlsext_ticket_key_cb EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@ -21148,7 +21150,7 @@ _ACEOF
version=1.9.0
version=1.9.1
date=`date +'%b %e, %Y'`
@ -21667,7 +21669,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by unbound $as_me 1.9.0, which was
This file was extended by unbound $as_me 1.9.1, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@ -21733,7 +21735,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
unbound config.status 1.9.0
unbound config.status 1.9.1
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"

12
configure.ac
View File

@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4)
# must be numbers. ac_defun because of later processing
m4_define([VERSION_MAJOR],[1])
m4_define([VERSION_MINOR],[9])
m4_define([VERSION_MICRO],[0])
m4_define([VERSION_MICRO],[1])
AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
LIBUNBOUND_CURRENT=9
LIBUNBOUND_REVISION=0
LIBUNBOUND_REVISION=1
LIBUNBOUND_AGE=1
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@ -85,7 +85,8 @@ LIBUNBOUND_AGE=1
# 1.8.1 had 8:1:0
# 1.8.2 had 8:2:0
# 1.8.3 had 8:3:0
# 1.8.4 had 9:0:1 # add ub_ctx_set_tls
# 1.9.0 had 9:0:1 # add ub_ctx_set_tls
# 1.9.1 had 9:1:1
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@ -382,6 +383,8 @@ AC_CHECK_PROG(doxygen, doxygen, doxygen)
AC_CHECK_TOOL(STRIP, strip)
ACX_LIBTOOL_C_ONLY
PKG_PROG_PKG_CONFIG
# Checks for header files.
AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h],,, [AC_INCLUDES_DEFAULT])
@ -641,7 +644,6 @@ if test x_$ub_test_python != x_no; then
CPPFLAGS="$PYTHON_CPPFLAGS"
fi
ub_have_python=yes
PKG_PROG_PKG_CONFIG
PKG_CHECK_EXISTS(["python${PY_MAJOR_VERSION}"],
[PC_PY_DEPENDENCY="python${PY_MAJOR_VERSION}"],
[PC_PY_DEPENDENCY="python"])
@ -781,7 +783,7 @@ else
AC_MSG_RESULT([no])
fi
AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_tlsext_ticket_key_cb EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex])
AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_tlsext_ticket_key_cb EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback])
# these check_funcs need -lssl
BAKLIBS="$LIBS"

1
contrib/libunbound.so.conf
View File

@ -14,6 +14,7 @@ int ub_ctx_set_option(ub_ctx*, string, string);
int ub_ctx_get_option(ub_ctx*, string, +string*);
int ub_ctx_config(ub_ctx*, string);
int ub_ctx_set_fwd(ub_ctx*, string);
int ub_ctx_set_tls(ub_ctx*, bool(int));
int ub_ctx_set_stub(ub_ctx*, string, string, bool(int));
int ub_ctx_resolvconf(ub_ctx*, string);
int ub_ctx_hosts(ub_ctx*, string);

4
contrib/unbound.init
View File

@ -39,13 +39,13 @@ start() {
# setup root jail
if [ -s /etc/localtime ]; then
[ -d ${rootdir}/etc ] || mkdir -p ${rootdir}/etc ;
if [ ! -e ${rootdir}/etc/localtime ] || /usr/bin/cmp -s /etc/localtime ${rootdir}/etc/localtime; then
if [ ! -e ${rootdir}/etc/localtime ] || ! /usr/bin/cmp -s /etc/localtime ${rootdir}/etc/localtime; then
cp -fp /etc/localtime ${rootdir}/etc/localtime
fi;
fi;
if [ -s /etc/resolv.conf ]; then
[ -d ${rootdir}/etc ] || mkdir -p ${rootdir}/etc ;
if [ ! -e ${rootdir}/etc/resolv.conf ] || /usr/bin/cmp -s /etc/resolv.conf ${rootdir}/etc/resolv.conf; then
if [ ! -e ${rootdir}/etc/resolv.conf ] || ! /usr/bin/cmp -s /etc/resolv.conf ${rootdir}/etc/resolv.conf; then
cp -fp /etc/resolv.conf ${rootdir}/etc/resolv.conf
fi;
fi;

2
daemon/daemon.c
View File

@ -770,7 +770,7 @@ daemon_delete(struct daemon* daemon)
# endif
# ifdef HAVE_OPENSSL_CONFIG
EVP_cleanup();
# if OPENSSL_VERSION_NUMBER < 0x10100000
# if (OPENSSL_VERSION_NUMBER < 0x10100000) && !defined(OPENSSL_NO_ENGINE)
ENGINE_cleanup();
# endif
CONF_modules_free();

2
daemon/remote.c
View File

@ -1987,7 +1987,7 @@ parse_delegpt(RES* ssl, char* args, uint8_t* nm, int allow_names)
return NULL;
}
} else {
#ifndef HAVE_SSL_SET1_HOST
#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
if(auth_name)
log_err("no name verification functionality in "
"ssl library, ignored name for %s", todo);

15
daemon/worker.c
View File

@ -1171,7 +1171,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
/* check if this query should be dropped based on source ip rate limiting */
if(!infra_ip_ratelimit_inc(worker->env.infra_cache, repinfo,
*worker->env.now)) {
*worker->env.now, c->buffer)) {
/* See if we are passed through with slip factor */
if(worker->env.cfg->ip_ratelimit_factor != 0 &&
ub_random_max(worker->env.rnd,
@ -1559,8 +1559,17 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
if(worker->env.cfg->log_replies)
{
struct timeval tv = {0, 0};
log_reply_info(0, &qinfo, &repinfo->addr, repinfo->addrlen,
tv, 1, c->buffer);
if(qinfo.local_alias && qinfo.local_alias->rrset &&
qinfo.local_alias->rrset->rk.dname) {
/* log original qname, before the local alias was
* used to resolve that CNAME to something else */
qinfo.qname = qinfo.local_alias->rrset->rk.dname;
log_reply_info(0, &qinfo, &repinfo->addr, repinfo->addrlen,
tv, 1, c->buffer);
} else {
log_reply_info(0, &qinfo, &repinfo->addr, repinfo->addrlen,
tv, 1, c->buffer);
}
}
#ifdef USE_DNSCRYPT
if(!dnsc_handle_uncurved_request(repinfo)) {

88
doc/Changelog
View File

@ -1,5 +1,85 @@
5 February 2019: Wouter
- Fix tls-ciphers spelling in example.conf
1 March 2019: Wouter
- output forwarder log in ssl_req_order test.
28 February 2019: Wouter
- Remove memory leak on pythonmod python2 script file init.
- Remove swig gcc8 python function cast warnings, they are ignored.
- Print correct module that failed when module-config is wrong.
27 February 2019: Wouter
- Fix #4229: Unbound man pages lack information, about access-control
order and local zone tags, and elements in views.
- Fix #14: contrib/unbound.init: Fix wrong comparison judgment
before copying.
- Fix for python module on Windows, fix fopen.
25 February 2019: Wouter
- Fix #4227: pair event del and add for libevent for tcp_req_info.
21 February 2019: Wouter
- Fix the error for unknown module in module-config is understandable,
and explains it was not compiled in and where to see the list.
- In example.conf explain where to put cachedb module in module-config.
- In man page and example config explain that most modules have to
be listed at the start of module-config.
20 February 2019: Wouter
- Fix pythonmod include and sockaddr_un ifdefs for compile on
Windows, and for libunbound.
18 February 2019: Wouter
- Print query name with ip_ratelimit exceeded log lines.
- Spaces instead of tabs in that log message.
- Print query name and IP address when domain rate limit exceeded.
14 February 2019: Wouter
- Fix capsforid canonical sort qsort callback.
11 February 2019: Wouter
- Note default for module-config in man page.
- Fix recursion lame test for qname minimisation asked queries,
that were not present in the set of prepared answers.
- Fix #13: Remove left-over requirements on OpenSSL >= 1.1.0 for
cert name matching, from man page.
- make depend, with newer gcc, nicer layout.
7 February 2019: Wouter
- Fix #4206: OpenSSL 1.0.2 hostname verification for FreeBSD 11.2.
- Fix that qname minimisation does not skip a label when missing
nameserver targets need to be fetched.
- Fix #4225: clients seem to erroneously receive no answer with
DNS-over-TLS and qname-minimisation.
4 February 2019: Wouter
- Fix that log-replies prints the correct name for local-alias
names, for names that have a CNAME in local-data configuration.
It logs the original query name, not the target of the CNAME.
- Add local-zone type inform_redirect, which logs like type inform,
and redirects like type redirect.
- Perform canonical sort for 0x20 capsforid compare of replies,
this sorts rrsets in the authority and additional section before
comparison, so that out of order rrsets do not cause failure.
31 January 2019: Wouter
- Set ub_ctx_set_tls call signature in ltrace config file for
libunbound in contrib/libunbound.so.conf.
- improve documentation for tls-service-key and forward-first.
- #10: fixed pkg-config operations, PKG_PROG_PKG_CONFIG moved out of
conditional section, fixes systemd builds, from Enrico Scholz.
- #9: For openssl 1.0.2 use the CRYPTO_THREADID locking callbacks,
still supports the set_id_callback previous API. And for 1.1.0
no locking callbacks are needed.
- #8: Fix OpenSSL without ENGINE support compilation.
- Wipe TLS session key data from memory on exit.
30 January 2019: Ralph
- Fix case in which query timeout can result in marking delegation
as edns_lame_known.
29 January 2019: Wouter
- Fix spelling of tls-ciphers in example.conf.in.
- Fix #4224: auth_xfr_notify.rpl test broken due to typo
- Fix locking for libunbound context setup with broken port config.
28 January 2019: Wouter
- ub_ctx_set_tls call for libunbound that enables DoT for the machines
@ -8,7 +88,9 @@
- List example config for root zone copy locally hosted with auth-zone
as suggested from draft-ietf-dnsop-7706-bis-02. But with updated
B root address.
- set version to 1.9.0 for release.
- set version to 1.9.0 for release. And this was released with the
spelling for tls-ciphers fix as 1.9.0 on Feb 5. Trunk has 1.9.1 in
development.
25 January 2019: Wouter
- Fix that tcp for auth zone and outgoing does not remove and

2
doc/README
View File

@ -1,4 +1,4 @@
README for Unbound 1.9.0
README for Unbound 1.9.1
Copyright 2007 NLnet Labs
http://unbound.net

10
doc/example.conf.in
View File

@ -1,7 +1,7 @@
#
# Example configuration file.
#
# See unbound.conf(5) man page, version 1.9.0.
# See unbound.conf(5) man page, version 1.9.1.
#
# this is a comment.
@ -475,6 +475,9 @@ server:
# module configuration of the server. A string with identifiers
# separated by spaces. Syntax: "[dns64] [validator] iterator"
# most modules have to be listed at the beginning of the line,
# except cachedb(just before iterator), and python (at the beginning,
# or, just before the iterator).
# module-config: "validator iterator"
# File with trusted keys, kept uptodate using RFC5011 probes,
@ -673,6 +676,7 @@ server:
# o typetransparent resolves normally for other types and other names
# o inform acts like transparent, but logs client IP address
# o inform_deny drops queries and logs client IP address
# o inform_redirect redirects queries and logs client IP address
# o always_transparent, always_refuse, always_nxdomain, resolve in
# that way but ignore local data for that name
# o noview breaks out of that view towards global local-zones.
@ -822,6 +826,8 @@ server:
# Python config section. To enable:
# o use --with-pythonmodule to configure before compiling.
# o list python in the module-config string (above) to enable.
# It can be at the start, it gets validated results, or just before
# the iterator and process before DNSSEC validation.
# o and give a python-script to run.
python:
# Script file to load
@ -972,7 +978,7 @@ remote-control:
# Enable external backend DB as auxiliary cache. Specify the backend name
# (default is "testframe", which has no use other than for debugging and
# testing) and backend-specific options. The 'cachedb' module must be
# included in module-config.
# included in module-config, just before the iterator module.
# cachedb:
# backend: "testframe"
# # secret seed string to calculate hashed keys

4
doc/libunbound.3.in
View File

@ -1,4 +1,4 @@
.TH "libunbound" "3" "Feb 5, 2019" "NLnet Labs" "unbound 1.9.0"
.TH "libunbound" "3" "Mar 12, 2019" "NLnet Labs" "unbound 1.9.1"
.\"
.\" libunbound.3 -- unbound library functions manual
.\"
@ -44,7 +44,7 @@
.B ub_ctx_zone_remove,
.B ub_ctx_data_add,
.B ub_ctx_data_remove
\- Unbound DNS validating resolver 1.9.0 functions.
\- Unbound DNS validating resolver 1.9.1 functions.
.SH "SYNOPSIS"
.B #include <unbound.h>
.LP

2
doc/unbound-anchor.8.in
View File

@ -1,4 +1,4 @@
.TH "unbound-anchor" "8" "Feb 5, 2019" "NLnet Labs" "unbound 1.9.0"
.TH "unbound-anchor" "8" "Mar 12, 2019" "NLnet Labs" "unbound 1.9.1"
.\"
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
.\"

2
doc/unbound-checkconf.8.in
View File

@ -1,4 +1,4 @@
.TH "unbound-checkconf" "8" "Feb 5, 2019" "NLnet Labs" "unbound 1.9.0"
.TH "unbound-checkconf" "8" "Mar 12, 2019" "NLnet Labs" "unbound 1.9.1"
.\"
.\" unbound-checkconf.8 -- unbound configuration checker manual
.\"

2
doc/unbound-control.8.in
View File

@ -1,4 +1,4 @@
.TH "unbound-control" "8" "Feb 5, 2019" "NLnet Labs" "unbound 1.9.0"
.TH "unbound-control" "8" "Mar 12, 2019" "NLnet Labs" "unbound 1.9.1"
.\"
.\" unbound-control.8 -- unbound remote control manual
.\"

2
doc/unbound-host.1.in
View File

@ -1,4 +1,4 @@
.TH "unbound\-host" "1" "Feb 5, 2019" "NLnet Labs" "unbound 1.9.0"
.TH "unbound\-host" "1" "Mar 12, 2019" "NLnet Labs" "unbound 1.9.1"
.\"
.\" unbound-host.1 -- unbound DNS lookup utility
.\"

4
doc/unbound.8.in
View File

@ -1,4 +1,4 @@
.TH "unbound" "8" "Feb 5, 2019" "NLnet Labs" "unbound 1.9.0"
.TH "unbound" "8" "Mar 12, 2019" "NLnet Labs" "unbound 1.9.1"
.\"
.\" unbound.8 -- unbound manual
.\"
@ -9,7 +9,7 @@
.\"
.SH "NAME"
.B unbound
\- Unbound DNS validating resolver 1.9.0.
\- Unbound DNS validating resolver 1.9.1.
.SH "SYNOPSIS"
.B unbound
.RB [ \-h ]

47
doc/unbound.conf.5.in
View File

@ -1,4 +1,4 @@
.TH "unbound.conf" "5" "Feb 5, 2019" "NLnet Labs" "unbound 1.9.0"
.TH "unbound.conf" "5" "Mar 12, 2019" "NLnet Labs" "unbound 1.9.1"
.\"
.\" unbound.conf.5 -- unbound.conf manual
.\"
@ -458,14 +458,15 @@ Alternate syntax for \fBtls\-upstream\fR. If both are present in the config
file the last is used.
.TP
.B tls\-service\-key: \fI<file>
If enabled, the server provides TLS service on its TCP sockets. The clients
have to use tls\-upstream: yes. The file is the private key for the TLS
session. The public certificate is in the tls\-service\-pem file. Default
is "", turned off. Requires a restart (a reload is not enough) if changed,
because the private key is read while root permissions are held and before
chroot (if any). Normal DNS TCP service is not provided and gives errors,
this service is best run with a different \fBport:\fR config or \fI@port\fR
suffixes in the \fBinterface\fR config.
If enabled, the server provides TLS service on the TCP ports marked
implicitly or explicitly for TLS service with tls\-port. The file must
contain the private key for the TLS session, the public certificate is in
the tls\-service\-pem file and it must also be specified if tls\-service\-key
is specified. The default is "", turned off. Enabling or disabling
this service requires a restart (a reload is not enough), because the
key is read while root permissions are held and before chroot (if any).
The ports enabled implicitly or explicitly via \fBtls\-port:\fR do not provide
normal DNS TCP service.
.TP
.B ssl\-service\-key: \fI<file>
Alternate syntax for \fBtls\-service\-key\fR.
@ -545,6 +546,7 @@ classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
\fIallow\fR, \fIallow_setrd\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or
\fIrefuse_non_local\fR.
The most specific netblock match is used, if none match \fIdeny\fR is used.
The order of the access\-control statements therefore does not matter.
.IP
The action \fIdeny\fR stops queries from hosts from that netblock.
.IP
@ -929,6 +931,12 @@ Setting this to "iterator" will result in a non\-validating server.
Setting this to "validator iterator" will turn on DNSSEC validation.
The ordering of the modules is important.
You must also set trust\-anchors for validation to be useful.
The default is "validator iterator". When the server is built with
EDNS client subnet support the default is "subnetcache validator iterator".
Most modules that need to be listed here have to be listed at the beginning
of the line. The cachedb module has to be listed just before the iterator.
The python module can be listed in different places, it then processes the
output of the module it is just before.
.TP
.B trust\-anchor\-file: \fI<filename>
File with trusted keys for validation. Both DS and DNSKEY entries can appear
@ -1140,7 +1148,7 @@ address space are not validated. This is usually required whenever
Configure a local zone. The type determines the answer to give if
there is no match from local\-data. The types are deny, refuse, static,
transparent, redirect, nodefault, typetransparent, inform, inform_deny,
always_transparent, always_refuse, always_nxdomain, noview,
inform_redirect, always_transparent, always_refuse, always_nxdomain, noview,
and are explained below. After that the default settings are listed. Use
local\-data: to enter data into the local zone. Answers for local zones
are authoritative DNS answers. By default the zones are class IN.
@ -1201,6 +1209,10 @@ looking up infected names are logged, eg. to run antivirus on them.
The query is dropped, like 'deny', and logged, like 'inform'. Ie. find
infected machines without answering the queries.
.TP 10
\h'5'\fIinform_redirect\fR
The query is redirected, like 'redirect', and logged, like 'inform'.
Ie. answer queries with fixed data and also log the machines that ask.
.TP 10
\h'5'\fIalways_transparent\fR
Like transparent, but ignores local data and resolves normally.
.TP 10
@ -1356,7 +1368,8 @@ TTL can be inserted like this: "2001:DB8::4 7200 www.example.com"
Assign tags to localzones. Tagged localzones will only be applied when the
used access-control element has a matching tag. Tags must be defined in
\fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put spaces between
tags.
tags. When there are multiple tags it checks if the intersection of the
list of tags for the query and local\-zone\-tag is non-empty.
.TP 5
.B local\-zone\-override: \fI<zone> <IP netblock> <type>
Override the localzone type for queries from addresses matching netblock.
@ -1614,13 +1627,11 @@ the '@' and '#', the '@' comes first.
At high verbosity it logs the TLS certificate, with TLS enabled.
If you leave out the '#' and auth name from the forward\-addr, any
name is accepted. The cert must also match a CA from the tls\-cert\-bundle.
The cert name match code needs OpenSSL 1.1.0 or later to be enabled.
.TP
.B forward\-first: \fI<yes or no>
If enabled, a query is attempted without the forward clause if it fails.
The data could not be retrieved and would have caused SERVFAIL because
the servers are unreachable, instead it is tried without this clause.
The default is no.
If a forwarded query is met with a SERVFAIL error, and this option is
enabled, unbound will fall back to normal recursive resolution for this
query as if no query forwarding had been specified. The default is "no".
.TP
.B forward\-tls\-upstream: \fI<yes or no>
Enabled or disable whether the queries to this forwarder use TLS for transport.
@ -1715,7 +1726,9 @@ data (eg. from the master servers).
There may be multiple
.B view:
clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and
\fBlocal\-data\fR elements. View can be mapped to requests by specifying the
\fBlocal\-data\fR elements. Views can also contain view\-first,
response\-ip, response\-ip\-data and local\-data\-ptr elements.
View can be mapped to requests by specifying the
view name in an \fBaccess\-control\-view\fR element. Options from matching
views will override global options. Global options will be used if no matching
view is found, or when the matching view does not have the option specified.

2
iterator/iter_fwd.c
View File

@ -239,7 +239,7 @@ read_fwds_addr(struct config_stub* s, struct delegpt* dp)
s->name, p->str);
return 0;
}
#ifndef HAVE_SSL_SET1_HOST
#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
if(tls_auth_name)
log_err("no name verification functionality in "
"ssl library, ignored name for %s", p->str);

2
iterator/iter_hints.c
View File

@ -252,7 +252,7 @@ read_stubs_addr(struct config_stub* s, struct delegpt* dp)
s->name, p->str);
return 0;
}
#ifndef HAVE_SSL_SET1_HOST
#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
if(auth_name)
log_err("no name verification functionality in "
"ssl library, ignored name for %s", p->str);

60
iterator/iter_utils.c
View File

@ -882,10 +882,35 @@ rrset_equal(struct ub_packed_rrset_key* k1, struct ub_packed_rrset_key* k2)
return 1;
}
/** compare rrsets and sort canonically. Compares rrset name, type, class.
* return 0 if equal, +1 if x > y, and -1 if x < y.
*/
static int
rrset_canonical_sort_cmp(const void* x, const void* y)
{
struct ub_packed_rrset_key* rrx = *(struct ub_packed_rrset_key**)x;
struct ub_packed_rrset_key* rry = *(struct ub_packed_rrset_key**)y;
int r = dname_canonical_compare(rrx->rk.dname, rry->rk.dname);
if(r != 0)
return r;
if(rrx->rk.type != rry->rk.type) {
if(ntohs(rrx->rk.type) > ntohs(rry->rk.type))
return 1;
else return -1;
}
if(rrx->rk.rrset_class != rry->rk.rrset_class) {
if(ntohs(rrx->rk.rrset_class) > ntohs(rry->rk.rrset_class))
return 1;
else return -1;
}
return 0;
}
int
reply_equal(struct reply_info* p, struct reply_info* q, struct regional* region)
{
size_t i;
struct ub_packed_rrset_key** sorted_p, **sorted_q;
if(p->flags != q->flags ||
p->qdcount != q->qdcount ||
/* do not check TTL, this may differ */
@ -899,16 +924,43 @@ reply_equal(struct reply_info* p, struct reply_info* q, struct regional* region)
p->ar_numrrsets != q->ar_numrrsets ||
p->rrset_count != q->rrset_count)
return 0;
/* sort the rrsets in the authority and additional sections before
* compare, the query and answer sections are ordered in the sequence
* they should have (eg. one after the other for aliases). */
sorted_p = (struct ub_packed_rrset_key**)regional_alloc_init(
region, p->rrsets, sizeof(*sorted_p)*p->rrset_count);
if(!sorted_p) return 0;
log_assert(p->an_numrrsets + p->ns_numrrsets + p->ar_numrrsets <=
p->rrset_count);
qsort(sorted_p + p->an_numrrsets, p->ns_numrrsets,
sizeof(*sorted_p), rrset_canonical_sort_cmp);
qsort(sorted_p + p->an_numrrsets + p->ns_numrrsets, p->ar_numrrsets,
sizeof(*sorted_p), rrset_canonical_sort_cmp);
sorted_q = (struct ub_packed_rrset_key**)regional_alloc_init(
region, q->rrsets, sizeof(*sorted_q)*q->rrset_count);
if(!sorted_q) {
regional_free_all(region);
return 0;
}
log_assert(q->an_numrrsets + q->ns_numrrsets + q->ar_numrrsets <=
q->rrset_count);
qsort(sorted_q + q->an_numrrsets, q->ns_numrrsets,
sizeof(*sorted_q), rrset_canonical_sort_cmp);
qsort(sorted_q + q->an_numrrsets + q->ns_numrrsets, q->ar_numrrsets,
sizeof(*sorted_q), rrset_canonical_sort_cmp);
/* compare the rrsets */
for(i=0; i<p->rrset_count; i++) {
if(!rrset_equal(p->rrsets[i], q->rrsets[i])) {
if(!rrset_canonical_equal(region, p->rrsets[i],
q->rrsets[i])) {
if(!rrset_equal(sorted_p[i], sorted_q[i])) {
if(!rrset_canonical_equal(region, sorted_p[i],
sorted_q[i])) {
regional_free_all(region);
return 0;
}
regional_free_all(region);
}
}
regional_free_all(region);
return 1;
}

24
iterator/iterator.c
View File

@ -1448,7 +1448,8 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
* now will also exceed the rate, keeping cache fresh */
(void)infra_ratelimit_inc(qstate->env->infra_cache,
iq->dp->name, iq->dp->namelen,
*qstate->env->now);
*qstate->env->now, &qstate->qinfo,
qstate->reply);
/* see if we are passed through with slip factor */
if(qstate->env->cfg->ratelimit_factor != 0 &&
ub_random_max(qstate->env->rnd,
@ -2105,6 +2106,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
struct delegpt_addr* target;
struct outbound_entry* outq;
int auth_fallback = 0;
uint8_t* qout_orig = NULL;
size_t qout_orig_len = 0;
/* NOTE: a request will encounter this state for each target it
* needs to send a query to. That is, at least one per referral,
@ -2178,6 +2181,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
int labdiff = qchaselabs -
dname_count_labels(iq->qinfo_out.qname);
qout_orig = iq->qinfo_out.qname;
qout_orig_len = iq->qinfo_out.qname_len;
iq->qinfo_out.qname = iq->qchase.qname;
iq->qinfo_out.qname_len = iq->qchase.qname_len;
iq->minimise_count++;
@ -2330,6 +2335,13 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
/* wait to get all targets, we want to try em */
verbose(VERB_ALGO, "wait for all targets for fallback");
qstate->ext_state[id] = module_wait_reply;
/* undo qname minimise step because we'll get back here
* to do it again */
if(qout_orig && iq->minimise_count > 0) {
iq->minimise_count--;
iq->qinfo_out.qname = qout_orig;
iq->qinfo_out.qname_len = qout_orig_len;
}
return 0;
}
/* did we do enough fallback queries already? */
@ -2463,13 +2475,21 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
iq->num_current_queries);
qstate->ext_state[id] = module_wait_reply;
}
/* undo qname minimise step because we'll get back here
* to do it again */
if(qout_orig && iq->minimise_count > 0) {
iq->minimise_count--;
iq->qinfo_out.qname = qout_orig;
iq->qinfo_out.qname_len = qout_orig_len;
}
return 0;
}
/* if not forwarding, check ratelimits per delegationpoint name */
if(!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok) {
if(!infra_ratelimit_inc(qstate->env->infra_cache, iq->dp->name,
iq->dp->namelen, *qstate->env->now)) {
iq->dp->namelen, *qstate->env->now, &qstate->qinfo,
qstate->reply)) {
lock_basic_lock(&ie->queries_ratelimit_lock);
ie->num_queries_ratelimited++;
lock_basic_unlock(&ie->queries_ratelimit_lock);

5
libunbound/libworker.c
View File

@ -222,11 +222,10 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
}
numports = cfg_condense_ports(cfg, &ports);
if(numports == 0) {
int locked = !w->is_bg || w->is_bg_thread;
libworker_delete(w);
if(locked) {
if(!w->is_bg || w->is_bg_thread) {
lock_basic_unlock(&ctx->cfglock);
}
libworker_delete(w);
return NULL;
}
w->back = outside_network_create(w->base, cfg->msg_buffer_size,

18
libunbound/python/libunbound.i
View File

@ -33,12 +33,26 @@
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
%begin %{
/* store state of warning output, restored at later pop */
#pragma GCC diagnostic push
/* ignore gcc8 METH_NOARGS function cast warnings for swig function pointers */
#pragma GCC diagnostic ignored "-Wcast-function-type"
%}
%module unbound
%{
/* restore state of warning output, remove the functioncast ignore */
#pragma GCC diagnostic pop
#include <sys/types.h>
#ifdef HAVE_SYS_SOCKET_H
#include <sys/socket.h>
#endif
#ifdef HAVE_NETINET_IN_H
#include <netinet/in.h>
#endif
#ifdef HAVE_ARPA_INET_H
#include <arpa/inet.h>
#endif
#include "libunbound/unbound.h"
%}
@ -108,7 +122,7 @@
%inline %{
void ub_ctx_free_dbg (struct ub_ctx* c) {
printf("******** UB_CTX free 0x%lX ************\n", (long unsigned int)c);
printf("******** UB_CTX free 0x%p ************\n", c);
ub_ctx_delete(c);
}
@ -648,7 +662,7 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104']
%inline %{
void ub_resolve_free_dbg (struct ub_result* r) {
printf("******** UB_RESOLVE free 0x%lX ************\n", (long unsigned int)r);
printf("******** UB_RESOLVE free 0x%p ************\n", r);
ub_resolve_free(r);
}
%}

22
pythonmod/interface.i
View File

@ -1,19 +1,37 @@
/*
* interface.i: unbound python module
*/
%begin %{
/* store state of warning output, restored at later pop */
#pragma GCC diagnostic push
/* ignore gcc8 METH_NOARGS function cast warnings for swig function pointers */
#pragma GCC diagnostic ignored "-Wcast-function-type"
%}
%module unboundmodule
%{
/* restore state of warning output, remove the functioncast ignore */
#pragma GCC diagnostic pop
/**
* \file
* This is the interface between the unbound server and a python module
* called to perform operations on queries.
*/
#include <sys/types.h>
#ifdef HAVE_SYS_SOCKET_H
#include <sys/socket.h>
#endif
#ifdef HAVE_NETINET_IN_H
#include <netinet/in.h>
#endif
#ifdef HAVE_ARPA_INET_H
#include <arpa/inet.h>
#endif
#ifdef HAVE_NETDB_H
#include <netdb.h>
#endif
#ifdef HAVE_SYS_UN_H
#include <sys/un.h>
#endif
#include <stdarg.h>
#include "config.h"
#include "util/log.h"
@ -449,7 +467,9 @@ struct sockaddr_storage {};
switch (ss->ss_family) {
case AF_INET: return sizeof(struct sockaddr_in);
case AF_INET6: return sizeof(struct sockaddr_in6);
#ifdef HAVE_SYS_UN_H
case AF_UNIX: return sizeof(struct sockaddr_un);
#endif
default:
return 0;
}
@ -515,10 +535,12 @@ struct sockaddr_storage {};
return PyBytes_FromStringAndSize((const char *)raw, sizeof(*raw));
}
#ifdef HAVE_SYS_UN_H
if (ss->ss_family == AF_UNIX) {
const struct sockaddr_un *sa = (struct sockaddr_un *)ss;
return PyBytes_FromString(sa->sun_path);
}
#endif
return Py_None;
}

23
pythonmod/pythonmod.c
View File

@ -247,6 +247,9 @@ int pythonmod_init(struct module_env* env, int id)
PyObject* py_init_arg, *res;
PyGILState_STATE gil;
int init_standard = 1;
#if PY_MAJOR_VERSION < 3
PyObject* PyFileObject = NULL;
#endif
struct pythonmod_env* pe = (struct pythonmod_env*)calloc(1, sizeof(struct pythonmod_env));
if (!pe)
@ -307,7 +310,15 @@ int pythonmod_init(struct module_env* env, int id)
}
/* Check Python file load */
if ((script_py = fopen(pe->fname, "r")) == NULL)
/* uses python to open the file, this works on other platforms,
* eg. Windows, to open the file in the correct mode for python */
#if PY_MAJOR_VERSION < 3
PyFileObject = PyFile_FromString((char*)pe->fname, "r");
script_py = PyFile_AsFile(PyFileObject);
#else
script_py = _Py_fopen(pe->fname, "r");
#endif
if (script_py == NULL)
{
log_err("pythonmod: can't open file %s for reading", pe->fname);
PyGILState_Release(gil);
@ -343,7 +354,11 @@ int pythonmod_init(struct module_env* env, int id)
PyGILState_Release(gil);
return 0;
}
#if PY_MAJOR_VERSION < 3
Py_XDECREF(PyFileObject);
#else
fclose(script_py);
#endif
if ((pe->func_init = PyDict_GetItemString(pe->dict, "init_standard")) == NULL)
{
@ -517,8 +532,7 @@ void pythonmod_clear(struct module_qstate* qstate, int id)
return;
pq = (struct pythonmod_qstate*)qstate->minfo[id];
verbose(VERB_ALGO, "pythonmod: clear, id: %d, pq:%lX", id,
(unsigned long int)pq);
verbose(VERB_ALGO, "pythonmod: clear, id: %d, pq:%p", id, pq);
if(pq != NULL)
{
PyGILState_STATE gil = PyGILState_Ensure();
@ -534,8 +548,7 @@ void pythonmod_clear(struct module_qstate* qstate, int id)
size_t pythonmod_get_mem(struct module_env* env, int id)
{
struct pythonmod_env* pe = (struct pythonmod_env*)env->modinfo[id];
verbose(VERB_ALGO, "pythonmod: get_mem, id: %d, pe:%lX", id,
(unsigned long int)pe);
verbose(VERB_ALGO, "pythonmod: get_mem, id: %d, pe:%p", id, pe);
if(!pe)
return 0;
return sizeof(*pe);

8
respip/respip.c
View File

@ -183,6 +183,8 @@ respip_action_cfg(struct respip_set* set, const char* ipstr,
action = respip_inform;
else if(strcmp(actnstr, "inform_deny") == 0)
action = respip_inform_deny;
else if(strcmp(actnstr, "inform_redirect") == 0)
action = respip_inform_redirect;
else if(strcmp(actnstr, "always_transparent") == 0)
action = respip_always_transparent;
else if(strcmp(actnstr, "always_refuse") == 0)
@ -245,7 +247,8 @@ respip_enter_rr(struct regional* region, struct resp_addr* raddr,
struct packed_rrset_data* pd;
struct sockaddr* sa;
int ret;
if(raddr->action != respip_redirect) {
if(raddr->action != respip_redirect
&& raddr->action != respip_inform_redirect) {
log_err("cannot parse response-ip-data %s: response-ip "
"action for %s is not redirect", rrstr, netblock);
return 0;
@ -750,7 +753,8 @@ respip_nodata_answer(uint16_t qtype, enum respip_action action,
*new_repp = new_rep;
return 1;
} else if(action == respip_static || action == respip_redirect ||
action == respip_always_nxdomain) {
action == respip_always_nxdomain ||
action == respip_inform_redirect) {
/* Since we don't know about other types of the owner name,
* we generally return NOERROR/NODATA unless an NXDOMAIN action
* is explicitly specified. */

44
services/cache/infra.c vendored
View File

@ -41,6 +41,8 @@
#include "config.h"
#include "sldns/rrdef.h"
#include "sldns/str2wire.h"
#include "sldns/sbuffer.h"
#include "sldns/wire2str.h"
#include "services/cache/infra.h"
#include "util/storage/slabhash.h"
#include "util/storage/lookup3.h"
@ -907,7 +909,8 @@ int infra_rate_max(void* data, time_t now)
}
int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name,
size_t namelen, time_t timenow)
size_t namelen, time_t timenow, struct query_info* qinfo,
struct comm_reply* replylist)
{
int lim, max;
struct lruhash_entry* entry;
@ -930,9 +933,19 @@ int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name,
lock_rw_unlock(&entry->lock);
if(premax < lim && max >= lim) {
char buf[257];
char buf[257], qnm[257], ts[12], cs[12], ip[128];
dname_str(name, buf);
verbose(VERB_OPS, "ratelimit exceeded %s %d", buf, lim);
dname_str(qinfo->qname, qnm);
sldns_wire2str_type_buf(qinfo->qtype, ts, sizeof(ts));
sldns_wire2str_class_buf(qinfo->qclass, cs, sizeof(cs));
ip[0]=0;
if(replylist) {
addr_to_str((struct sockaddr_storage *)&replylist->addr,
replylist->addrlen, ip, sizeof(ip));
verbose(VERB_OPS, "ratelimit exceeded %s %d query %s %s %s from %s", buf, lim, qnm, cs, ts, ip);
} else {
verbose(VERB_OPS, "ratelimit exceeded %s %d query %s %s %s", buf, lim, qnm, cs, ts);
}
}
return (max < lim);
}
@ -991,7 +1004,7 @@ infra_get_mem(struct infra_cache* infra)
}
int infra_ip_ratelimit_inc(struct infra_cache* infra,
struct comm_reply* repinfo, time_t timenow)
struct comm_reply* repinfo, time_t timenow, struct sldns_buffer* buffer)
{
int max;
struct lruhash_entry* entry;
@ -1010,11 +1023,28 @@ int infra_ip_ratelimit_inc(struct infra_cache* infra,
lock_rw_unlock(&entry->lock);
if(premax < infra_ip_ratelimit && max >= infra_ip_ratelimit) {
char client_ip[128];
char client_ip[128], qnm[LDNS_MAX_DOMAINLEN+1+12+12];
addr_to_str((struct sockaddr_storage *)&repinfo->addr,
repinfo->addrlen, client_ip, sizeof(client_ip));
verbose(VERB_OPS, "ip_ratelimit exceeded %s %d",
client_ip, infra_ip_ratelimit);
qnm[0]=0;
if(sldns_buffer_limit(buffer)>LDNS_HEADER_SIZE &&
LDNS_QDCOUNT(sldns_buffer_begin(buffer))!=0) {
(void)sldns_wire2str_rrquestion_buf(
sldns_buffer_at(buffer, LDNS_HEADER_SIZE),
sldns_buffer_limit(buffer)-LDNS_HEADER_SIZE,
qnm, sizeof(qnm));
if(strlen(qnm)>0 && qnm[strlen(qnm)-1]=='\n')
qnm[strlen(qnm)-1] = 0; /*remove newline*/
if(strchr(qnm, '\t'))
*strchr(qnm, '\t') = ' ';
if(strchr(qnm, '\t'))
*strchr(qnm, '\t') = ' ';
verbose(VERB_OPS, "ip_ratelimit exceeded %s %d %s",
client_ip, infra_ip_ratelimit, qnm);
} else {
verbose(VERB_OPS, "ip_ratelimit exceeded %s %d (no query name)",
client_ip, infra_ip_ratelimit);
}
}
return (max <= infra_ip_ratelimit);
}

9
services/cache/infra.h vendored
View File

@ -366,12 +366,15 @@ long long infra_get_host_rto(struct infra_cache* infra,
* @param name: zone name
* @param namelen: zone name length
* @param timenow: what time it is now.
* @param qinfo: for logging, query name.
* @param replylist: for logging, querier's address (if any).
* @return 1 if it could be incremented. 0 if the increment overshot the
* ratelimit or if in the previous second the ratelimit was exceeded.
* Failures like alloc failures are not returned (probably as 1).
*/
int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name,
size_t namelen, time_t timenow);
size_t namelen, time_t timenow, struct query_info* qinfo,
struct comm_reply* replylist);
/**
* Decrement the query rate counter for a delegation point.
@ -410,10 +413,12 @@ int infra_find_ratelimit(struct infra_cache* infra, uint8_t* name,
* @param infra: infra cache
* @param repinfo: information about client
* @param timenow: what time it is now.
* @param buffer: with query for logging.
* @return 1 if it could be incremented. 0 if the increment overshot the
* ratelimit and the query should be dropped. */
int infra_ip_ratelimit_inc(struct infra_cache* infra,
struct comm_reply* repinfo, time_t timenow);
struct comm_reply* repinfo, time_t timenow,
struct sldns_buffer* buffer);
/**
* Get memory used by the infra cache.

10
services/listen_dnsport.c
View File

@ -1636,10 +1636,12 @@ tcp_req_info_setup_listen(struct tcp_req_info* req)
if(wr) {
req->cp->tcp_is_reading = 0;
comm_point_stop_listening(req->cp);
comm_point_start_listening(req->cp, -1,
req->cp->tcp_timeout_msec);
} else if(rd) {
req->cp->tcp_is_reading = 1;
comm_point_stop_listening(req->cp);
comm_point_start_listening(req->cp, -1,
req->cp->tcp_timeout_msec);
/* and also read it (from SSL stack buffers), so
@ -1647,6 +1649,7 @@ tcp_req_info_setup_listen(struct tcp_req_info* req)
* the TLS frame is sitting in the buffers. */
req->read_again = 1;
} else {
comm_point_stop_listening(req->cp);
comm_point_start_listening(req->cp, -1,
req->cp->tcp_timeout_msec);
comm_point_listen_for_rw(req->cp, 0, 0);
@ -1759,6 +1762,7 @@ tcp_req_info_handle_readdone(struct tcp_req_info* req)
* clear to write to */
send_it:
c->tcp_is_reading = 0;
comm_point_stop_listening(c);
comm_point_start_listening(c, -1, c->tcp_timeout_msec);
return;
}
@ -1779,6 +1783,12 @@ tcp_req_info_handle_readdone(struct tcp_req_info* req)
/* If mesh failed(mallocfail) and called commpoint_send_reply with
* something like servfail then we pick up that reply below. */
if(req->is_reply) {
/* reply from mesh is in the spool_buffer */
sldns_buffer_clear(c->buffer);
sldns_buffer_write(c->buffer,
sldns_buffer_begin(req->spool_buffer),
sldns_buffer_limit(req->spool_buffer));
sldns_buffer_flip(c->buffer);
goto send_it;
}

26
services/localzone.c
View File

@ -464,7 +464,8 @@ lz_enter_rr_into_zone(struct local_zone* z, const char* rrstr)
return 0;
}
log_assert(z->dclass == rrclass);
if(z->type == local_zone_redirect &&
if((z->type == local_zone_redirect ||
z->type == local_zone_inform_redirect) &&
query_dname_compare(z->name, nm) != 0) {
log_err("local-data in redirect zone must reside at top of zone"
", not at %s", rrstr);
@ -481,7 +482,8 @@ lz_enter_rr_into_zone(struct local_zone* z, const char* rrstr)
/* Reject it if we would end up having CNAME and other data (including
* another CNAME) for a redirect zone. */
if(z->type == local_zone_redirect && node->rrsets) {
if((z->type == local_zone_redirect ||
z->type == local_zone_inform_redirect) && node->rrsets) {
const char* othertype = NULL;
if (rrtype == LDNS_RR_TYPE_CNAME)
othertype = "other";
@ -1323,7 +1325,8 @@ local_data_answer(struct local_zone* z, struct module_env* env,
key.name = qinfo->qname;
key.namelen = qinfo->qname_len;
key.namelabs = labs;
if(lz_type == local_zone_redirect) {
if(lz_type == local_zone_redirect ||
lz_type == local_zone_inform_redirect) {
key.name = z->name;
key.namelen = z->namelen;
key.namelabs = z->namelabs;
@ -1355,7 +1358,8 @@ local_data_answer(struct local_zone* z, struct module_env* env,
return 0;
/* Special case for alias matching. See local_data_answer(). */
if(lz_type == local_zone_redirect &&
if((lz_type == local_zone_redirect ||
lz_type == local_zone_inform_redirect) &&
qinfo->qtype != LDNS_RR_TYPE_CNAME &&
lr->rrset->rk.type == htons(LDNS_RR_TYPE_CNAME)) {
qinfo->local_alias =
@ -1370,7 +1374,8 @@ local_data_answer(struct local_zone* z, struct module_env* env,
qinfo->local_alias->rrset->rk.dname_len = qinfo->qname_len;
return 1;
}
if(lz_type == local_zone_redirect) {
if(lz_type == local_zone_redirect ||
lz_type == local_zone_inform_redirect) {
/* convert rrset name to query name; like a wildcard */
struct ub_packed_rrset_key r = *lr->rrset;
r.rk.dname = qinfo->qname;
@ -1442,6 +1447,7 @@ lz_zone_answer(struct local_zone* z, struct module_env* env,
return 1;
} else if(lz_type == local_zone_static ||
lz_type == local_zone_redirect ||
lz_type == local_zone_inform_redirect ||
lz_type == local_zone_always_nxdomain) {
/* for static, reply nodata or nxdomain
* for redirect, reply nodata */
@ -1450,7 +1456,8 @@ lz_zone_answer(struct local_zone* z, struct module_env* env,
* or using closest match for NSEC.
* or using closest match for returning delegation downwards
*/
int rcode = (ld || lz_type == local_zone_redirect)?
int rcode = (ld || lz_type == local_zone_redirect ||
lz_type == local_zone_inform_redirect)?
LDNS_RCODE_NOERROR:LDNS_RCODE_NXDOMAIN;
if(z->soa)
return local_encode(qinfo, env, edns, repinfo, buf, temp,
@ -1624,7 +1631,9 @@ local_zones_answer(struct local_zones* zones, struct module_env* env,
}
}
if((env->cfg->log_local_actions ||
lzt == local_zone_inform || lzt == local_zone_inform_deny)
lzt == local_zone_inform ||
lzt == local_zone_inform_deny ||
lzt == local_zone_inform_redirect)
&& repinfo)
lz_inform_print(z, qinfo, repinfo);
@ -1656,6 +1665,7 @@ const char* local_zone_type2str(enum localzone_type t)
case local_zone_nodefault: return "nodefault";
case local_zone_inform: return "inform";
case local_zone_inform_deny: return "inform_deny";
case local_zone_inform_redirect: return "inform_redirect";
case local_zone_always_transparent: return "always_transparent";
case local_zone_always_refuse: return "always_refuse";
case local_zone_always_nxdomain: return "always_nxdomain";
@ -1682,6 +1692,8 @@ int local_zone_str2type(const char* type, enum localzone_type* t)
*t = local_zone_inform;
else if(strcmp(type, "inform_deny") == 0)
*t = local_zone_inform_deny;
else if(strcmp(type, "inform_redirect") == 0)
*t = local_zone_inform_redirect;
else if(strcmp(type, "always_transparent") == 0)
*t = local_zone_always_transparent;
else if(strcmp(type, "always_refuse") == 0)

4
services/localzone.h
View File

@ -83,6 +83,8 @@ enum localzone_type {
local_zone_inform,
/** log client address, and block (drop) */
local_zone_inform_deny,
/** log client address, and direct */
local_zone_inform_redirect,
/** resolve normally, even when there is local data */
local_zone_always_transparent,
/** answer with error, even when there is local data */
@ -491,6 +493,8 @@ enum respip_action {
respip_inform = local_zone_inform,
/** log query source and don't answer query */
respip_inform_deny = local_zone_inform_deny,
/** log query source and redirect */
respip_inform_redirect = local_zone_inform_redirect,
/** resolve normally, even when there is response-ip data */
respip_always_transparent = local_zone_always_transparent,
/** answer with 'refused' response */

10
services/modstack.c
View File

@ -113,8 +113,14 @@ modstack_config(struct module_stack* stack, const char* module_conf)
for(i=0; i<stack->num; i++) {
stack->mod[i] = module_factory(&module_conf);
if(!stack->mod[i]) {
log_err("Unknown value for next module: '%s'",
module_conf);
char md[256];
snprintf(md, sizeof(md), "%s", module_conf);
if(strchr(md, ' ')) *(strchr(md, ' ')) = 0;
if(strchr(md, '\t')) *(strchr(md, '\t')) = 0;
log_err("Unknown value in module-config, module: '%s'."
" This module is not present (not compiled in),"
" See the list of linked modules with unbound -h",
md);
return 0;
}
}

31
services/outside_network.c
View File

@ -1964,7 +1964,6 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
struct serviced_query* sq = (struct serviced_query*)arg;
struct outside_network* outnet = sq->outnet;
struct timeval now = *sq->outnet->now_tv;
int fallback_tcp = 0;
sq->pending = NULL; /* removed after callback */
if(error == NETEVENT_TIMEOUT) {
@ -1996,14 +1995,8 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
}
return 0;
}
if(rto >= RTT_MAX_TIMEOUT) {
/* fallback_tcp = 1; */
/* UDP does not work, fallback to TCP below */
} else {
serviced_callbacks(sq, NETEVENT_TIMEOUT, c, rep);
return 0;
}
} else if(error != NETEVENT_NOERROR) {
}
if(error != NETEVENT_NOERROR) {
/* udp returns error (due to no ID or interface available) */
serviced_callbacks(sq, error, c, rep);
return 0;
@ -2016,9 +2009,8 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
sq->zone, sq->zonelen, sq->qbuf, sq->qbuflen,
&sq->last_sent_time, sq->outnet->now_tv, c->buffer);
#endif
if(!fallback_tcp) {
if( (sq->status == serviced_query_UDP_EDNS
||sq->status == serviced_query_UDP_EDNS_FRAG)
if( (sq->status == serviced_query_UDP_EDNS
||sq->status == serviced_query_UDP_EDNS_FRAG)
&& (LDNS_RCODE_WIRE(sldns_buffer_begin(c->buffer))
== LDNS_RCODE_FORMERR || LDNS_RCODE_WIRE(
sldns_buffer_begin(c->buffer)) == LDNS_RCODE_NOTIMPL
@ -2032,7 +2024,7 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
serviced_callbacks(sq, NETEVENT_CLOSED, c, rep);
}
return 0;
} else if(sq->status == serviced_query_UDP_EDNS &&
} else if(sq->status == serviced_query_UDP_EDNS &&
!sq->edns_lame_known) {
/* now we know that edns queries received answers store that */
log_addr(VERB_ALGO, "serviced query: EDNS works for",
@ -2042,7 +2034,7 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
log_err("Out of memory caching edns works");
}
sq->edns_lame_known = 1;
} else if(sq->status == serviced_query_UDP_EDNS_fallback &&
} else if(sq->status == serviced_query_UDP_EDNS_fallback &&
!sq->edns_lame_known && (LDNS_RCODE_WIRE(
sldns_buffer_begin(c->buffer)) == LDNS_RCODE_NOERROR ||
LDNS_RCODE_WIRE(sldns_buffer_begin(c->buffer)) ==
@ -2060,12 +2052,12 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
}
} else {
log_addr(VERB_ALGO, "serviced query: EDNS fails, but "
"not stored because need DNSSEC for", &sq->addr,
"not stored because need DNSSEC for", &sq->addr,
sq->addrlen);
}
sq->status = serviced_query_UDP;
}
if(now.tv_sec > sq->last_sent_time.tv_sec ||
}
if(now.tv_sec > sq->last_sent_time.tv_sec ||
(now.tv_sec == sq->last_sent_time.tv_sec &&
now.tv_usec > sq->last_sent_time.tv_usec)) {
/* convert from microseconds to milliseconds */
@ -2081,11 +2073,10 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
sq->last_rtt, (time_t)now.tv_sec))
log_err("out of memory noting rtt.");
}
}
} /* end of if_!fallback_tcp */
}
/* perform TC flag check and TCP fallback after updating our
* cache entries for EDNS status and RTT times */
if(LDNS_TC_WIRE(sldns_buffer_begin(c->buffer)) || fallback_tcp) {
if(LDNS_TC_WIRE(sldns_buffer_begin(c->buffer))) {
/* fallback to TCP */
/* this discards partial UDP contents */
if(sq->status == serviced_query_UDP_EDNS ||

2
testdata/auth_xfr_notify.rpl vendored
View File

@ -195,7 +195,7 @@ ENTRY_END
RANGE_END
; lookups for notify hostnames.
STEP 1 TIME_PASSES ELAPSED 0
STEP 1 TIME_PASSES ELAPSE 0
; now the query
STEP 2 QUERY

10
testdata/iter_ranoaa_lame.rpl vendored
View File

@ -153,6 +153,16 @@ SECTION AUTHORITY
example.net. IN NS ns.example.net.
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.com. IN A
SECTION ANSWER
ns.example.com. IN A 1.2.3.55
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id

20
testdata/iter_reclame_two.rpl vendored
View File

@ -105,6 +105,26 @@ lame.example.com. IN AAAA
SECTION ANSWER
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR RA NOERROR
SECTION QUESTION
ns.example.com. IN A
SECTION ANSWER
ns.example.com. IN A 1.2.3.4
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR RA NOERROR
SECTION QUESTION
lame.example.com. IN A
SECTION ANSWER
lame.example.com. IN A 1.2.3.5
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id

1
testdata/ssl_req_order.tdir/ssl_req_order.post vendored
View File

@ -9,3 +9,4 @@
kill_pid $FWD_PID
kill_pid $UNBOUND_PID
cat unbound.log
cat fwd.log

494
util/configparser.c
View File

File diff suppressed because it is too large Load Diff

8
util/configparser.y
View File

@ -1783,12 +1783,14 @@ server_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG
&& strcmp($3, "always_refuse")!=0
&& strcmp($3, "always_nxdomain")!=0
&& strcmp($3, "noview")!=0
&& strcmp($3, "inform")!=0 && strcmp($3, "inform_deny")!=0) {
&& strcmp($3, "inform")!=0 && strcmp($3, "inform_deny")!=0
&& strcmp($3, "inform_redirect") != 0) {
yyerror("local-zone type: expected static, deny, "
"refuse, redirect, transparent, "
"typetransparent, inform, inform_deny, "
"always_transparent, always_refuse, "
"always_nxdomain, noview or nodefault");
"inform_redirect, always_transparent, "
"always_refuse, always_nxdomain, noview "
"or nodefault");
free($2);
free($3);
} else if(strcmp($3, "nodefault")==0) {

17
util/net_help.c
View File

@ -1049,11 +1049,19 @@ void* outgoing_ssl_fd(void* sslctx, int fd)
static lock_basic_type *ub_openssl_locks = NULL;
/** callback that gets thread id for openssl */
#ifdef HAVE_CRYPTO_THREADID_SET_CALLBACK
static void
ub_crypto_id_cb(CRYPTO_THREADID *id)
{
CRYPTO_THREADID_set_numeric(id, (unsigned long)log_thread_get());
}
#else
static unsigned long
ub_crypto_id_cb(void)
{
return (unsigned long)log_thread_get();
}
#endif
static void
ub_crypto_lock_cb(int mode, int type, const char *ATTR_UNUSED(file),
@ -1078,7 +1086,11 @@ int ub_openssl_lock_init(void)
for(i=0; i<CRYPTO_num_locks(); i++) {
lock_basic_init(&ub_openssl_locks[i]);
}
# ifdef HAVE_CRYPTO_THREADID_SET_CALLBACK
CRYPTO_THREADID_set_callback(&ub_crypto_id_cb);
# else
CRYPTO_set_id_callback(&ub_crypto_id_cb);
# endif
CRYPTO_set_locking_callback(&ub_crypto_lock_cb);
#endif /* OPENSSL_THREADS */
return 1;
@ -1090,7 +1102,11 @@ void ub_openssl_lock_delete(void)
int i;
if(!ub_openssl_locks)
return;
# ifdef HAVE_CRYPTO_THREADID_SET_CALLBACK
CRYPTO_THREADID_set_callback(NULL);
# else
CRYPTO_set_id_callback(NULL);
# endif
CRYPTO_set_locking_callback(NULL);
for(i=0; i<CRYPTO_num_locks(); i++) {
lock_basic_destroy(&ub_openssl_locks[i]);
@ -1219,6 +1235,7 @@ listen_sslctx_delete_ticket_keys(void)
struct tls_session_ticket_key *key;
if(!ticket_keys) return;
for(key = ticket_keys; key->key_name != NULL; key++) {
memset(key->key_name, 0xdd, 80); /* wipe key data from memory*/
free(key->key_name);
}
free(ticket_keys);

6
util/netevent.c
View File

@ -989,10 +989,10 @@ tcp_callback_writer(struct comm_point* c)
c->tcp_is_reading = 1;
c->tcp_byte_count = 0;
/* switch from listening(write) to listening(read) */
comm_point_stop_listening(c);
if(c->tcp_req_info) {
tcp_req_info_handle_writedone(c->tcp_req_info);
} else {
comm_point_stop_listening(c);
comm_point_start_listening(c, -1, -1);
}
}
@ -1006,11 +1006,11 @@ tcp_callback_reader(struct comm_point* c)
if(c->tcp_do_toggle_rw)
c->tcp_is_reading = 0;
c->tcp_byte_count = 0;
if(c->type == comm_tcp)
comm_point_stop_listening(c);
if(c->tcp_req_info) {
tcp_req_info_handle_readdone(c->tcp_req_info);
} else {
if(c->type == comm_tcp)
comm_point_stop_listening(c);
fptr_ok(fptr_whitelist_comm_point(c->callback));
if( (*c->callback)(c, c->cb_arg, NETEVENT_NOERROR, &c->repinfo) ) {
comm_point_start_listening(c, -1, c->tcp_timeout_msec);